Efficient Committed Oblivious Transfer of Bit Strings
E?cient Committed Oblivious Transfer
of Bit Strings
Mehmet S.Kiraz,Berry Schoenmakers,and Jos′e Villegas
Dept.of Mathematics and Computer Science,TU Eindhoven
P.O.Box513,5600MB Eindhoven,The Netherlands
m.kiraz@tue.nl,berry@win.tue.nl,j.a.villegas@tue.nl Abstract.Oblivious transfer(OT)is a powerful primitive in modern
cryptography,often used in a context of semi-honest https://www.wendangku.net/doc/c110796181.html,-
mitted oblivious transfer(COT)is an enhancement involving the use of
commitments,which can be used in many applications of OT covering
particular malicious adversarial behavior.For OT,many protocols are
known that cover the transfer of bit strings rather than just single bits.
For COT,though,the known protocols only cover the transfer of bits.
In this paper,we thus present e?cient COT protocols for transferring
(long)bit strings,which perform quite well in comparison to the most
e?cient COT protocols for bits.We prove the security of our proto-
cols following the simulation paradigm in the cryptographic model,also
assuming the random oracle model for e?cient non-interactive proofs.
Also,as a motivation for the use of COT instead of OT,we point out
that a protocol which uses OT as a subprotocol may have subtle security
issues in the presence of malicious adversaries.
Keywords:Committed oblivious transfer;Commitments;Homomorphic en-cryption
1Introduction
Oblivious transfer is a fundamental primitive in modern cryptography.After Rabin introduced oblivious transfer[Rab81]a huge number of papers appeared regarding possible extensions,variants and applications of oblivious transfer. In Rabin’s original oblivious transfer,the sender has a secret and sends it to a chooser who receives the secret with probability1/2while the sender does not know whether the secret has been https://www.wendangku.net/doc/c110796181.html,ter,Even,Goldreich and Lempel[EGL85]presented1-out-of-2Oblivious Transfer(OT),where the sender has two values s0and s1and the chooser has a selection bit b.Upon completion of the protocol,the chooser holds the value s b while the sender does not know which of the two values s0and s1the chooser got who,in turn,learns nothing about s1?b.Cr′e peau[Cr′e87]showed that Rabin’s OT and1-out-of-2OT are equivalent.1-out-of-2OT will be called standard OT throughout the rest of the paper.
Committed Oblivious Transfer(COT)is obtained as a natural combination of1-out-of-2oblivious transfer and bit commitments.This notion was?rst intro-duced by Cr′e peau[Cr′e90]under the name Veri?able Oblivious https://www.wendangku.net/doc/c110796181.html,ter, Cr′e peau et al.[CvdGT95]presented a more e?cient COT protocol and showed that from COT one can construct a protocol for general secure multi-party com-putation in the malicious case.Brie?y,in these variants of oblivious transfer, the parties running the protocol are committed to their input values prior to the protocol.That is,if the sender has two private values to be obliviously trans-ferred to the chooser who has a selection bit,all these input values must have been committed to by the respective parties before the transfer starts.At the end of the protocol,the chooser will receive one of the corresponding private values of the sender together with a(public)commitment by the chooser.
For many applications in which OT is used as a subprotocol,the security of the overall protocol is considered only in the semi-honest model.However,there may be subtle security issues when such protocols using OT are extended to the malicious case.We highlight this in this paper and we describe how COT helps to overcome these https://www.wendangku.net/doc/c110796181.html,ly,the link between OT and the surrounding protocol can be securely done with the use of COT.
Since e?cient COT protocols for transferring bits are known,one may thus replace applications of OT of bits by COT of bits.An interesting question is how to do the same when transferring bit strings.This is the starting point of this work.In this paper,we present e?cient protocols for string COT based on any(2,2)-threshold homomorphic cryptosystem.
Related Work
Garay et al.[GMY04]present the most e?cient COT protocol to date re-alizing COT functionality in the Universal Composable(UC)framework of Canetti[Can00].However,this protocol only works for bits whereas our pro-tocol allow for bit strings of arbitrary length(up to the length of plaintexts of the underlying threshold homomorphic cryptosystem,or a multiple thereof).In this paper,we will just consider a stand-alone setting,noting that the e?ciency of our protocols improves the e?ciency of the UC-protocols of[GMY04]when trimmed down to a stand-alone setting(replacing,e.g.,the use of?-protocols byΣ-protocols).
If the parties are committed to the inputs of the OT protocol but there is no commitment to chooser’s output we refer to this variant as Veri?able OT(VOT) in this paper.In this direction,Cachin and Camenisch[CC00]as well as Jarecki and Shmatikov[JS07]present protocols for VOT in2rounds.These protocols can be converted into COT by requesting the chooser to recommit to its received value and to prove the validity of this commitment w.r.t.the commitments for the inputs.In general,this incurs one extra communication round.
Lipmaa[Lip03]also presents a protocol under the name veri?able homomor-phic oblivious transfer for strings.However,veri?ability is de?ned in a di?erent sense.The chooser will get commitments to all inputs of the sender which can later be used and referred to by the surrounding protocol.Similarly,the sender
gets an encryption of the chooser’s input.Hence,this is yet another form of OT, which is related to COT and VOT,and is somewhat similar to the notion of “committing OT”,introduced later in[KS06].
Recently,Camenisch et al.[CNs07]presented a protocol for adaptive OT,in which a sender has a list of messages and a receiver adaptively chooses one mes-sage after the other.To prevent the so-called selective-failure problem mentioned in[CNs07](which is similar to the problem discussed in[KS06],see below),the sender is required to commit to its input list of messages and to prove consistency w.r.t.this list in all ensuing runs of adaptive OT.
More generally,we note that standard OT protocols,which are secure in a stand-alone setting,must be carefully dealt with when used as subroutines in higher level protocols.Kiraz and Schoenmakers[KS06]show that there are actually several protocols in the literature(e.g.,[Pin03,MNPS04,MF06])where the use of standard OT compromises the overall security of the https://www.wendangku.net/doc/c110796181.html,ly, a malicious sender may put‘bogus’values instead of the correct messages,and by doing so,compromise the privacy of the surrounding protocol.The use of COT or VOT protocols may prevent such problems.
Our contributions
We present a protocol that implements COT,assuming that a(2,2)-threshold homomorphic cryptosystem has been setup before(as in,e.g.,[CDN01]).This setting also allows for multiple(sequential)runs of the COT protocol,amortizing the initial cost of setting up the(2,2)-threshold cryptosystem.Our COT protocol e?ciently transfers bit https://www.wendangku.net/doc/c110796181.html,ing the random oracle model our protocol achieves2rounds of interaction.
Compared to the COT protocol of[GMY04],which works for bits only,the cost of transferring O(k)-bit strings(for security parameter k)using our pro-tocol is comparable to the cost of transferring a single bit using the protocol of[GMY04].Compared to the2-round VOT protocol of[JS07]for bit strings, which can be turned into a3-round COT protocol(see above),our protocol uses one round less and is also computationally more e?cient.However,[JS07]only assumes a common reference string(CRS)containing an RSA modulus(among other things),while we assume that a(2,2)-threshold homomorphic cryptosys-tem has been setup.
The security analysis of our COT protocol is done using the simulation paradigm,in the model described by[Lip03].Although the privacy for both parties is computational(as the commitments in our protocol are public key encryptions),we show a simulation which produces a statistically indistinguish-able view of the COT protocol for both parties.Hence,the COT protocol does not divulge any information beyond what can be inferred from the encryptions (which are used as computationally hiding commitments).
Organization of the paper
The rest of the paper is as follows.In Section2,we give some notation and de?nitions which are used throughout the paper.In Section3,we present our COT protocol together with a proof of security.In Section4,we discuss the complexity of our protocol and compare with previous solutions.In Section5, we discuss some applications which have some issues with the use of OT and motivate COT instead and?nally we conclude the paper.
2Preliminaries
Threshold homomorphic cryptosystems.Our results apply to any threshold ho-momorphic cryptosystem.Brie?y,let E(m,r)denote the encryption of value m using randomness r for a semantically secure public key encryption scheme.Of-ten the randomness is omitted in the notation,writing E(m).A cryptosystem is additively homomorphic if the product E(m1)E(m2)results in E(m1+m2).As a consequence,for any public constant c,E(m)c is an encryption whose plaintext is cm.
In a(t,n)-threshold cryptosystem there are n parties,each of them holds a share of the overall secret key.There is a public key which allows anyone to encrypt messages.If at least t parties cooperate,any encryption can be suc-cessfully decrypted,whereas any collusion of less than t parties cannot get any information about the plaintext.
There are various instances of threshold homomorphic cryptosystems.The most widely used are(based on)ElGamal or Paillier.Threshold homomorphic ElGamal has the drawback of only allowing decryption of values belonging to a relatively small set,for which it is feasible to compute discrete logs.On the other hand,Paillier does not have this problem and allows decryption of encrypted values in an arbitrarily large set(e.g.,1024-bit integers).However,the distributed key generation protocol for threshold Paillier is very expensive compared to that for threshold ElGamal.It is also possible to use an amalgam of ElGamal and Paillier cryptosystems:the key generation protocol it is that of ElGamal, while allowing decryption of full-size plaintexts like in Paillier.One drawback of the latter is that the security of the cryptosystem relies on two computational assumptions(see[DJ03]).
Σ-protocols.AΣ-protocol for a relation R={(v;w)}is a3-round protocol between a prover and a veri?er,where the prover acts?rst.Both parties have the value v as common input,and the prover has a witness w as private input,where (v;w)∈R.AΣ-protocol is a proof of knowledge for relation R which satis?es special soundness and(special)honest-veri?er zero-knowledge.See[CDS94]for further details.Moreover,non-interactiveΣ-proofs are easily obtained in the random oracle model.
We will also use the fact that both for homomorphic ElGamal encryptions and for Paillier encryptions,there are e?cientΣ-protocols for the relation R enc=
{(e;m,r):e=E(m,r)},proving knowledge of the message m and randomness r for a given encryption e=E(m,r).
(Non-Interactive)Public and Private Threshold Decryption.Given a ciphertext in the(t,n)-threshold cryptosystem,at least t parties willing to decrypt,produce shares of the decryption,based on their respective shares of the secret key.This information is broadcast and with this,everyone can simply recover the plaintext by using a reconstruction algorithm.Putting this more formally,on ciphertext
c,at least t parties broadcast c i=D sk
i (c),where sk i denotes the secret key
share for the i-th https://www.wendangku.net/doc/c110796181.html,ter,everyone can perform m=R(c1,...,c t)where c=E(m),where R denotes the public reconstruction algorithm.
In order to withstand malicious adversaries,parties have to prove that the decryption share c i is correctly computed.For this,they use aΣ-protocol for
the relation R tdec={(c i,c;sk i):c i=D sk
i (c)}.
For the security of this process,and for later use in our security proofs,we assume that if t?1parties are corrupted,then there is a simulator that on inputs e=E(m,r),the message m,and the t?1shares of the private key for the corrupted parties,it can produce a statistically indistinguishable view of the decryption protocol.The concrete details on how to do this depend on the speci?c threshold encryption scheme used.For examples,see[ST04,Section2]for the homomorphic threshold ElGamal,and[DJ01,Section4.1]for the threshold Paillier cryptosystem.
In our protocol,we consider a variant of the threshold decryption protocol, the so-called private threshold decryption[CDN01,full version].Here,the re-quirement is that one of the t parties will be the only party who will recover the secret.This is easily achieved:all t?1other parties follow the protocol,and broadcast their shares(along with the proofs of correctness).The party who will learn the plaintext proceeds with the decryption process privately,collects all decryption shares from the t?1other parties,and privately reconstructs the message.Note that the remaining parties will not get any information about this message.
Secure multi-party computation from threshold homomorphic cryptosystems. Cramer,Damg?ard and Nielsen[CDN01]present a framework to build secure mul-tiparty computation of any functionality that can be expressed as an arithmetic circuit(or formulae).Roughly,on inputs e1=E(m1)and e2=E(m2)where m1and m2may be unknown to everybody,parties can compute E(m1+m2) without interaction because of homomorphic properties.To compute E(m1m2) parties must engage in a secure multiplication protocol.If in the latter case one of the values,say m1,is private to one of the parties,this party can compute e=e m12E(0,r)proving that this is the case.Clearly,e encrypts m1m2.This protocol is usually referred to as private-multiplier(see,e.g.,[ST04]).For later use in the paper,the relation for the proof given in the private-multiplier gate is denoted as R pm={(e1,e2,e;m1,r1,r):e1=E(m1,r1)∧e=e m12E(0,r)}.
For later use in the simulation of our protocols,given E(m1),E(m2)and E(m1m2),the private-multiplier gate can be statistically simulated when there
are at most t?1corrupted parties in a(t,n)-threshold homomorphic cryptosys-tem.For details,see[CDN01,DJ01,ST04,DN03].
Encryptions as Commitments.A probabilistic public key encryption scheme can be used as a non-interactive commitment scheme.One party commits to a message by encrypting it.The opening is done by disclosing the message and the randomness used.
In this scenario we have to be careful:the holder of the private key can always see the contents of any commitment of this type and,depending on the encryption scheme used,this party might recover the randomness and therefore virtually open any commitment.1This compromises the hiding property for the commiter that do not know the secret key.
We can resolve this issue with the following two possible actions:using the encryption scheme as a commitment without allowing any of the parties to know the secret key;while another suitable alternative could be to set up a threshold encryption scenario.In this way,the ability to decrypt can be distributed in a threshold fashion(possibly letting the threshold be the total number of parties).
Given a commitment e=E(m,r),its committer in this scenario is the party that knows both the message m and the randomness r.Note that parties can run private threshold homomorphic decryption w.r.t.one party to retrieve the message behind e,but this not always allows the recipient to obtain the ran-domness used in e(e.g.,ElGamal),and therefore this party will not be able to open e as a commitment.If party P is the committer of e=E(m,r)we denote it by e=commit P(m,r).
Committed Oblivious Transfer.In1-out-of-2OT there are two parties:the sender S,who inputs two private values s0and s1;and the chooser C who has a selection bit b.At the end,C receives the value s b.The main security requirement of any protocol implementing OT is that after running the protocol S will not gain any information about the C’s selection bit b;and C will be ignorant about the value of s1?b.
De?nition1.A COT protocol is run between the parties S and C.At the be-ginning there public commitments commit S(s0,r0),commit S(s1,r1),and commit C(b,r).S inputs s0,s1and r0,r1,while C inputs b,r.At the end of the protocol,C receives s b and a fresh commitment commit C(s b,u)is publicly avail-able.S learns nothing about b while C has no clue about s1?b.(See Figure1) Now we point out the di?erence between COT and VOT in more detail.COT and VOT are identical except that in VOT the commitment by the chooser to its selected value s b is not required.Keeping this in mind,we notice that [Cr′e90,CvdGT95,CD97,GMY04]are papers that present COT(of bits).Instead, in[CC00,JS07]only VOT protocols are presented.However,the di?erent use 1For Paillier encryptions,one is able to recover both the plaintext and the randomness used if one knows the private key.Whereas,for ElGamal encryptions recovering the randomness is impossible under the DL assumption.
Sender
Priv.Input:s0,s1,r0,r1 Priv.Output:⊥
Common Input:commit C(b,r),
commit S(s0,r0),commit S(s1,r1)
Committed OT
←→
Common Output:commit C(s b,u)
Chooser
Priv.Input:b,r
Priv.Output:
s b,u
https://www.wendangku.net/doc/c110796181.html,mitted Oblivious Transfer
of these terms causes some confusion:Cr′e peau[Cr′e90]introduces COT under the name of VOT,Jarecki and Shmatikov[JS07]present protocols for VOT, while they use the term COT.In the latter paper,they present a UC-secure VOT protocol(which for them is a COT),modifying the de?nition of the ideal functionality for COT by Garay et al.[GMY04]to make it into VOT.It is straightforward to see that in line with our de?nitions COT implies VOT by just ignoring the output commitment.Vice versa,a VOT protocol can be turned into a COT protocol by adding a round in which the chooser commits to the received bit string and proves the validity of the commitment.
Security de?nitions.The main security obligation is to show that our protocol achieves the privacy requirements for COT.There are protocols in the literature that achieve unconditional privacy for one of the parties(e.g.,[NP01,Tze02,Lip03]) while the privacy for the other party on a computational assumption.As our com-mitments are encryptions of the underlying threshold public key cryptosystem, we can only give computational privacy to both parties.However,our proto-col achieves more than computational privacy:we show that for any corrupted party(sender or chooser)there exists a simulator that produces a view of the protocol which is statistically indistinguishable from the view of the corrupted party executing a real instance of the protocol.This has clear consequences in the framework of[CDN01]:a successful attacker to our protocol is an attacker to the security of underlying cryptosystem without loss in its success probability. This results in modular security proofs of higher level protocols that use our COT as a subroutine.
To carry out such simulations,we proceed as follows.Assuming that one party is corrupted,we build an e?cient simulator that has access to the public input,private secret shares of secret key and,as done in[Lip03],the private output in the case that the chooser is corrupted.Besides,the simulator knows the public output.
3Committed Oblivious Transfer Protocol
In this section,we will present our COT protocol.A(2,2)-threshold homomor-phic cryptosystem is assumed to be set up.We let E denote the encryption
algorithm of this cryptosystem,and as explained above,we also use E as a non-interactive commitment scheme.
Let e0=E(s0,r0)and e1=E(s1,r1)be the commitments to the sender’s input strings s0and s1,and e=E(b,r)be the commitment to the chooser’s selection bit b.
Using the general approach to secure multiparty computation of[CDN01],the COT protocol corresponds to the secure evaluation of an arithmetic circuit given by t=b(s1?s0)+s0which clearly returns s0if b=0and s1when b=1.This approach is so general that even s0,s1and b need not be known to any party. Note that the output of the evaluation will be an encryption e =E(t)=E(s b).If inputs(s0,s1)and/or b are known to the respective parties then one can securely compute e using a private-multiplier gate(instead of a secure multiplication gate),resulting in a more e?cient protocol.
Once e is obtained,according to one of the COT requirements,only the chooser must recover the plaintext.For this,we use private decryption,where the chooser is the one who will learn the plaintext inside e .
To complete the COT protocol,the chooser needs to commit to the received value s b,and to prove that it does so correctly.In principle,this can be done using some proofs of knowledge.However,we will use the fact that our commitments are encryptions for a threshold cryptosystem:to prove that a fresh commitment e to output s b is correct,we observe that this proof equivalent to show that e /e is an encryption of0.The latter statement is proved by actually decrypting e /e .
As a?nal remark,we see that if the chooser starts producing e ,it turns out that it has to wait for the decryption share of it from the sender,so that it later can produce the fresh commitment as just explained.This results in at least3 rounds of communication.However,if the sender starts,it produces e and at the same time the decryption share for e ,which reduces the overall strategy to at least2rounds of communication.In both cases,the computational cost is actually the same.For this reason,we only go into the details of this second approach,as it results in a more e?cient way of doing COT.
2-round COT protocol
We now present our protocol for COT.This protocol has two rounds and it is quite e?cient compared to the state of the art.In the beginning of the protocol, we take advantage of the fact that the values for the commitments e0,e1and e are known to the respective parties.The protocol is as follows.
Step1.The sender produces e =E(b(s1?s0)+s0)=e(s1?s0)·e0·E(0,r ) and theΣ-proof for relation R pm on(e,e1/e0,e /e0;s1?s0,r1?r0,r ).The sender also produces its decryption share s S of e ,along with theΣ-proof for relation R tdec on(e ,s S;sk S).
Step2.After checking the two proofs given by the sender,and if they pass, the chooser then produces its corresponding decryption share for e ,denoted
as s C .Combining s S and s C ,the chooser gets s b .Immediately,the chooser produces a fresh encryption e =E (s b ,u )for a fresh random u ,and generates its decryption share for e /e ,denoted as ?s C .Then,e and ?s C are sent along
with the Σ-proofs for R enc and R tdec on inputs (e ;s b ,u )and (e /e ,?s C ;sk C )
respectively.
Step 3.Finally,upon receiving e ,the sender produces its decryption share for
e /e ,denoted as ?s S .This is combined with ?s C to check whether the resulting decrypted value is 0.I
f so,the sender accepts e as a valid commitment for the chooser’s output.Otherwise,the sender rejects.
The protocol is sketched in Figure 2.
Committed OT of bit strings
Sender
Chooser Private Input
Common Input,Private Input s 0,s 1,,r 0,r 1,sk S
e =E (b,r ),b,r,sk C e 0=E (s 0,r 0),e 1=E (s 1,r 1)
e =e s 1?s 0·e 0·E (0)
s S =D sk S (e )??????
e ,s S +proofs ?????????????????→s C =D sk C (e ),s b =R (s S ,s C ),e =E (s b ,u )for random u,?s C =D sk C (e /e )←??????e ,?s C +proo
f ????????????????
?s S =D sk S (e /e )
0?=R (?s S ,?s C )
Private Output:⊥Common Output:
Private Output:s b ,u
e Fig.2.Sketch o
f the committed OT protocol
The value s b denotes the output of the chooser after privately decrypting e .When this value has been computed,a fresh commitment to s b (denoted as e )by the chooser has to be sent in order to ful?ll the COT requirement that the chooser’s output must be committed.Notice here that without the fresh commitment to s b the protocol ful?ll the VOT requirement in one round only.Security analysis
For the security analysis,we are going to prove that this protocol ful?lls the privacy requirements for COT.We are going to show that given a party is cor-
rupted,there exists a simulator that can produce a view which is statistically indistinguishable from the view of that party interacting with the other honest party.
Before starting the proof we make some remarks in the security model to make the proof precise.As we mentioned earlier,before the simulation is run the simulator already knows the shares of the secret key of the corrupted party. The reason is that the threshold cryptosystem is set up before the protocol starts, and therefore we assume that the simulator extracts this information when the distributed key generation is run.
Also,in case the chooser is corrupted,we use the approach in[Lip03]:the simulator will be given access to the received value by the chooser.From this and public information,we construct a simulator that produces an indistinguishable view for the adversary w.r.t.the view in the real execution.
Finally,we remind that the protocol gives computational privacy to both parties,the sender and the chooser,because of the semantic security of the underlying cryptosystem.Going a bit further than computational privacy,we now show that the protocol is simulatable for both parties and those simulations produce views which are statistically indistinguishable from the views in the real protocol executions.
Theorem1.On the sender’s inputs s0,s1(and randomness r0and r1),the chooser’s private selection bit b(and randomness r),where public commitments to the parties’inputs e0=E(s0,r0),e1=E(s1,r1),and e=E(b,r)are avail-able,the COT protocol privately gives s b(and a fresh randomness u)to the chooser,along with a public commitment e =E(s b,u).
Proof.As we argued before,we assume that one of the parties is corrupted. Based on public information besides of its private decryption share,we show a simulation which produces a view to the adversary that is statistically indistin-guishable from the view in the real protocol execution.
In all cases,a set of valid public inputs is available:e is a commitment to the chooser’s selection bit,and e0,e1are respective commitments to the sender’s inputs.Also,the simulator is assumed to get the public output commitment e which is a valid commitment to chooser’s received value.
Case1-The chooser is corrupted.We?rst prove the security for the case that the chooser is corrupted.The simulator has the chooser’s private key share sk C,and received value s b,apart from the public commitments.From this information, the simulator constructs a view for the chooser which is statistically close to the one when interacting with the honest sender.
The simulator proceeds as follows:
1.The simulator computes e =e ·E(0).The value e together with a simula-
tion of the private-multiplier gate(over multiplicands e and e1/e0and result
e /e0)are output.
2.At the same time,the decryption share s S can be simulated given e ,its
plaintext(which is s b)and the share of private key sk C of the chooser.All proofs at this stage are also simulated.
This completes the simulation for the malicious chooser.The transcript is consis-tent and statistically indistinguishable from the chooser’s view when interacting with the honest sender.
Case2-The sender is corrupted.We next prove the security for the case that the sender is corrupted.The simulator has only sender’s private key share sk S and all public information as described above.From this information,the simulator constructs a view for the sender which is statistically close to the one when interacting with the honest chooser.
The simulator proceeds as follows:
1.The simulator waits until the sender produces the encryption e and the
decryption share for e .The simulator checks all the proofs as if the honest chooser would check in the real protocol execution.If all proofs are passed, the simulator goes on,otherwise it aborts.
2.Now,simulator prepares e as e ·E(0)and outputs it along with a simu-
lated proof of knowledge.Also,it simulates?s C calling the simulator to the decryption process on inputs e /e ,plaintext0and the sender’s secret key share sk S.
This completes the simulation for the malicious sender.The transcript is consis-tent and statistically indistinguishable from the sender’s view when interacting with the honest receiver. 4Complexity analysis and comparison
Our protocol involves only a constant computational,communication and round complexities.When studied in similar frameworks,our protocols are as e?cient as the COT protocol by Garay et al.[GMY04]which is the most e?cient one up to now.We stress that the protocol of Garay et al.works in a stronger model, since they are interested in the UC framework.We,instead,will adapt their protocol to our framework to be able to carry out a comparison.
In the following,we present the precise description for the complexity of our protocol.For a concrete result we use(2,2)-threshold ElGamal cryptosystem by considering o?ine computations.In the protocol by Garay et al.they need?-protocols for the proofs of knowledge.For simplicity,we trimmed them down to the simplerΣ-protocols.This is done to make a reasonable comparison.
COT protocol by Garay et al.Let’s roughly sketch the protocol idea.The CRS consists of the pair(g,h),where nobody knows the discrete log x of h to the base g,i.e.h=g x.The protocol uses Pedersen commitments,and so,let E0=g r0h s0 and E1=g r1h s1denote the commitment to sender’s inputs s0and s1.Also,
E=g r h b is the commitment to chooser’s input b.The protocol has the following two main steps:
1.The sender“re-encrypts”E0and E1under the‘keys’E and E/h respec-
tively.Denote E 0and E 1the resulting encryptions.Note that E b will be re-encrypted with the key g r.It also proves that this is done correctly.
2.The chooser can only“decrypt”the message in E
b as it knows the secret
exponent r,recovering s b.On the other hand,the chooser cannot decrypt
E
1?b unless the discrete-log of h to the base g is known.To?nish,the chooser
has to recommit to the received value s b and prove that this is the case.
See[GMY04]for more details.In the?rst step,for the reencryption,4expo-nentiations are computed by the sender(2of them can be o?-line).The proofs at that step cost16exponentiations(8of them can be o?-line).As for the sec-ond step,the chooser needs only1on-line exponentiation to retrieve the chosen value.To?nish,the chooser computes a fresh commitment which costs1o?-line exponentiation.The proof of knowledge at the end costs8exponentiations(4 can be o?-line).In total,there are15on-line and15o?-line exponentiations. VOT by Jarecki and Shmatikov.We now just sketch the VOT protocol in[JS07]. The input commitments are encryptions under a homomorphic public key cryp-tosystem(the public key is part of the CRS).The chooser?rst sends a new public key together with the encryption of its selection bit under this new cryptosystem, proving that this is done https://www.wendangku.net/doc/c110796181.html,ter,the sender encrypts its inputs under this new public key,combining them with the encryption for the selection bit. Finally,the chooser can decrypt both ciphertexts,but only one of them contains the selected value,and the other one is random.
To convert it into COT,the chooser must recommit to its received value, producing a proof that the value encrypted is consistent with previous commit-ments.This protocol results in3rounds.
This scheme virtually works for any homomorphic encryption.When instan-tiated to additively homomorphic ElGamal,for the sake of our comparison,the protocol is slightly less e?cient than that of[GMY04],around17on-line and16 o?-line exponentiations(mainly due to the generation of the new cryptosystem, the recommitment of the selection bit and the respective proofs of knowledge). Meanwhile,for the VOT protocol,the cost is13and10on-line and o?-line exponentiations,resp.
Our COT protocol.Now we present the computational cost for our protocol in the case of(2,2)-threshold ElGamal.In Table1we study the computational complexity of the building blocks used in our protocol.For the private-multiplier gate,we include the cost of producing the output plus theΣ-proof for relation R pm.In the case of the private threshold decryption,we include the costs for generation of the decryption shares and oneΣ-proof for R tdec.And?nally,we consider the recommitment at the last step.Concretely,in the case of e ,chooser has to encrypt to the received value plus theΣ-proof for the knowledge of the
randomness used in that encryption.This su?ces as if chooser passes this proof and e /e decrypts to0,it implies it knows the plaintext in e .We divide the complexities analysis into on-line and o?-line computations.
Online O?ine
Private-multiplier gate35
Private threshold decryption42
Recommitment13
Table1.Number of exponentiations of building blocks used in our COT protocol for (2,2)-threshold ElGamal setting
To get the total number of exponentiations,we note that our protocol re-quires one private-multiplier gate at the?rst step(to produce e ),two private threshold decryptions(for decrypting e and e /e )and one encryption at the last step(to generate e ).Therefore,we have in total12on-line and12o?-line exponentiations.
Observe that the way of proving that the fresh commitment is correct in our protocol is di?erent(yet equally e?cient as the proof in[GMY04]).The protocol in[GMY04]needs9exponentiations to recommit and prove.Our needs 9exponentiations as well:produce e and one threshold decryption.technique we use is a little bit di?erent from the general zero knowledge proofs.
If we restrict ourselves to a VOT protocol,removing the recommitment step, we can see our protocol is really much more e?cient than the current protocols in the state-of-the-art.It certainly requires7on-line and7o?-line exponentia-tions(against11and10resp.for Garay et al.’s protocol)and also in only one round of interaction.Ours easily generalizes to any(2,2)-threshold homomorphic cryptosystem at a cost of a distributed key generation protocol at the beginning. 5Concluding Remarks
As we mentioned before there is a generic attack that can be produced when oblivious transfer is used as a building block for higher level protocols implemen-tations.Kiraz and Schoenmakers[KS06]present that there are several protocols for secure two-party computation using Yao’s garbled circuit in the presence of malicious adversaries[Pin03,MNPS04,MF06]which have a security issue with the use of standard OT,and COT is presented as a direct solution.Generally,the problem arises due to the fact that there is no connection between the interme-diate outputs in the protocol to the ones that are input for the OT protocols.We note that COT protocols(or any other combination of OT and commitments) may be therefore better to use within larger protocols assuming the correct-ness of the values inside the commitments.This correctness is controlled by the surrounding protocol and not by the COT protocol.
Moreover,there are a number of protocols for standard OT over bit strings which are pro?table for many applications,and therefore,we stress that our COT protocol may also result in e?cient implementations since it works for bit strings. Also we stress that once OT is used as a subprotocol in the semi-honest model,a COT protocol might be a good candidate to extend the higher-level protocol to the malicious case.Of course other solutions may be applicable though,but that would imply,in most of the cases,a redesign of the protocol being considered.
Finally,we highlight that our setting is quite di?erent from the previous OT protocols.We use a(2,2)-threshold setting in our protocol and of course,one might easily extend it to(2,n)-threshold cryptosystem.In particular it might be interesting the case n=3since still the adversary consists of only one party. The setting to adopt might clearly depend on the applications.
As further work,it could be interesting to present a protocol for committed oblivious transfer for bit strings in the universal composable framework and in the non-erasure model.
Acknowledgements.We thank Stas Jarecki and anonymous referees for valu-able comments on a previous version of this paper.The work has been supported in part by the European Commission through the IST Programme under Con-tract IST-2002-507932ECRYPT.The third author is supported by the research program Sentinels(http://www.sentinels.nl).Sentinels is being?nanced by Technology Foundation STW,the Dutch Organization for Scienti?c Research (NWO),and the Dutch Ministry of Economic A?airs.
References
[Can00]R.Canetti.Universally composable security:A new paradigm for cryp-tographic protocols.In IEEE Symposium on Foundations of Computer
Science,pages136–145,2000.
[CC00] C.Cachin and J.Camenisch.Optimistic fair secure computation.In Ad-vances in Cryptology—Crypto2000,volume1880of Lecture Notes in Com-
puter Science,pages93–111.Springer-Verlag,2000.
[CD97]R.Cramer and I.Damg?ard.Linear zero-knowledge–a note on e?cient zero-knowledge proofs and arguments.In ACM Symposium on Theory of
Computing–STOC1997,pages436–445.ACM Press,1997.
[CDN01]R.Cramer,I.Damg?ard,and J.Nielsen.Multiparty computation from threshold homomorphic encryption.In Advances in Cryptology—Eurocrypt
2001,volume2045of Lecture Notes in Computer Science,pages280–300.
Springer-Verlag,2001.
[CDS94]R.Cramer,I.Damg?ard,and B.Schoenmakers.Proofs of partial knowl-edge and simpli?ed design of witness hiding protocols.In Advances in
Cryptology—Crypto1994,volume839of Lecture Notes in Computer Sci-
ence,pages174–187.Springer-Verlag,1994.
[CNs07]J.Camenisch,G.Neven,and a.shelat.Simulatable adaptive oblivious transfer.In Advances in Cryptology—Eurocrypt2007,volume4515of Lec-
ture Notes in Computer Science,pages573–590.Springer-Verlag,2007.
[Cr′e87] C.Cr′e peau.Equivalence between two?avours of oblivious transfers.In Advances in Cryptology—Crypto1987,Lecture Notes in Computer Science,
pages350–354.Springer-Verlag,1987.
[Cr′e90] C.Cr′e peau.Veri?able disclosure of secrets and applications.In Advances in Cryptology—Eurocrypt1990,volume434of Lecture Notes in Computer
Science,pages181–191.Springer-Verlag,1990.
[CvdGT95] C.Cr′e peau,J.van de Graaf,and https://www.wendangku.net/doc/c110796181.html,mitted oblivious transfer and private multi-party computation.In Advances in Cryptology—Crypto
1995,volume963of Lecture Notes in Computer Science,pages110–123.
Springer-Verlag,1995.
[DJ01]I.Damg?ard and M.Jurik.A generalization,a simpli?cation and some applications of Paillier’s probabilistic public-key system.In Public Key
Cryptography—PKC2001,volume1992of Lecture Notes in Computer Sci-
ence,pages119–136.Springer-Verlag,2001.
[DJ03]I.Damg?ard and M.Jurik.A length-?exible threshold cryptosystem with applications.In ACISP2003,volume2727of Lecture Notes in Computer
Science,pages350–364.Springer-Verlag,2003.
[DN03]I.Damg?ard and J.Nielsen.Universally composable e?cient multiparty computation from threshold homomorphic encryption.In Advances in
Cryptology—Crypto2003,volume2779of Lecture Notes in Computer Sci-
ence,pages247–264.Springer-Verlag,2003.
[EGL85]S.Even,O.Goldreich,and A.Lempel.Randomized protocol for signing contracts.In Communications of the ACM28,pages637–647,1985. [GMY04]J.Garay,P.MacKenzie,and K.Yang.E?cient and universally composable committed oblivious transfer and applications.In Theory of Cryptography
Conference–TCC2004,volume2951of Lecture Notes in Computer Sci-
ence,pages297–316.Springer-Verlag,2004.
[JS07]S.Jarecki and V.Shmatikov.E?cient two-party secure computation on committed inputs.In Advances in Cryptology—Eurocrypt2007,volume
4515of Lecture Notes in Computer Science,pages97–114.Springer-Verlag,
2007.
[KS06]M.Kiraz and B.Schoenmakers.A protocol issue for the malicious case of Yao’s garbled circuit construction.In27th Symposium on Information
Theory in the Benelux,pages283–290,2006.
[Lip03]H.Lipmaa.Veri?able homomorphic oblivious transfer and private equality test.In Advances in Cryptology—Asiacrypt2003,volume2894of Lecture
Notes in Computer Science,pages416–433.Springer-Verlag,2003.
[MF06]P.Mohassel and M.Franklin.E?ciency tradeo?s for malicious two-party computation.In Public Key Cryptography—PKC2006,volume3958of
Lecture Notes in Computer Science,pages458–473,2006.
[MNPS04] D.Malkhi,N.Nisan,B.Pinkas,and Y.Sella.Fairplay–a secure two-party computation system.In USENIX Security,pages287–302,2004.
[NP01]M.Naor and B.Pinkas.E?cient oblivious transfer protocols.In12th annual ACM-SIAM symposium on Discrete algorithms–SODA’01,pages
448–457.ACM Press,2001.
[Pin03] B.Pinkas.Fair secure twoparty computation.In Advances in Cryptology—Eurocrypt2003,volume2656of Lecture Notes in Computer Science,pages
87–105.Springer-Verlag,2003.
[Rab81]M.Rabin.How to exchange secrets by oblivious transfer.Technical Report TR-81,Harvard Aiken Computation Laboratory,1981.
[ST04] B.Schoenmakers and P.Tuyls.Practical two-party computation based on the conditional gate.In Advances in Cryptology—Asiacrypt2004,vol-
ume3329of Lecture Notes in Computer Science,pages119–136.Springer-
Verlag,2004.
[Tze02]W.Tzeng.E?cient1-out-of-n oblivious transfer schemes.In Public Key Cryptography—PKC2002,volume2274of Lecture Notes in Computer Sci-
ence,pages159–171.Springer-Verlag,2002.
三角函数中1的妙用
三角函数中“1”的妙用 宁夏银川市高级中学 王波 750004 在我们学习三角函数这一部分内容的时候,我们会发现经常会与“1”有些合作,下面我就自己在教学中,利用“1”进行解题的体会与大家共同探讨。 理论一:sin 2α+cos 2α=1 应用举例 例1. 已知α是第一象限角,化简下式 ααcos sin 21+ 解析:对于根式的化简,思路主要是去根号,而对这个题目首先要考虑根式下的ααcos sin 21+是否能够配成完全平方式,沿着这个思路我们可以联想到221b a +=,自然会想到ααcos sin 21+=αα22cos sin ++ααcos sin 2,到此时解题思路豁然开朗 解:ααcos s in 21+=ααααcos sin 2cos sin 22++ =2)cos (sin αα+ =ααcos sin + ∵α是第一象限角∴0cos ,0sin >>αα ∴ααcos sin 21+=ααcos sin + 例2:已知3tan =α,求ααcos sin 的值 解析:这道题目是一个齐次式,这类题目的特点是已知角α的正切值,求含有正弦和余弦的三角多项式的值,解题的方法是化弦为切,而这道题目要用化弦为切有困难,所以我们就要观察它的特点,没有分母是它无法直接利用传统方法解题。我们发现ααcos sin 的分母 是1,而1=αα22cos sin +,这样题目就迎刃而解了 解:∵3tan =α ∵
ααcos sin =1cos sin αα=αααα22cos sin cos sin +=α αααcos sin cos sin 122+=ααtan 1tan 1+ ∴ααcos sin =3 131+=103 理论二:14tan =π(145tan 0=) 应用举例 例3:求值0 15tan 115tan 1-+ 解析:题目的形式是分式,联想到两角和的正切公式,而两角和的正切公式)tan(βα+=β αβαtan tan 1tan tan -+与题目给出的形式有区别,这时我们观察到公式中的αtan 与题目中1的位置相同,则自然会想到令1=tan450,后面的问题自然容易解决 解:0015tan 115tan 1-+=000 015 tan 45tan 115tan 45tan -+=)1545tan(00+=3 理论三:形如θθcos sin b a +的三角函数式的化简与求最值问题 θθcos sin b a +=)cos sin (222222θθb a b b a a b a ++++ ∵1)()(222222=+++b a b b a a ∴可以联想到1cos sin 22=+?? 则由此可设 ?cos 22=+b a a ,?sin 22=+b a b 或设?s in 22=+b a a ,?cos 22=+b a b
例析三角函数中“1”的代换
例析三角函数中“1”的代换 石阡县第三高中 张军 三角函数是中学数学教材中一种重要的函数,它又是研究其他各类知识的重要工具。凡是与三角函数有关的问题,都以恒等变形为研究手段。三角式的变形,包括三角式的化简、求三角式的值、证明恒等式和三角不等式等内容。特别是三角式的求值、化简是三角函数的重要内容。在三角函数中,“1”的代换有:βαcot tan 1?=,αα22cos sin 1+=, 45tan 1=,1cos sec =?αα,1sin csc =?αα等等。在具体的三角变换过程中,常根据题目不同特征选择不同的变换方式,若能把常数“1”恰当处理并灵活运用常会有意想不到的惊喜。下面举例说明。 例1、 已知 11 tan tan -=-αα ,求2cos sin sin 2++ααα的值。 分析:本题若常规思想,可由已知先求出αtan ,再由同角三角函数关系求得αsin 和αcos ,进而求出关系式的值,这种思想简单直接,但运用起来却很繁琐、费力,若借助题目条件的特殊性整体考虑,将 “αααcos sin sin 2+”的分母“1”看做αα2 2cos sin +直接转化为tan α的关系式求解救容易多了。 解:由已知得2 1tan =α。 2 cos sin sin 2++ααα 5132121212121tan tan tan 2cos sin cos sin sin 2 2 22222=++?? ? ??+? ?? ??=+++=+++=αααααααα 评析:对形如ααcos sin b a +,αααα22cos cos sin sin c b a ++的式子称为关于αsin 、αcos 的齐次式,对涉及他们的三角式通常利用整体考 虑的方法求解,使其转化为只含有正切的式子。 例2 证明: αααα2222sin tan sin tan =- 分析:本题可以由左证到右,或者由右证到左。无论哪种方式都需要利用“1”的代换,下面我们一起来看看这两种方式,自己来体会。 解:方法一(由右到左) 右边=()ααααα22222cos tan tan cos 1tan -=- =αααα α α222222 sin tan cos cos sin tan -=-=左边 因此 αααα2222sin tan sin tan =-
三角函数知识点汇总
1三角函数的概念 【知识网络】 【考点梳理】 考点一、角的概念与推广 1.任意角的概念:正角、负角、零角 2.象限角与轴线角: 与α终边相同的角的集合:},2|{Z k k ∈+=απββ 第一象限角的集合:{|22,}2 k k k Z π βπβπ<<+∈ 第二象限角的集合:{| 22,}2 k k k Z π βπβππ+<<+∈ 第三象限角的集合:3{|22,}2 k k k Z π βππβπ+<<+∈ 第四象限角的集合:3{| 222,}2 k k k Z π βπβππ+<<+∈ 终边在x 轴上的角的集合:{|,}k k Z ββπ=∈ 终边在y 轴上的角的集合:{|,}2 k k Z π ββπ=+∈ 终边在坐标轴上的角的集合:{|,}2 k k Z π ββ=∈ 要点诠释: 要熟悉任意角的概念,要注意角的集合表现形式不是唯一的,终边相同的角不一定相等,但相等的角终边一定相同,还要注意区间角与象限角及轴线角的区别与联系. 三角函数的概念 角的概念的推广、弧度制 正弦、余弦的诱导公式 同角三角函数的基本关系式 任意角的三角函数
考点二、弧度制 1.弧长公式与扇形面积公式: 弧长l r α= ?,扇形面积21 122 S lr r α==扇形(其中r 是圆的半径,α是弧所对圆心角的弧度数). 2.角度制与弧度制的换算: 180π=;180 10.017451()57.305718'180 rad rad rad π π = ≈=≈=; 要点诠释: 要熟悉弧度制与角度制的互化以及在弧度制下的有关公式. 考点三、任意角的三角函数 1. 定义:在角α上的终边上任取一点(,)P x y ,记r OP ==则sin y r α= , cos x r α=, tan y x α=,cot x y α=,sec r x α=,csc r y α= 2. 三角函数线:如图,单位圆中的有向线段MP ,OM ,AT 分别叫做α的正弦线,余弦线,正切线. 3. 三角函数的定义域:sin y α=,cos y α=的定义域是R α∈;tan y α=,sec y α=的定义域是 {|,}2 k k Z π ααπ≠+ ∈;cot y α=,csc y α=的定义域是{|,}k k Z ααπ≠∈. 4. 三角函数值在各个象限的符号: 考点四、同角三角函数间的基本关系式 1. 平方关系:2 2 2222sin cos 1;sec 1tan ;csc 1cot α+α=α=+αα=+α. 2. 商数关系:sin cos tan ;cot cos sin α α α= α= α α . 3. 倒数关系:tan cot 1;sin csc 1;cos sec 1α?α=αα=α?α= 要点诠释: ①同角三角函数的基本关系主要用于:(1)已知某一角的三角函数,求其它各三角函数值;(2)证明三角恒等式;(3)化简三角函数式. ②三角变换中要注意“1”的妙用,解决某些问题若用“1”代换,如2 2 1sin cos =α+α, 221sec tan tan 45=α-α== ,则可以事半功倍;同时三角变换中还要注意使用“化弦法”、消去法 及方程思想的运用. 考点五、诱导公式 1.2(),,,2k k Z πααπαπα+∈-±-的三角函数值等于α的同名三角函数值,前面加上一个把α看成锐角时原函数值所在象限的符号.
专题1-1 三角函数 重难点、易错点突破(含答案)
专题1-1 三角函数重难点、易错点突破 (建议用时:180分钟) 1 同角三角函数关系巧应用 同角三角函数的用途主要体现在三角函数的求值和恒等变形中各函数间的相互转化,下面结合常见的应用类型举例分析,体会其转化作用,展现同角三角函数关系的巧应用. 一、知一求二 例1 已知sin α=255,π 2≤α≤π,则tan α=_________________________________. 二、“1”的妙用 例2 证明:1-sin 6x -cos 6x 1-sin 4x -cos 4x =3 2. 三、齐次式求值 例3 已知tan α=2,求值: (1)2sin α-3cos α4sin α-9cos α=________; (2)2sin 2α-3cos 2α=________. 2 三角函数的性质总盘点 三角函数的性质是高考考查的重点和热点内容之一,应用“巧而活”.要能够灵活地运用性质,必须在脑海中能及时地浮现出三角函数的图象.下面通过典型例题对三角函数的性质进行盘点,请同学们用心体会. 一、定义域 例1 函数y =cos x -1 2 的定义域为________. 二、值域与最值 例2 函数y =cos(x +π3),x ∈(0,π 3 ]的值域是________.
三、单调性 例3 已知函数f (x )=sin(π 3-2x ),求: (1)函数f (x )的单调减区间; (2)函数f (x )在[-π,0]上的单调减区间. 四、周期性与对称性 例4 已知函数f (x )=sin(2ωx -π 3)(ω>0)的最小正周期为π,则函数f (x )的图象的对称轴方程是________. 五、奇偶性 例5 若函数f (x )=sin x +φ 3 (φ∈[0,2π))是偶函数,则φ=________. 1 善用数学思想——巧解题 一、数形结合思想 例1 在(0,2π)内,使sin x >cos x 成立的x 的取值范围是________. 二、分类讨论思想 例2 已知角α的终边在直线3x +4y =0上,求sin α,cos α,tan α的值.
浅谈“单位圆”在三角函数中的应用(1)
浅谈“单位圆”在三角函数中的使用 胡海光 (宝鸡文理学院数学系陕西宝鸡721013) 摘要:新课程用单位圆定义任意角的三角函数,提升了单位圆、三角函数线的地位,三角函数的知识结构和方法体系也发生了一些变化,利用单位圆本身直观、形象、准确、方便等特点,再结合相关的数学知识,可以使问题化难为易,化繁为简,思路清晰,方法明确。探究它在新课程三角函数公式推导和性质中的使用及解题中的使用,这样不但能使学生掌握用单位圆解题的方法,而且能激发学生的学习兴趣。 关键字:单位圆;诱导公式;三角函数;使用 1.引言 新课标指出:学生的数学活动不应只限于接受、记忆、模仿和练习,应倡导自主探索、动手实践、合作交流、阅读自习等学习数学的方式,通过各种不同形式的自主学习、探索活动,不但能让学生体验数学发现和创造的历程,培养他们的数学思维能力和创新意识,而且可以大大减少课堂的教学时间。因此,我们在教学中应充分挖掘教材的问题背景,逐渐培养学生的自主学习、自主探索等学习习惯。基于这种目的,在新课改下,我们可以将三角函数章节学习统一在单位圆和三角函数线之下,利用数形结合让学生理解知识的来龙去脉、推导过程,最主要的是使学生学会用联系的观点看三角函数,研究三角函数的定义、公式、图象和性质,明白如何用单位圆和三角函数线研究问题,动态地分析问题和解决问题。 2.单位圆的认识 单位圆是新课标里刚引进的新概念,学生受老教材的影响对单位圆的认识很模糊,为了让学生能很好的利用单位圆解决三角函数问题,笔者认为首先要了解单位圆的概念、为什么用单位圆上点的坐标定义三角函数及用单位圆上点的坐标定义三角函数的意义。 2.1单位圆的定义 所谓单位圆,就是在直角坐标系中,以原点O为圆心,以单位长度为半径的圆。如下图所示: 2.2为什么用 单位圆上点的坐标定义三a
三角函数中“1”的代换
三角函数中“1”的代换 义县高中 高一数学组 胡克让 三角函数是高中数学的重要内容,与数列、立体几何、平面向量、方程等都有密切的联系。这部分中基本计算公式特别的多,而且在解决三角函数问题时又是基础工具,能够熟练而又灵活的运用这些公式成了学习的难点。这部分公式大致分为三类,现和大家一起来研究下同角基本函数关系式中与“1”有关的问题,希望能给同学们带来帮助。 在三角函数的求值,化简,证明时,常把数1表示为三角函数式或特殊角的三角函数值参与运算,使问题得以简化。常见的代换有: 22222221sin cos 1(sin cos )2sin cos 1sec tan csc cot 1cos sec sin csc tan cot 1tan cot 44 αα αααα αααα αααααα ππ=+=+-=-=-=?=?=?== 等等。 下面例析几道题,供同学们参考。 例1 已知sin cos 2 αα-=-,则tan cot αα+的值为 . 分析:本题解法有二,一种是将sin cos αα-=与22sin cos 1αα+=联立成方程组求出sin α与cos α,再运用sin tan cos ααα=与cos cot sin ααα =求出所求值;一种是先利用sin tan cos ααα=与cos cot sin ααα =对tan cot αα+化简变形,发现只需要求出sin cos αα的 值即可,而将sin cos 2αα-=- 平方就能完成sin cos αα的求解,进而问题得以解决。两种方法对比,显然后者简单,而且运算量很少。 解析:sin cos αα-=
高中数学教学论文 三角函数中1的妙用
三角函数中“1”的妙 在我们学习三角函数这一部分内容的时候,我们会发现经常会与“1”有些合作,下面我就自己在教学中,利用“1”进行解题的体会与大家共同探讨。 理论一:sin 2α+cos 2α=1 应用举例 例1. 已知α是第一象限角,化简下式 ααcos sin 21+ 解析:对于根式的化简,思路主要是去根号,而对这个题目首先要考虑根式下的ααcos sin 21+是否能够配成完全平方式,沿着这个思路我们可以联想到221b a +=,自然会想到ααcos sin 21+=αα22cos sin ++ααcos sin 2,到此时解题思路豁然开朗 解:ααcos sin 21+=ααααcos sin 2cos sin 22++ =2)cos (sin αα+ =ααcos sin + ∵α是第一象限角∴0cos ,0sin >>αα ∴ααcos sin 21+=ααcos sin + 例2:已知3tan =α,求ααcos sin 的值 解析:这道题目是一个齐次式,这类题目的特点是已知角α的正切值,求含有正弦和余弦的三角多项式的值,解题的方法是化弦为切,而这道题目要用化弦为切有困难,所以我们就要观察它的特点,没有分母是它无法直接利用传统方法解题。我们发现ααcos sin 的分母是1,而1=αα2 2cos sin +,这样题目就迎刃而解了 解:∵3tan =α ∵ααcos sin =1cos sin αα=αααα22cos sin cos sin +=α αααcos sin cos sin 122+=ααtan 1tan 1+
∴ααcos sin =3131 +=103 理论二:14tan =π(145tan 0=) 应用举例 例3:求值0 15tan 115tan 1-+ 解析:题目的形式是分式,联想到两角和的正切公式,而两角和的正切公式)tan(βα+=β αβαtan tan 1tan tan -+与题目给出的形式有区别,这时我们观察到公式中的αtan 与题目中1的位置相同,则自然会想到令1=tan450,后面的问题自然容易解决 解:0015tan 115tan 1-+=000 015 tan 45tan 115tan 45tan -+=)1545tan(00+=3 理论三:形如θθcos sin b a +的三角函数式的化简与求最值问题 θθcos sin b a +=)cos sin (222222θθb a b b a a b a ++++ ∵1)( )(222222=+++b a b b a a ∴可以联想到1cos sin 22=+?? 则由此可设?co s 22=+b a a , ?sin 22=+b a b 或设?sin 22=+b a a ,?cos 22=+b a b 此时可得θθ cos sin b a +=)sin(?θ+ 或θθcos sin b a +=)cos(?θ-
“一名一角”在三角函数经典题型中的应用
屮孝生皋理化解题篇经典题突破方法 高考数学2019年1月 ■啊■!! 隹三話数亘典题竝中品用 ■河南省沈丘县第一高级中学孙鹏飞 纵观近5年的高考试题,对三角函数的考査主要围绕三角函数的图像及其变换,三角函数的图像与性质。考题多以中档难度岀现,有时也会以解答题形式进行考查,不仅要求考生熟练掌握三角函数的图像与性质,还要求考生注意三角恒等变换,切割化弦,名称不同化同名,角不同化同角,降幕等,最终化成;y=A sin(ojjr+甲)+&-,y=A.cos(udjc+甲)+h,夕=A tan(sr+卩)+怡型,简称"一名一-角”。利用整体代换、数形结合、化归转化等数学思想方法,在解题时明方向、巧转化、化繁为简,达到事半功倍的效果。 三角函数的周期 捌I函数/(工)=(>/^sin工+cos工)?(73cos—sin工)的最小正周期是()。 A.今 B.7T C.Y D.2tt 解法一:因为/X h)=(箱sin工+cos工)?(a/^~cos x—sin H)=3sin jc cos oc~F a/T cos2jt一a/T sin"jc—sin jc cos jc=sin2?r+y^cos2工= 2sin(2_r+专),所以丁=警=兀。故选B o 解法二:因为/(J:)=(a/3^sin jc+cos jc)?(>/3^cos x一sin jc)=4 cos JC+=2sin(2jr+于),所以T=-^ f)7Co 故选B o 方法技巧:函数y=A sin(wjc+°)+&或y—A cos(tjujc+卩)+上的最小正周期是丁=耐,函数y=AtanS+卩)+人的周期 I3 二、三角函数的奇偶性 侧2已知函数/(^)=sin(jr+箱cos(h+0),0W[—今,今]是偶函数,则0 的值是()。 A.0B.— 6 C工D- 43 解析:由辅助角公式,把/(^)=sin(x+ 0)+屈cos(工+。)化成f(工)= 2sin 若函数/'(乂〉为偶函数,则5+y=y+ kn,k&z.即&=手+smwz,结合9e 6 '今]令b=0,所以°=晋。故选B。 归纳感悟:(1)在三角函数中,判定奇偶性的前提是定义域关于原点对称,奇函数一般可化为y=A sin wjt或y=A tan tjujc的形式,而偶函数一般可化为y=Acos vujc+b的形式。 (2)已知函数的奇偶性求参数时,充分利用三角函数的性质化归到y=sin j:,y= cos j?,3/=tan x简单函数模型上去。对于》=Asin(sH+卩),若为奇函数,贝」(p=kn, &WZ;若为偶函数,则甲=今+—对于y=A cos(3乂+卩),若为奇函数,则(p= 18
高中数学三角函数总复习题解答
三角函数总复习题解答: A 组 1.解:(1)∈+==k k S ,24{ππ ββZ },4 9,4,47πππ- (2)∈+-==k k S ,232{ππββZ },3 10,34,32πππ- (3)∈+==k k S ,2512{ππββZ },5 12,52,58πππ- (4)∈π=ββ=k k S ,2{Z },-2π,0,2π 评述:这一题目要求我们首先要准确写出集合S ,并判断k 可取何值时,能使集合S 中角又属于所要求的范围. 2.解:由l =|α|r 得ππ2 9151031518054=?=???=l 44302 92≈+π=+=r l C cm 101.14 135********?≈=??==ππlr S cm 2 答:周长约44 cm ,面积约1.1×10 cm 2 评述:这一题需先将54°换算为弧度数,然后分别用公式进行计算. 3.(1)sin4<0;(2)cos5>0;(3)tan8<0;(4)tan(-3)>0. 评述:先判断角所属象限,然后确定其三角函数的符号. .,04 1cos 415 sin 1cos sin 4 1cos :.422为第一或第四象限角知由得由解???????=±=?? ???=+= 当?为第一象限角时,sin ?= 4 15,tan ?=15; 当?为第四象限角时,sin ?=-415,tan ?=-15.
评述:先由已知条件确定角所属象限,然后结合同角三角函数基本关系式,求出另外的三角函数值. 5.解:由sin x =2cos x ,得tan x =2 ∴x 为第一象限或第三象限角 当x 为第一象限角时 tan x =2,cot x = 2 1,cos x =55,sec x =5,sin x =552,csc x =25 当x 为第三象限角时 tan x =2,cot x = 21,cos x =-55,sec x =-5,sin x =-552,csc x =-2 5 110sin 10cos 10sin 10cos 10sin 10cos 10cos 10sin 170sin 10cos )10cos 10(sin 170cos 110cos 10cos 10sin 21:.622=?-??-?=?-??-?=?-??-?=? --?? ?-解 评述:注意灵活使用同角三角函数的基本关系式的变形式,即“1”的妙用,这也是三角函数式化简过程中常用的技巧之一,另外,注意及时使用诱导公式 和三角函数图象和性质:当α∈[0, 4 π)时,sin α<cos α. 7.解:sin 4α-sin 2α+cos 2α=sin 2α(sin 2α-1)+cos 2α=(1-cos 2α)(-cos 2α)+cos 2α =-cos 2α+cos 4α+cos 2α=cos 4α 评述:注意使用sin 2α+cos 2α=1及变形式. 8.证明:(1)左边=2(1-sin α)(1+cos α)=2(1-sin α+cos α-sin αcos α) =2-2sin α+2cos α-sin2α 右边=(1-sin α+cos α)2=[1-(sin α-cos α)]2 =1-2(sin α-cos α)+(sin α-cos α)2 =1-2sin α+2cos α+sin 2α+cos 2α-2sin αcos α =2-2sin α+2cos α-sin2α ∴左边=右边 即原式得证. (2)左边=sin 2α+sin 2β-sin 2α·sin 2β+cos 2α·cos 2β =sin 2α(1-sin 2β)+cos 2α·cos 2β+sin 2β =sin 2α·cos 2β+cos 2α·cos 2β+sin 2β =cos 2β(sin 2α+cos 2α)+sin 2β=1=右边
三角函数线的妙用
三角函数线的妙用 单位圆中的三角函数线是三角函数的定义的几何形式,我们就可以用形(有向线段)来研究数(三角函数)了。在解决一些三角问题时,恰当地运用一些三角函数线,往往即直观又方便. 一、求三角函数值 例 1 tan300 tan405 的值为() A. 1 3 B.1 、3 C. 1 .3 D. 1 、3 解:由于300和405可以分别用特殊角60和45来表示,因而容易在单位圆上找到它们的终边,作出三角函数线,再求出三角函数值。 因为tan300 3,tan405 1,所以tan 300 tan 405 1 .3.选 B 、解简单的三角方程 ),求x. x 解:设(。2),且cos 1 作余弦线为1的角的终边(OA和OB两条射线), 因为x ( ,2 ),所以满足条件的角只有一个(以 OA为终边,如图1所示)如果将x的取值范围改为x (,0),结合图2,可以得出:
三、解简单的三角不等式 (1) tan 1 (2) 1 3 1 sin 2 2 解:(1)因为 tan( 7) 1,tan 4 1 图3所示 取值范围是( 2k , 2k ) (3 2k ,3 4 2 4 2 (k Z),即( 4 k , 2 k )(k Z) 例3分别根据下列条件,写出 的取值范围. 2k (2)因为si n — 3 2 sin 3 2 7 sin ——si n( ) 1 且- 1 -sin ,3 6 6 2 2 2 由图4所示 的取值范围是 (6 2k '3 2k ( ; 2k' 7 6 2k ) (k Z) 四、比较大小 例 4 sin cos 一 '且 (0,5 -)' 4 图4 贝U tan ___________________ . 7 5 解:因为sin cos 且 ( 0,), 5 4 cos sin 0, sin cos 0 由(sin cos )2坐得 2si n cos 24 25 25 2 1 1 (sin cos ) sin cos 25 5 由(1) (2)可得sin 3 ,cos 4 * ,tan 3 5 5 4 由单位圆中三角函数线可得 (, 5 ) 4 x ABC 中,若 sin A 16 (A ) 65 (B) 3 厂 ,cosB 5 56 65 解:因为cosB 5 13 5 一 ,贝U cosC 的值是( 13 ( C)兰或56 65 12 (0-),s inB — 2 13 65 (D) 16 65
全国高中三角函数典型例题(教用)
【典型例题】: 1、已知2tan =x ,求x x cos ,sin 的值. 解:因为2cos sin tan == x x x ,又1cos sin 22=+a a , 联立得?? ?=+=,1 cos sin cos 2sin 2 2 x x x x 解这个方程组得. 55cos 552sin ,55cos 552sin ??? ????-=-=???????==x x x x 2、求) 330cos()150sin()690tan() 480sin()210cos()120tan( ----的值。 解:原式) 30360cos()150sin()30720tan() 120360sin()30180cos()180120tan(o --+---++-= .3330cos )150sin (30tan )120sin )(30cos (60tan -=---= 3、若 ,2cos sin cos sin =+-x x x x ,求x x cos sin 的值. 解:法一:因为 ,2cos sin cos sin =+-x x x x 所以)cos (sin 2cos sin x x x x +=- 得到x x cos 3sin -=,又1cos sin 2 2=+a a ,联立方程组,解得 ,,??? ??? ?=-=???????-==1010cos 10 103sin 1010cos 10103sin x x x x
所以?- =10 3cos sin x x 法二:因为 ,2cos sin cos sin =+-x x x x 所以)cos (sin 2cos sin x x x x +=-, 所以22)cos (sin 4)cos (sin x x x x +=-,所以x x x x cos sin 84cos sin 21+=-, 所以有?- =10 3cos sin x x 4、求证:x x x x 2 2 2 2sin tan sin tan -=。 5、求函数)6 π 2sin( 2+=x y 在区间]2,0[π上的值域。 解:因为]20π≤≤x ,所以π≤≤ 20x ,6 7626πππ≤+≤x 由正弦函数的图象,得到 ??? ???-∈+=1,21)6π2sin(2x y ,所以[] 2,1)6π2sin(2-∈+∈x y 6、求下列函数的值域. (1)2cos sin 2+-=x x y ;(2))cos (sin cos sin 2x x x x y +-=) 解:(1)2cos sin 2+-=x x y =3)cos (cos 2cos cos 122++-=+--x x x x
浅谈三角函数中“1”的妙用
浅谈三角函数中“1”的妙用 三角函数内容是新课程标准中删减、变化最大的内容之一,但是它仍然是高考的重点。许多同学在学习三角函数的时候感到很吃力,认为计算量很大,公式很多。下面笔者就从下面几道题为例,谈谈“1”在解某些三角函数问题时的妙用。 一 巧用sin 2a+cos 2a=1 2 tan 3,2sin 3sin cos a a a a =-例1:已知求的值 本题有多种解法,最常见的是根据tana 的值,求出sina 和cosa 的值,然后代入计算,但是这里要注意到a 所在的象限。这里介绍如何巧用“1”来求值。 2 22 2 2 22 22sin 3sin cos 1 2sin 3sin cos sin cos 2tan 3tan tan 12333 31910 a a a a a a a a a a a -= -=+-=+?-?=+= 解:原式 这里用到了平方关系sin 2a+cos 2a=1,就不用考虑a 所在的象限,计算也比较简便。 22 1,1 a b +=+=例2:已知求证 2 2 101011b a a b -≥-≥≤≤由于,,得,,根究结构特点, 可考虑利用三角代换来解答本题。 证明:由已知可得22 1010b a -≥-≥,, 所以11a b ≤≤,, 设a=cos ,b=cos 00αβαπβπ≤≤≤≤,且, ,由已知得
2 2 2 2 2 2 22 cos cos 1, cos sin cos sin 1,sin()1 022 2 cos cos cos cos sin cos 1 2 a b αβ αββααβπ π αβπαββα π αβαααα+=+=+=≤+≤+== -+=+=+-=+=即所以又,所以,即所以( ) 二 巧用tan450=1 00000 3(1tan 1)(1tan 2)(1tan 3)...(1tan 44)(1tan 45)+++++例计算 23 45(1tan )(1tan )1tan tan tan tan 1tan 1tan tan tan tan 2[(1tan 1)(1tan 44)][(1tan 2)(1tan 43)]...[(1tan 22)(1tan 23)](1tan 45) 2 αβαβαβαβ αβαβαβ=++=+++=++-+==+++++++=解:当+时,()()所以 原式 三 巧用tanacota=1 4tan 6730'tan 2230'-例计算 本题看似无从下手,但如果我们能够发现000 6730'2230'45-=,解本题也就不难了。 但当我们继续算下去时会发现出现00 tan 6730'tan 2230'这个式子,这时我们 就要想到00tan 6730'cot 2230'=,于是00tan 6730'tan 2230'=00 cot 2230'tan 2230'1= 00 tan 6730'tan 2230'tan 45tan(6730'2230')1tan 6730'tan 2230' tan 6730'tan 2230'tan 451tan 6730'tan 2230'1tan 6730'tan 2230'1cot 2230'tan 2230'1 -=-= +-=++=+=解:所以()= 四 巧用t a n t a n t a n () 1t a n t a n αβαβαβ±±= 1tan 54cot( )1tan 4 απαα -=+ ++例已知 求
三角函数中 的范围 (1)
三角函数中ω的范围 1.已知函数()2sin (0)f x x ωω=>在区间[0,]4 π上出现两次最大值2,则ω的范围 1218ω≤< 2已知ω是正实数,函数x x f ωsin 2)(=在]4,3[ππ- 上是增函数,,则ω的范围 解析: ,34x πωπωω??∈-????,,34πωπω??-?????,22ππ??-????。所以,正确答案230≤<ω。 3.已知()2sin (0)f x x ωω=>在[,]34ππ-上的最小值是2-,最大值不是2,则ω的范围 322 ω≤≤ 4已知0ω>,函数()sin()4f x x πω=+在(,)2ππ上单调递减.则ω的取值范围是 ()22πωππω-≤?≤,3()[,][,]424422 x ππππππωωπω+∈++? 得:315,2424224πππππωπωω+≥+≤?≤≤ 5.已知()sin (0)363f x x f f ωωπππ??????=+>= ? ? ???????,,且()f x 在区间63ππ?? ???,有最小值,无最大值,则ω=___.143 6. 已知sin()6y x π =+ ,求函数在区间(0,)2π上的值域 1(,1]2 【解析】 2(0,),(,)2663x x ππππ∈+∈,最小值应该是2sin ,sin 63ππ中的最小者,函数的值域是1(,1]2 7. 函数2sin (09)63x y x ππ??=-≤≤ ???的值域为 【解析】由90≤≤x 可知67363ππ ππ≤-≤-x ,则2sin [3,2]63x y ππ??=-∈ ??? 8. 求函数17π3π()2cos sin(24484f x x x ππ??=?-∈????),,的值域为 __. 1- 【解析】17π()2sin(22cos sin(22244444f x cos x x x ππππ??=?-?-- ???)= π3π84x ??∈????,,π50244x π∴≤-≤,2πsin 2124x ??-≤-≤ ?? ?,∴π12224x ??-≤-≤ ??? 9. 当函数sin 3(02)y x x x π=≤<取最大值时,x =____. 56 x π= 【解析】由sin 32sin()3y x x x π==- 由50233 3 x x ππππ≤
必修四第一章 三角函数解题技巧
必修四第一章 三角函数解题技巧 1 例说弧度制中的扇形问题 与扇形有关的问题是弧度制中的难点,我们可以应用弧长公式l =|α|r 和扇形面积公式S = 1 2|α|r 2解决一些实际问题,这类问题既充分体现了弧度制在运算上的优越性,又能帮助我们加深对弧度制概念的理解.下面通过几例帮助同学们分析、归纳弧度制下的扇形问题. 例1 已知扇形的圆心为60°,所在圆的半径为10,求扇形的弧长及扇形中该弧所在的弓形面积. 例2 扇形的半径为R ,其圆心角α(0<α≤π)为多大时,扇形内切圆面积最大,其最大值是多少? 例3 已知扇形的周长为30 cm ,当它的半径和圆心角各取什么值时,才能使扇形的面积最大?最大面积是多少? 针对练习: 1.扇形的周长C 一定时,它的圆心角θ取何值才能使扇形面积S 最大?最大值是多少? 2.在扇形AOB 中,∠AOB =90°,弧AB 的长为l ,求此扇形内切圆的面积. 3.已知扇形AOB 的周长是6 cm ,该扇形的中心角是1弧度,求该扇形的面积. 2 任意角三角函数问题错解辨析 任意角三角函数是三角函数的基础,在学习这部分内容时,有的同学经常因为概念不清、考虑不周、观察代替推理等原因而错解题目,下面就解题中容易出现的错误进行分类讲解,供同学们参考. 一、概念不清
例1 已知角α的终边在直线y =2x 上,求sin α+cos α的值. 二、观察代替推理 例2 当α∈(0,π 2)时,求证:sin α<tan α. 三、估算能力差 例3 若θ∈????0,π 2,则sin θ+cos θ的一个可能的值是( ) A.2 3 B.2 7π C.4-22 D .1 3 同角三角函数关系巧应用 同角三角函数的用途主要体现在三角函数的求值和恒等变形中各函数间的相互转化,下面结合常见的应用类型举例分析,体会其转化作用,展现同角三角函数关系巧应用. 一、知一求二型 例1 已知sin α=255,π2≤α≤π,则tan α=_________________________________. 二、妙用“1” 例2 证明:1-sin 6x -cos 6x 1-sin 4x -cos 4x =3 2. 三、齐次式型求值 例3 已知tan α=2,求值: (1)2sin α-3cos α4sin α-9cos α=________; (2)2sin 2α-3cos 2α=________.
1.9三角函数的简单应用
———潮汐问题 一、教学目标 1、知识与技能目标:巩固已学过的三角函数的知识,求给定自变量的函数值。已知三角函数值,求角。 2、能力目标:培养学生数学的实际应用能力和意识。 3、情感、态度和价值观:让学生进一步了解数学来源于生活。 二、教学重点:用三角函数刻画潮汐变化规律。 三.教学难点:对实际问题的数学解释。 四.学情分析—————————————————————————————————————————————————————————————————————————五.学法指导:启发,类比,小组讨论 六.教学方法:探究交流,讲练结合 七、教学过程: 1、新课引入:在客观现实世界中存在着大量的周期性变化现象,而要定量地去刻画这些现象,我们通常需要借助于三角函数这一重要数学模型。这节课我们将来学习三角函数模型的简单应用。 2、提出问题: 若干年后,如果在座的各位有机会当上船长的话,当你的船只要到某个港口去,你作为船长,你希望知道关于那个港口的一些什么情况(生答:水深情况等) 我们要到一个陌生的港口时,是非常想得到一张有关那个港口的水深与时间的对应关系数值表。那么这张表格是如何产生的呢请同学们看下面这个问题。 问题1:如图所示,下面是某个码头在某年某个季节每天的时间与水深的关系表:时 间 水 深 水的深度变化有什么特点吗(生答:水的深度开始由米增加到米,后逐渐减少一直减少到,又开始逐渐变深,增加到米后,又开始减少。) 大家发现,水深变化并不市杂乱无章,而是呈现一种周期性变化规律,为了更加直观明了地观察出这种周期性变化规律,需要画图。电脑呈现作图结果。 通过观察图像,发现跟我们前面所学过哪个函数类型非常的相似(生答:跟三角函数模型 。)
1的妙用
三角函数中“1”的妙用 在我们学习三角函数这一部分内容的时候,我们会发现经常会与“1”有些合作,下面我就自己在教学中,利用“1”进行解题的体会与大家共同探讨。 理论一:sin 2α+cos 2α=1 应用举例 例1. 已知α是第一象限角,化简下式 ααcos sin 21+ 解析:对于根式的化简,思路主要是去根号,而对这个题目首先要考虑根式下的ααcos sin 21+是否能够配成完全平方式,沿着这个思路我们可以联想到221b a +=,自然会想到ααcos sin 21+=αα22cos sin ++ααcos sin 2,到此时解题思路豁然开朗 解:ααcos sin 21+=ααααcos sin 2cos sin 22++ =2)cos (sin αα+ =ααcos sin + ∵α是第一象限角∴0cos ,0sin >>αα ∴ααcos sin 21+=ααcos sin + 例2:已知3tan =α,求ααcos sin 的值 解析:这道题目是一个齐次式,这类题目的特点是已知角α的正切值,求含有正弦和余弦的三角多项式的值,解题的方法是化弦为切,而这道题目要用化弦为切有困难,所以我们就要观察它的特点,没有分母是它无法直接利用传统方法解题。我们发现ααcos sin 的分母 是1,而1=αα22cos sin +,这样题目就迎刃而解了 解:∵3tan =α ∵
ααcos sin =1cos sin αα=αααα22cos sin cos sin +=α αααcos sin cos sin 122+=ααtan 1tan 1+ ∴ααcos sin =3 131+=103 理论二:14tan =π(145tan 0=) 应用举例 例3:求值0 15tan 115tan 1-+ 解析:题目的形式是分式,联想到两角和的正切公式,而两角和 的正切公式)tan(βα+=β αβαtan tan 1tan tan -+与题目给出的形式有区别,这时我们观察到公式中的αtan 与题目中1的位置相同,则自然会想到令1=tan450,后面的问题自然容易解决 解:0015tan 115tan 1-+=000 015 tan 45tan 115tan 45tan -+=)1545tan(00+=3 理论三:形如θθcos sin b a +的三角函数式的化简与求最值问题 θθcos sin b a +=)cos sin (222222θθb a b b a a b a ++++ ∵1)()(222222=+++b a b b a a ∴可以联想到1cos sin 22=+?? 则由此可设?cos 22=+b a a , ?sin 22=+b a b 或设?sin 22=+b a a ,?cos 22=+b a b