TY - CONF
AB - We extend a commitment scheme based on the learning with errors over rings (RLWE) problem, and present efficient companion zeroknowledge proofs of knowledge. Our scheme maps elements from the ring (or equivalently, n elements from
AU - Benhamouda, Fabrice
AU - Krenn, Stephan
AU - Lyubashevsky, Vadim
AU - Pietrzak, Krzysztof Z
ID - 1649
TI - Efficient zero-knowledge proofs for commitments from learning with errors over rings
VL - 9326
ER -
TY - CONF
AB - We consider the task of deriving a key with high HILL entropy (i.e., being computationally indistinguishable from a key with high min-entropy) from an unpredictable source.
Previous to this work, the only known way to transform unpredictability into a key that was ϵ indistinguishable from having min-entropy was via pseudorandomness, for example by Goldreich-Levin (GL) hardcore bits. This approach has the inherent limitation that from a source with k bits of unpredictability entropy one can derive a key of length (and thus HILL entropy) at most k−2log(1/ϵ) bits. In many settings, e.g. when dealing with biometric data, such a 2log(1/ϵ) bit entropy loss in not an option. Our main technical contribution is a theorem that states that in the high entropy regime, unpredictability implies HILL entropy. Concretely, any variable K with |K|−d bits of unpredictability entropy has the same amount of so called metric entropy (against real-valued, deterministic distinguishers), which is known to imply the same amount of HILL entropy. The loss in circuit size in this argument is exponential in the entropy gap d, and thus this result only applies for small d (i.e., where the size of distinguishers considered is exponential in d).
To overcome the above restriction, we investigate if it’s possible to first “condense” unpredictability entropy and make the entropy gap small. We show that any source with k bits of unpredictability can be condensed into a source of length k with k−3 bits of unpredictability entropy. Our condenser simply “abuses" the GL construction and derives a k bit key from a source with k bits of unpredicatibily. The original GL theorem implies nothing when extracting that many bits, but we show that in this regime, GL still behaves like a “condenser" for unpredictability. This result comes with two caveats (1) the loss in circuit size is exponential in k and (2) we require that the source we start with has no HILL entropy (equivalently, one can efficiently check if a guess is correct). We leave it as an intriguing open problem to overcome these restrictions or to prove they’re inherent.
AU - Skórski, Maciej
AU - Golovnev, Alexander
AU - Pietrzak, Krzysztof Z
ID - 1650
TI - Condensed unpredictability
VL - 9134
ER -
TY - CONF
AB - Cryptographic e-cash allows off-line electronic transactions between a bank, users and merchants in a secure and anonymous fashion. A plethora of e-cash constructions has been proposed in the literature; however, these traditional e-cash schemes only allow coins to be transferred once between users and merchants. Ideally, we would like users to be able to transfer coins between each other multiple times before deposit, as happens with physical cash. “Transferable” e-cash schemes are the solution to this problem. Unfortunately, the currently proposed schemes are either completely impractical or do not achieve the desirable anonymity properties without compromises, such as assuming the existence of a trusted “judge” who can trace all coins and users in the system. This paper presents the first efficient and fully anonymous transferable e-cash scheme without any trusted third parties. We start by revising the security and anonymity properties of transferable e-cash to capture issues that were previously overlooked. For our construction we use the recently proposed malleable signatures by Chase et al. to allow the secure and anonymous transfer of coins, combined with a new efficient double-spending detection mechanism. Finally, we discuss an instantiation of our construction.
AU - Baldimtsi, Foteini
AU - Chase, Melissa
AU - Fuchsbauer, Georg
AU - Kohlweiss, Markulf
ID - 1651
TI - Anonymous transferable e-cash
VL - 9020
ER -
TY - CONF
AB - We develop new theoretical tools for proving lower-bounds on the (amortized) complexity of certain functions in models of parallel computation. We apply the tools to construct a class of functions with high amortized memory complexity in the parallel Random Oracle Model (pROM); a variant of the standard ROM allowing for batches of simultaneous queries. In particular we obtain a new, more robust, type of Memory-Hard Functions (MHF); a security primitive which has recently been gaining acceptance in practice as an effective means of countering brute-force attacks on security relevant functions. Along the way we also demonstrate an important shortcoming of previous definitions of MHFs and give a new definition addressing the problem. The tools we develop represent an adaptation of the powerful pebbling paradigm (initially introduced by Hewitt and Paterson [HP70] and Cook [Coo73]) to a simple and intuitive parallel setting. We define a simple pebbling game Gp over graphs which aims to abstract parallel computation in an intuitive way. As a conceptual contribution we define a measure of pebbling complexity for graphs called cumulative complexity (CC) and show how it overcomes a crucial shortcoming (in the parallel setting) exhibited by more traditional complexity measures used in the past. As a main technical contribution we give an explicit construction of a constant in-degree family of graphs whose CC in Gp approaches maximality to within a polylogarithmic factor for any graph of equal size (analogous to the graphs of Tarjan et. al. [PTC76, LT82] for sequential pebbling games). Finally, for a given graph G and related function fG, we derive a lower-bound on the amortized memory complexity of fG in the pROM in terms of the CC of G in the game Gp.
AU - Alwen, Joel F
AU - Serbinenko, Vladimir
ID - 1652
T2 - Proceedings of the 47th annual ACM symposium on Theory of computing
TI - High parallel complexity graphs and memory-hard functions
ER -
TY - CONF
AB - HMAC and its variant NMAC are the most popular approaches to deriving a MAC (and more generally, a PRF) from a cryptographic hash function. Despite nearly two decades of research, their exact security still remains far from understood in many different contexts. Indeed, recent works have re-surfaced interest for {\em generic} attacks, i.e., attacks that treat the compression function of the underlying hash function as a black box.
Generic security can be proved in a model where the underlying compression function is modeled as a random function -- yet, to date, the question of proving tight, non-trivial bounds on the generic security of HMAC/NMAC even as a PRF remains a challenging open question.
In this paper, we ask the question of whether a small modification to HMAC and NMAC can allow us to exactly characterize the security of the resulting constructions, while only incurring little penalty with respect to efficiency. To this end, we present simple variants of NMAC and HMAC, for which we prove tight bounds on the generic PRF security, expressed in terms of numbers of construction and compression function queries necessary to break the construction. All of our constructions are obtained via a (near) {\em black-box} modification of NMAC and HMAC, which can be interpreted as an initial step of key-dependent message pre-processing.
While our focus is on PRF security, a further attractive feature of our new constructions is that they clearly defeat all recent generic attacks against properties such as state recovery and universal forgery. These exploit properties of the so-called ``functional graph'' which are not directly accessible in our new constructions.
AU - Gazi, Peter
AU - Pietrzak, Krzysztof Z
AU - Tessaro, Stefano
ID - 1654
TI - Generic security of NMAC and HMAC with input whitening
VL - 9453
ER -
TY - JOUR
AB - Quantifying behaviors of robots which were generated autonomously from task-independent objective functions is an important prerequisite for objective comparisons of algorithms and movements of animals. The temporal sequence of such a behavior can be considered as a time series and hence complexity measures developed for time series are natural candidates for its quantification. The predictive information and the excess entropy are such complexity measures. They measure the amount of information the past contains about the future and thus quantify the nonrandom structure in the temporal sequence. However, when using these measures for systems with continuous states one has to deal with the fact that their values will depend on the resolution with which the systems states are observed. For deterministic systems both measures will diverge with increasing resolution. We therefore propose a new decomposition of the excess entropy in resolution dependent and resolution independent parts and discuss how they depend on the dimensionality of the dynamics, correlations and the noise level. For the practical estimation we propose to use estimates based on the correlation integral instead of the direct estimation of the mutual information based on next neighbor statistics because the latter allows less control of the scale dependencies. Using our algorithm we are able to show how autonomous learning generates behavior of increasing complexity with increasing learning duration.
AU - Martius, Georg S
AU - Olbrich, Eckehard
ID - 1655
IS - 10
JF - Entropy
TI - Quantifying emergent behavior of autonomous robots
VL - 17
ER -
TY - CONF
AB - Recently there has been a significant effort to handle quantitative properties in formal verification and synthesis. While weighted automata over finite and infinite words provide a natural and flexible framework to express quantitative properties, perhaps surprisingly, some basic system properties such as average response time cannot be expressed using weighted automata, nor in any other know decidable formalism. In this work, we introduce nested weighted automata as a natural extension of weighted automata which makes it possible to express important quantitative properties such as average response time. In nested weighted automata, a master automaton spins off and collects results from weighted slave automata, each of which computes a quantity along a finite portion of an infinite word. Nested weighted automata can be viewed as the quantitative analogue of monitor automata, which are used in run-time verification. We establish an almost complete decidability picture for the basic decision problems about nested weighted automata, and illustrate their applicability in several domains. In particular, nested weighted automata can be used to decide average response time properties.
AU - Chatterjee, Krishnendu
AU - Henzinger, Thomas A
AU - Otop, Jan
ID - 1656
T2 - Proceedings - Symposium on Logic in Computer Science
TI - Nested weighted automata
VL - 2015-July
ER -
TY - CONF
AB - We consider Markov decision processes (MDPs) with multiple limit-average (or mean-payoff) objectives. There exist two different views: (i) ~the expectation semantics, where the goal is to optimize the expected mean-payoff objective, and (ii) ~the satisfaction semantics, where the goal is to maximize the probability of runs such that the mean-payoff value stays above a given vector. We consider optimization with respect to both objectives at once, thus unifying the existing semantics. Precisely, the goal is to optimize the expectation while ensuring the satisfaction constraint. Our problem captures the notion of optimization with respect to strategies that are risk-averse (i.e., Ensure certain probabilistic guarantee). Our main results are as follows: First, we present algorithms for the decision problems, which are always polynomial in the size of the MDP. We also show that an approximation of the Pareto curve can be computed in time polynomial in the size of the MDP, and the approximation factor, but exponential in the number of dimensions. Second, we present a complete characterization of the strategy complexity (in terms of memory bounds and randomization) required to solve our problem.
AU - Chatterjee, Krishnendu
AU - Komárková, Zuzana
AU - Kretinsky, Jan
ID - 1657
TI - Unifying two views on multiple mean-payoff objectives in Markov decision processes
ER -
TY - CONF
AB - Continuous-time Markov chain (CTMC) models have become a central tool for understanding the dynamics of complex reaction networks and the importance of stochasticity in the underlying biochemical processes. When such models are employed to answer questions in applications, in order to ensure that the model provides a sufficiently accurate representation of the real system, it is of vital importance that the model parameters are inferred from real measured data. This, however, is often a formidable task and all of the existing methods fail in one case or the other, usually because the underlying CTMC model is high-dimensional and computationally difficult to analyze. The parameter inference methods that tend to scale best in the dimension of the CTMC are based on so-called moment closure approximations. However, there exists a large number of different moment closure approximations and it is typically hard to say a priori which of the approximations is the most suitable for the inference procedure. Here, we propose a moment-based parameter inference method that automatically chooses the most appropriate moment closure method. Accordingly, contrary to existing methods, the user is not required to be experienced in moment closure techniques. In addition to that, our method adaptively changes the approximation during the parameter inference to ensure that always the best approximation is used, even in cases where different approximations are best in different regions of the parameter space.
AU - Bogomolov, Sergiy
AU - Henzinger, Thomas A
AU - Podelski, Andreas
AU - Ruess, Jakob
AU - Schilling, Christian
ID - 1658
TI - Adaptive moment closure for parameter inference of biochemical reaction networks
VL - 9308
ER -
TY - CONF
AB - The target discounted-sum problem is the following: Given a rational discount factor 0 < λ < 1 and three rational values a, b, and t, does there exist a finite or an infinite sequence w ε(a, b)∗ or w ε(a, b)w, such that Σ|w| i=0 w(i)λi equals t? The problem turns out to relate to many fields of mathematics and computer science, and its decidability question is surprisingly hard to solve. We solve the finite version of the problem, and show the hardness of the infinite version, linking it to various areas and open problems in mathematics and computer science: β-expansions, discounted-sum automata, piecewise affine maps, and generalizations of the Cantor set. We provide some partial results to the infinite version, among which are solutions to its restriction to eventually-periodic sequences and to the cases that λ λ 1/2 or λ = 1/n, for every n ε N. We use our results for solving some open problems on discounted-sum automata, among which are the exact-value problem for nondeterministic automata over finite words and the universality and inclusion problems for functional automata.
AU - Boker, Udi
AU - Henzinger, Thomas A
AU - Otop, Jan
ID - 1659
SN - 1043-6871
T2 - LICS
TI - The target discounted-sum problem
ER -
TY - CONF
AB - We study the pattern frequency vector for runs in probabilistic Vector Addition Systems with States (pVASS). Intuitively, each configuration of a given pVASS is assigned one of finitely many patterns, and every run can thus be seen as an infinite sequence of these patterns. The pattern frequency vector assigns to each run the limit of pattern frequencies computed for longer and longer prefixes of the run. If the limit does not exist, then the vector is undefined. We show that for one-counter pVASS, the pattern frequency vector is defined and takes one of finitely many values for almost all runs. Further, these values and their associated probabilities can be approximated up to an arbitrarily small relative error in polynomial time. For stable two-counter pVASS, we show the same result, but we do not provide any upper complexity bound. As a byproduct of our study, we discover counterexamples falsifying some classical results about stochastic Petri nets published in the 80s.
AU - Brázdil, Tomáš
AU - Kiefer, Stefan
AU - Kučera, Antonín
AU - Novotny, Petr
ID - 1660
TI - Long-run average behaviour of probabilistic vector addition systems
ER -
TY - CONF
AB - The computation of the winning set for one-pair Streett objectives and for k-pair Streett objectives in (standard) graphs as well as in game graphs are central problems in computer-aided verification, with application to the verification of closed systems with strong fairness conditions, the verification of open systems, checking interface compatibility, well-formed ness of specifications, and the synthesis of reactive systems. We give faster algorithms for the computation of the winning set for (1) one-pair Streett objectives (aka parity-3 problem) in game graphs and (2) for k-pair Streett objectives in graphs. For both problems this represents the first improvement in asymptotic running time in 15 years.
AU - Chatterjee, Krishnendu
AU - Henzinger, Monika
AU - Loitzenbauer, Veronika
ID - 1661
T2 - Proceedings - Symposium on Logic in Computer Science
TI - Improved algorithms for one-pair and k-pair Streett objectives
VL - 2015-July
ER -
TY - JOUR
AB - CREB-binding protein (CBP) and p300 are transcriptional coactivators involved in numerous biological processes that affect cell growth, transformation, differentiation, and development. In this study, we provide evidence of the involvement of homeodomain-interacting protein kinase 2 (HIPK2) in the regulation of CBP activity. We show that HIPK2 interacts with and phosphorylates several regions of CBP. We demonstrate that serines 2361, 2363, 2371, 2376, and 2381 are responsible for the HIPK2-induced mobility shift of CBP C-terminal activation domain. Moreover, we show that HIPK2 strongly potentiates the transcriptional activity of CBP. However, our data suggest that HIPK2 activates CBP mainly by counteracting the repressive action of cell cycle regulatory domain 1 (CRD1), located between amino acids 977 and 1076, independently of CBP phosphorylation. Our findings thus highlight a complex regulation of CBP activity by HIPK2, which might be relevant for the control of specific sets of target genes involved in cellular proliferation, differentiation and apoptosis.
AU - Kovács, Krisztián
AU - Steinmann, Myriam
AU - Halfon, Olivier
AU - Magistretti, Pierre
AU - Cardinaux, Jean
ID - 1663
IS - 11
JF - Cellular Signalling
TI - Complex regulation of CREB-binding protein by homeodomain-interacting protein kinase 2
VL - 27
ER -
TY - JOUR
AB - Over a century of research into the origin of turbulence in wall-bounded shear flows has resulted in a puzzling picture in which turbulence appears in a variety of different states competing with laminar background flow. At moderate flow speeds, turbulence is confined to localized patches; it is only at higher speeds that the entire flow becomes turbulent. The origin of the different states encountered during this transition, the front dynamics of the turbulent regions and the transformation to full turbulence have yet to be explained. By combining experiments, theory and computer simulations, here we uncover a bifurcation scenario that explains the transformation to fully turbulent pipe flow and describe the front dynamics of the different states encountered in the process. Key to resolving this problem is the interpretation of the flow as a bistable system with nonlinear propagation (advection) of turbulent fronts. These findings bridge the gap between our understanding of the onset of turbulence and fully turbulent flows.
AU - Barkley, Dwight
AU - Song, Baofang
AU - Vasudevan, Mukund
AU - Lemoult, Grégoire M
AU - Avila, Marc
AU - Hof, Björn
ID - 1664
IS - 7574
JF - Nature
TI - The rise of fully turbulent flow
VL - 526
ER -
TY - JOUR
AB - Which genetic alterations drive tumorigenesis and how they evolve over the course of disease and therapy are central questions in cancer biology. Here we identify 44 recurrently mutated genes and 11 recurrent somatic copy number variations through whole-exome sequencing of 538 chronic lymphocytic leukaemia (CLL) and matched germline DNA samples, 278 of which were collected in a prospective clinical trial. These include previously unrecognized putative cancer drivers (RPS15, IKZF3), and collectively identify RNA processing and export, MYC activity, and MAPK signalling as central pathways involved in CLL. Clonality analysis of this large data set further enabled reconstruction of temporal relationships between driver events. Direct comparison between matched pre-treatment and relapse samples from 59 patients demonstrated highly frequent clonal evolution. Thus, large sequencing data sets of clinically informative samples enable the discovery of novel genes associated with cancer, the network of relationships between the driver events, and their impact on disease relapse and clinical outcome.
AU - Landau, Dan
AU - Tausch, Eugen
AU - Taylor Weiner, Amaro
AU - Stewart, Chip
AU - Reiter, Johannes
AU - Bahlo, Jasmin
AU - Kluth, Sandra
AU - Božić, Ivana
AU - Lawrence, Michael
AU - Böttcher, Sebastian
AU - Carter, Scott
AU - Cibulskis, Kristian
AU - Mertens, Daniel
AU - Sougnez, Carrie
AU - Rosenberg, Mara
AU - Hess, Julian
AU - Edelmann, Jennifer
AU - Kless, Sabrina
AU - Kneba, Michael
AU - Ritgen, Matthias
AU - Fink, Anna
AU - Fischer, Kirsten
AU - Gabriel, Stacey
AU - Lander, Eric
AU - Nowak, Martin
AU - Döhner, Hartmut
AU - Hallek, Michael
AU - Neuberg, Donna
AU - Getz, Gad
AU - Stilgenbauer, Stephan
AU - Wu, Catherine
ID - 1665
IS - 7574
JF - Nature
TI - Mutations driving CLL and their evolution in progression and relapse
VL - 526
ER -
TY - CONF
AB - We consider parametric version of fixed-delay continuoustime Markov chains (or equivalently deterministic and stochastic Petri nets, DSPN) where fixed-delay transitions are specified by parameters, rather than concrete values. Our goal is to synthesize values of these parameters that, for a given cost function, minimise expected total cost incurred before reaching a given set of target states. We show that under mild assumptions, optimal values of parameters can be effectively approximated using translation to a Markov decision process (MDP) whose actions correspond to discretized values of these parameters. To this end we identify and overcome several interesting phenomena arising in systems with fixed delays.
AU - Brázdil, Tomáš
AU - Korenčiak, L'Uboš
AU - Krčál, Jan
AU - Novotny, Petr
AU - Řehák, Vojtěch
ID - 1667
TI - Optimizing performance of continuous-time stochastic systems using timeout synthesis
VL - 9259
ER -
TY - CONF
AB - We revisit the security (as a pseudorandom permutation) of cascading-based constructions for block-cipher key-length extension. Previous works typically considered the extreme case where the adversary is given the entire codebook of the construction, the only complexity measure being the number qe of queries to the underlying ideal block cipher, representing adversary’s secret-key-independent computation. Here, we initiate a systematic study of the more natural case of an adversary restricted to adaptively learning a number qc of plaintext/ciphertext pairs that is less than the entire codebook. For any such qc, we aim to determine the highest number of block-cipher queries qe the adversary can issue without being able to successfully distinguish the construction (under a secret key) from a random permutation.
More concretely, we show the following results for key-length extension schemes using a block cipher with n-bit blocks and κ-bit keys:
Plain cascades of length ℓ=2r+1 are secure whenever qcqre≪2r(κ+n), qc≪2κ and qe≪22κ. The bound for r=1 also applies to two-key triple encryption (as used within Triple DES).
The r-round XOR-cascade is secure as long as qcqre≪2r(κ+n), matching an attack by Gaži (CRYPTO 2013).
We fully characterize the security of Gaži and Tessaro’s two-call
AU - Gazi, Peter
AU - Lee, Jooyoung
AU - Seurin, Yannick
AU - Steinberger, John
AU - Tessaro, Stefano
ID - 1668
TI - Relaxing full-codebook security: A refined analysis of key-length extension schemes
VL - 9054
ER -
TY - CONF
AB - Computational notions of entropy (a.k.a. pseudoentropy) have found many applications, including leakage-resilient cryptography, deterministic encryption or memory delegation. The most important tools to argue about pseudoentropy are chain rules, which quantify by how much (in terms of quantity and quality) the pseudoentropy of a given random variable X decreases when conditioned on some other variable Z (think for example of X as a secret key and Z as information leaked by a side-channel). In this paper we give a very simple and modular proof of the chain rule for HILL pseudoentropy, improving best known parameters. Our version allows for increasing the acceptable length of leakage in applications up to a constant factor compared to the best previous bounds. As a contribution of independent interest, we provide a comprehensive study of all known versions of the chain rule, comparing their worst-case strength and limitations.
AU - Pietrzak, Krzysztof Z
AU - Skórski, Maciej
ID - 1669
TI - The chain rule for HILL pseudoentropy, revisited
VL - 9230
ER -
TY - CONF
AB - Planning in hybrid domains poses a special challenge due to the involved mixed discrete-continuous dynamics. A recent solving approach for such domains is based on applying model checking techniques on a translation of PDDL+ planning problems to hybrid automata. However, the proposed translation is limited because must behavior is only overapproximated, and hence, processes and events are not reflected exactly. In this paper, we present the theoretical foundation of an exact PDDL+ translation. We propose a schema to convert a hybrid automaton with must transitions into an equivalent hybrid automaton featuring only may transitions.
AU - Bogomolov, Sergiy
AU - Magazzeni, Daniele
AU - Minopoli, Stefano
AU - Wehrle, Martin
ID - 1670
TI - PDDL+ planning with hybrid automata: Foundations of translating must behavior
ER -
TY - CONF
AB - This paper studies the concrete security of PRFs and MACs obtained by keying hash functions based on the sponge paradigm. One such hash function is KECCAK, selected as NIST’s new SHA-3 standard. In contrast to other approaches like HMAC, the exact security of keyed sponges is not well understood. Indeed, recent security analyses delivered concrete security bounds which are far from existing attacks. This paper aims to close this gap. We prove (nearly) exact bounds on the concrete PRF security of keyed sponges using a random permutation. These bounds are tight for the most relevant ranges of parameters, i.e., for messages of length (roughly) l ≤ min{2n/4, 2r} blocks, where n is the state size and r is the desired output length; and for l ≤ q queries (to the construction or the underlying permutation). Moreover, we also improve standard-model bounds. As an intermediate step of independent interest, we prove tight bounds on the PRF security of the truncated CBC-MAC construction, which operates as plain CBC-MAC, but only returns a prefix of the output.
AU - Gazi, Peter
AU - Pietrzak, Krzysztof Z
AU - Tessaro, Stefano
ID - 1671
TI - The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC
VL - 9215
ER -