[{"quality_controlled":"1","publisher":"Springer International Publishing","oa":1,"date_published":"2019-04-24T00:00:00Z","doi":"10.1007/978-3-030-17656-3_10","date_created":"2020-01-30T09:26:14Z","page":"277-291","day":"24","publication":"Advances in Cryptology – EUROCRYPT 2019","isi":1,"year":"2019","project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"title":"Reversible proofs of sequential work","author":[{"full_name":"Abusalah, Hamza M","last_name":"Abusalah","id":"40297222-F248-11E8-B48F-1D18A9856A87","first_name":"Hamza M"},{"last_name":"Kamath Hosdurg","full_name":"Kamath Hosdurg, Chethan","first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87"},{"id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","first_name":"Karen","full_name":"Klein, Karen","last_name":"Klein"},{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"orcid":"0000-0003-3186-2482","full_name":"Walter, Michael","last_name":"Walter","id":"488F98B0-F248-11E8-B48F-1D18A9856A87","first_name":"Michael"}],"article_processing_charge":"No","external_id":{"isi":["000483516200010"]},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"ieee":"H. M. Abusalah, C. Kamath Hosdurg, K. Klein, K. Z. Pietrzak, and M. Walter, “Reversible proofs of sequential work,” in Advances in Cryptology – EUROCRYPT 2019, Darmstadt, Germany, 2019, vol. 11477, pp. 277–291.","short":"H.M. Abusalah, C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, M. Walter, in:, Advances in Cryptology – EUROCRYPT 2019, Springer International Publishing, 2019, pp. 277–291.","ama":"Abusalah HM, Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. Reversible proofs of sequential work. In: Advances in Cryptology – EUROCRYPT 2019. Vol 11477. Springer International Publishing; 2019:277-291. doi:10.1007/978-3-030-17656-3_10","apa":"Abusalah, H. M., Kamath Hosdurg, C., Klein, K., Pietrzak, K. Z., & Walter, M. (2019). Reversible proofs of sequential work. In Advances in Cryptology – EUROCRYPT 2019 (Vol. 11477, pp. 277–291). Darmstadt, Germany: Springer International Publishing. https://doi.org/10.1007/978-3-030-17656-3_10","mla":"Abusalah, Hamza M., et al. “Reversible Proofs of Sequential Work.” Advances in Cryptology – EUROCRYPT 2019, vol. 11477, Springer International Publishing, 2019, pp. 277–91, doi:10.1007/978-3-030-17656-3_10.","ista":"Abusalah HM, Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. 2019. Reversible proofs of sequential work. Advances in Cryptology – EUROCRYPT 2019. International Conference on the Theory and Applications of Cryptographic Techniques, LNCS, vol. 11477, 277–291.","chicago":"Abusalah, Hamza M, Chethan Kamath Hosdurg, Karen Klein, Krzysztof Z Pietrzak, and Michael Walter. “Reversible Proofs of Sequential Work.” In Advances in Cryptology – EUROCRYPT 2019, 11477:277–91. Springer International Publishing, 2019. https://doi.org/10.1007/978-3-030-17656-3_10."},"month":"04","intvolume":" 11477","scopus_import":"1","alternative_title":["LNCS"],"main_file_link":[{"url":"https://eprint.iacr.org/2019/252","open_access":"1"}],"oa_version":"Submitted Version","abstract":[{"text":"Proofs of sequential work (PoSW) are proof systems where a prover, upon receiving a statement χ and a time parameter T computes a proof ϕ(χ,T) which is efficiently and publicly verifiable. The proof can be computed in T sequential steps, but not much less, even by a malicious party having large parallelism. A PoSW thus serves as a proof that T units of time have passed since χ\r\n\r\nwas received.\r\n\r\nPoSW were introduced by Mahmoody, Moran and Vadhan [MMV11], a simple and practical construction was only recently proposed by Cohen and Pietrzak [CP18].\r\n\r\nIn this work we construct a new simple PoSW in the random permutation model which is almost as simple and efficient as [CP18] but conceptually very different. Whereas the structure underlying [CP18] is a hash tree, our construction is based on skip lists and has the interesting property that computing the PoSW is a reversible computation.\r\nThe fact that the construction is reversible can potentially be used for new applications like constructing proofs of replication. We also show how to “embed” the sloth function of Lenstra and Weselowski [LW17] into our PoSW to get a PoSW where one additionally can verify correctness of the output much more efficiently than recomputing it (though recent constructions of “verifiable delay functions” subsume most of the applications this construction was aiming at).","lang":"eng"}],"volume":11477,"ec_funded":1,"language":[{"iso":"eng"}],"publication_identifier":{"issn":["0302-9743"],"eissn":["1611-3349"],"isbn":["9783030176556","9783030176563"]},"publication_status":"published","status":"public","type":"conference","conference":{"name":"International Conference on the Theory and Applications of Cryptographic Techniques","location":"Darmstadt, Germany","end_date":"2019-05-23","start_date":"2019-05-19"},"_id":"7411","department":[{"_id":"KrPi"}],"date_updated":"2023-09-06T15:26:06Z"},{"department":[{"_id":"KrPi"}],"date_updated":"2023-09-07T13:15:55Z","status":"public","conference":{"start_date":"2019-06-23","end_date":"2019-06-26","location":"Phoenix, AZ, United States","name":"STOC: Symposium on Theory of Computing"},"type":"conference","_id":"6677","ec_funded":1,"related_material":{"record":[{"id":"7896","status":"public","relation":"dissertation_contains"}]},"language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"isbn":["9781450367059"]},"month":"06","main_file_link":[{"url":"https://eprint.iacr.org/2019/549","open_access":"1"}],"scopus_import":"1","oa_version":"Preprint","abstract":[{"text":"The Fiat-Shamir heuristic transforms a public-coin interactive proof into a non-interactive argument, by replacing the verifier with a cryptographic hash function that is applied to the protocol’s transcript. Constructing hash functions for which this transformation is sound is a central and long-standing open question in cryptography.\r\n\r\nWe show that solving the END−OF−METERED−LINE problem is no easier than breaking the soundness of the Fiat-Shamir transformation when applied to the sumcheck protocol. In particular, if the transformed protocol is sound, then any hard problem in #P gives rise to a hard distribution in the class CLS, which is contained in PPAD. Our result opens up the possibility of sampling moderately-sized games for which it is hard to find a Nash equilibrium, by reducing the inversion of appropriately chosen one-way functions to #SAT.\r\n\r\nOur main technical contribution is a stateful incrementally verifiable procedure that, given a SAT instance over n variables, counts the number of satisfying assignments. This is accomplished via an exponential sequence of small steps, each computable in time poly(n). Incremental verifiability means that each intermediate state includes a sumcheck-based proof of its correctness, and the proof can be updated and verified in time poly(n).","lang":"eng"}],"title":"Finding a Nash equilibrium is no easier than breaking Fiat-Shamir","article_processing_charge":"No","external_id":{"isi":["000523199100100"]},"author":[{"full_name":"Choudhuri, Arka Rai","last_name":"Choudhuri","first_name":"Arka Rai"},{"first_name":"Pavel","last_name":"Hubáček","full_name":"Hubáček, Pavel"},{"full_name":"Kamath Hosdurg, Chethan","last_name":"Kamath Hosdurg","first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"},{"first_name":"Alon","last_name":"Rosen","full_name":"Rosen, Alon"},{"first_name":"Guy N.","last_name":"Rothblum","full_name":"Rothblum, Guy N."}],"user_id":"4359f0d1-fa6c-11eb-b949-802e58b17ae8","citation":{"mla":"Choudhuri, Arka Rai, et al. “Finding a Nash Equilibrium Is No Easier than Breaking Fiat-Shamir.” Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019, ACM Press, 2019, pp. 1103–14, doi:10.1145/3313276.3316400.","apa":"Choudhuri, A. R., Hubáček, P., Kamath Hosdurg, C., Pietrzak, K. Z., Rosen, A., & Rothblum, G. N. (2019). Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. In Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019 (pp. 1103–1114). Phoenix, AZ, United States: ACM Press. https://doi.org/10.1145/3313276.3316400","ama":"Choudhuri AR, Hubáček P, Kamath Hosdurg C, Pietrzak KZ, Rosen A, Rothblum GN. Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. In: Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019. ACM Press; 2019:1103-1114. doi:10.1145/3313276.3316400","ieee":"A. R. Choudhuri, P. Hubáček, C. Kamath Hosdurg, K. Z. Pietrzak, A. Rosen, and G. N. Rothblum, “Finding a Nash equilibrium is no easier than breaking Fiat-Shamir,” in Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019, Phoenix, AZ, United States, 2019, pp. 1103–1114.","short":"A.R. Choudhuri, P. Hubáček, C. Kamath Hosdurg, K.Z. Pietrzak, A. Rosen, G.N. Rothblum, in:, Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019, ACM Press, 2019, pp. 1103–1114.","chicago":"Choudhuri, Arka Rai, Pavel Hubáček, Chethan Kamath Hosdurg, Krzysztof Z Pietrzak, Alon Rosen, and Guy N. Rothblum. “Finding a Nash Equilibrium Is No Easier than Breaking Fiat-Shamir.” In Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019, 1103–14. ACM Press, 2019. https://doi.org/10.1145/3313276.3316400.","ista":"Choudhuri AR, Hubáček P, Kamath Hosdurg C, Pietrzak KZ, Rosen A, Rothblum GN. 2019. Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019. STOC: Symposium on Theory of Computing, 1103–1114."},"project":[{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815","name":"Teaching Old Crypto New Tricks"}],"date_created":"2019-07-24T09:20:53Z","doi":"10.1145/3313276.3316400","date_published":"2019-06-01T00:00:00Z","page":"1103-1114","publication":"Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019","day":"01","year":"2019","isi":1,"oa":1,"publisher":"ACM Press","quality_controlled":"1"},{"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"ista":"Fuchsbauer G, Kamath Hosdurg C, Klein K, Pietrzak KZ. 2019. Adaptively secure proxy re-encryption. PKC: Public-Key Cryptograhy, LNCS, vol. 11443, 317–346.","chicago":"Fuchsbauer, Georg, Chethan Kamath Hosdurg, Karen Klein, and Krzysztof Z Pietrzak. “Adaptively Secure Proxy Re-Encryption,” 11443:317–46. Springer Nature, 2019. https://doi.org/10.1007/978-3-030-17259-6_11.","short":"G. Fuchsbauer, C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, in:, Springer Nature, 2019, pp. 317–346.","ieee":"G. Fuchsbauer, C. Kamath Hosdurg, K. Klein, and K. Z. Pietrzak, “Adaptively secure proxy re-encryption,” presented at the PKC: Public-Key Cryptograhy, Beijing, China, 2019, vol. 11443, pp. 317–346.","ama":"Fuchsbauer G, Kamath Hosdurg C, Klein K, Pietrzak KZ. Adaptively secure proxy re-encryption. In: Vol 11443. Springer Nature; 2019:317-346. doi:10.1007/978-3-030-17259-6_11","apa":"Fuchsbauer, G., Kamath Hosdurg, C., Klein, K., & Pietrzak, K. Z. (2019). Adaptively secure proxy re-encryption (Vol. 11443, pp. 317–346). Presented at the PKC: Public-Key Cryptograhy, Beijing, China: Springer Nature. https://doi.org/10.1007/978-3-030-17259-6_11","mla":"Fuchsbauer, Georg, et al. Adaptively Secure Proxy Re-Encryption. Vol. 11443, Springer Nature, 2019, pp. 317–46, doi:10.1007/978-3-030-17259-6_11."},"title":"Adaptively secure proxy re-encryption","article_processing_charge":"No","author":[{"first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer"},{"first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","last_name":"Kamath Hosdurg","full_name":"Kamath Hosdurg, Chethan"},{"id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","first_name":"Karen","last_name":"Klein","full_name":"Klein, Karen"},{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"}],"project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}],"day":"06","year":"2019","date_created":"2019-05-13T08:13:46Z","date_published":"2019-04-06T00:00:00Z","doi":"10.1007/978-3-030-17259-6_11","page":"317-346","oa":1,"publisher":"Springer Nature","quality_controlled":"1","date_updated":"2023-09-08T11:33:20Z","department":[{"_id":"KrPi"}],"_id":"6430","status":"public","conference":{"location":"Beijing, China","end_date":"2019-04-17","start_date":"2019-04-14","name":"PKC: Public-Key Cryptograhy"},"type":"conference","language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"issn":["03029743"],"isbn":["9783030172589"],"eissn":["16113349"]},"ec_funded":1,"related_material":{"record":[{"id":"10035","status":"public","relation":"dissertation_contains"}]},"volume":11443,"oa_version":"Preprint","abstract":[{"lang":"eng","text":"A proxy re-encryption (PRE) scheme is a public-key encryption scheme that allows the holder of a key pk to derive a re-encryption key for any other key 𝑝𝑘′. This re-encryption key lets anyone transform ciphertexts under pk into ciphertexts under 𝑝𝑘′ without having to know the underlying message, while transformations from 𝑝𝑘′ to pk should not be possible (unidirectional). Security is defined in a multi-user setting against an adversary that gets the users’ public keys and can ask for re-encryption keys and can corrupt users by requesting their secret keys. Any ciphertext that the adversary cannot trivially decrypt given the obtained secret and re-encryption keys should be secure.\r\n\r\nAll existing security proofs for PRE only show selective security, where the adversary must first declare the users it wants to corrupt. This can be lifted to more meaningful adaptive security by guessing the set of corrupted users among the n users, which loses a factor exponential in Open image in new window , rendering the result meaningless already for moderate Open image in new window .\r\n\r\nJafargholi et al. (CRYPTO’17) proposed a framework that in some cases allows to give adaptive security proofs for schemes which were previously only known to be selectively secure, while avoiding the exponential loss that results from guessing the adaptive choices made by an adversary. We apply their framework to PREs that satisfy some natural additional properties. Concretely, we give a more fine-grained reduction for several unidirectional PREs, proving adaptive security at a much smaller loss. The loss depends on the graph of users whose edges represent the re-encryption keys queried by the adversary. For trees and chains the loss is quasi-polynomial in the size and for general graphs it is exponential in their depth and indegree (instead of their size as for previous reductions). Fortunately, trees and low-depth graphs cover many, if not most, interesting applications.\r\n\r\nOur results apply e.g. to the bilinear-map based PRE schemes by Ateniese et al. (NDSS’05 and CT-RSA’09), Gentry’s FHE-based scheme (STOC’09) and the LWE-based scheme by Chandran et al. (PKC’14)."}],"intvolume":" 11443","month":"04","main_file_link":[{"url":"https://eprint.iacr.org/2018/426","open_access":"1"}],"scopus_import":"1","alternative_title":["LNCS"]},{"quality_controlled":"1","publisher":"International Association for Cryptologic Research","oa":1,"day":"01","publication":"IACR Transactions on Cryptographic Hardware and Embedded Systems","has_accepted_license":"1","year":"2018","date_published":"2018-01-01T00:00:00Z","doi":"10.13154/tches.v2018.i3.214-242","date_created":"2021-11-14T23:01:25Z","page":"214-242","user_id":"8b945eb4-e2f2-11eb-945a-df72226e66a9","citation":{"ista":"Allini EN, Skórski M, Petura O, Bernard F, Laban M, Fischer V. 2018. Evaluation and monitoring of free running oscillators serving as source of randomness. IACR Transactions on Cryptographic Hardware and Embedded Systems. 2018(3), 214–242.","chicago":"Allini, Elie Noumon, Maciej Skórski, Oto Petura, Florent Bernard, Marek Laban, and Viktor Fischer. “Evaluation and Monitoring of Free Running Oscillators Serving as Source of Randomness.” IACR Transactions on Cryptographic Hardware and Embedded Systems. International Association for Cryptologic Research, 2018. https://doi.org/10.13154/tches.v2018.i3.214-242.","ama":"Allini EN, Skórski M, Petura O, Bernard F, Laban M, Fischer V. Evaluation and monitoring of free running oscillators serving as source of randomness. IACR Transactions on Cryptographic Hardware and Embedded Systems. 2018;2018(3):214-242. doi:10.13154/tches.v2018.i3.214-242","apa":"Allini, E. N., Skórski, M., Petura, O., Bernard, F., Laban, M., & Fischer, V. (2018). Evaluation and monitoring of free running oscillators serving as source of randomness. IACR Transactions on Cryptographic Hardware and Embedded Systems. International Association for Cryptologic Research. https://doi.org/10.13154/tches.v2018.i3.214-242","ieee":"E. N. Allini, M. Skórski, O. Petura, F. Bernard, M. Laban, and V. Fischer, “Evaluation and monitoring of free running oscillators serving as source of randomness,” IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2018, no. 3. International Association for Cryptologic Research, pp. 214–242, 2018.","short":"E.N. Allini, M. Skórski, O. Petura, F. Bernard, M. Laban, V. Fischer, IACR Transactions on Cryptographic Hardware and Embedded Systems 2018 (2018) 214–242.","mla":"Allini, Elie Noumon, et al. “Evaluation and Monitoring of Free Running Oscillators Serving as Source of Randomness.” IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2018, no. 3, International Association for Cryptologic Research, 2018, pp. 214–42, doi:10.13154/tches.v2018.i3.214-242."},"title":"Evaluation and monitoring of free running oscillators serving as source of randomness","author":[{"last_name":"Allini","full_name":"Allini, Elie Noumon","first_name":"Elie Noumon"},{"first_name":"Maciej","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD","full_name":"Skórski, Maciej","last_name":"Skórski"},{"first_name":"Oto","last_name":"Petura","full_name":"Petura, Oto"},{"first_name":"Florent","full_name":"Bernard, Florent","last_name":"Bernard"},{"last_name":"Laban","full_name":"Laban, Marek","first_name":"Marek"},{"first_name":"Viktor","full_name":"Fischer, Viktor","last_name":"Fischer"}],"article_processing_charge":"No","oa_version":"Published Version","abstract":[{"text":"In this paper, we evaluate clock signals generated in ring oscillators and self-timed rings and the way their jitter can be transformed into random numbers. We show that counting the periods of the jittery clock signal produces random numbers of significantly better quality than the methods in which the jittery signal is simply sampled (the case in almost all current methods). Moreover, we use the counter values to characterize and continuously monitor the source of randomness. However, instead of using the widely used statistical variance, we propose to use Allan variance to do so. There are two main advantages: Allan variance is insensitive to low frequency noises such as flicker noise that are known to be autocorrelated and significantly less circuitry is required for its computation than that used to compute commonly used variance. We also show that it is essential to use a differential principle of randomness extraction from the jitter based on the use of two identical oscillators to avoid autocorrelations originating from external and internal global jitter sources and that this fact is valid for both kinds of rings. Last but not least, we propose a method of statistical testing based on high order Markov model to show the reduced dependencies when the proposed randomness extraction is applied.","lang":"eng"}],"month":"01","intvolume":" 2018","scopus_import":"1","file":[{"file_id":"10289","checksum":"b816b848f046c48a8357700d9305dce5","success":1,"access_level":"open_access","relation":"main_file","content_type":"application/pdf","date_created":"2021-11-15T10:27:29Z","file_name":"2018_IACR_Allini.pdf","creator":"cchlebak","date_updated":"2021-11-15T10:27:29Z","file_size":955755}],"language":[{"iso":"eng"}],"publication_identifier":{"eissn":["2569-2925"]},"publication_status":"published","issue":"3","volume":2018,"license":"https://creativecommons.org/licenses/by/4.0/","_id":"10286","status":"public","article_type":"original","type":"journal_article","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"ddc":["000"],"date_updated":"2021-11-15T10:48:49Z","department":[{"_id":"KrPi"}],"file_date_updated":"2021-11-15T10:27:29Z"},{"language":[{"iso":"eng"}],"file":[{"creator":"dernst","date_updated":"2020-07-14T12:47:57Z","file_size":822884,"date_created":"2020-02-04T08:17:52Z","file_name":"2018_LIPIcs_Pietrzak.pdf","access_level":"open_access","relation":"main_file","content_type":"application/pdf","file_id":"7443","checksum":"5cebb7f7849a3beda898f697d755dd96"}],"publication_status":"published","publication_identifier":{"issn":["1868-8969"],"isbn":["978-3-95977-095-8"]},"ec_funded":1,"volume":124,"oa_version":"Published Version","abstract":[{"text":"Proofs of space (PoS) [Dziembowski et al., CRYPTO'15] are proof systems where a prover can convince a verifier that he \"wastes\" disk space. PoS were introduced as a more ecological and economical replacement for proofs of work which are currently used to secure blockchains like Bitcoin. In this work we investigate extensions of PoS which allow the prover to embed useful data into the dedicated space, which later can be recovered. Our first contribution is a security proof for the original PoS from CRYPTO'15 in the random oracle model (the original proof only applied to a restricted class of adversaries which can store a subset of the data an honest prover would store). When this PoS is instantiated with recent constructions of maximally depth robust graphs, our proof implies basically optimal security. As a second contribution we show three different extensions of this PoS where useful data can be embedded into the space required by the prover. Our security proof for the PoS extends (non-trivially) to these constructions. We discuss how some of these variants can be used as proofs of catalytic space (PoCS), a notion we put forward in this work, and which basically is a PoS where most of the space required by the prover can be used to backup useful data. Finally we discuss how one of the extensions is a candidate construction for a proof of replication (PoR), a proof system recently suggested in the Filecoin whitepaper. ","lang":"eng"}],"intvolume":" 124","month":"12","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2018/194"}],"scopus_import":1,"alternative_title":["LIPIcs"],"ddc":["000"],"date_updated":"2021-01-12T08:13:26Z","file_date_updated":"2020-07-14T12:47:57Z","department":[{"_id":"KrPi"}],"_id":"7407","status":"public","conference":{"start_date":"2019-01-10","end_date":"2019-01-12","location":"San Diego, CA, United States","name":"ITCS: Innovations in theoretical Computer Science Conference"},"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"type":"conference","publication":"10th Innovations in Theoretical Computer Science Conference (ITCS 2019)","day":"31","year":"2018","has_accepted_license":"1","date_created":"2020-01-30T09:16:05Z","date_published":"2018-12-31T00:00:00Z","doi":"10.4230/LIPICS.ITCS.2019.59","page":"59:1-59:25","oa":1,"publisher":"Schloss Dagstuhl - Leibniz-Zentrum für Informatik","quality_controlled":"1","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Pietrzak, Krzysztof Z. “Proofs of Catalytic Space.” 10th Innovations in Theoretical Computer Science Conference (ITCS 2019), vol. 124, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2018, p. 59:1-59:25, doi:10.4230/LIPICS.ITCS.2019.59.","ieee":"K. Z. Pietrzak, “Proofs of catalytic space,” in 10th Innovations in Theoretical Computer Science Conference (ITCS 2019), San Diego, CA, United States, 2018, vol. 124, p. 59:1-59:25.","short":"K.Z. Pietrzak, in:, 10th Innovations in Theoretical Computer Science Conference (ITCS 2019), Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2018, p. 59:1-59:25.","ama":"Pietrzak KZ. Proofs of catalytic space. In: 10th Innovations in Theoretical Computer Science Conference (ITCS 2019). Vol 124. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2018:59:1-59:25. doi:10.4230/LIPICS.ITCS.2019.59","apa":"Pietrzak, K. Z. (2018). Proofs of catalytic space. In 10th Innovations in Theoretical Computer Science Conference (ITCS 2019) (Vol. 124, p. 59:1-59:25). San Diego, CA, United States: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. https://doi.org/10.4230/LIPICS.ITCS.2019.59","chicago":"Pietrzak, Krzysztof Z. “Proofs of Catalytic Space.” In 10th Innovations in Theoretical Computer Science Conference (ITCS 2019), 124:59:1-59:25. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2018. https://doi.org/10.4230/LIPICS.ITCS.2019.59.","ista":"Pietrzak KZ. 2018. Proofs of catalytic space. 10th Innovations in Theoretical Computer Science Conference (ITCS 2019). ITCS: Innovations in theoretical Computer Science Conference, LIPIcs, vol. 124, 59:1-59:25."},"title":"Proofs of catalytic space","article_processing_charge":"No","author":[{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"}],"project":[{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}]},{"alternative_title":["ISTA Thesis"],"month":"09","abstract":[{"text":"A proof system is a protocol between a prover and a verifier over a common input in which an honest prover convinces the verifier of the validity of true statements. Motivated by the success of decentralized cryptocurrencies, exemplified by Bitcoin, the focus of this thesis will be on proof systems which found applications in some sustainable alternatives to Bitcoin, such as the Spacemint and Chia cryptocurrencies. In particular, we focus on proofs of space and proofs of sequential work.\r\nProofs of space (PoSpace) were suggested as more ecological, economical, and egalitarian alternative to the energy-wasteful proof-of-work mining of Bitcoin. However, the state-of-the-art constructions of PoSpace are based on sophisticated graph pebbling lower bounds, and are therefore complex. Moreover, when these PoSpace are used in cryptocurrencies like Spacemint, miners can only start mining after ensuring that a commitment to their space is already added in a special transaction to the blockchain. Proofs of sequential work (PoSW) are proof systems in which a prover, upon receiving a statement x and a time parameter T, computes a proof which convinces the verifier that T time units had passed since x was received. Whereas Spacemint assumes synchrony to retain some interesting Bitcoin dynamics, Chia requires PoSW with unique proofs, i.e., PoSW in which it is hard to come up with more than one accepting proof for any true statement. In this thesis we construct simple and practically-efficient PoSpace and PoSW. When using our PoSpace in cryptocurrencies, miners can start mining on the fly, like in Bitcoin, and unlike current constructions of PoSW, which either achieve efficient verification of sequential work, or faster-than-recomputing verification of correctness of proofs, but not both at the same time, ours achieve the best of these two worlds.","lang":"eng"}],"oa_version":"Published Version","related_material":{"record":[{"id":"1229","status":"public","relation":"part_of_dissertation"},{"status":"public","id":"1235","relation":"part_of_dissertation"},{"relation":"part_of_dissertation","id":"1236","status":"public"},{"relation":"part_of_dissertation","id":"559","status":"public"}]},"ec_funded":1,"publication_identifier":{"issn":["2663-337X"]},"publication_status":"published","degree_awarded":"PhD","file":[{"file_id":"6245","checksum":"c4b5f7d111755d1396787f41886fc674","access_level":"open_access","relation":"main_file","content_type":"application/pdf","date_created":"2019-04-09T06:43:41Z","file_name":"2018_Thesis_Abusalah.pdf","creator":"dernst","date_updated":"2020-07-14T12:48:11Z","file_size":876241},{"file_id":"6246","checksum":"0f382ac56b471c48fd907d63eb87dafe","access_level":"closed","relation":"source_file","content_type":"application/x-gzip","date_created":"2019-04-09T06:43:41Z","file_name":"2018_Thesis_Abusalah_source.tar.gz","creator":"dernst","date_updated":"2020-07-14T12:48:11Z","file_size":2029190}],"language":[{"iso":"eng"}],"type":"dissertation","status":"public","pubrep_id":"1046","_id":"83","department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:48:11Z","supervisor":[{"full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"}],"date_updated":"2023-09-07T12:30:23Z","ddc":["004"],"publisher":"Institute of Science and Technology Austria","oa":1,"page":"59","doi":"10.15479/AT:ISTA:TH_1046","date_published":"2018-09-05T00:00:00Z","date_created":"2018-12-11T11:44:32Z","has_accepted_license":"1","year":"2018","day":"05","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography"},{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"publist_id":"7971","author":[{"id":"40297222-F248-11E8-B48F-1D18A9856A87","first_name":"Hamza M","full_name":"Abusalah, Hamza M","last_name":"Abusalah"}],"article_processing_charge":"No","title":"Proof systems for sustainable decentralized cryptocurrencies","citation":{"short":"H.M. Abusalah, Proof Systems for Sustainable Decentralized Cryptocurrencies, Institute of Science and Technology Austria, 2018.","ieee":"H. M. Abusalah, “Proof systems for sustainable decentralized cryptocurrencies,” Institute of Science and Technology Austria, 2018.","apa":"Abusalah, H. M. (2018). Proof systems for sustainable decentralized cryptocurrencies. Institute of Science and Technology Austria. https://doi.org/10.15479/AT:ISTA:TH_1046","ama":"Abusalah HM. Proof systems for sustainable decentralized cryptocurrencies. 2018. doi:10.15479/AT:ISTA:TH_1046","mla":"Abusalah, Hamza M. Proof Systems for Sustainable Decentralized Cryptocurrencies. Institute of Science and Technology Austria, 2018, doi:10.15479/AT:ISTA:TH_1046.","ista":"Abusalah HM. 2018. Proof systems for sustainable decentralized cryptocurrencies. Institute of Science and Technology Austria.","chicago":"Abusalah, Hamza M. “Proof Systems for Sustainable Decentralized Cryptocurrencies.” Institute of Science and Technology Austria, 2018. https://doi.org/10.15479/AT:ISTA:TH_1046."},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1"},{"doi":"10.1109/ISIT.2018.8437654","date_published":"2018-08-16T00:00:00Z","date_created":"2018-12-11T11:44:40Z","isi":1,"year":"2018","day":"16","quality_controlled":"1","publisher":"IEEE","oa":1,"author":[{"first_name":"Marciej","last_name":"Obremski","full_name":"Obremski, Marciej"},{"first_name":"Maciej","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD","last_name":"Skorski","full_name":"Skorski, Maciej"}],"publist_id":"7946","external_id":{"isi":["000448139300368"]},"article_processing_charge":"No","title":"Inverted leftover hash lemma","citation":{"ista":"Obremski M, Skórski M. 2018. Inverted leftover hash lemma. ISIT: International Symposium on Information Theory, ISIT Proceedings, vol. 2018.","chicago":"Obremski, Marciej, and Maciej Skórski. “Inverted Leftover Hash Lemma,” Vol. 2018. IEEE, 2018. https://doi.org/10.1109/ISIT.2018.8437654.","ieee":"M. Obremski and M. Skórski, “Inverted leftover hash lemma,” presented at the ISIT: International Symposium on Information Theory, Vail, CO, USA, 2018, vol. 2018.","short":"M. Obremski, M. Skórski, in:, IEEE, 2018.","ama":"Obremski M, Skórski M. Inverted leftover hash lemma. In: Vol 2018. IEEE; 2018. doi:10.1109/ISIT.2018.8437654","apa":"Obremski, M., & Skórski, M. (2018). Inverted leftover hash lemma (Vol. 2018). Presented at the ISIT: International Symposium on Information Theory, Vail, CO, USA: IEEE. https://doi.org/10.1109/ISIT.2018.8437654","mla":"Obremski, Marciej, and Maciej Skórski. Inverted Leftover Hash Lemma. Vol. 2018, IEEE, 2018, doi:10.1109/ISIT.2018.8437654."},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","volume":2018,"publication_status":"published","language":[{"iso":"eng"}],"scopus_import":"1","alternative_title":["ISIT Proceedings"],"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2017/507"}],"month":"08","intvolume":" 2018","abstract":[{"lang":"eng","text":"Universal hashing found a lot of applications in computer science. In cryptography the most important fact about universal families is the so called Leftover Hash Lemma, proved by Impagliazzo, Levin and Luby. In the language of modern cryptography it states that almost universal families are good extractors. In this work we provide a somewhat surprising characterization in the opposite direction. Namely, every extractor with sufficiently good parameters yields a universal family on a noticeable fraction of its inputs. Our proof technique is based on tools from extremal graph theory applied to the \\'collision graph\\' induced by the extractor, and may be of independent interest. We discuss possible applications to the theory of randomness extractors and non-malleable codes."}],"oa_version":"Submitted Version","department":[{"_id":"KrPi"}],"date_updated":"2023-09-13T08:23:18Z","type":"conference","conference":{"name":"ISIT: International Symposium on Information Theory","start_date":"2018-06-17 ","end_date":"2018-06-22","location":"Vail, CO, USA"},"status":"public","_id":"108"},{"publisher":"ACM","quality_controlled":"1","oa":1,"doi":"10.1145/3178432","date_published":"2018-08-01T00:00:00Z","date_created":"2018-12-11T11:44:40Z","isi":1,"year":"2018","day":"01","publication":"Journal of the ACM","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","grant_number":"682815"},{"name":"Provable Security for Physical Cryptography","grant_number":"259668","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"article_number":"20","author":[{"last_name":"Dziembowski","full_name":"Dziembowski, Stefan","first_name":"Stefan"},{"full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Daniel","full_name":"Wichs, Daniel","last_name":"Wichs"}],"publist_id":"7947","external_id":{"isi":["000442938200004"]},"article_processing_charge":"No","title":"Non-malleable codes","citation":{"apa":"Dziembowski, S., Pietrzak, K. Z., & Wichs, D. (2018). Non-malleable codes. Journal of the ACM. ACM. https://doi.org/10.1145/3178432","ama":"Dziembowski S, Pietrzak KZ, Wichs D. Non-malleable codes. Journal of the ACM. 2018;65(4). doi:10.1145/3178432","short":"S. Dziembowski, K.Z. Pietrzak, D. Wichs, Journal of the ACM 65 (2018).","ieee":"S. Dziembowski, K. Z. Pietrzak, and D. Wichs, “Non-malleable codes,” Journal of the ACM, vol. 65, no. 4. ACM, 2018.","mla":"Dziembowski, Stefan, et al. “Non-Malleable Codes.” Journal of the ACM, vol. 65, no. 4, 20, ACM, 2018, doi:10.1145/3178432.","ista":"Dziembowski S, Pietrzak KZ, Wichs D. 2018. Non-malleable codes. Journal of the ACM. 65(4), 20.","chicago":"Dziembowski, Stefan, Krzysztof Z Pietrzak, and Daniel Wichs. “Non-Malleable Codes.” Journal of the ACM. ACM, 2018. https://doi.org/10.1145/3178432."},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","scopus_import":"1","main_file_link":[{"url":"https://eprint.iacr.org/2009/608","open_access":"1"}],"month":"08","intvolume":" 65","abstract":[{"lang":"eng","text":"We introduce the notion of “non-malleable codes” which relaxes the notion of error correction and error detection. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely unrelated value. In contrast to error correction and error detection, non-malleability can be achieved for very rich classes of modifications. We construct an efficient code that is non-malleable with respect to modifications that affect each bit of the codeword arbitrarily (i.e., leave it untouched, flip it, or set it to either 0 or 1), but independently of the value of the other bits of the codeword. Using the probabilistic method, we also show a very strong and general statement: there exists a non-malleable code for every “small enough” family F of functions via which codewords can be modified. Although this probabilistic method argument does not directly yield efficient constructions, it gives us efficient non-malleable codes in the random-oracle model for very general classes of tampering functions—e.g., functions where every bit in the tampered codeword can depend arbitrarily on any 99% of the bits in the original codeword. As an application of non-malleable codes, we show that they provide an elegant algorithmic solution to the task of protecting functionalities implemented in hardware (e.g., signature cards) against “tampering attacks.” In such attacks, the secret state of a physical system is tampered, in the hopes that future interaction with the modified system will reveal some secret information. This problem was previously studied in the work of Gennaro et al. in 2004 under the name “algorithmic tamper proof security” (ATP). We show that non-malleable codes can be used to achieve important improvements over the prior work. In particular, we show that any functionality can be made secure against a large class of tampering attacks, simply by encoding the secret state with a non-malleable code while it is stored in memory."}],"oa_version":"Preprint","volume":65,"issue":"4","ec_funded":1,"publication_status":"published","language":[{"iso":"eng"}],"article_type":"original","type":"journal_article","status":"public","_id":"107","department":[{"_id":"KrPi"}],"date_updated":"2023-09-13T09:05:17Z"},{"publication_status":"published","language":[{"iso":"eng"}],"ec_funded":1,"abstract":[{"lang":"eng","text":"We show attacks on five data-independent memory-hard functions (iMHF) that were submitted to the password hashing competition (PHC). Informally, an MHF is a function which cannot be evaluated on dedicated hardware, like ASICs, at significantly lower hardware and/or energy cost than evaluating a single instance on a standard single-core architecture. Data-independent means the memory access pattern of the function is independent of the input; this makes iMHFs harder to construct than data-dependent ones, but the latter can be attacked by various side-channel attacks. Following [Alwen-Blocki'16], we capture the evaluation of an iMHF as a directed acyclic graph (DAG). The cumulative parallel pebbling complexity of this DAG is a measure for the hardware cost of evaluating the iMHF on an ASIC. Ideally, one would like the complexity of a DAG underlying an iMHF to be as close to quadratic in the number of nodes of the graph as possible. Instead, we show that (the DAGs underlying) the following iMHFs are far from this bound: Rig.v2, TwoCats and Gambit each having an exponent no more than 1.75. Moreover, we show that the complexity of the iMHF modes of the PHC finalists Pomelo and Lyra2 have exponents at most 1.83 and 1.67 respectively. To show this we investigate a combinatorial property of each underlying DAG (called its depth-robustness. By establishing upper bounds on this property we are then able to apply the general technique of [Alwen-Block'16] for analyzing the hardware costs of an iMHF."}],"oa_version":"Submitted Version","scopus_import":"1","main_file_link":[{"url":"https://eprint.iacr.org/2016/783","open_access":"1"}],"month":"06","date_updated":"2023-09-13T09:13:12Z","department":[{"_id":"KrPi"},{"_id":"HeEd"},{"_id":"VlKo"}],"_id":"193","type":"conference","conference":{"name":"ASIACCS: Asia Conference on Computer and Communications Security ","start_date":"2018-06-04","end_date":"2018-06-08","location":"Incheon, Republic of Korea"},"status":"public","isi":1,"year":"2018","day":"01","publication":"Proceedings of the 2018 on Asia Conference on Computer and Communication Security","page":"51 - 65","doi":"10.1145/3196494.3196534","date_published":"2018-06-01T00:00:00Z","date_created":"2018-12-11T11:45:07Z","acknowledgement":"Leonid Reyzin was supported in part by IST Austria and by US NSF grants 1012910, 1012798, and 1422965; this research was performed while he was visiting IST Austria.","publisher":"ACM","quality_controlled":"1","oa":1,"citation":{"ieee":"J. F. Alwen et al., “On the memory hardness of data independent password hashing functions,” in Proceedings of the 2018 on Asia Conference on Computer and Communication Security, Incheon, Republic of Korea, 2018, pp. 51–65.","short":"J.F. Alwen, P. Gazi, C. Kamath Hosdurg, K. Klein, G.F. Osang, K.Z. Pietrzak, L. Reyzin, M. Rolinek, M. Rybar, in:, Proceedings of the 2018 on Asia Conference on Computer and Communication Security, ACM, 2018, pp. 51–65.","ama":"Alwen JF, Gazi P, Kamath Hosdurg C, et al. On the memory hardness of data independent password hashing functions. In: Proceedings of the 2018 on Asia Conference on Computer and Communication Security. ACM; 2018:51-65. doi:10.1145/3196494.3196534","apa":"Alwen, J. F., Gazi, P., Kamath Hosdurg, C., Klein, K., Osang, G. F., Pietrzak, K. Z., … Rybar, M. (2018). On the memory hardness of data independent password hashing functions. In Proceedings of the 2018 on Asia Conference on Computer and Communication Security (pp. 51–65). Incheon, Republic of Korea: ACM. https://doi.org/10.1145/3196494.3196534","mla":"Alwen, Joel F., et al. “On the Memory Hardness of Data Independent Password Hashing Functions.” Proceedings of the 2018 on Asia Conference on Computer and Communication Security, ACM, 2018, pp. 51–65, doi:10.1145/3196494.3196534.","ista":"Alwen JF, Gazi P, Kamath Hosdurg C, Klein K, Osang GF, Pietrzak KZ, Reyzin L, Rolinek M, Rybar M. 2018. On the memory hardness of data independent password hashing functions. Proceedings of the 2018 on Asia Conference on Computer and Communication Security. ASIACCS: Asia Conference on Computer and Communications Security , 51–65.","chicago":"Alwen, Joel F, Peter Gazi, Chethan Kamath Hosdurg, Karen Klein, Georg F Osang, Krzysztof Z Pietrzak, Lenoid Reyzin, Michal Rolinek, and Michal Rybar. “On the Memory Hardness of Data Independent Password Hashing Functions.” In Proceedings of the 2018 on Asia Conference on Computer and Communication Security, 51–65. ACM, 2018. https://doi.org/10.1145/3196494.3196534."},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","publist_id":"7723","author":[{"id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F","full_name":"Alwen, Joel F","last_name":"Alwen"},{"first_name":"Peter","last_name":"Gazi","full_name":"Gazi, Peter"},{"first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","full_name":"Kamath Hosdurg, Chethan","last_name":"Kamath Hosdurg"},{"full_name":"Klein, Karen","last_name":"Klein","first_name":"Karen","id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Osang","orcid":"0000-0002-8882-5116","full_name":"Osang, Georg F","first_name":"Georg F","id":"464B40D6-F248-11E8-B48F-1D18A9856A87"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654"},{"last_name":"Reyzin","full_name":"Reyzin, Lenoid","first_name":"Lenoid"},{"last_name":"Rolinek","full_name":"Rolinek, Michal","first_name":"Michal","id":"3CB3BC06-F248-11E8-B48F-1D18A9856A87"},{"id":"2B3E3DE8-F248-11E8-B48F-1D18A9856A87","first_name":"Michal","full_name":"Rybar, Michal","last_name":"Rybar"}],"article_processing_charge":"No","external_id":{"isi":["000516620100005"]},"title":"On the memory hardness of data independent password hashing functions","project":[{"name":"Discrete Optimization in Computer Vision: Theory and Practice","grant_number":"616160","_id":"25FBA906-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"},{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}]},{"volume":10820,"ec_funded":1,"publication_status":"published","language":[{"iso":"eng"}],"scopus_import":"1","alternative_title":["LNCS"],"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2018/077"}],"month":"03","intvolume":" 10820","abstract":[{"lang":"eng","text":"We introduce a formal quantitative notion of “bit security” for a general type of cryptographic games (capturing both decision and search problems), aimed at capturing the intuition that a cryptographic primitive with k-bit security is as hard to break as an ideal cryptographic function requiring a brute force attack on a k-bit key space. Our new definition matches the notion of bit security commonly used by cryptographers and cryptanalysts when studying search (e.g., key recovery) problems, where the use of the traditional definition is well established. However, it produces a quantitatively different metric in the case of decision (indistinguishability) problems, where the use of (a straightforward generalization of) the traditional definition is more problematic and leads to a number of paradoxical situations or mismatches between theoretical/provable security and practical/common sense intuition. Key to our new definition is to consider adversaries that may explicitly declare failure of the attack. We support and justify the new definition by proving a number of technical results, including tight reductions between several standard cryptographic problems, a new hybrid theorem that preserves bit security, and an application to the security analysis of indistinguishability primitives making use of (approximate) floating point numbers. This is the first result showing that (standard precision) 53-bit floating point numbers can be used to achieve 100-bit security in the context of cryptographic primitives with general indistinguishability-based security definitions. Previous results of this type applied only to search problems, or special types of decision problems."}],"oa_version":"Submitted Version","department":[{"_id":"KrPi"}],"date_updated":"2023-09-13T09:12:04Z","type":"conference","conference":{"location":"Tel Aviv, Israel","end_date":"2018-05-03","start_date":"2018-04-29","name":"Eurocrypt: Advances in Cryptology"},"status":"public","_id":"300","page":"3 - 28","date_published":"2018-03-31T00:00:00Z","doi":"10.1007/978-3-319-78381-9_1","date_created":"2018-12-11T11:45:42Z","isi":1,"year":"2018","day":"31","publisher":"Springer","quality_controlled":"1","oa":1,"acknowledgement":"Research supported in part by the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under the SafeWare program. Opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views, position or policy of the Government. The second author was also supported by the European Research Council, ERC consolidator grant (682815 - TOCNeT).","publist_id":"7581","author":[{"first_name":"Daniele","full_name":"Micciancio, Daniele","last_name":"Micciancio"},{"first_name":"Michael","id":"488F98B0-F248-11E8-B48F-1D18A9856A87","full_name":"Walter, Michael","orcid":"0000-0003-3186-2482","last_name":"Walter"}],"article_processing_charge":"No","external_id":{"isi":["000517097500001"]},"title":"On the bit security of cryptographic primitives","citation":{"mla":"Micciancio, Daniele, and Michael Walter. On the Bit Security of Cryptographic Primitives. Vol. 10820, Springer, 2018, pp. 3–28, doi:10.1007/978-3-319-78381-9_1.","ieee":"D. Micciancio and M. Walter, “On the bit security of cryptographic primitives,” presented at the Eurocrypt: Advances in Cryptology, Tel Aviv, Israel, 2018, vol. 10820, pp. 3–28.","short":"D. Micciancio, M. Walter, in:, Springer, 2018, pp. 3–28.","ama":"Micciancio D, Walter M. On the bit security of cryptographic primitives. In: Vol 10820. Springer; 2018:3-28. doi:10.1007/978-3-319-78381-9_1","apa":"Micciancio, D., & Walter, M. (2018). On the bit security of cryptographic primitives (Vol. 10820, pp. 3–28). Presented at the Eurocrypt: Advances in Cryptology, Tel Aviv, Israel: Springer. https://doi.org/10.1007/978-3-319-78381-9_1","chicago":"Micciancio, Daniele, and Michael Walter. “On the Bit Security of Cryptographic Primitives,” 10820:3–28. Springer, 2018. https://doi.org/10.1007/978-3-319-78381-9_1.","ista":"Micciancio D, Walter M. 2018. On the bit security of cryptographic primitives. Eurocrypt: Advances in Cryptology, LNCS, vol. 10820, 3–28."},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}]},{"publication_status":"published","language":[{"iso":"eng"}],"ec_funded":1,"volume":10821,"abstract":[{"lang":"eng","text":"At ITCS 2013, Mahmoody, Moran and Vadhan [MMV13] introduce and construct publicly verifiable proofs of sequential work, which is a protocol for proving that one spent sequential computational work related to some statement. The original motivation for such proofs included non-interactive time-stamping and universally verifiable CPU benchmarks. A more recent application, and our main motivation, are blockchain designs, where proofs of sequential work can be used – in combination with proofs of space – as a more ecological and economical substitute for proofs of work which are currently used to secure Bitcoin and other cryptocurrencies. The construction proposed by [MMV13] is based on a hash function and can be proven secure in the random oracle model, or assuming inherently sequential hash-functions, which is a new standard model assumption introduced in their work. In a proof of sequential work, a prover gets a “statement” χ, a time parameter N and access to a hash-function H, which for the security proof is modelled as a random oracle. Correctness requires that an honest prover can make a verifier accept making only N queries to H, while soundness requires that any prover who makes the verifier accept must have made (almost) N sequential queries to H. Thus a solution constitutes a proof that N time passed since χ was received. Solutions must be publicly verifiable in time at most polylogarithmic in N. The construction of [MMV13] is based on “depth-robust” graphs, and as a consequence has rather poor concrete parameters. But the major drawback is that the prover needs not just N time, but also N space to compute a proof. In this work we propose a proof of sequential work which is much simpler, more efficient and achieves much better concrete bounds. Most importantly, the space required can be as small as log (N) (but we get better soundness using slightly more memory than that). An open problem stated by [MMV13] that our construction does not solve either is achieving a “unique” proof, where even a cheating prover can only generate a single accepting proof. This property would be extremely useful for applications to blockchains."}],"oa_version":"Submitted Version","main_file_link":[{"url":"https://eprint.iacr.org/2018/183.pdf","open_access":"1"}],"alternative_title":["LNCS"],"scopus_import":"1","intvolume":" 10821","month":"05","date_updated":"2023-09-18T09:29:33Z","department":[{"_id":"KrPi"}],"_id":"302","conference":{"name":"Eurocrypt: Advances in Cryptology","start_date":"2018-04-29","location":"Tel Aviv, Israel","end_date":"2018-05-03"},"type":"conference","status":"public","year":"2018","isi":1,"day":"29","page":"451 - 467","date_created":"2018-12-11T11:45:42Z","doi":"10.1007/978-3-319-78375-8_15","date_published":"2018-05-29T00:00:00Z","oa":1,"quality_controlled":"1","publisher":"Springer","citation":{"chicago":"Cohen, Bram, and Krzysztof Z Pietrzak. “Simple Proofs of Sequential Work,” 10821:451–67. Springer, 2018. https://doi.org/10.1007/978-3-319-78375-8_15.","ista":"Cohen B, Pietrzak KZ. 2018. Simple proofs of sequential work. Eurocrypt: Advances in Cryptology, LNCS, vol. 10821, 451–467.","mla":"Cohen, Bram, and Krzysztof Z. Pietrzak. Simple Proofs of Sequential Work. Vol. 10821, Springer, 2018, pp. 451–67, doi:10.1007/978-3-319-78375-8_15.","ama":"Cohen B, Pietrzak KZ. Simple proofs of sequential work. In: Vol 10821. Springer; 2018:451-467. doi:10.1007/978-3-319-78375-8_15","apa":"Cohen, B., & Pietrzak, K. Z. (2018). Simple proofs of sequential work (Vol. 10821, pp. 451–467). Presented at the Eurocrypt: Advances in Cryptology, Tel Aviv, Israel: Springer. https://doi.org/10.1007/978-3-319-78375-8_15","ieee":"B. Cohen and K. Z. Pietrzak, “Simple proofs of sequential work,” presented at the Eurocrypt: Advances in Cryptology, Tel Aviv, Israel, 2018, vol. 10821, pp. 451–467.","short":"B. Cohen, K.Z. Pietrzak, in:, Springer, 2018, pp. 451–467."},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","article_processing_charge":"No","external_id":{"isi":["000517098700015"]},"publist_id":"7579","author":[{"last_name":"Cohen","full_name":"Cohen, Bram","first_name":"Bram"},{"full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"}],"title":"Simple proofs of sequential work","project":[{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}]},{"publication_status":"published","language":[{"iso":"eng"}],"ec_funded":1,"volume":10821,"abstract":[{"text":"Memory-hard functions (MHF) are functions whose evaluation cost is dominated by memory cost. MHFs are egalitarian, in the sense that evaluating them on dedicated hardware (like FPGAs or ASICs) is not much cheaper than on off-the-shelf hardware (like x86 CPUs). MHFs have interesting cryptographic applications, most notably to password hashing and securing blockchains.\r\n\r\nAlwen and Serbinenko [STOC’15] define the cumulative memory complexity (cmc) of a function as the sum (over all time-steps) of the amount of memory required to compute the function. They advocate that a good MHF must have high cmc. Unlike previous notions, cmc takes into account that dedicated hardware might exploit amortization and parallelism. Still, cmc has been critizised as insufficient, as it fails to capture possible time-memory trade-offs; as memory cost doesn’t scale linearly, functions with the same cmc could still have very different actual hardware cost.\r\n\r\nIn this work we address this problem, and introduce the notion of sustained-memory complexity, which requires that any algorithm evaluating the function must use a large amount of memory for many steps. We construct functions (in the parallel random oracle model) whose sustained-memory complexity is almost optimal: our function can be evaluated using n steps and O(n/log(n)) memory, in each step making one query to the (fixed-input length) random oracle, while any algorithm that can make arbitrary many parallel queries to the random oracle, still needs Ω(n/log(n)) memory for Ω(n) steps.\r\n\r\nAs has been done for various notions (including cmc) before, we reduce the task of constructing an MHFs with high sustained-memory complexity to proving pebbling lower bounds on DAGs. Our main technical contribution is the construction is a family of DAGs on n nodes with constant indegree with high “sustained-space complexity”, meaning that any parallel black-pebbling strategy requires Ω(n/log(n)) pebbles for at least Ω(n) steps.\r\n\r\nAlong the way we construct a family of maximally “depth-robust” DAGs with maximum indegree O(logn) , improving upon the construction of Mahmoody et al. [ITCS’13] which had maximum indegree O(log2n⋅","lang":"eng"}],"oa_version":"Preprint","main_file_link":[{"open_access":"1","url":"https://arxiv.org/abs/1705.05313"}],"scopus_import":"1","alternative_title":["LNCS"],"intvolume":" 10821","month":"03","date_updated":"2023-09-19T09:59:30Z","department":[{"_id":"KrPi"}],"_id":"298","conference":{"end_date":"2018-05-03","location":"Tel Aviv, Israel","start_date":"2018-04-29","name":"Eurocrypt 2018: Advances in Cryptology"},"type":"conference","status":"public","year":"2018","isi":1,"day":"31","page":"99 - 130","date_created":"2018-12-11T11:45:41Z","doi":"10.1007/978-3-319-78375-8_4","date_published":"2018-03-31T00:00:00Z","oa":1,"publisher":"Springer","quality_controlled":"1","citation":{"mla":"Alwen, Joel F., et al. Sustained Space Complexity. Vol. 10821, Springer, 2018, pp. 99–130, doi:10.1007/978-3-319-78375-8_4.","ama":"Alwen JF, Blocki J, Pietrzak KZ. Sustained space complexity. In: Vol 10821. Springer; 2018:99-130. doi:10.1007/978-3-319-78375-8_4","apa":"Alwen, J. F., Blocki, J., & Pietrzak, K. Z. (2018). Sustained space complexity (Vol. 10821, pp. 99–130). Presented at the Eurocrypt 2018: Advances in Cryptology, Tel Aviv, Israel: Springer. https://doi.org/10.1007/978-3-319-78375-8_4","short":"J.F. Alwen, J. Blocki, K.Z. Pietrzak, in:, Springer, 2018, pp. 99–130.","ieee":"J. F. Alwen, J. Blocki, and K. Z. Pietrzak, “Sustained space complexity,” presented at the Eurocrypt 2018: Advances in Cryptology, Tel Aviv, Israel, 2018, vol. 10821, pp. 99–130.","chicago":"Alwen, Joel F, Jeremiah Blocki, and Krzysztof Z Pietrzak. “Sustained Space Complexity,” 10821:99–130. Springer, 2018. https://doi.org/10.1007/978-3-319-78375-8_4.","ista":"Alwen JF, Blocki J, Pietrzak KZ. 2018. Sustained space complexity. Eurocrypt 2018: Advances in Cryptology, LNCS, vol. 10821, 99–130."},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","article_processing_charge":"No","external_id":{"isi":["000517098700004"],"arxiv":["1705.05313"]},"publist_id":"7583","author":[{"first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","last_name":"Alwen","full_name":"Alwen, Joel F"},{"last_name":"Blocki","full_name":"Blocki, Jeremiah","first_name":"Jeremiah"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z"}],"title":"Sustained space complexity","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}]},{"date_published":"2018-02-01T00:00:00Z","issue":"1","doi":"10.3934/amc.2018002","volume":12,"date_created":"2019-02-13T13:49:41Z","page":"17-47","day":"01","language":[{"iso":"eng"}],"publication":"American Institute of Mathematical Sciences","isi":1,"publication_status":"published","year":"2018","month":"02","intvolume":" 12","publisher":"AIMS","scopus_import":"1","quality_controlled":"1","oa_version":"None","abstract":[{"lang":"eng","text":"The problem of private set-intersection (PSI) has been traditionally treated as an instance of the more general problem of multi-party computation (MPC). Consequently, in order to argue security, or compose these protocols one has to rely on the general theory that was developed for the purpose of MPC. The pursuit of efficient protocols, however, has resulted in designs that exploit properties pertaining to PSI. In almost all practical applications where a PSI protocol is deployed, it is expected to be executed multiple times, possibly on related inputs. In this work we initiate a dedicated study of PSI in the multi-interaction (MI) setting. In this model a server sets up the common system parameters and executes set-intersection multiple times with potentially different clients. We discuss a few attacks that arise when protocols are naïvely composed in this manner and, accordingly, craft security definitions for the MI setting and study their inter-relation. Finally, we suggest a set of protocols that are MI-secure, at the same time almost as efficient as their parent, stand-alone, protocols."}],"title":"Private set-intersection with common set-up","department":[{"_id":"KrPi"}],"author":[{"first_name":"Sanjit","last_name":"Chatterjee","full_name":"Chatterjee, Sanjit"},{"full_name":"Kamath Hosdurg, Chethan","last_name":"Kamath Hosdurg","first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Kumar","full_name":"Kumar, Vikas","first_name":"Vikas"}],"external_id":{"isi":["000430950400002"]},"article_processing_charge":"No","user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","date_updated":"2023-09-19T14:27:59Z","citation":{"chicago":"Chatterjee, Sanjit, Chethan Kamath Hosdurg, and Vikas Kumar. “Private Set-Intersection with Common Set-Up.” American Institute of Mathematical Sciences. AIMS, 2018. https://doi.org/10.3934/amc.2018002.","ista":"Chatterjee S, Kamath Hosdurg C, Kumar V. 2018. Private set-intersection with common set-up. American Institute of Mathematical Sciences. 12(1), 17–47.","mla":"Chatterjee, Sanjit, et al. “Private Set-Intersection with Common Set-Up.” American Institute of Mathematical Sciences, vol. 12, no. 1, AIMS, 2018, pp. 17–47, doi:10.3934/amc.2018002.","ama":"Chatterjee S, Kamath Hosdurg C, Kumar V. Private set-intersection with common set-up. American Institute of Mathematical Sciences. 2018;12(1):17-47. doi:10.3934/amc.2018002","apa":"Chatterjee, S., Kamath Hosdurg, C., & Kumar, V. (2018). Private set-intersection with common set-up. American Institute of Mathematical Sciences. AIMS. https://doi.org/10.3934/amc.2018002","ieee":"S. Chatterjee, C. Kamath Hosdurg, and V. Kumar, “Private set-intersection with common set-up,” American Institute of Mathematical Sciences, vol. 12, no. 1. AIMS, pp. 17–47, 2018.","short":"S. Chatterjee, C. Kamath Hosdurg, V. Kumar, American Institute of Mathematical Sciences 12 (2018) 17–47."},"status":"public","type":"journal_article","_id":"5980"},{"project":[{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"ista":"Park S, Kwon A, Fuchsbauer G, Gazi P, Alwen JF, Pietrzak KZ. 2018. SpaceMint: A cryptocurrency based on proofs of space. 22nd International Conference on Financial Cryptography and Data Security. FC: Financial Cryptography and Data Security, LNCS, vol. 10957, 480–499.","chicago":"Park, Sunoo, Albert Kwon, Georg Fuchsbauer, Peter Gazi, Joel F Alwen, and Krzysztof Z Pietrzak. “SpaceMint: A Cryptocurrency Based on Proofs of Space.” In 22nd International Conference on Financial Cryptography and Data Security, 10957:480–99. Springer Nature, 2018. https://doi.org/10.1007/978-3-662-58387-6_26.","ama":"Park S, Kwon A, Fuchsbauer G, Gazi P, Alwen JF, Pietrzak KZ. SpaceMint: A cryptocurrency based on proofs of space. In: 22nd International Conference on Financial Cryptography and Data Security. Vol 10957. Springer Nature; 2018:480-499. doi:10.1007/978-3-662-58387-6_26","apa":"Park, S., Kwon, A., Fuchsbauer, G., Gazi, P., Alwen, J. F., & Pietrzak, K. Z. (2018). SpaceMint: A cryptocurrency based on proofs of space. In 22nd International Conference on Financial Cryptography and Data Security (Vol. 10957, pp. 480–499). Nieuwpoort, Curacao: Springer Nature. https://doi.org/10.1007/978-3-662-58387-6_26","short":"S. Park, A. Kwon, G. Fuchsbauer, P. Gazi, J.F. Alwen, K.Z. Pietrzak, in:, 22nd International Conference on Financial Cryptography and Data Security, Springer Nature, 2018, pp. 480–499.","ieee":"S. Park, A. Kwon, G. Fuchsbauer, P. Gazi, J. F. Alwen, and K. Z. Pietrzak, “SpaceMint: A cryptocurrency based on proofs of space,” in 22nd International Conference on Financial Cryptography and Data Security, Nieuwpoort, Curacao, 2018, vol. 10957, pp. 480–499.","mla":"Park, Sunoo, et al. “SpaceMint: A Cryptocurrency Based on Proofs of Space.” 22nd International Conference on Financial Cryptography and Data Security, vol. 10957, Springer Nature, 2018, pp. 480–99, doi:10.1007/978-3-662-58387-6_26."},"title":"SpaceMint: A cryptocurrency based on proofs of space","author":[{"first_name":"Sunoo","last_name":"Park","full_name":"Park, Sunoo"},{"first_name":"Albert","full_name":"Kwon, Albert","last_name":"Kwon"},{"last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Gazi","full_name":"Gazi, Peter","first_name":"Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","full_name":"Alwen, Joel F","last_name":"Alwen"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z"}],"external_id":{"isi":["000540656400026"]},"article_processing_charge":"No","quality_controlled":"1","publisher":"Springer Nature","oa":1,"day":"07","publication":"22nd International Conference on Financial Cryptography and Data Security","isi":1,"year":"2018","doi":"10.1007/978-3-662-58387-6_26","date_published":"2018-12-07T00:00:00Z","date_created":"2019-10-14T06:35:38Z","page":"480-499","_id":"6941","status":"public","type":"conference","conference":{"name":"FC: Financial Cryptography and Data Security","start_date":"2018-02-26","location":"Nieuwpoort, Curacao","end_date":"2018-03-02"},"date_updated":"2023-09-19T15:02:13Z","department":[{"_id":"KrPi"}],"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"Bitcoin has become the most successful cryptocurrency ever deployed, and its most distinctive feature is that it is decentralized. Its underlying protocol (Nakamoto consensus) achieves this by using proof of work, which has the drawback that it causes the consumption of vast amounts of energy to maintain the ledger. Moreover, Bitcoin mining dynamics have become less distributed over time.\r\n\r\nTowards addressing these issues, we propose SpaceMint, a cryptocurrency based on proofs of space instead of proofs of work. Miners in SpaceMint dedicate disk space rather than computation. We argue that SpaceMint’s design solves or alleviates several of Bitcoin’s issues: most notably, its large energy consumption. SpaceMint also rewards smaller miners fairly according to their contribution to the network, thus incentivizing more distributed participation.\r\n\r\nThis paper adapts proof of space to enable its use in cryptocurrency, studies the attacks that can arise against a Bitcoin-like blockchain that uses proof of space, and proposes a new blockchain format and transaction types to address these attacks. Our prototype shows that initializing 1 TB for mining takes about a day (a one-off setup cost), and miners spend on average just a fraction of a second per block mined. Finally, we provide a game-theoretic analysis modeling SpaceMint as an extensive game (the canonical game-theoretic notion for games that take place over time) and show that this stylized game satisfies a strong equilibrium notion, thereby arguing for SpaceMint ’s stability and consensus."}],"month":"12","intvolume":" 10957","alternative_title":["LNCS"],"scopus_import":"1","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2015/528"}],"language":[{"iso":"eng"}],"publication_identifier":{"issn":["0302-9743"],"eissn":["1611-3349"],"isbn":["9783662583869","9783662583876"]},"publication_status":"published","volume":10957,"ec_funded":1},{"date_created":"2018-12-11T11:50:33Z","doi":"10.4230/LIPIcs.ITCS.2017.38","date_published":"2017-01-01T00:00:00Z","page":"38:1-38-21","day":"01","year":"2017","has_accepted_license":"1","oa":1,"quality_controlled":"1","publisher":"Schloss Dagstuhl - Leibniz-Zentrum für Informatik","editor":[{"full_name":"Papadimitriou, Christos","last_name":"Papadimitriou","first_name":"Christos"}],"title":"Cumulative space in black-white pebbling and resolution","publist_id":"6179","author":[{"full_name":"Alwen, Joel F","last_name":"Alwen","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F"},{"last_name":"De Rezende","full_name":"De Rezende, Susanna","first_name":"Susanna"},{"full_name":"Nordstrom, Jakob","last_name":"Nordstrom","first_name":"Jakob"},{"first_name":"Marc","last_name":"Vinyals","full_name":"Vinyals, Marc"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Alwen, Joel F., et al. Cumulative Space in Black-White Pebbling and Resolution. Edited by Christos Papadimitriou, vol. 67, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, p. 38:1-38-21, doi:10.4230/LIPIcs.ITCS.2017.38.","apa":"Alwen, J. F., De Rezende, S., Nordstrom, J., & Vinyals, M. (2017). Cumulative space in black-white pebbling and resolution. In C. Papadimitriou (Ed.) (Vol. 67, p. 38:1-38-21). Presented at the ITCS: Innovations in Theoretical Computer Science, Berkeley, CA, United States: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. https://doi.org/10.4230/LIPIcs.ITCS.2017.38","ama":"Alwen JF, De Rezende S, Nordstrom J, Vinyals M. Cumulative space in black-white pebbling and resolution. In: Papadimitriou C, ed. Vol 67. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2017:38:1-38-21. doi:10.4230/LIPIcs.ITCS.2017.38","short":"J.F. Alwen, S. De Rezende, J. Nordstrom, M. Vinyals, in:, C. Papadimitriou (Ed.), Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, p. 38:1-38-21.","ieee":"J. F. Alwen, S. De Rezende, J. Nordstrom, and M. Vinyals, “Cumulative space in black-white pebbling and resolution,” presented at the ITCS: Innovations in Theoretical Computer Science, Berkeley, CA, United States, 2017, vol. 67, p. 38:1-38-21.","chicago":"Alwen, Joel F, Susanna De Rezende, Jakob Nordstrom, and Marc Vinyals. “Cumulative Space in Black-White Pebbling and Resolution.” edited by Christos Papadimitriou, 67:38:1-38-21. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017. https://doi.org/10.4230/LIPIcs.ITCS.2017.38.","ista":"Alwen JF, De Rezende S, Nordstrom J, Vinyals M. 2017. Cumulative space in black-white pebbling and resolution. ITCS: Innovations in Theoretical Computer Science, LIPIcs, vol. 67, 38:1-38-21."},"volume":67,"language":[{"iso":"eng"}],"file":[{"content_type":"application/pdf","relation":"main_file","access_level":"open_access","file_id":"5263","checksum":"dbc94810be07c2fb1945d5c2a6130e6c","file_size":557769,"date_updated":"2020-07-14T12:44:37Z","creator":"system","file_name":"IST-2018-927-v1+1_LIPIcs-ITCS-2017-38.pdf","date_created":"2018-12-12T10:17:11Z"}],"publication_status":"published","publication_identifier":{"issn":["18688969"]},"intvolume":" 67","month":"01","alternative_title":["LIPIcs"],"scopus_import":1,"oa_version":"Published Version","abstract":[{"lang":"eng","text":"We study space complexity and time-space trade-offs with a focus not on peak memory usage but on overall memory consumption throughout the computation. Such a cumulative space measure was introduced for the computational model of parallel black pebbling by [Alwen and Serbinenko ’15] as a tool for obtaining results in cryptography. We consider instead the non- deterministic black-white pebble game and prove optimal cumulative space lower bounds and trade-offs, where in order to minimize pebbling time the space has to remain large during a significant fraction of the pebbling. We also initiate the study of cumulative space in proof complexity, an area where other space complexity measures have been extensively studied during the last 10–15 years. Using and extending the connection between proof complexity and pebble games in [Ben-Sasson and Nordström ’08, ’11] we obtain several strong cumulative space results for (even parallel versions of) the resolution proof system, and outline some possible future directions of study of this, in our opinion, natural and interesting space measure."}],"file_date_updated":"2020-07-14T12:44:37Z","department":[{"_id":"KrPi"}],"ddc":["005","600"],"date_updated":"2021-01-12T06:48:51Z","pubrep_id":"927","status":"public","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"conference":{"end_date":"2017-01-11","location":"Berkeley, CA, United States","start_date":"2017-01-09","name":"ITCS: Innovations in Theoretical Computer Science"},"type":"conference","_id":"1175"},{"oa":1,"quality_controlled":"1","publisher":"Springer","date_created":"2018-12-11T11:47:27Z","doi":"10.1007/978-3-319-70500-2_3","date_published":"2017-11-05T00:00:00Z","page":"56 - 81","day":"05","year":"2017","project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}],"title":"Position based cryptography and multiparty communication complexity","editor":[{"full_name":"Kalai, Yael","last_name":"Kalai","first_name":"Yael"},{"first_name":"Leonid","full_name":"Reyzin, Leonid","last_name":"Reyzin"}],"publist_id":"7200","author":[{"first_name":"Joshua","last_name":"Brody","full_name":"Brody, Joshua"},{"last_name":"Dziembowski","full_name":"Dziembowski, Stefan","first_name":"Stefan"},{"last_name":"Faust","full_name":"Faust, Sebastian","first_name":"Sebastian"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"}],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Brody, Joshua, et al. Position Based Cryptography and Multiparty Communication Complexity. Edited by Yael Kalai and Leonid Reyzin, vol. 10677, Springer, 2017, pp. 56–81, doi:10.1007/978-3-319-70500-2_3.","short":"J. Brody, S. Dziembowski, S. Faust, K.Z. Pietrzak, in:, Y. Kalai, L. Reyzin (Eds.), Springer, 2017, pp. 56–81.","ieee":"J. Brody, S. Dziembowski, S. Faust, and K. Z. Pietrzak, “Position based cryptography and multiparty communication complexity,” presented at the TCC: Theory of Cryptography Conference, Baltimore, MD, United States, 2017, vol. 10677, pp. 56–81.","ama":"Brody J, Dziembowski S, Faust S, Pietrzak KZ. Position based cryptography and multiparty communication complexity. In: Kalai Y, Reyzin L, eds. Vol 10677. Springer; 2017:56-81. doi:10.1007/978-3-319-70500-2_3","apa":"Brody, J., Dziembowski, S., Faust, S., & Pietrzak, K. Z. (2017). Position based cryptography and multiparty communication complexity. In Y. Kalai & L. Reyzin (Eds.) (Vol. 10677, pp. 56–81). Presented at the TCC: Theory of Cryptography Conference, Baltimore, MD, United States: Springer. https://doi.org/10.1007/978-3-319-70500-2_3","chicago":"Brody, Joshua, Stefan Dziembowski, Sebastian Faust, and Krzysztof Z Pietrzak. “Position Based Cryptography and Multiparty Communication Complexity.” edited by Yael Kalai and Leonid Reyzin, 10677:56–81. Springer, 2017. https://doi.org/10.1007/978-3-319-70500-2_3.","ista":"Brody J, Dziembowski S, Faust S, Pietrzak KZ. 2017. Position based cryptography and multiparty communication complexity. TCC: Theory of Cryptography Conference, LNCS, vol. 10677, 56–81."},"intvolume":" 10677","month":"11","main_file_link":[{"url":"https://eprint.iacr.org/2016/536","open_access":"1"}],"scopus_import":1,"alternative_title":["LNCS"],"oa_version":"Submitted Version","abstract":[{"text":"Position based cryptography (PBC), proposed in the seminal work of Chandran, Goyal, Moriarty, and Ostrovsky (SIAM J. Computing, 2014), aims at constructing cryptographic schemes in which the identity of the user is his geographic position. Chandran et al. construct PBC schemes for secure positioning and position-based key agreement in the bounded-storage model (Maurer, J. Cryptology, 1992). Apart from bounded memory, their security proofs need a strong additional restriction on the power of the adversary: he cannot compute joint functions of his inputs. Removing this assumption is left as an open problem. We show that an answer to this question would resolve a long standing open problem in multiparty communication complexity: finding a function that is hard to compute with low communication complexity in the simultaneous message model, but easy to compute in the fully adaptive model. On a more positive side: we also show some implications in the other direction, i.e.: we prove that lower bounds on the communication complexity of certain multiparty problems imply existence of PBC primitives. Using this result we then show two attractive ways to “bypass” our hardness result: the first uses the random oracle model, the second weakens the locality requirement in the bounded-storage model to online computability. The random oracle construction is arguably one of the simplest proposed so far in this area. Our results indicate that constructing improved provably secure protocols for PBC requires a better understanding of multiparty communication complexity. This is yet another example where negative results in one area (in our case: lower bounds in multiparty communication complexity) can be used to construct secure cryptographic schemes.","lang":"eng"}],"ec_funded":1,"volume":10677,"language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"isbn":["978-331970499-9"]},"status":"public","conference":{"name":"TCC: Theory of Cryptography Conference","start_date":"2017-11-12","end_date":"2017-11-15","location":"Baltimore, MD, United States"},"type":"conference","_id":"605","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T08:05:53Z"},{"publication_status":"published","publication_identifier":{"isbn":["978-331970499-9"]},"language":[{"iso":"eng"}],"volume":10677,"abstract":[{"text":"Several cryptographic schemes and applications are based on functions that are both reasonably efficient to compute and moderately hard to invert, including client puzzles for Denial-of-Service protection, password protection via salted hashes, or recent proof-of-work blockchain systems. Despite their wide use, a definition of this concept has not yet been distilled and formalized explicitly. Instead, either the applications are proven directly based on the assumptions underlying the function, or some property of the function is proven, but the security of the application is argued only informally. The goal of this work is to provide a (universal) definition that decouples the efforts of designing new moderately hard functions and of building protocols based on them, serving as an interface between the two. On a technical level, beyond the mentioned definitions, we instantiate the model for four different notions of hardness. We extend the work of Alwen and Serbinenko (STOC 2015) by providing a general tool for proving security for the first notion of memory-hard functions that allows for provably secure applications. The tool allows us to recover all of the graph-theoretic techniques developed for proving security under the older, non-composable, notion of security used by Alwen and Serbinenko. As an application of our definition of moderately hard functions, we prove the security of two different schemes for proofs of effort (PoE). We also formalize and instantiate the concept of a non-interactive proof of effort (niPoE), in which the proof is not bound to a particular communication context but rather any bit-string chosen by the prover.","lang":"eng"}],"oa_version":"Submitted Version","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2017/945"}],"scopus_import":1,"alternative_title":["LNCS"],"intvolume":" 10677","month":"11","date_updated":"2021-01-12T08:06:04Z","department":[{"_id":"KrPi"}],"_id":"609","conference":{"location":"Baltimore, MD, United States","end_date":"2017-11-15","start_date":"2017-11-12","name":"TCC: Theory of Cryptography"},"type":"conference","status":"public","year":"2017","day":"05","page":"493 - 526","date_created":"2018-12-11T11:47:28Z","date_published":"2017-11-05T00:00:00Z","doi":"10.1007/978-3-319-70500-2_17","oa":1,"quality_controlled":"1","publisher":"Springer","citation":{"mla":"Alwen, Joel F., and Björn Tackmann. Moderately Hard Functions: Definition, Instantiations, and Applications. Edited by Yael Kalai and Leonid Reyzin, vol. 10677, Springer, 2017, pp. 493–526, doi:10.1007/978-3-319-70500-2_17.","ama":"Alwen JF, Tackmann B. Moderately hard functions: Definition, instantiations, and applications. In: Kalai Y, Reyzin L, eds. Vol 10677. Springer; 2017:493-526. doi:10.1007/978-3-319-70500-2_17","apa":"Alwen, J. F., & Tackmann, B. (2017). Moderately hard functions: Definition, instantiations, and applications. In Y. Kalai & L. Reyzin (Eds.) (Vol. 10677, pp. 493–526). Presented at the TCC: Theory of Cryptography, Baltimore, MD, United States: Springer. https://doi.org/10.1007/978-3-319-70500-2_17","ieee":"J. F. Alwen and B. Tackmann, “Moderately hard functions: Definition, instantiations, and applications,” presented at the TCC: Theory of Cryptography, Baltimore, MD, United States, 2017, vol. 10677, pp. 493–526.","short":"J.F. Alwen, B. Tackmann, in:, Y. Kalai, L. Reyzin (Eds.), Springer, 2017, pp. 493–526.","chicago":"Alwen, Joel F, and Björn Tackmann. “Moderately Hard Functions: Definition, Instantiations, and Applications.” edited by Yael Kalai and Leonid Reyzin, 10677:493–526. Springer, 2017. https://doi.org/10.1007/978-3-319-70500-2_17.","ista":"Alwen JF, Tackmann B. 2017. Moderately hard functions: Definition, instantiations, and applications. TCC: Theory of Cryptography, LNCS, vol. 10677, 493–526."},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","author":[{"last_name":"Alwen","full_name":"Alwen, Joel F","first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Tackmann","full_name":"Tackmann, Björn","first_name":"Björn"}],"publist_id":"7196","title":"Moderately hard functions: Definition, instantiations, and applications","editor":[{"full_name":"Kalai, Yael","last_name":"Kalai","first_name":"Yael"},{"full_name":"Reyzin, Leonid","last_name":"Reyzin","first_name":"Leonid"}]},{"citation":{"apa":"Alwen, J. F., Chen, B., Pietrzak, K. Z., Reyzin, L., & Tessaro, S. (2017). Scrypt is maximally memory hard. In J.-S. Coron & J. Buus Nielsen (Eds.) (Vol. 10212, pp. 33–62). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Paris, France: Springer. https://doi.org/10.1007/978-3-319-56617-7_2","ama":"Alwen JF, Chen B, Pietrzak KZ, Reyzin L, Tessaro S. Scrypt is maximally memory hard. In: Coron J-S, Buus Nielsen J, eds. Vol 10212. Springer; 2017:33-62. doi:10.1007/978-3-319-56617-7_2","short":"J.F. Alwen, B. Chen, K.Z. Pietrzak, L. Reyzin, S. Tessaro, in:, J.-S. Coron, J. Buus Nielsen (Eds.), Springer, 2017, pp. 33–62.","ieee":"J. F. Alwen, B. Chen, K. Z. Pietrzak, L. Reyzin, and S. Tessaro, “Scrypt is maximally memory hard,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Paris, France, 2017, vol. 10212, pp. 33–62.","mla":"Alwen, Joel F., et al. Scrypt Is Maximally Memory Hard. Edited by Jean-Sébastien Coron and Jesper Buus Nielsen, vol. 10212, Springer, 2017, pp. 33–62, doi:10.1007/978-3-319-56617-7_2.","ista":"Alwen JF, Chen B, Pietrzak KZ, Reyzin L, Tessaro S. 2017. Scrypt is maximally memory hard. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 10212, 33–62.","chicago":"Alwen, Joel F, Binchi Chen, Krzysztof Z Pietrzak, Leonid Reyzin, and Stefano Tessaro. “Scrypt Is Maximally Memory Hard.” edited by Jean-Sébastien Coron and Jesper Buus Nielsen, 10212:33–62. Springer, 2017. https://doi.org/10.1007/978-3-319-56617-7_2."},"user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","author":[{"id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F","last_name":"Alwen","full_name":"Alwen, Joel F"},{"first_name":"Binchi","full_name":"Chen, Binchi","last_name":"Chen"},{"last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"},{"full_name":"Reyzin, Leonid","last_name":"Reyzin","first_name":"Leonid"},{"full_name":"Tessaro, Stefano","last_name":"Tessaro","first_name":"Stefano"}],"publist_id":"7154","title":"Scrypt is maximally memory hard","editor":[{"last_name":"Coron","full_name":"Coron, Jean-Sébastien","first_name":"Jean-Sébastien"},{"first_name":"Jesper","last_name":"Buus Nielsen","full_name":"Buus Nielsen, Jesper"}],"project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"year":"2017","day":"01","page":"33 - 62","doi":"10.1007/978-3-319-56617-7_2","date_published":"2017-01-01T00:00:00Z","date_created":"2018-12-11T11:47:37Z","quality_controlled":"1","publisher":"Springer","oa":1,"date_updated":"2021-01-12T08:07:10Z","department":[{"_id":"KrPi"}],"_id":"635","type":"conference","conference":{"name":"EUROCRYPT: Theory and Applications of Cryptographic Techniques","start_date":"2017-04-30","location":"Paris, France","end_date":"2017-05-04"},"status":"public","publication_identifier":{"isbn":["978-331956616-0"]},"publication_status":"published","language":[{"iso":"eng"}],"volume":10212,"ec_funded":1,"abstract":[{"lang":"eng","text":"Memory-hard functions (MHFs) are hash algorithms whose evaluation cost is dominated by memory cost. As memory, unlike computation, costs about the same across different platforms, MHFs cannot be evaluated at significantly lower cost on dedicated hardware like ASICs. MHFs have found widespread applications including password hashing, key derivation, and proofs-of-work. This paper focuses on scrypt, a simple candidate MHF designed by Percival, and described in RFC 7914. It has been used within a number of cryptocurrencies (e.g., Litecoin and Dogecoin) and has been an inspiration for Argon2d, one of the winners of the recent password-hashing competition. Despite its popularity, no rigorous lower bounds on its memory complexity are known. We prove that scrypt is optimally memory-hard, i.e., its cumulative memory complexity (cmc) in the parallel random oracle model is Ω(n2w), where w and n are the output length and number of invocations of the underlying hash function, respectively. High cmc is a strong security target for MHFs introduced by Alwen and Serbinenko (STOC’15) which implies high memory cost even for adversaries who can amortize the cost over many evaluations and evaluate the underlying hash functions many times in parallel. Our proof is the first showing optimal memory-hardness for any MHF. Our result improves both quantitatively and qualitatively upon the recent work by Alwen et al. (EUROCRYPT’16) who proved a weaker lower bound of Ω(n2w/ log2 n) for a restricted class of adversaries."}],"oa_version":"Submitted Version","alternative_title":["LNCS"],"scopus_import":1,"main_file_link":[{"url":"https://eprint.iacr.org/2016/989","open_access":"1"}],"month":"01","intvolume":" 10212"},{"month":"04","intvolume":" 10212","alternative_title":["LNCS"],"scopus_import":1,"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2016/875"}],"oa_version":"Submitted Version","abstract":[{"text":"Data-independent Memory Hard Functions (iMHFS) are finding a growing number of applications in security; especially in the domain of password hashing. An important property of a concrete iMHF is specified by fixing a directed acyclic graph (DAG) Gn on n nodes. The quality of that iMHF is then captured by the following two pebbling complexities of Gn: – The parallel cumulative pebbling complexity Π∥cc(Gn) must be as high as possible (to ensure that the amortized cost of computing the function on dedicated hardware is dominated by the cost of memory). – The sequential space-time pebbling complexity Πst(Gn) should be as close as possible to Π∥cc(Gn) (to ensure that using many cores in parallel and amortizing over many instances does not give much of an advantage). In this paper we construct a family of DAGs with best possible parameters in an asymptotic sense, i.e., where Π∥cc(Gn) = Ω(n2/ log(n)) (which matches a known upper bound) and Πst(Gn) is within a constant factor of Π∥cc(Gn). Our analysis relies on a new connection between the pebbling complexity of a DAG and its depth-robustness (DR) – a well studied combinatorial property. We show that high DR is sufficient for high Π∥cc. Alwen and Blocki (CRYPTO’16) showed that high DR is necessary and so, together, these results fully characterize DAGs with high Π∥cc in terms of DR. Complementing these results, we provide new upper and lower bounds on the Π∥cc of several important candidate iMHFs from the literature. We give the first lower bounds on the memory hardness of the Catena and Balloon Hashing functions in a parallel model of computation and we give the first lower bounds of any kind for (a version) of Argon2i. Finally we describe a new class of pebbling attacks improving on those of Alwen and Blocki (CRYPTO’16). By instantiating these attacks we upperbound the Π∥cc of the Password Hashing Competition winner Argon2i and one of the Balloon Hashing functions by O (n1.71). We also show an upper bound of O(n1.625) for the Catena functions and the two remaining Balloon Hashing functions.","lang":"eng"}],"volume":10212,"ec_funded":1,"language":[{"iso":"eng"}],"publication_identifier":{"isbn":["978-331956616-0"]},"publication_status":"published","status":"public","type":"conference","conference":{"start_date":"2017-04-30","location":"Paris, France","end_date":"2017-05-04","name":"EUROCRYPT: Theory and Applications of Cryptographic Techniques"},"_id":"640","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T08:07:22Z","quality_controlled":"1","publisher":"Springer","oa":1,"date_published":"2017-04-01T00:00:00Z","doi":"10.1007/978-3-319-56617-7_1","date_created":"2018-12-11T11:47:39Z","page":"3 - 32","day":"01","year":"2017","project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"editor":[{"full_name":"Coron, Jean-Sébastien","last_name":"Coron","first_name":"Jean-Sébastien"},{"first_name":"Jesper","last_name":"Buus Nielsen","full_name":"Buus Nielsen, Jesper"}],"title":"Depth-robust graphs and their cumulative memory complexity","author":[{"full_name":"Alwen, Joel F","last_name":"Alwen","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F"},{"last_name":"Blocki","full_name":"Blocki, Jeremiah","first_name":"Jeremiah"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654"}],"publist_id":"7148","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"short":"J.F. Alwen, J. Blocki, K.Z. Pietrzak, in:, J.-S. Coron, J. Buus Nielsen (Eds.), Springer, 2017, pp. 3–32.","ieee":"J. F. Alwen, J. Blocki, and K. Z. Pietrzak, “Depth-robust graphs and their cumulative memory complexity,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Paris, France, 2017, vol. 10212, pp. 3–32.","apa":"Alwen, J. F., Blocki, J., & Pietrzak, K. Z. (2017). Depth-robust graphs and their cumulative memory complexity. In J.-S. Coron & J. Buus Nielsen (Eds.) (Vol. 10212, pp. 3–32). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Paris, France: Springer. https://doi.org/10.1007/978-3-319-56617-7_1","ama":"Alwen JF, Blocki J, Pietrzak KZ. Depth-robust graphs and their cumulative memory complexity. In: Coron J-S, Buus Nielsen J, eds. Vol 10212. Springer; 2017:3-32. doi:10.1007/978-3-319-56617-7_1","mla":"Alwen, Joel F., et al. Depth-Robust Graphs and Their Cumulative Memory Complexity. Edited by Jean-Sébastien Coron and Jesper Buus Nielsen, vol. 10212, Springer, 2017, pp. 3–32, doi:10.1007/978-3-319-56617-7_1.","ista":"Alwen JF, Blocki J, Pietrzak KZ. 2017. Depth-robust graphs and their cumulative memory complexity. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 10212, 3–32.","chicago":"Alwen, Joel F, Jeremiah Blocki, and Krzysztof Z Pietrzak. “Depth-Robust Graphs and Their Cumulative Memory Complexity.” edited by Jean-Sébastien Coron and Jesper Buus Nielsen, 10212:3–32. Springer, 2017. https://doi.org/10.1007/978-3-319-56617-7_1."}},{"date_created":"2018-12-11T11:47:42Z","date_published":"2017-04-01T00:00:00Z","doi":"10.1007/978-3-319-55911-7_43","page":"600 - 613","day":"01","year":"2017","oa":1,"quality_controlled":"1","publisher":"Springer","title":"On the complexity of breaking pseudoentropy","editor":[{"last_name":"Jäger","full_name":"Jäger, Gerhard","first_name":"Gerhard"},{"last_name":"Steila","full_name":"Steila, Silvia","first_name":"Silvia"}],"publist_id":"7125","author":[{"full_name":"Skórski, Maciej","last_name":"Skórski","first_name":"Maciej","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD"}],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Skórski, Maciej. On the Complexity of Breaking Pseudoentropy. Edited by Gerhard Jäger and Silvia Steila, vol. 10185, Springer, 2017, pp. 600–13, doi:10.1007/978-3-319-55911-7_43.","ama":"Skórski M. On the complexity of breaking pseudoentropy. In: Jäger G, Steila S, eds. Vol 10185. Springer; 2017:600-613. doi:10.1007/978-3-319-55911-7_43","apa":"Skórski, M. (2017). On the complexity of breaking pseudoentropy. In G. Jäger & S. Steila (Eds.) (Vol. 10185, pp. 600–613). Presented at the TAMC: Theory and Applications of Models of Computation, Bern, Switzerland: Springer. https://doi.org/10.1007/978-3-319-55911-7_43","ieee":"M. Skórski, “On the complexity of breaking pseudoentropy,” presented at the TAMC: Theory and Applications of Models of Computation, Bern, Switzerland, 2017, vol. 10185, pp. 600–613.","short":"M. Skórski, in:, G. Jäger, S. Steila (Eds.), Springer, 2017, pp. 600–613.","chicago":"Skórski, Maciej. “On the Complexity of Breaking Pseudoentropy.” edited by Gerhard Jäger and Silvia Steila, 10185:600–613. Springer, 2017. https://doi.org/10.1007/978-3-319-55911-7_43.","ista":"Skórski M. 2017. On the complexity of breaking pseudoentropy. TAMC: Theory and Applications of Models of Computation, LNCS, vol. 10185, 600–613."},"volume":10185,"language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"isbn":["978-331955910-0"]},"intvolume":" 10185","month":"04","main_file_link":[{"url":"https://eprint.iacr.org/2016/1186.pdf","open_access":"1"}],"alternative_title":["LNCS"],"scopus_import":1,"oa_version":"Submitted Version","abstract":[{"text":"Pseudoentropy has found a lot of important applications to cryptography and complexity theory. In this paper we focus on the foundational problem that has not been investigated so far, namely by how much pseudoentropy (the amount seen by computationally bounded attackers) differs from its information-theoretic counterpart (seen by unbounded observers), given certain limits on attacker’s computational power? We provide the following answer for HILL pseudoentropy, which exhibits a threshold behavior around the size exponential in the entropy amount:– If the attacker size (s) and advantage () satisfy s (formula presented) where k is the claimed amount of pseudoentropy, then the pseudoentropy boils down to the information-theoretic smooth entropy. – If s (formula presented) then pseudoentropy could be arbitrarily bigger than the information-theoretic smooth entropy. Besides answering the posted question, we show an elegant application of our result to the complexity theory, namely that it implies the clas-sical result on the existence of functions hard to approximate (due to Pippenger). In our approach we utilize non-constructive techniques: the duality of linear programming and the probabilistic method.","lang":"eng"}],"department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T08:07:39Z","status":"public","conference":{"name":"TAMC: Theory and Applications of Models of Computation","location":"Bern, Switzerland","end_date":"2017-04-22","start_date":"2017-04-20"},"type":"conference","_id":"648"},{"day":"01","year":"2017","date_created":"2018-12-11T11:47:42Z","date_published":"2017-01-01T00:00:00Z","doi":"10.1007/978-3-319-55911-7_42","page":"586 - 599","oa":1,"publisher":"Springer","quality_controlled":"1","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"short":"M. Skórski, in:, G. Jäger, S. Steila (Eds.), Springer, 2017, pp. 586–599.","ieee":"M. Skórski, “A cryptographic view of regularity lemmas: Simpler unified proofs and refined bounds,” presented at the TAMC: Theory and Applications of Models of Computation, Bern, Switzerland, 2017, vol. 10185, pp. 586–599.","ama":"Skórski M. A cryptographic view of regularity lemmas: Simpler unified proofs and refined bounds. In: Jäger G, Steila S, eds. Vol 10185. Springer; 2017:586-599. doi:10.1007/978-3-319-55911-7_42","apa":"Skórski, M. (2017). A cryptographic view of regularity lemmas: Simpler unified proofs and refined bounds. In G. Jäger & S. Steila (Eds.) (Vol. 10185, pp. 586–599). Presented at the TAMC: Theory and Applications of Models of Computation, Bern, Switzerland: Springer. https://doi.org/10.1007/978-3-319-55911-7_42","mla":"Skórski, Maciej. A Cryptographic View of Regularity Lemmas: Simpler Unified Proofs and Refined Bounds. Edited by Gerhard Jäger and Silvia Steila, vol. 10185, Springer, 2017, pp. 586–99, doi:10.1007/978-3-319-55911-7_42.","ista":"Skórski M. 2017. A cryptographic view of regularity lemmas: Simpler unified proofs and refined bounds. TAMC: Theory and Applications of Models of Computation, LNCS, vol. 10185, 586–599.","chicago":"Skórski, Maciej. “A Cryptographic View of Regularity Lemmas: Simpler Unified Proofs and Refined Bounds.” edited by Gerhard Jäger and Silvia Steila, 10185:586–99. Springer, 2017. https://doi.org/10.1007/978-3-319-55911-7_42."},"editor":[{"first_name":"Gerhard","full_name":"Jäger, Gerhard","last_name":"Jäger"},{"full_name":"Steila, Silvia","last_name":"Steila","first_name":"Silvia"}],"title":"A cryptographic view of regularity lemmas: Simpler unified proofs and refined bounds","publist_id":"7119","author":[{"first_name":"Maciej","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD","last_name":"Skórski","full_name":"Skórski, Maciej"}],"language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"issn":["03029743"]},"volume":10185,"oa_version":"Submitted Version","abstract":[{"text":"In this work we present a short and unified proof for the Strong and Weak Regularity Lemma, based on the cryptographic tech-nique called low-complexity approximations. In short, both problems reduce to a task of finding constructively an approximation for a certain target function under a class of distinguishers (test functions), where dis-tinguishers are combinations of simple rectangle-indicators. In our case these approximations can be learned by a simple iterative procedure, which yields a unified and simple proof, achieving for any graph with density d and any approximation parameter the partition size. The novelty in our proof is: (a) a simple approach which yields both strong and weaker variant, and (b) improvements when d = o(1). At an abstract level, our proof can be seen a refinement and simplification of the “analytic” proof given by Lovasz and Szegedy.","lang":"eng"}],"intvolume":" 10185","month":"01","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2016/965.pdf"}],"scopus_import":1,"alternative_title":["LNCS"],"date_updated":"2021-01-12T08:07:46Z","department":[{"_id":"KrPi"}],"_id":"650","status":"public","conference":{"location":"Bern, Switzerland","end_date":"2017-04-22","start_date":"2017-04-20","name":"TAMC: Theory and Applications of Models of Computation"},"type":"conference"},{"status":"public","project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"conference":{"start_date":"2017-10-30","end_date":"2017-11-03","location":"Dallas, TX, USA","name":"CCS: Conference on Computer and Communications Security"},"type":"conference","_id":"6527","title":"Practical graphs for optimal side-channel resistant memory-hard functions","department":[{"_id":"KrPi"}],"author":[{"id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F","last_name":"Alwen","full_name":"Alwen, Joel F"},{"first_name":"Jeremiah","full_name":"Blocki, Jeremiah","last_name":"Blocki"},{"first_name":"Ben","last_name":"Harsha","full_name":"Harsha, Ben"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"ista":"Alwen JF, Blocki J, Harsha B. 2017. Practical graphs for optimal side-channel resistant memory-hard functions. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. CCS: Conference on Computer and Communications Security, 1001–1017.","chicago":"Alwen, Joel F, Jeremiah Blocki, and Ben Harsha. “Practical Graphs for Optimal Side-Channel Resistant Memory-Hard Functions.” In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 1001–17. ACM Press, 2017. https://doi.org/10.1145/3133956.3134031.","short":"J.F. Alwen, J. Blocki, B. Harsha, in:, Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, ACM Press, 2017, pp. 1001–1017.","ieee":"J. F. Alwen, J. Blocki, and B. Harsha, “Practical graphs for optimal side-channel resistant memory-hard functions,” in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA, 2017, pp. 1001–1017.","ama":"Alwen JF, Blocki J, Harsha B. Practical graphs for optimal side-channel resistant memory-hard functions. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM Press; 2017:1001-1017. doi:10.1145/3133956.3134031","apa":"Alwen, J. F., Blocki, J., & Harsha, B. (2017). Practical graphs for optimal side-channel resistant memory-hard functions. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 1001–1017). Dallas, TX, USA: ACM Press. https://doi.org/10.1145/3133956.3134031","mla":"Alwen, Joel F., et al. “Practical Graphs for Optimal Side-Channel Resistant Memory-Hard Functions.” Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, ACM Press, 2017, pp. 1001–17, doi:10.1145/3133956.3134031."},"date_updated":"2021-01-12T08:07:53Z","month":"10","main_file_link":[{"url":"https://eprint.iacr.org/2017/443","open_access":"1"}],"oa":1,"quality_controlled":"1","scopus_import":1,"publisher":"ACM Press","oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"A memory-hard function (MHF) ƒn with parameter n can be computed in sequential time and space n. Simultaneously, a high amortized parallel area-time complexity (aAT) is incurred per evaluation. In practice, MHFs are used to limit the rate at which an adversary (using a custom computational device) can evaluate a security sensitive function that still occasionally needs to be evaluated by honest users (using an off-the-shelf general purpose device). The most prevalent examples of such sensitive functions are Key Derivation Functions (KDFs) and password hashing algorithms where rate limits help mitigate off-line dictionary attacks. As the honest users' inputs to these functions are often (low-entropy) passwords special attention is given to a class of side-channel resistant MHFs called iMHFs.\r\n\r\nEssentially all iMHFs can be viewed as some mode of operation (making n calls to some round function) given by a directed acyclic graph (DAG) with very low indegree. Recently, a combinatorial property of a DAG has been identified (called \"depth-robustness\") which results in good provable security for an iMHF based on that DAG. Depth-robust DAGs have also proven useful in other cryptographic applications. Unfortunately, up till now, all known very depth-robust DAGs are impractically complicated and little is known about their exact (i.e. non-asymptotic) depth-robustness both in theory and in practice.\r\n\r\nIn this work we build and analyze (both formally and empirically) several exceedingly simple and efficient to navigate practical DAGs for use in iMHFs and other applications. For each DAG we:\r\n*Prove that their depth-robustness is asymptotically maximal.\r\n*Prove bounds of at least 3 orders of magnitude better on their exact depth-robustness compared to known bounds for other practical iMHF.\r\n*Implement and empirically evaluate their depth-robustness and aAT against a variety of state-of-the art (and several new) depth-reduction and low aAT attacks. \r\nWe find that, against all attacks, the new DAGs perform significantly better in practice than Argon2i, the most widely deployed iMHF in practice.\r\n\r\nAlong the way we also improve the best known empirical attacks on the aAT of Argon2i by implementing and testing several heuristic versions of a (hitherto purely theoretical) depth-reduction attack. Finally, we demonstrate practicality of our constructions by modifying the Argon2i code base to use one of the new high aAT DAGs. Experimental benchmarks on a standard off-the-shelf CPU show that the new modifications do not adversely affect the impressive throughput of Argon2i (despite seemingly enjoying significantly higher aAT).\r\n"}],"ec_funded":1,"date_created":"2019-06-06T13:21:29Z","doi":"10.1145/3133956.3134031","date_published":"2017-10-30T00:00:00Z","page":"1001-1017","publication":"Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security","language":[{"iso":"eng"}],"day":"30","publication_status":"published","year":"2017","publication_identifier":{"isbn":["9781450349468"]}},{"day":"09","publication":"2017 IEEE International Symposium on Information Theory (ISIT)","year":"2017","doi":"10.1109/isit.2017.8006529","date_published":"2017-08-09T00:00:00Z","date_created":"2019-06-06T12:53:09Z","quality_controlled":"1","publisher":"IEEE","oa":1,"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Skórski, Maciej. “On the Complexity of Estimating Rènyi Divergences.” 2017 IEEE International Symposium on Information Theory (ISIT), 8006529, IEEE, 2017, doi:10.1109/isit.2017.8006529.","short":"M. Skórski, in:, 2017 IEEE International Symposium on Information Theory (ISIT), IEEE, 2017.","ieee":"M. Skórski, “On the complexity of estimating Rènyi divergences,” in 2017 IEEE International Symposium on Information Theory (ISIT), Aachen, Germany, 2017.","ama":"Skórski M. On the complexity of estimating Rènyi divergences. In: 2017 IEEE International Symposium on Information Theory (ISIT). IEEE; 2017. doi:10.1109/isit.2017.8006529","apa":"Skórski, M. (2017). On the complexity of estimating Rènyi divergences. In 2017 IEEE International Symposium on Information Theory (ISIT). Aachen, Germany: IEEE. https://doi.org/10.1109/isit.2017.8006529","chicago":"Skórski, Maciej. “On the Complexity of Estimating Rènyi Divergences.” In 2017 IEEE International Symposium on Information Theory (ISIT). IEEE, 2017. https://doi.org/10.1109/isit.2017.8006529.","ista":"Skórski M. 2017. On the complexity of estimating Rènyi divergences. 2017 IEEE International Symposium on Information Theory (ISIT). ISIT: International Symposium on Information Theory, 8006529."},"title":"On the complexity of estimating Rènyi divergences","author":[{"first_name":"Maciej","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD","last_name":"Skórski","full_name":"Skórski, Maciej"}],"external_id":{"arxiv":["1702.01666"]},"article_number":"8006529","project":[{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"language":[{"iso":"eng"}],"publication_identifier":{"isbn":["9781509040964"]},"publication_status":"published","ec_funded":1,"oa_version":"Preprint","abstract":[{"lang":"eng","text":"This paper studies the complexity of estimating Rényi divergences of discrete distributions: p observed from samples and the baseline distribution q known a priori. Extending the results of Acharya et al. (SODA'15) on estimating Rényi entropy, we present improved estimation techniques together with upper and lower bounds on the sample complexity. We show that, contrarily to estimating Rényi entropy where a sublinear (in the alphabet size) number of samples suffices, the sample complexity is heavily dependent on events occurring unlikely in q, and is unbounded in general (no matter what an estimation technique is used). For any divergence of integer order bigger than 1, we provide upper and lower bounds on the number of samples dependent on probabilities of p and q (the lower bounds hold for non-integer orders as well). We conclude that the worst-case sample complexity is polynomial in the alphabet size if and only if the probabilities of q are non-negligible. This gives theoretical insights into heuristics used in the applied literature to handle numerical instability, which occurs for small probabilities of q. Our result shows that they should be handled with care not only because of numerical issues, but also because of a blow up in the sample complexity."}],"month":"08","scopus_import":1,"main_file_link":[{"url":"https://arxiv.org/abs/1702.01666","open_access":"1"}],"date_updated":"2021-01-12T08:07:53Z","department":[{"_id":"KrPi"}],"_id":"6526","status":"public","type":"conference","conference":{"name":"ISIT: International Symposium on Information Theory","start_date":"2017-06-25","location":"Aachen, Germany","end_date":"2017-06-30"}},{"year":"2017","has_accepted_license":"1","day":"01","date_created":"2018-12-11T11:47:59Z","date_published":"2017-07-01T00:00:00Z","doi":"10.4230/LIPIcs.ICALP.2017.39","oa":1,"quality_controlled":"1","publisher":"Schloss Dagstuhl - Leibniz-Zentrum für Informatik","citation":{"chicago":"Pietrzak, Krzysztof Z, and Maciej Skórski. “Non Uniform Attacks against Pseudoentropy,” Vol. 80. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017. https://doi.org/10.4230/LIPIcs.ICALP.2017.39.","ista":"Pietrzak KZ, Skórski M. 2017. Non uniform attacks against pseudoentropy. ICALP: International Colloquium on Automata, Languages, and Programming, LIPIcs, vol. 80, 39.","mla":"Pietrzak, Krzysztof Z., and Maciej Skórski. Non Uniform Attacks against Pseudoentropy. Vol. 80, 39, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, doi:10.4230/LIPIcs.ICALP.2017.39.","short":"K.Z. Pietrzak, M. Skórski, in:, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017.","ieee":"K. Z. Pietrzak and M. Skórski, “Non uniform attacks against pseudoentropy,” presented at the ICALP: International Colloquium on Automata, Languages, and Programming, Warsaw, Poland, 2017, vol. 80.","apa":"Pietrzak, K. Z., & Skórski, M. (2017). Non uniform attacks against pseudoentropy (Vol. 80). Presented at the ICALP: International Colloquium on Automata, Languages, and Programming, Warsaw, Poland: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. https://doi.org/10.4230/LIPIcs.ICALP.2017.39","ama":"Pietrzak KZ, Skórski M. Non uniform attacks against pseudoentropy. In: Vol 80. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2017. doi:10.4230/LIPIcs.ICALP.2017.39"},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","author":[{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"},{"last_name":"Skórski","full_name":"Skórski, Maciej","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD","first_name":"Maciej"}],"publist_id":"7003","title":"Non uniform attacks against pseudoentropy","article_number":"39","project":[{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}],"publication_status":"published","publication_identifier":{"issn":["18688969"]},"language":[{"iso":"eng"}],"file":[{"creator":"system","date_updated":"2020-07-14T12:47:46Z","file_size":601004,"date_created":"2018-12-12T10:08:40Z","file_name":"IST-2017-893-v1+1_LIPIcs-ICALP-2017-39.pdf","access_level":"open_access","relation":"main_file","content_type":"application/pdf","file_id":"4701","checksum":"e95618a001692f1af2d68f5fde43bc1f"}],"ec_funded":1,"volume":80,"abstract":[{"lang":"eng","text":"De, Trevisan and Tulsiani [CRYPTO 2010] show that every distribution over n-bit strings which has constant statistical distance to uniform (e.g., the output of a pseudorandom generator mapping n-1 to n bit strings), can be distinguished from the uniform distribution with advantage epsilon by a circuit of size O( 2^n epsilon^2). We generalize this result, showing that a distribution which has less than k bits of min-entropy, can be distinguished from any distribution with k bits of delta-smooth min-entropy with advantage epsilon by a circuit of size O(2^k epsilon^2/delta^2). As a special case, this implies that any distribution with support at most 2^k (e.g., the output of a pseudoentropy generator mapping k to n bit strings) can be distinguished from any given distribution with min-entropy k+1 with advantage epsilon by a circuit of size O(2^k epsilon^2). Our result thus shows that pseudoentropy distributions face basically the same non-uniform attacks as pseudorandom distributions. "}],"oa_version":"Published Version","scopus_import":1,"alternative_title":["LIPIcs"],"intvolume":" 80","month":"07","date_updated":"2021-01-12T08:11:15Z","ddc":["005"],"file_date_updated":"2020-07-14T12:47:46Z","department":[{"_id":"KrPi"}],"_id":"697","conference":{"start_date":"2017-07-10","end_date":"2017-07-14","location":"Warsaw, Poland","name":"ICALP: International Colloquium on Automata, Languages, and Programming"},"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"type":"conference","pubrep_id":"893","status":"public"},{"intvolume":" 81","month":"08","alternative_title":["LIPIcs"],"scopus_import":1,"oa_version":"Published Version","abstract":[{"text":"We revisit the problem of estimating entropy of discrete distributions from independent samples, studied recently by Acharya, Orlitsky, Suresh and Tyagi (SODA 2015), improving their upper and lower bounds on the necessary sample size n. For estimating Renyi entropy of order alpha, up to constant accuracy and error probability, we show the following * Upper bounds n = O(1) 2^{(1-1/alpha)H_alpha} for integer alpha>1, as the worst case over distributions with Renyi entropy equal to H_alpha. * Lower bounds n = Omega(1) K^{1-1/alpha} for any real alpha>1, with the constant being an inverse polynomial of the accuracy, as the worst case over all distributions on K elements. Our upper bounds essentially replace the alphabet size by a factor exponential in the entropy, which offers improvements especially in low or medium entropy regimes (interesting for example in anomaly detection). As for the lower bounds, our proof explicitly shows how the complexity depends on both alphabet and accuracy, partially solving the open problem posted in previous works. The argument for upper bounds derives a clean identity for the variance of falling-power sum of a multinomial distribution. Our approach for lower bounds utilizes convex optimization to find a distribution with possibly worse estimation performance, and may be of independent interest as a tool to work with Le Cam’s two point method. ","lang":"eng"}],"ec_funded":1,"volume":81,"language":[{"iso":"eng"}],"file":[{"file_name":"IST-2017-888-v1+1_LIPIcs-APPROX-RANDOM-2017-20.pdf","date_created":"2018-12-12T10:13:10Z","creator":"system","file_size":604813,"date_updated":"2020-07-14T12:47:49Z","file_id":"4991","checksum":"89225c7dcec2c93838458c9102858985","relation":"main_file","access_level":"open_access","content_type":"application/pdf"}],"publication_status":"published","publication_identifier":{"issn":["18688969"]},"pubrep_id":"888","status":"public","conference":{"name":"20th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems, APPROX","location":"Berkeley, USA","end_date":"2017-08-18","start_date":"2017-08-18"},"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"type":"conference","_id":"710","department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:47:49Z","ddc":["005","600"],"date_updated":"2021-01-12T08:11:50Z","oa":1,"quality_controlled":"1","publisher":"Schloss Dagstuhl - Leibniz-Zentrum für Informatik","date_created":"2018-12-11T11:48:04Z","date_published":"2017-08-01T00:00:00Z","doi":"10.4230/LIPIcs.APPROX-RANDOM.2017.20","day":"01","year":"2017","has_accepted_license":"1","project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"article_number":"20","title":"Renyi entropy estimation revisited","publist_id":"6979","author":[{"full_name":"Obremski, Maciej","last_name":"Obremski","first_name":"Maciej"},{"last_name":"Skórski","full_name":"Skórski, Maciej","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD","first_name":"Maciej"}],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"short":"M. Obremski, M. Skórski, in:, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017.","ieee":"M. Obremski and M. Skórski, “Renyi entropy estimation revisited,” presented at the 20th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems, APPROX, Berkeley, USA, 2017, vol. 81.","ama":"Obremski M, Skórski M. Renyi entropy estimation revisited. In: Vol 81. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2017. doi:10.4230/LIPIcs.APPROX-RANDOM.2017.20","apa":"Obremski, M., & Skórski, M. (2017). Renyi entropy estimation revisited (Vol. 81). Presented at the 20th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems, APPROX, Berkeley, USA: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. https://doi.org/10.4230/LIPIcs.APPROX-RANDOM.2017.20","mla":"Obremski, Maciej, and Maciej Skórski. Renyi Entropy Estimation Revisited. Vol. 81, 20, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, doi:10.4230/LIPIcs.APPROX-RANDOM.2017.20.","ista":"Obremski M, Skórski M. 2017. Renyi entropy estimation revisited. 20th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems, APPROX, LIPIcs, vol. 81, 20.","chicago":"Obremski, Maciej, and Maciej Skórski. “Renyi Entropy Estimation Revisited,” Vol. 81. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017. https://doi.org/10.4230/LIPIcs.APPROX-RANDOM.2017.20."}},{"title":"(The exact security of) Message authentication codes","article_processing_charge":"No","author":[{"first_name":"Michal","id":"2B3E3DE8-F248-11E8-B48F-1D18A9856A87","last_name":"Rybar","full_name":"Rybar, Michal"}],"publist_id":"6810","user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"chicago":"Rybar, Michal. “(The Exact Security of) Message Authentication Codes.” Institute of Science and Technology Austria, 2017. https://doi.org/10.15479/AT:ISTA:th_828.","ista":"Rybar M. 2017. (The exact security of) Message authentication codes. Institute of Science and Technology Austria.","mla":"Rybar, Michal. (The Exact Security of) Message Authentication Codes. Institute of Science and Technology Austria, 2017, doi:10.15479/AT:ISTA:th_828.","short":"M. Rybar, (The Exact Security of) Message Authentication Codes, Institute of Science and Technology Austria, 2017.","ieee":"M. Rybar, “(The exact security of) Message authentication codes,” Institute of Science and Technology Austria, 2017.","ama":"Rybar M. (The exact security of) Message authentication codes. 2017. doi:10.15479/AT:ISTA:th_828","apa":"Rybar, M. (2017). (The exact security of) Message authentication codes. Institute of Science and Technology Austria. https://doi.org/10.15479/AT:ISTA:th_828"},"oa":1,"publisher":"Institute of Science and Technology Austria","date_created":"2018-12-11T11:48:46Z","doi":"10.15479/AT:ISTA:th_828","date_published":"2017-06-26T00:00:00Z","page":"86","day":"26","year":"2017","has_accepted_license":"1","pubrep_id":"828","status":"public","type":"dissertation","_id":"838","department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:48:12Z","ddc":["000"],"date_updated":"2023-09-07T12:02:28Z","month":"06","alternative_title":["ISTA Thesis"],"oa_version":"Published Version","abstract":[{"text":"In this thesis we discuss the exact security of message authentications codes HMAC , NMAC , and PMAC . NMAC is a mode of operation which turns a fixed input-length keyed hash function f into a variable input-length function. A practical single-key variant of NMAC called HMAC is a very popular and widely deployed message authentication code (MAC). PMAC is a block-cipher based mode of operation, which also happens to be the most famous fully parallel MAC. NMAC was introduced by Bellare, Canetti and Krawczyk Crypto’96, who proved it to be a secure pseudorandom function (PRF), and thus also a MAC, under two assumptions. Unfortunately, for many instantiations of HMAC one of them has been found to be wrong. To restore the provable guarantees for NMAC , Bellare [Crypto’06] showed its security without this assumption. PMAC was introduced by Black and Rogaway at Eurocrypt 2002. If instantiated with a pseudorandom permutation over n -bit strings, PMAC constitutes a provably secure variable input-length PRF. For adversaries making q queries, each of length at most ` (in n -bit blocks), and of total length σ ≤ q` , the original paper proves an upper bound on the distinguishing advantage of O ( σ 2 / 2 n ), while the currently best bound is O ( qσ/ 2 n ). In this work we show that this bound is tight by giving an attack with advantage Ω( q 2 `/ 2 n ). In the PMAC construction one initially XORs a mask to every message block, where the mask for the i th block is computed as τ i := γ i · L , where L is a (secret) random value, and γ i is the i -th codeword of the Gray code. Our attack applies more generally to any sequence of γ i ’s which contains a large coset of a subgroup of GF (2 n ). As for NMAC , our first contribution is a simpler and uniform proof: If f is an ε -secure PRF (against q queries) and a δ - non-adaptively secure PRF (against q queries), then NMAC f is an ( ε + `qδ )-secure PRF against q queries of length at most ` blocks each. We also show that this ε + `qδ bound is basically tight by constructing an f for which an attack with advantage `qδ exists. Moreover, we analyze the PRF-security of a modification of NMAC called NI by An and Bellare that avoids the constant rekeying on multi-block messages in NMAC and allows for an information-theoretic analysis. We carry out such an analysis, obtaining a tight `q 2 / 2 c bound for this step, improving over the trivial bound of ` 2 q 2 / 2 c . Finally, we investigate, if the security of PMAC can be further improved by using τ i ’s that are k -wise independent, for k > 1 (the original has k = 1). We observe that the security of PMAC will not increase in general if k = 2, and then prove that the security increases to O ( q 2 / 2 n ), if the k = 4. Due to simple extension attacks, this is the best bound one can hope for, using any distribution on the masks. Whether k = 3 is already sufficient to get this level of security is left as an open problem. Keywords: Message authentication codes, Pseudorandom functions, HMAC, PMAC. ","lang":"eng"}],"related_material":{"record":[{"relation":"part_of_dissertation","status":"public","id":"2082"},{"id":"6196","status":"public","relation":"part_of_dissertation"}]},"language":[{"iso":"eng"}],"file":[{"date_created":"2018-12-12T10:10:13Z","file_name":"IST-2017-828-v1+3_2017_Rybar_thesis.pdf","date_updated":"2020-07-14T12:48:12Z","file_size":847400,"creator":"system","file_id":"4799","checksum":"ff8639ec4bded6186f44c7bd3ee26804","content_type":"application/pdf","access_level":"open_access","relation":"main_file"},{"checksum":"3462101745ce8ad199c2d0f75dae4a7e","file_id":"6202","access_level":"closed","relation":"source_file","content_type":"application/zip","date_created":"2019-04-05T08:24:11Z","file_name":"2017_Thesis_Rybar_source.zip","creator":"dernst","date_updated":"2020-07-14T12:48:12Z","file_size":26054879}],"degree_awarded":"PhD","publication_status":"published","publication_identifier":{"issn":["2663-337X"]}},{"ddc":["000"],"date_updated":"2023-09-07T12:02:27Z","file_date_updated":"2020-07-14T12:47:24Z","department":[{"_id":"KrPi"}],"_id":"6196","status":"public","type":"journal_article","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"file":[{"checksum":"f23161d685dd957ae8d7274132999684","file_id":"6197","relation":"main_file","access_level":"open_access","content_type":"application/pdf","file_name":"2017_IACR_Gazi.pdf","date_created":"2019-04-04T13:53:58Z","creator":"dernst","file_size":597335,"date_updated":"2020-07-14T12:47:24Z"}],"language":[{"iso":"eng"}],"publication_identifier":{"eissn":["2519-173X"]},"publication_status":"published","related_material":{"record":[{"relation":"dissertation_contains","id":"838","status":"public"}]},"issue":"2","volume":2016,"ec_funded":1,"oa_version":"Published Version","abstract":[{"text":"PMAC is a simple and parallel block-cipher mode of operation, which was introduced by Black and Rogaway at Eurocrypt 2002. If instantiated with a (pseudo)random permutation over n-bit strings, PMAC constitutes a provably secure variable input-length (pseudo)random function. For adversaries making q queries, each of length at most l (in n-bit blocks), and of total length σ ≤ ql, the original paper proves an upper bound on the distinguishing advantage of Ο(σ2/2n), while the currently best bound is Ο (qσ/2n).In this work we show that this bound is tight by giving an attack with advantage Ω (q2l/2n). In the PMAC construction one initially XORs a mask to every message block, where the mask for the ith block is computed as τi := γi·L, where L is a (secret) random value, and γi is the i-th codeword of the Gray code. Our attack applies more generally to any sequence of γi’s which contains a large coset of a subgroup of GF(2n). We then investigate if the security of PMAC can be further improved by using τi’s that are k-wise independent, for k > 1 (the original distribution is only 1-wise independent). We observe that the security of PMAC will not increase in general, even if the masks are chosen from a 2-wise independent distribution, and then prove that the security increases to O(q<2/2n), if the τi are 4-wise independent. Due to simple extension attacks, this is the best bound one can hope for, using any distribution on the masks. Whether 3-wise independence is already sufficient to get this level of security is left as an open problem.","lang":"eng"}],"month":"02","intvolume":" 2016","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"ama":"Gazi P, Pietrzak KZ, Rybar M. The exact security of PMAC. IACR Transactions on Symmetric Cryptology. 2017;2016(2):145-161. doi:10.13154/TOSC.V2016.I2.145-161","apa":"Gazi, P., Pietrzak, K. Z., & Rybar, M. (2017). The exact security of PMAC. IACR Transactions on Symmetric Cryptology. Ruhr University Bochum. https://doi.org/10.13154/TOSC.V2016.I2.145-161","short":"P. Gazi, K.Z. Pietrzak, M. Rybar, IACR Transactions on Symmetric Cryptology 2016 (2017) 145–161.","ieee":"P. Gazi, K. Z. Pietrzak, and M. Rybar, “The exact security of PMAC,” IACR Transactions on Symmetric Cryptology, vol. 2016, no. 2. Ruhr University Bochum, pp. 145–161, 2017.","mla":"Gazi, Peter, et al. “The Exact Security of PMAC.” IACR Transactions on Symmetric Cryptology, vol. 2016, no. 2, Ruhr University Bochum, 2017, pp. 145–61, doi:10.13154/TOSC.V2016.I2.145-161.","ista":"Gazi P, Pietrzak KZ, Rybar M. 2017. The exact security of PMAC. IACR Transactions on Symmetric Cryptology. 2016(2), 145–161.","chicago":"Gazi, Peter, Krzysztof Z Pietrzak, and Michal Rybar. “The Exact Security of PMAC.” IACR Transactions on Symmetric Cryptology. Ruhr University Bochum, 2017. https://doi.org/10.13154/TOSC.V2016.I2.145-161."},"title":"The exact security of PMAC","author":[{"first_name":"Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","full_name":"Gazi, Peter","last_name":"Gazi"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"},{"last_name":"Rybar","full_name":"Rybar, Michal","first_name":"Michal","id":"2B3E3DE8-F248-11E8-B48F-1D18A9856A87"}],"project":[{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"day":"03","publication":"IACR Transactions on Symmetric Cryptology","has_accepted_license":"1","year":"2017","doi":"10.13154/TOSC.V2016.I2.145-161","date_published":"2017-02-03T00:00:00Z","date_created":"2019-04-04T13:48:23Z","page":"145-161","publisher":"Ruhr University Bochum","quality_controlled":"1","oa":1},{"date_updated":"2023-09-07T12:30:22Z","department":[{"_id":"KrPi"}],"_id":"559","type":"conference","conference":{"name":"ASIACRYPT: Theory and Applications of Cryptology and Information Security","start_date":"2017-12-03","location":"Hong Kong, China","end_date":"2017-12-07"},"status":"public","publication_identifier":{"isbn":["978-331970696-2"]},"publication_status":"published","language":[{"iso":"eng"}],"volume":10625,"related_material":{"record":[{"relation":"dissertation_contains","status":"public","id":"83"}]},"ec_funded":1,"abstract":[{"text":"Proofs of space (PoS) were suggested as more ecological and economical alternative to proofs of work, which are currently used in blockchain designs like Bitcoin. The existing PoS are based on rather sophisticated graph pebbling lower bounds. Much simpler and in several aspects more efficient schemes based on inverting random functions have been suggested, but they don’t give meaningful security guarantees due to existing time-memory trade-offs. In particular, Hellman showed that any permutation over a domain of size N can be inverted in time T by an algorithm that is given S bits of auxiliary information whenever (Formula presented). For functions Hellman gives a weaker attack with S2· T≈ N2 (e.g., S= T≈ N2/3). To prove lower bounds, one considers an adversary who has access to an oracle f: [ N] → [N] and can make T oracle queries. The best known lower bound is S· T∈ Ω(N) and holds for random functions and permutations. We construct functions that provably require more time and/or space to invert. Specifically, for any constant k we construct a function [N] → [N] that cannot be inverted unless Sk· T∈ Ω(Nk) (in particular, S= T≈ (Formula presented). Our construction does not contradict Hellman’s time-memory trade-off, because it cannot be efficiently evaluated in forward direction. However, its entire function table can be computed in time quasilinear in N, which is sufficient for the PoS application. Our simplest construction is built from a random function oracle g: [N] × [N] → [ N] and a random permutation oracle f: [N] → N] and is defined as h(x) = g(x, x′) where f(x) = π(f(x′)) with π being any involution without a fixed point, e.g. flipping all the bits. For this function we prove that any adversary who gets S bits of auxiliary information, makes at most T oracle queries, and inverts h on an ϵ fraction of outputs must satisfy S2· T∈ Ω(ϵ2N2).","lang":"eng"}],"oa_version":"Submitted Version","scopus_import":1,"alternative_title":["LNCS"],"main_file_link":[{"url":"https://eprint.iacr.org/2017/893.pdf","open_access":"1"}],"month":"11","intvolume":" 10625","citation":{"chicago":"Abusalah, Hamza M, Joel F Alwen, Bram Cohen, Danylo Khilko, Krzysztof Z Pietrzak, and Leonid Reyzin. “Beyond Hellman’s Time-Memory Trade-Offs with Applications to Proofs of Space,” 10625:357–79. Springer, 2017. https://doi.org/10.1007/978-3-319-70697-9_13.","ista":"Abusalah HM, Alwen JF, Cohen B, Khilko D, Pietrzak KZ, Reyzin L. 2017. Beyond Hellman’s time-memory trade-offs with applications to proofs of space. ASIACRYPT: Theory and Applications of Cryptology and Information Security, LNCS, vol. 10625, 357–379.","mla":"Abusalah, Hamza M., et al. Beyond Hellman’s Time-Memory Trade-Offs with Applications to Proofs of Space. Vol. 10625, Springer, 2017, pp. 357–79, doi:10.1007/978-3-319-70697-9_13.","ieee":"H. M. Abusalah, J. F. Alwen, B. Cohen, D. Khilko, K. Z. Pietrzak, and L. Reyzin, “Beyond Hellman’s time-memory trade-offs with applications to proofs of space,” presented at the ASIACRYPT: Theory and Applications of Cryptology and Information Security, Hong Kong, China, 2017, vol. 10625, pp. 357–379.","short":"H.M. Abusalah, J.F. Alwen, B. Cohen, D. Khilko, K.Z. Pietrzak, L. Reyzin, in:, Springer, 2017, pp. 357–379.","ama":"Abusalah HM, Alwen JF, Cohen B, Khilko D, Pietrzak KZ, Reyzin L. Beyond Hellman’s time-memory trade-offs with applications to proofs of space. In: Vol 10625. Springer; 2017:357-379. doi:10.1007/978-3-319-70697-9_13","apa":"Abusalah, H. M., Alwen, J. F., Cohen, B., Khilko, D., Pietrzak, K. Z., & Reyzin, L. (2017). Beyond Hellman’s time-memory trade-offs with applications to proofs of space (Vol. 10625, pp. 357–379). Presented at the ASIACRYPT: Theory and Applications of Cryptology and Information Security, Hong Kong, China: Springer. https://doi.org/10.1007/978-3-319-70697-9_13"},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","author":[{"first_name":"Hamza M","id":"40297222-F248-11E8-B48F-1D18A9856A87","last_name":"Abusalah","full_name":"Abusalah, Hamza M"},{"first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","last_name":"Alwen","full_name":"Alwen, Joel F"},{"full_name":"Cohen, Bram","last_name":"Cohen","first_name":"Bram"},{"first_name":"Danylo","last_name":"Khilko","full_name":"Khilko, Danylo"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"},{"first_name":"Leonid","last_name":"Reyzin","full_name":"Reyzin, Leonid"}],"publist_id":"7257","title":"Beyond Hellman’s time-memory trade-offs with applications to proofs of space","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","grant_number":"682815","name":"Teaching Old Crypto New Tricks"}],"year":"2017","day":"18","page":"357 - 379","date_published":"2017-11-18T00:00:00Z","doi":"10.1007/978-3-319-70697-9_13","date_created":"2018-12-11T11:47:10Z","quality_controlled":"1","publisher":"Springer","oa":1},{"publication_status":"published","publication_identifier":{"isbn":["978-331963687-0"]},"language":[{"iso":"eng"}],"ec_funded":1,"related_material":{"record":[{"relation":"dissertation_contains","id":"10035","status":"public"}]},"volume":10401,"abstract":[{"text":"For many cryptographic primitives, it is relatively easy to achieve selective security (where the adversary commits a-priori to some of the choices to be made later in the attack) but appears difficult to achieve the more natural notion of adaptive security (where the adversary can make all choices on the go as the attack progresses). A series of several recent works shows how to cleverly achieve adaptive security in several such scenarios including generalized selective decryption (Panjwani, TCC ’07 and Fuchsbauer et al., CRYPTO ’15), constrained PRFs (Fuchsbauer et al., ASIACRYPT ’14), and Yao garbled circuits (Jafargholi and Wichs, TCC ’16b). Although the above works expressed vague intuition that they share a common technique, the connection was never made precise. In this work we present a new framework that connects all of these works and allows us to present them in a unified and simplified fashion. Moreover, we use the framework to derive a new result for adaptively secure secret sharing over access structures defined via monotone circuits. We envision that further applications will follow in the future. Underlying our framework is the following simple idea. It is well known that selective security, where the adversary commits to n-bits of information about his future choices, automatically implies adaptive security at the cost of amplifying the adversary’s advantage by a factor of up to 2n. However, in some cases the proof of selective security proceeds via a sequence of hybrids, where each pair of adjacent hybrids locally only requires some smaller partial information consisting of m ≪ n bits. The partial information needed might be completely different between different pairs of hybrids, and if we look across all the hybrids we might rely on the entire n-bit commitment. Nevertheless, the above is sufficient to prove adaptive security, at the cost of amplifying the adversary’s advantage by a factor of only 2m ≪ 2n. In all of our examples using the above framework, the different hybrids are captured by some sort of a graph pebbling game and the amount of information that the adversary needs to commit to in each pair of hybrids is bounded by the maximum number of pebbles in play at any point in time. Therefore, coming up with better strategies for proving adaptive security translates to various pebbling strategies for different types of graphs.","lang":"eng"}],"oa_version":"Submitted Version","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2017/515"}],"alternative_title":["LNCS"],"scopus_import":1,"intvolume":" 10401","month":"01","date_updated":"2023-09-07T13:32:11Z","department":[{"_id":"KrPi"}],"_id":"637","conference":{"name":"CRYPTO: Cryptology","location":"Santa Barbara, CA, United States","end_date":"2017-07-24","start_date":"2017-07-20"},"type":"conference","status":"public","year":"2017","day":"01","page":"133 - 163","date_created":"2018-12-11T11:47:38Z","doi":"10.1007/978-3-319-63688-7_5","date_published":"2017-01-01T00:00:00Z","oa":1,"publisher":"Springer","quality_controlled":"1","citation":{"ista":"Jafargholi Z, Kamath Hosdurg C, Klein K, Komargodski I, Pietrzak KZ, Wichs D. 2017. Be adaptive avoid overcommitting. CRYPTO: Cryptology, LNCS, vol. 10401, 133–163.","chicago":"Jafargholi, Zahra, Chethan Kamath Hosdurg, Karen Klein, Ilan Komargodski, Krzysztof Z Pietrzak, and Daniel Wichs. “Be Adaptive Avoid Overcommitting.” edited by Jonathan Katz and Hovav Shacham, 10401:133–63. Springer, 2017. https://doi.org/10.1007/978-3-319-63688-7_5.","ama":"Jafargholi Z, Kamath Hosdurg C, Klein K, Komargodski I, Pietrzak KZ, Wichs D. Be adaptive avoid overcommitting. In: Katz J, Shacham H, eds. Vol 10401. Springer; 2017:133-163. doi:10.1007/978-3-319-63688-7_5","apa":"Jafargholi, Z., Kamath Hosdurg, C., Klein, K., Komargodski, I., Pietrzak, K. Z., & Wichs, D. (2017). Be adaptive avoid overcommitting. In J. Katz & H. Shacham (Eds.) (Vol. 10401, pp. 133–163). Presented at the CRYPTO: Cryptology, Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-319-63688-7_5","ieee":"Z. Jafargholi, C. Kamath Hosdurg, K. Klein, I. Komargodski, K. Z. Pietrzak, and D. Wichs, “Be adaptive avoid overcommitting,” presented at the CRYPTO: Cryptology, Santa Barbara, CA, United States, 2017, vol. 10401, pp. 133–163.","short":"Z. Jafargholi, C. Kamath Hosdurg, K. Klein, I. Komargodski, K.Z. Pietrzak, D. Wichs, in:, J. Katz, H. Shacham (Eds.), Springer, 2017, pp. 133–163.","mla":"Jafargholi, Zahra, et al. Be Adaptive Avoid Overcommitting. Edited by Jonathan Katz and Hovav Shacham, vol. 10401, Springer, 2017, pp. 133–63, doi:10.1007/978-3-319-63688-7_5."},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","publist_id":"7151","author":[{"first_name":"Zahra","last_name":"Jafargholi","full_name":"Jafargholi, Zahra"},{"last_name":"Kamath Hosdurg","full_name":"Kamath Hosdurg, Chethan","first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Klein, Karen","last_name":"Klein","id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","first_name":"Karen"},{"last_name":"Komargodski","full_name":"Komargodski, Ilan","first_name":"Ilan"},{"orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"},{"full_name":"Wichs, Daniel","last_name":"Wichs","first_name":"Daniel"}],"editor":[{"first_name":"Jonathan","last_name":"Katz","full_name":"Katz, Jonathan"},{"full_name":"Shacham, Hovav","last_name":"Shacham","first_name":"Hovav"}],"title":"Be adaptive avoid overcommitting","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}]},{"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"Security of cryptographic applications is typically defined by security games. The adversary, within certain resources, cannot win with probability much better than 0 (for unpredictability applications, like one-way functions) or much better than 1/2 (indistinguishability applications for instance encryption schemes). In so called squared-friendly applications the winning probability of the adversary, for different values of the application secret randomness, is not only close to 0 or 1/2 on average, but also concentrated in the sense that its second central moment is small. The class of squared-friendly applications, which contains all unpredictability applications and many indistinguishability applications, is particularly important for key derivation. Barak et al. observed that for square-friendly applications one can beat the "RT-bound", extracting secure keys with significantly smaller entropy loss. In turn Dodis and Yu showed that in squared-friendly applications one can directly use a "weak" key, which has only high entropy, as a secure key. In this paper we give sharp lower bounds on square security assuming security for "weak" keys. We show that any application which is either (a) secure with weak keys or (b) allows for entropy savings for keys derived by universal hashing, must be square-friendly. Quantitatively, our lower bounds match the positive results of Dodis and Yu and Barak et al. (TCC\\'13, CRYPTO\\'11) Hence, they can be understood as a general characterization of squared-friendly applications. While the positive results on squared-friendly applications where derived by one clever application of the Cauchy-Schwarz Inequality, for tight lower bounds we need more machinery. In our approach we use convex optimization techniques and some theory of circular matrices."}],"intvolume":" 66","month":"03","main_file_link":[{"open_access":"1","url":"http://drops.dagstuhl.de/opus/volltexte/2017/6976"}],"scopus_import":"1","alternative_title":["LIPIcs"],"language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"issn":["18688969"]},"ec_funded":1,"volume":66,"_id":"1174","status":"public","conference":{"name":"STACS: Symposium on Theoretical Aspects of Computer Science","start_date":"2017-03-08","end_date":"2017-03-11","location":"Hannover, Germany"},"type":"conference","date_updated":"2023-09-20T11:23:15Z","department":[{"_id":"KrPi"}],"oa":1,"publisher":"Schloss Dagstuhl - Leibniz-Zentrum für Informatik","quality_controlled":"1","day":"01","year":"2017","isi":1,"date_created":"2018-12-11T11:50:32Z","doi":"10.4230/LIPIcs.STACS.2017.57","date_published":"2017-03-01T00:00:00Z","article_number":"57","project":[{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815","name":"Teaching Old Crypto New Tricks"}],"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"chicago":"Skórski, Maciej. “Lower Bounds on Key Derivation for Square-Friendly Applications,” Vol. 66. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017. https://doi.org/10.4230/LIPIcs.STACS.2017.57.","ista":"Skórski M. 2017. Lower bounds on key derivation for square-friendly applications. STACS: Symposium on Theoretical Aspects of Computer Science, LIPIcs, vol. 66, 57.","mla":"Skórski, Maciej. Lower Bounds on Key Derivation for Square-Friendly Applications. Vol. 66, 57, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, doi:10.4230/LIPIcs.STACS.2017.57.","apa":"Skórski, M. (2017). Lower bounds on key derivation for square-friendly applications (Vol. 66). Presented at the STACS: Symposium on Theoretical Aspects of Computer Science, Hannover, Germany: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. https://doi.org/10.4230/LIPIcs.STACS.2017.57","ama":"Skórski M. Lower bounds on key derivation for square-friendly applications. In: Vol 66. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2017. doi:10.4230/LIPIcs.STACS.2017.57","short":"M. Skórski, in:, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017.","ieee":"M. Skórski, “Lower bounds on key derivation for square-friendly applications,” presented at the STACS: Symposium on Theoretical Aspects of Computer Science, Hannover, Germany, 2017, vol. 66."},"title":"Lower bounds on key derivation for square-friendly applications","external_id":{"isi":["000521077300057"]},"article_processing_charge":"No","publist_id":"6180","author":[{"full_name":"Skórski, Maciej","last_name":"Skórski","first_name":"Maciej","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD"}]},{"date_updated":"2023-09-20T11:22:25Z","department":[{"_id":"KrPi"}],"_id":"1176","status":"public","conference":{"name":"EuroS&P: European Symposium on Security and Privacy","start_date":"2017-04-26","location":"Paris, France","end_date":"2017-04-28"},"type":"conference","language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"isbn":["978-150905761-0"]},"oa_version":"Submitted Version","abstract":[{"text":"The algorithm Argon2i-B of Biryukov, Dinu and Khovratovich is currently being considered by the IRTF (Internet Research Task Force) as a new de-facto standard for password hashing. An older version (Argon2i-A) of the same algorithm was chosen as the winner of the recent Password Hashing Competition. An important competitor to Argon2i-B is the recently introduced Balloon Hashing (BH) algorithm of Corrigan-Gibs, Boneh and Schechter. A key security desiderata for any such algorithm is that evaluating it (even using a custom device) requires a large amount of memory amortized across multiple instances. Alwen and Blocki (CRYPTO 2016) introduced a class of theoretical attacks against Argon2i-A and BH. While these attacks yield large asymptotic reductions in the amount of memory, it was not, a priori, clear if (1) they can be extended to the newer Argon2i-B, (2) the attacks are effective on any algorithm for practical parameter ranges (e.g., 1GB of memory) and (3) if they can be effectively instantiated against any algorithm under realistic hardware constrains. In this work we answer all three of these questions in the affirmative for all three algorithms. This is also the first work to analyze the security of Argon2i-B. In more detail, we extend the theoretical attacks of Alwen and Blocki (CRYPTO 2016) to the recent Argon2i-B proposal demonstrating severe asymptotic deficiencies in its security. Next we introduce several novel heuristics for improving the attack's concrete memory efficiency even when on-chip memory bandwidth is bounded. We then simulate our attacks on randomly sampled Argon2i-A, Argon2i-B and BH instances and measure the resulting memory consumption for various practical parameter ranges and for a variety of upperbounds on the amount of parallelism available to the attacker. Finally we describe, implement, and test a new heuristic for applying the Alwen-Blocki attack to functions employing a technique developed by Corrigan-Gibs et al. for improving concrete security of memory-hard functions. We analyze the collected data and show the effects various parameters have on the memory consumption of the attack. In particular, we can draw several interesting conclusions about the level of security provided by these functions. · For the Alwen-Blocki attack to fail against practical memory parameters, Argon2i-B must be instantiated with more than 10 passes on memory - beyond the \"paranoid\" parameter setting in the current IRTF proposal. · The technique of Corrigan-Gibs for improving security can also be overcome by the Alwen-Blocki attack under realistic hardware constraints. · On a positive note, both the asymptotic and concrete security of Argon2i-B seem to improve on that of Argon2i-A.","lang":"eng"}],"month":"07","main_file_link":[{"url":"https://eprint.iacr.org/2016/759","open_access":"1"}],"scopus_import":"1","user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"ista":"Alwen JF, Blocki J. 2017. Towards practical attacks on Argon2i and balloon hashing. EuroS&P: European Symposium on Security and Privacy, 7961977.","chicago":"Alwen, Joel F, and Jeremiah Blocki. “Towards Practical Attacks on Argon2i and Balloon Hashing.” IEEE, 2017. https://doi.org/10.1109/EuroSP.2017.47.","ama":"Alwen JF, Blocki J. Towards practical attacks on Argon2i and balloon hashing. In: IEEE; 2017. doi:10.1109/EuroSP.2017.47","apa":"Alwen, J. F., & Blocki, J. (2017). Towards practical attacks on Argon2i and balloon hashing. Presented at the EuroS&P: European Symposium on Security and Privacy, Paris, France: IEEE. https://doi.org/10.1109/EuroSP.2017.47","short":"J.F. Alwen, J. Blocki, in:, IEEE, 2017.","ieee":"J. F. Alwen and J. Blocki, “Towards practical attacks on Argon2i and balloon hashing,” presented at the EuroS&P: European Symposium on Security and Privacy, Paris, France, 2017.","mla":"Alwen, Joel F., and Jeremiah Blocki. Towards Practical Attacks on Argon2i and Balloon Hashing. 7961977, IEEE, 2017, doi:10.1109/EuroSP.2017.47."},"title":"Towards practical attacks on Argon2i and balloon hashing","article_processing_charge":"No","external_id":{"isi":["000424197300011"]},"publist_id":"6178","author":[{"first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","full_name":"Alwen, Joel F","last_name":"Alwen"},{"last_name":"Blocki","full_name":"Blocki, Jeremiah","first_name":"Jeremiah"}],"article_number":"7961977","day":"03","year":"2017","isi":1,"date_created":"2018-12-11T11:50:33Z","date_published":"2017-07-03T00:00:00Z","doi":"10.1109/EuroSP.2017.47","oa":1,"publisher":"IEEE","quality_controlled":"1"},{"publisher":"Springer","quality_controlled":"1","oa":1,"day":"01","publication":"Journal of Cryptology","has_accepted_license":"1","isi":1,"year":"2017","doi":"10.1007/s00145-016-9247-3","date_published":"2017-10-01T00:00:00Z","date_created":"2018-12-11T11:50:37Z","page":"1238 - 1275","project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"},{"grant_number":"259668","name":"Provable Security for Physical Cryptography","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"short":"E. Kiltz, K.Z. Pietrzak, D. Venturi, D. Cash, A. Jain, Journal of Cryptology 30 (2017) 1238–1275.","ieee":"E. Kiltz, K. Z. Pietrzak, D. Venturi, D. Cash, and A. Jain, “Efficient authentication from hard learning problems,” Journal of Cryptology, vol. 30, no. 4. Springer, pp. 1238–1275, 2017.","apa":"Kiltz, E., Pietrzak, K. Z., Venturi, D., Cash, D., & Jain, A. (2017). Efficient authentication from hard learning problems. Journal of Cryptology. Springer. https://doi.org/10.1007/s00145-016-9247-3","ama":"Kiltz E, Pietrzak KZ, Venturi D, Cash D, Jain A. Efficient authentication from hard learning problems. Journal of Cryptology. 2017;30(4):1238-1275. doi:10.1007/s00145-016-9247-3","mla":"Kiltz, Eike, et al. “Efficient Authentication from Hard Learning Problems.” Journal of Cryptology, vol. 30, no. 4, Springer, 2017, pp. 1238–75, doi:10.1007/s00145-016-9247-3.","ista":"Kiltz E, Pietrzak KZ, Venturi D, Cash D, Jain A. 2017. Efficient authentication from hard learning problems. Journal of Cryptology. 30(4), 1238–1275.","chicago":"Kiltz, Eike, Krzysztof Z Pietrzak, Daniele Venturi, David Cash, and Abhishek Jain. “Efficient Authentication from Hard Learning Problems.” Journal of Cryptology. Springer, 2017. https://doi.org/10.1007/s00145-016-9247-3."},"title":"Efficient authentication from hard learning problems","publist_id":"6166","author":[{"last_name":"Kiltz","full_name":"Kiltz, Eike","first_name":"Eike"},{"last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"},{"first_name":"Daniele","last_name":"Venturi","full_name":"Venturi, Daniele"},{"first_name":"David","full_name":"Cash, David","last_name":"Cash"},{"first_name":"Abhishek","last_name":"Jain","full_name":"Jain, Abhishek"}],"article_processing_charge":"No","external_id":{"isi":["000410788600007"]},"oa_version":"Submitted Version","abstract":[{"text":"We construct efficient authentication protocols and message authentication codes (MACs) whose security can be reduced to the learning parity with noise (LPN) problem. Despite a large body of work—starting with the (Formula presented.) protocol of Hopper and Blum in 2001—until now it was not even known how to construct an efficient authentication protocol from LPN which is secure against man-in-the-middle attacks. A MAC implies such a (two-round) protocol.","lang":"eng"}],"month":"10","intvolume":" 30","scopus_import":"1","file":[{"creator":"dernst","date_updated":"2020-07-14T12:44:37Z","file_size":516959,"date_created":"2020-05-14T16:30:17Z","file_name":"2017_JournalCrypto_Kiltz.pdf","access_level":"open_access","relation":"main_file","content_type":"application/pdf","file_id":"7843","checksum":"c647520d115b772a1682fc06fa273eb1"}],"language":[{"iso":"eng"}],"publication_status":"published","related_material":{"record":[{"relation":"earlier_version","id":"3238","status":"public"}]},"issue":"4","volume":30,"ec_funded":1,"_id":"1187","status":"public","type":"journal_article","article_type":"original","ddc":["000"],"date_updated":"2023-09-20T11:20:58Z","department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:44:37Z"},{"type":"journal_article","status":"public","_id":"1177","author":[{"full_name":"Kamath Hosdurg, Chethan","last_name":"Kamath Hosdurg","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","first_name":"Chethan"},{"first_name":"Sanjit","last_name":"Chatterjee","full_name":"Chatterjee, Sanjit"}],"publist_id":"6177","title":"A closer look at multiple-forking: Leveraging (in)dependence for a tighter bound","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T06:48:52Z","citation":{"ama":"Kamath Hosdurg C, Chatterjee S. A closer look at multiple-forking: Leveraging (in)dependence for a tighter bound. Algorithmica. 2016;74(4):1321-1362. doi:10.1007/s00453-015-9997-6","apa":"Kamath Hosdurg, C., & Chatterjee, S. (2016). A closer look at multiple-forking: Leveraging (in)dependence for a tighter bound. Algorithmica. Springer. https://doi.org/10.1007/s00453-015-9997-6","ieee":"C. Kamath Hosdurg and S. Chatterjee, “A closer look at multiple-forking: Leveraging (in)dependence for a tighter bound,” Algorithmica, vol. 74, no. 4. Springer, pp. 1321–1362, 2016.","short":"C. Kamath Hosdurg, S. Chatterjee, Algorithmica 74 (2016) 1321–1362.","mla":"Kamath Hosdurg, Chethan, and Sanjit Chatterjee. “A Closer Look at Multiple-Forking: Leveraging (in)Dependence for a Tighter Bound.” Algorithmica, vol. 74, no. 4, Springer, 2016, pp. 1321–62, doi:10.1007/s00453-015-9997-6.","ista":"Kamath Hosdurg C, Chatterjee S. 2016. A closer look at multiple-forking: Leveraging (in)dependence for a tighter bound. Algorithmica. 74(4), 1321–1362.","chicago":"Kamath Hosdurg, Chethan, and Sanjit Chatterjee. “A Closer Look at Multiple-Forking: Leveraging (in)Dependence for a Tighter Bound.” Algorithmica. Springer, 2016. https://doi.org/10.1007/s00453-015-9997-6."},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","main_file_link":[{"open_access":"1","url":"http://eprint.iacr.org/2013/651"}],"oa":1,"quality_controlled":"1","publisher":"Springer","intvolume":" 74","month":"04","abstract":[{"lang":"eng","text":"Boldyreva, Palacio and Warinschi introduced a multiple forking game as an extension of general forking. The notion of (multiple) forking is a useful abstraction from the actual simulation of cryptographic scheme to the adversary in a security reduction, and is achieved through the intermediary of a so-called wrapper algorithm. Multiple forking has turned out to be a useful tool in the security argument of several cryptographic protocols. However, a reduction employing multiple forking incurs a significant degradation of (Formula presented.) , where (Formula presented.) denotes the upper bound on the underlying random oracle calls and (Formula presented.) , the number of forkings. In this work we take a closer look at the reasons for the degradation with a tighter security bound in mind. We nail down the exact set of conditions for success in the multiple forking game. A careful analysis of the cryptographic schemes and corresponding security reduction employing multiple forking leads to the formulation of ‘dependence’ and ‘independence’ conditions pertaining to the output of the wrapper in different rounds. Based on the (in)dependence conditions we propose a general framework of multiple forking and a General Multiple Forking Lemma. Leveraging (in)dependence to the full allows us to improve the degradation factor in the multiple forking game by a factor of (Formula presented.). By implication, the cost of a single forking involving two random oracles (augmented forking) matches that involving a single random oracle (elementary forking). Finally, we study the effect of these observations on the concrete security of existing schemes employing multiple forking. We conclude that by careful design of the protocol (and the wrapper in the security reduction) it is possible to harness our observations to the full extent."}],"acknowledgement":"We are grateful to the anonymous reviewers for their insightful comments. The\r\ndetailed reports helped us a lot to address the technical mistakes as well as to improve the overall presentation of the paper.","oa_version":"Submitted Version","page":"1321 - 1362","date_created":"2018-12-11T11:50:33Z","doi":"10.1007/s00453-015-9997-6","issue":"4","volume":74,"date_published":"2016-04-01T00:00:00Z","year":"2016","publication_status":"published","language":[{"iso":"eng"}],"publication":"Algorithmica","day":"01"},{"citation":{"chicago":"Pietrzak, Krzysztof Z, and Skorski Maciej. “Pseudoentropy: Lower-Bounds for Chain Rules and Transformations,” 9985:183–203. Springer, 2016. https://doi.org/10.1007/978-3-662-53641-4_8.","ista":"Pietrzak KZ, Maciej S. 2016. Pseudoentropy: Lower-bounds for chain rules and transformations. TCC: Theory of Cryptography Conference, LNCS, vol. 9985, 183–203.","mla":"Pietrzak, Krzysztof Z., and Skorski Maciej. Pseudoentropy: Lower-Bounds for Chain Rules and Transformations. Vol. 9985, Springer, 2016, pp. 183–203, doi:10.1007/978-3-662-53641-4_8.","short":"K.Z. Pietrzak, S. Maciej, in:, Springer, 2016, pp. 183–203.","ieee":"K. Z. Pietrzak and S. Maciej, “Pseudoentropy: Lower-bounds for chain rules and transformations,” presented at the TCC: Theory of Cryptography Conference, Beijing, China, 2016, vol. 9985, pp. 183–203.","ama":"Pietrzak KZ, Maciej S. Pseudoentropy: Lower-bounds for chain rules and transformations. In: Vol 9985. Springer; 2016:183-203. doi:10.1007/978-3-662-53641-4_8","apa":"Pietrzak, K. Z., & Maciej, S. (2016). Pseudoentropy: Lower-bounds for chain rules and transformations (Vol. 9985, pp. 183–203). Presented at the TCC: Theory of Cryptography Conference, Beijing, China: Springer. https://doi.org/10.1007/978-3-662-53641-4_8"},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","author":[{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Maciej, Skorski","last_name":"Maciej","first_name":"Skorski"}],"publist_id":"6175","title":"Pseudoentropy: Lower-bounds for chain rules and transformations","project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"year":"2016","day":"22","page":"183 - 203","date_published":"2016-10-22T00:00:00Z","doi":"10.1007/978-3-662-53641-4_8","date_created":"2018-12-11T11:50:34Z","acknowledgement":"K. Pietrzak—Supported by the European Research Council consolidator grant (682815-TOCNeT).\r\nM. Skórski—Supported by the National Science Center, Poland (2015/17/N/ST6/03564).","quality_controlled":"1","publisher":"Springer","oa":1,"date_updated":"2021-01-12T06:48:53Z","department":[{"_id":"KrPi"}],"_id":"1179","type":"conference","conference":{"start_date":"2016-10-31","end_date":"2016-11-03","location":"Beijing, China","name":"TCC: Theory of Cryptography Conference"},"status":"public","publication_status":"published","language":[{"iso":"eng"}],"volume":9985,"ec_funded":1,"abstract":[{"lang":"eng","text":"Computational notions of entropy have recently found many applications, including leakage-resilient cryptography, deterministic encryption or memory delegation. The two main types of results which make computational notions so useful are (1) Chain rules, which quantify by how much the computational entropy of a variable decreases if conditioned on some other variable (2) Transformations, which quantify to which extend one type of entropy implies another.\r\n\r\nSuch chain rules and transformations typically lose a significant amount in quality of the entropy, and are the reason why applying these results one gets rather weak quantitative security bounds. In this paper we for the first time prove lower bounds in this context, showing that existing results for transformations are, unfortunately, basically optimal for non-adaptive black-box reductions (and it’s hard to imagine how non black-box reductions or adaptivity could be useful here.)\r\n\r\nA variable X has k bits of HILL entropy of quality (ϵ,s)\r\nif there exists a variable Y with k bits min-entropy which cannot be distinguished from X with advantage ϵ\r\n\r\nby distinguishing circuits of size s. A weaker notion is Metric entropy, where we switch quantifiers, and only require that for every distinguisher of size s, such a Y exists.\r\n\r\nWe first describe our result concerning transformations. By definition, HILL implies Metric without any loss in quality. Metric entropy often comes up in applications, but must be transformed to HILL for meaningful security guarantees. The best known result states that if a variable X has k bits of Metric entropy of quality (ϵ,s)\r\n, then it has k bits of HILL with quality (2ϵ,s⋅ϵ2). We show that this loss of a factor Ω(ϵ−2)\r\n\r\nin circuit size is necessary. In fact, we show the stronger result that this loss is already necessary when transforming so called deterministic real valued Metric entropy to randomised boolean Metric (both these variants of Metric entropy are implied by HILL without loss in quality).\r\n\r\nThe chain rule for HILL entropy states that if X has k bits of HILL entropy of quality (ϵ,s)\r\n, then for any variable Z of length m, X conditioned on Z has k−m bits of HILL entropy with quality (ϵ,s⋅ϵ2/2m). We show that a loss of Ω(2m/ϵ) in circuit size necessary here. Note that this still leaves a gap of ϵ between the known bound and our lower bound."}],"oa_version":"Preprint","scopus_import":1,"alternative_title":["LNCS"],"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2016/159"}],"month":"10","intvolume":" 9985"},{"project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"},{"call_identifier":"FP7","_id":"25FBA906-B435-11E9-9278-68D0E5697425","grant_number":"616160","name":"Discrete Optimization in Computer Vision: Theory and Practice"}],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"ista":"Alwen JF, Chen B, Kamath Hosdurg C, Kolmogorov V, Pietrzak KZ, Tessaro S. 2016. On the complexity of scrypt and proofs of space in the parallel random oracle model. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 9666, 358–387.","chicago":"Alwen, Joel F, Binyi Chen, Chethan Kamath Hosdurg, Vladimir Kolmogorov, Krzysztof Z Pietrzak, and Stefano Tessaro. “On the Complexity of Scrypt and Proofs of Space in the Parallel Random Oracle Model,” 9666:358–87. Springer, 2016. https://doi.org/10.1007/978-3-662-49896-5_13.","ieee":"J. F. Alwen, B. Chen, C. Kamath Hosdurg, V. Kolmogorov, K. Z. Pietrzak, and S. Tessaro, “On the complexity of scrypt and proofs of space in the parallel random oracle model,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Vienna, Austria, 2016, vol. 9666, pp. 358–387.","short":"J.F. Alwen, B. Chen, C. Kamath Hosdurg, V. Kolmogorov, K.Z. Pietrzak, S. Tessaro, in:, Springer, 2016, pp. 358–387.","ama":"Alwen JF, Chen B, Kamath Hosdurg C, Kolmogorov V, Pietrzak KZ, Tessaro S. On the complexity of scrypt and proofs of space in the parallel random oracle model. In: Vol 9666. Springer; 2016:358-387. doi:10.1007/978-3-662-49896-5_13","apa":"Alwen, J. F., Chen, B., Kamath Hosdurg, C., Kolmogorov, V., Pietrzak, K. Z., & Tessaro, S. (2016). On the complexity of scrypt and proofs of space in the parallel random oracle model (Vol. 9666, pp. 358–387). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Vienna, Austria: Springer. https://doi.org/10.1007/978-3-662-49896-5_13","mla":"Alwen, Joel F., et al. On the Complexity of Scrypt and Proofs of Space in the Parallel Random Oracle Model. Vol. 9666, Springer, 2016, pp. 358–87, doi:10.1007/978-3-662-49896-5_13."},"title":"On the complexity of scrypt and proofs of space in the parallel random oracle model","publist_id":"6103","author":[{"last_name":"Alwen","full_name":"Alwen, Joel F","first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Chen, Binyi","last_name":"Chen","first_name":"Binyi"},{"full_name":"Kamath Hosdurg, Chethan","last_name":"Kamath Hosdurg","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","first_name":"Chethan"},{"last_name":"Kolmogorov","full_name":"Kolmogorov, Vladimir","first_name":"Vladimir","id":"3D50B0BA-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"},{"first_name":"Stefano","last_name":"Tessaro","full_name":"Tessaro, Stefano"}],"acknowledgement":"Joël Alwen, Chethan Kamath, and Krzysztof Pietrzak’s research is partially supported by an ERC starting grant (259668-PSPC). Vladimir Kolmogorov is partially supported by an ERC consolidator grant (616160-DOICV). Binyi Chen was partially supported by NSF grants CNS-1423566 and CNS-1514526, and a gift from the Gareatis Foundation. Stefano Tessaro was partially supported by NSF grants CNS-1423566, CNS-1528178, a Hellman Fellowship, and the Glen and Susanne Culler Chair.\r\n\r\nThis work was done in part while the authors were visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant CNS-1523467.","oa":1,"quality_controlled":"1","publisher":"Springer","day":"28","year":"2016","date_created":"2018-12-11T11:50:51Z","doi":"10.1007/978-3-662-49896-5_13","date_published":"2016-04-28T00:00:00Z","page":"358 - 387","_id":"1231","status":"public","conference":{"end_date":"2016-05-12","location":"Vienna, Austria","start_date":"2016-05-08","name":"EUROCRYPT: Theory and Applications of Cryptographic Techniques"},"type":"conference","date_updated":"2021-01-12T06:49:15Z","department":[{"_id":"KrPi"},{"_id":"VlKo"}],"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"We study the time-and memory-complexities of the problem of computing labels of (multiple) randomly selected challenge-nodes in a directed acyclic graph. The w-bit label of a node is the hash of the labels of its parents, and the hash function is modeled as a random oracle. Specific instances of this problem underlie both proofs of space [Dziembowski et al. CRYPTO’15] as well as popular memory-hard functions like scrypt. As our main tool, we introduce the new notion of a probabilistic parallel entangled pebbling game, a new type of combinatorial pebbling game on a graph, which is closely related to the labeling game on the same graph. As a first application of our framework, we prove that for scrypt, when the underlying hash function is invoked n times, the cumulative memory complexity (CMC) (a notion recently introduced by Alwen and Serbinenko (STOC’15) to capture amortized memory-hardness for parallel adversaries) is at least Ω(w · (n/ log(n))2). This bound holds for adversaries that can store many natural functions of the labels (e.g., linear combinations), but still not arbitrary functions thereof. We then introduce and study a combinatorial quantity, and show how a sufficiently small upper bound on it (which we conjecture) extends our CMC bound for scrypt to hold against arbitrary adversaries. We also show that such an upper bound solves the main open problem for proofs-of-space protocols: namely, establishing that the time complexity of computing the label of a random node in a graph on n nodes (given an initial kw-bit state) reduces tightly to the time complexity for black pebbling on the same graph (given an initial k-node pebbling)."}],"intvolume":" 9666","month":"04","main_file_link":[{"url":"https://eprint.iacr.org/2016/100","open_access":"1"}],"alternative_title":["LNCS"],"scopus_import":1,"language":[{"iso":"eng"}],"publication_status":"published","ec_funded":1,"volume":9666},{"date_updated":"2021-01-12T06:49:16Z","department":[{"_id":"KrPi"}],"_id":"1233","conference":{"location":"Tel Aviv, Israel","end_date":"2016-01-13","start_date":"2016-01-10","name":"TCC: Theory of Cryptography Conference"},"type":"conference","status":"public","publication_status":"published","language":[{"iso":"eng"}],"ec_funded":1,"volume":9562,"abstract":[{"lang":"eng","text":"About three decades ago it was realized that implementing private channels between parties which can be adaptively corrupted requires an encryption scheme that is secure against selective opening attacks. Whether standard (IND-CPA) security implies security against selective opening attacks has been a major open question since. The only known reduction from selective opening to IND-CPA security loses an exponential factor. A polynomial reduction is only known for the very special case where the distribution considered in the selective opening security experiment is a product distribution, i.e., the messages are sampled independently from each other. In this paper we give a reduction whose loss is quantified via the dependence graph (where message dependencies correspond to edges) of the underlying message distribution. In particular, for some concrete distributions including Markov distributions, our reduction is polynomial."}],"oa_version":"Submitted Version","main_file_link":[{"url":"https://eprint.iacr.org/2015/853","open_access":"1"}],"alternative_title":["LNCS"],"scopus_import":1,"intvolume":" 9562","month":"01","citation":{"mla":"Fuchsbauer, Georg, et al. Standard Security Does Imply Security against Selective Opening for Markov Distributions. Vol. 9562, Springer, 2016, pp. 282–305, doi:10.1007/978-3-662-49096-9_12.","short":"G. Fuchsbauer, F. Heuer, E. Kiltz, K.Z. Pietrzak, in:, Springer, 2016, pp. 282–305.","ieee":"G. Fuchsbauer, F. Heuer, E. Kiltz, and K. Z. Pietrzak, “Standard security does imply security against selective opening for markov distributions,” presented at the TCC: Theory of Cryptography Conference, Tel Aviv, Israel, 2016, vol. 9562, pp. 282–305.","apa":"Fuchsbauer, G., Heuer, F., Kiltz, E., & Pietrzak, K. Z. (2016). Standard security does imply security against selective opening for markov distributions (Vol. 9562, pp. 282–305). Presented at the TCC: Theory of Cryptography Conference, Tel Aviv, Israel: Springer. https://doi.org/10.1007/978-3-662-49096-9_12","ama":"Fuchsbauer G, Heuer F, Kiltz E, Pietrzak KZ. Standard security does imply security against selective opening for markov distributions. In: Vol 9562. Springer; 2016:282-305. doi:10.1007/978-3-662-49096-9_12","chicago":"Fuchsbauer, Georg, Felix Heuer, Eike Kiltz, and Krzysztof Z Pietrzak. “Standard Security Does Imply Security against Selective Opening for Markov Distributions,” 9562:282–305. Springer, 2016. https://doi.org/10.1007/978-3-662-49096-9_12.","ista":"Fuchsbauer G, Heuer F, Kiltz E, Pietrzak KZ. 2016. Standard security does imply security against selective opening for markov distributions. TCC: Theory of Cryptography Conference, LNCS, vol. 9562, 282–305."},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","author":[{"first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg"},{"last_name":"Heuer","full_name":"Heuer, Felix","first_name":"Felix"},{"last_name":"Kiltz","full_name":"Kiltz, Eike","first_name":"Eike"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"}],"publist_id":"6100","title":"Standard security does imply security against selective opening for markov distributions","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"year":"2016","day":"01","page":"282 - 305","date_created":"2018-12-11T11:50:51Z","date_published":"2016-01-01T00:00:00Z","doi":"10.1007/978-3-662-49096-9_12","acknowledgement":"G. Fuchsbauer and K. Pietrzak are supported by the European Research Council, ERC Starting Grant (259668-PSPC). F. Heuer is funded by a Sofja Kovalevskaja Award of the Alexander von Humboldt Foundation and DFG SPP 1736, Algorithms for BIG DATA. E. Kiltz is supported by a Sofja Kovalevskaja Award of the Alexander von Humboldt Foundation, the German Israel Foundation, and ERC Project ERCC (FP7/615074).","oa":1,"publisher":"Springer","quality_controlled":"1"},{"language":[{"iso":"eng"}],"day":"01","publication_status":"published","year":"2016","date_created":"2018-12-11T11:51:36Z","date_published":"2016-08-01T00:00:00Z","doi":"10.1007/978-3-662-53008-5_9","volume":9815,"page":"241 - 271","oa_version":"Preprint","abstract":[{"text":"A memory-hard function (MHF) f is equipped with a space cost σ and time cost τ parameter such that repeatedly computing fσ,τ on an application specific integrated circuit (ASIC) is not economically advantageous relative to a general purpose computer. Technically we would like that any (generalized) circuit for evaluating an iMHF fσ,τ has area × time (AT) complexity at Θ(σ2 ∗ τ). A data-independent MHF (iMHF) has the added property that it can be computed with almost optimal memory and time complexity by an algorithm which accesses memory in a pattern independent of the input value. Such functions can be specified by fixing a directed acyclic graph (DAG) G on n = Θ(σ ∗ τ) nodes representing its computation graph. In this work we develop new tools for analyzing iMHFs. First we define and motivate a new complexity measure capturing the amount of energy (i.e. electricity) required to compute a function. We argue that, in practice, this measure is at least as important as the more traditional AT-complexity. Next we describe an algorithm A for repeatedly evaluating an iMHF based on an arbitrary DAG G. We upperbound both its energy and AT complexities per instance evaluated in terms of a certain combinatorial property of G. Next we instantiate our attack for several general classes of DAGs which include those underlying many of the most important iMHF candidates in the literature. In particular, we obtain the following results which hold for all choices of parameters σ and τ (and thread-count) such that n = σ ∗ τ. -The Catena-Dragonfly function of [FLW13] has AT and energy complexities O(n1.67). -The Catena-Butterfly function of [FLW13] has complexities is O(n1.67). -The Double-Buffer and the Linear functions of [CGBS16] both have complexities in O(n1.67). -The Argon2i function of [BDK15] (winner of the Password Hashing Competition [PHC]) has complexities O(n7/4 log(n)). -The Single-Buffer function of [CGBS16] has complexities O(n7/4 log(n)). -Any iMHF can be computed by an algorithm with complexities O(n2/ log1 −ε(n)) for all ε > 0. In particular when τ = 1 this shows that the goal of constructing an iMHF with AT-complexity Θ(σ2 ∗ τ ) is unachievable. Along the way we prove a lemma upper-bounding the depth-robustness of any DAG which may prove to be of independent interest.","lang":"eng"}],"intvolume":" 9815","month":"08","oa":1,"main_file_link":[{"url":"http://eprint.iacr.org/2016/115","open_access":"1"}],"alternative_title":["LNCS"],"scopus_import":1,"publisher":"Springer","quality_controlled":"1","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Alwen, Joel F., and Jeremiah Blocki. Efficiently Computing Data-Independent Memory-Hard Functions. Vol. 9815, Springer, 2016, pp. 241–71, doi:10.1007/978-3-662-53008-5_9.","ama":"Alwen JF, Blocki J. Efficiently computing data-independent memory-hard functions. In: Vol 9815. Springer; 2016:241-271. doi:10.1007/978-3-662-53008-5_9","apa":"Alwen, J. F., & Blocki, J. (2016). Efficiently computing data-independent memory-hard functions (Vol. 9815, pp. 241–271). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, USA: Springer. https://doi.org/10.1007/978-3-662-53008-5_9","short":"J.F. Alwen, J. Blocki, in:, Springer, 2016, pp. 241–271.","ieee":"J. F. Alwen and J. Blocki, “Efficiently computing data-independent memory-hard functions,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, USA, 2016, vol. 9815, pp. 241–271.","chicago":"Alwen, Joel F, and Jeremiah Blocki. “Efficiently Computing Data-Independent Memory-Hard Functions,” 9815:241–71. Springer, 2016. https://doi.org/10.1007/978-3-662-53008-5_9.","ista":"Alwen JF, Blocki J. 2016. Efficiently computing data-independent memory-hard functions. CRYPTO: International Cryptology Conference, LNCS, vol. 9815, 241–271."},"date_updated":"2021-01-12T06:50:11Z","department":[{"_id":"KrPi"}],"title":"Efficiently computing data-independent memory-hard functions","publist_id":"5876","author":[{"last_name":"Alwen","full_name":"Alwen, Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F"},{"first_name":"Jeremiah","full_name":"Blocki, Jeremiah","last_name":"Blocki"}],"_id":"1365","status":"public","conference":{"name":"CRYPTO: International Cryptology Conference","start_date":"2016-08-14","location":"Santa Barbara, CA, USA","end_date":"2016-08-18"},"type":"conference"},{"oa_version":"Preprint","abstract":[{"lang":"eng","text":"We study the problem of devising provably secure PRNGs with input based on the sponge paradigm. Such constructions are very appealing, as efficient software/hardware implementations of SHA-3 can easily be translated into a PRNG in a nearly black-box way. The only existing sponge-based construction, proposed by Bertoni et al. (CHES 2010), fails to achieve the security notion of robustness recently considered by Dodis et al. (CCS 2013), for two reasons: (1) The construction is deterministic, and thus there are high-entropy input distributions on which the construction fails to extract random bits, and (2) The construction is not forward secure, and presented solutions aiming at restoring forward security have not been rigorously analyzed. We propose a seeded variant of Bertoni et al.’s PRNG with input which we prove secure in the sense of robustness, delivering in particular concrete security bounds. On the way, we make what we believe to be an important conceptual contribution, developing a variant of the security framework of Dodis et al. tailored at the ideal permutation model that captures PRNG security in settings where the weakly random inputs are provided from a large class of possible adversarial samplers which are also allowed to query the random permutation. As a further application of our techniques, we also present an efficient sponge-based key-derivation function (which can be instantiated from SHA-3 in a black-box fashion), which we also prove secure when fed with samples from permutation-dependent distributions."}],"intvolume":" 9665","month":"05","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2016/169/20160219:201940"}],"scopus_import":1,"alternative_title":["LNCS"],"language":[{"iso":"eng"}],"publication_status":"published","ec_funded":1,"volume":9665,"_id":"1366","status":"public","conference":{"name":"EUROCRYPT: Theory and Applications of Cryptographic Techniques","location":"Vienna, Austria","end_date":"2016-05-12","start_date":"2016-05-08"},"type":"conference","date_updated":"2021-01-12T06:50:11Z","department":[{"_id":"KrPi"}],"oa":1,"publisher":"Springer","quality_controlled":"1","day":"01","year":"2016","date_created":"2018-12-11T11:51:36Z","date_published":"2016-05-01T00:00:00Z","doi":"10.1007/978-3-662-49890-3_4","page":"87 - 116","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Gazi, Peter, and Stefano Tessaro. “Provably Robust Sponge-Based PRNGs and KDFs,” 9665:87–116. Springer, 2016. https://doi.org/10.1007/978-3-662-49890-3_4.","ista":"Gazi P, Tessaro S. 2016. Provably robust sponge-based PRNGs and KDFs. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 9665, 87–116.","mla":"Gazi, Peter, and Stefano Tessaro. Provably Robust Sponge-Based PRNGs and KDFs. Vol. 9665, Springer, 2016, pp. 87–116, doi:10.1007/978-3-662-49890-3_4.","ieee":"P. Gazi and S. Tessaro, “Provably robust sponge-based PRNGs and KDFs,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Vienna, Austria, 2016, vol. 9665, pp. 87–116.","short":"P. Gazi, S. Tessaro, in:, Springer, 2016, pp. 87–116.","apa":"Gazi, P., & Tessaro, S. (2016). Provably robust sponge-based PRNGs and KDFs (Vol. 9665, pp. 87–116). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Vienna, Austria: Springer. https://doi.org/10.1007/978-3-662-49890-3_4","ama":"Gazi P, Tessaro S. Provably robust sponge-based PRNGs and KDFs. In: Vol 9665. Springer; 2016:87-116. doi:10.1007/978-3-662-49890-3_4"},"title":"Provably robust sponge-based PRNGs and KDFs","author":[{"id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","first_name":"Peter","last_name":"Gazi","full_name":"Gazi, Peter"},{"first_name":"Stefano","last_name":"Tessaro","full_name":"Tessaro, Stefano"}],"publist_id":"5872"},{"_id":"1592","type":"journal_article","status":"public","citation":{"ista":"Abe M, Fuchsbauer G, Groth J, Haralambiev K, Ohkubo M. 2016. Structure preserving signatures and commitments to group elements. Journal of Cryptology. 29(2), 363–421.","chicago":"Abe, Masayuki, Georg Fuchsbauer, Jens Groth, Kristiyan Haralambiev, and Miyako Ohkubo. “Structure Preserving Signatures and Commitments to Group Elements.” Journal of Cryptology. Springer, 2016. https://doi.org/10.1007/s00145-014-9196-7.","short":"M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo, Journal of Cryptology 29 (2016) 363–421.","ieee":"M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, and M. Ohkubo, “Structure preserving signatures and commitments to group elements,” Journal of Cryptology, vol. 29, no. 2. Springer, pp. 363–421, 2016.","apa":"Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., & Ohkubo, M. (2016). Structure preserving signatures and commitments to group elements. Journal of Cryptology. Springer. https://doi.org/10.1007/s00145-014-9196-7","ama":"Abe M, Fuchsbauer G, Groth J, Haralambiev K, Ohkubo M. Structure preserving signatures and commitments to group elements. Journal of Cryptology. 2016;29(2):363-421. doi:10.1007/s00145-014-9196-7","mla":"Abe, Masayuki, et al. “Structure Preserving Signatures and Commitments to Group Elements.” Journal of Cryptology, vol. 29, no. 2, Springer, 2016, pp. 363–421, doi:10.1007/s00145-014-9196-7."},"date_updated":"2021-01-12T06:51:49Z","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","author":[{"last_name":"Abe","full_name":"Abe, Masayuki","first_name":"Masayuki"},{"full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg"},{"full_name":"Groth, Jens","last_name":"Groth","first_name":"Jens"},{"first_name":"Kristiyan","last_name":"Haralambiev","full_name":"Haralambiev, Kristiyan"},{"first_name":"Miyako","last_name":"Ohkubo","full_name":"Ohkubo, Miyako"}],"publist_id":"5579","title":"Structure preserving signatures and commitments to group elements","department":[{"_id":"KrPi"}],"abstract":[{"text":"A modular approach to constructing cryptographic protocols leads to simple designs but often inefficient instantiations. On the other hand, ad hoc constructions may yield efficient protocols at the cost of losing conceptual simplicity. We suggest a new design paradigm, structure-preserving cryptography, that provides a way to construct modular protocols with reasonable efficiency while retaining conceptual simplicity. A cryptographic scheme over a bilinear group is called structure-preserving if its public inputs and outputs consist of elements from the bilinear groups and their consistency can be verified by evaluating pairing-product equations. As structure-preserving schemes smoothly interoperate with each other, they are useful as building blocks in modular design of cryptographic applications. This paper introduces structure-preserving commitment and signature schemes over bilinear groups with several desirable properties. The commitment schemes include homomorphic, trapdoor and length-reducing commitments to group elements, and the structure-preserving signature schemes are the first ones that yield constant-size signatures on multiple group elements. A structure-preserving signature scheme is called automorphic if the public keys lie in the message space, which cannot be achieved by compressing inputs via a cryptographic hash function, as this would destroy the mathematical structure we are trying to preserve. Automorphic signatures can be used for building certification chains underlying privacy-preserving protocols. Among a vast number of applications of structure-preserving protocols, we present an efficient round-optimal blind-signature scheme and a group signature scheme with an efficient and concurrently secure protocol for enrolling new members.","lang":"eng"}],"oa_version":"None","acknowledgement":"The authors would like to thank the anonymous reviewers of this paper. We also would like to express our appreciation to the program committee and the anonymous reviewers for CRYPTO 2010. The first author thanks Sherman S. M. Chow for his comment on group signatures in Sect. 7.1.","scopus_import":1,"quality_controlled":"1","publisher":"Springer","month":"04","intvolume":" 29","publication_status":"published","year":"2016","day":"01","publication":"Journal of Cryptology","language":[{"iso":"eng"}],"page":"363 - 421","doi":"10.1007/s00145-014-9196-7","issue":"2","volume":29,"date_published":"2016-04-01T00:00:00Z","date_created":"2018-12-11T11:52:54Z"},{"related_material":{"record":[{"relation":"earlier_version","status":"public","id":"1647"}]},"volume":9841,"ec_funded":1,"language":[{"iso":"eng"}],"publication_status":"published","month":"08","intvolume":" 9841","scopus_import":1,"alternative_title":["LNCS"],"main_file_link":[{"url":"https://eprint.iacr.org/2016/662","open_access":"1"}],"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"At Crypto 2015 Fuchsbauer, Hanser and Slamanig (FHS) presented the first standard-model construction of efficient roundoptimal blind signatures that does not require complexity leveraging. It is conceptually simple and builds on the primitive of structure-preserving signatures on equivalence classes (SPS-EQ). FHS prove the unforgeability of their scheme assuming EUF-CMA security of the SPS-EQ scheme and hardness of a version of the DH inversion problem. Blindness under adversarially chosen keys is proven under an interactive variant of the DDH assumption. We propose a variant of their scheme whose blindness can be proven under a non-interactive assumption, namely a variant of the bilinear DDH assumption. We moreover prove its unforgeability assuming only unforgeability of the underlying SPS-EQ but no additional assumptions as needed for the FHS scheme."}],"department":[{"_id":"KrPi"}],"date_updated":"2023-02-23T10:08:16Z","status":"public","type":"conference","conference":{"name":"SCN: Security and Cryptography for Networks","location":"Amalfi, Italy","end_date":"2016-09-02","start_date":"2016-08-31"},"_id":"1225","date_published":"2016-08-11T00:00:00Z","doi":"10.1007/978-3-319-44618-9_21","date_created":"2018-12-11T11:50:49Z","page":"391 - 408","day":"11","year":"2016","publisher":"Springer","quality_controlled":"1","oa":1,"title":"Practical round-optimal blind signatures in the standard model from weaker assumptions","author":[{"last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg"},{"last_name":"Hanser","full_name":"Hanser, Christian","first_name":"Christian"},{"last_name":"Kamath Hosdurg","full_name":"Kamath Hosdurg, Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","first_name":"Chethan"},{"full_name":"Slamanig, Daniel","last_name":"Slamanig","first_name":"Daniel"}],"publist_id":"6109","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Fuchsbauer, Georg, Christian Hanser, Chethan Kamath Hosdurg, and Daniel Slamanig. “Practical Round-Optimal Blind Signatures in the Standard Model from Weaker Assumptions,” 9841:391–408. Springer, 2016. https://doi.org/10.1007/978-3-319-44618-9_21.","ista":"Fuchsbauer G, Hanser C, Kamath Hosdurg C, Slamanig D. 2016. Practical round-optimal blind signatures in the standard model from weaker assumptions. SCN: Security and Cryptography for Networks, LNCS, vol. 9841, 391–408.","mla":"Fuchsbauer, Georg, et al. Practical Round-Optimal Blind Signatures in the Standard Model from Weaker Assumptions. Vol. 9841, Springer, 2016, pp. 391–408, doi:10.1007/978-3-319-44618-9_21.","ama":"Fuchsbauer G, Hanser C, Kamath Hosdurg C, Slamanig D. Practical round-optimal blind signatures in the standard model from weaker assumptions. In: Vol 9841. Springer; 2016:391-408. doi:10.1007/978-3-319-44618-9_21","apa":"Fuchsbauer, G., Hanser, C., Kamath Hosdurg, C., & Slamanig, D. (2016). Practical round-optimal blind signatures in the standard model from weaker assumptions (Vol. 9841, pp. 391–408). Presented at the SCN: Security and Cryptography for Networks, Amalfi, Italy: Springer. https://doi.org/10.1007/978-3-319-44618-9_21","short":"G. Fuchsbauer, C. Hanser, C. Kamath Hosdurg, D. Slamanig, in:, Springer, 2016, pp. 391–408.","ieee":"G. Fuchsbauer, C. Hanser, C. Kamath Hosdurg, and D. Slamanig, “Practical round-optimal blind signatures in the standard model from weaker assumptions,” presented at the SCN: Security and Cryptography for Networks, Amalfi, Italy, 2016, vol. 9841, pp. 391–408."},"project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","name":"Provable Security for Physical Cryptography","grant_number":"259668"},{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}]},{"oa":1,"publisher":"Springer","quality_controlled":"1","day":"08","year":"2016","has_accepted_license":"1","date_created":"2018-12-11T11:53:16Z","doi":"10.1007/978-3-662-48797-6_6","date_published":"2016-01-08T00:00:00Z","page":"121 - 145","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Okamoto, Tatsuaki, et al. New Realizations of Somewhere Statistically Binding Hashing and Positional Accumulators. Vol. 9452, Springer, 2016, pp. 121–45, doi:10.1007/978-3-662-48797-6_6.","ama":"Okamoto T, Pietrzak KZ, Waters B, Wichs D. New realizations of somewhere statistically binding hashing and positional accumulators. In: Vol 9452. Springer; 2016:121-145. doi:10.1007/978-3-662-48797-6_6","apa":"Okamoto, T., Pietrzak, K. Z., Waters, B., & Wichs, D. (2016). New realizations of somewhere statistically binding hashing and positional accumulators (Vol. 9452, pp. 121–145). Presented at the ASIACRYPT: Theory and Application of Cryptology and Information Security, Auckland, New Zealand: Springer. https://doi.org/10.1007/978-3-662-48797-6_6","ieee":"T. Okamoto, K. Z. Pietrzak, B. Waters, and D. Wichs, “New realizations of somewhere statistically binding hashing and positional accumulators,” presented at the ASIACRYPT: Theory and Application of Cryptology and Information Security, Auckland, New Zealand, 2016, vol. 9452, pp. 121–145.","short":"T. Okamoto, K.Z. Pietrzak, B. Waters, D. Wichs, in:, Springer, 2016, pp. 121–145.","chicago":"Okamoto, Tatsuaki, Krzysztof Z Pietrzak, Brent Waters, and Daniel Wichs. “New Realizations of Somewhere Statistically Binding Hashing and Positional Accumulators,” 9452:121–45. Springer, 2016. https://doi.org/10.1007/978-3-662-48797-6_6.","ista":"Okamoto T, Pietrzak KZ, Waters B, Wichs D. 2016. New realizations of somewhere statistically binding hashing and positional accumulators. ASIACRYPT: Theory and Application of Cryptology and Information Security, LNCS, vol. 9452, 121–145."},"title":"New realizations of somewhere statistically binding hashing and positional accumulators","author":[{"full_name":"Okamoto, Tatsuaki","last_name":"Okamoto","first_name":"Tatsuaki"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654"},{"full_name":"Waters, Brent","last_name":"Waters","first_name":"Brent"},{"first_name":"Daniel","last_name":"Wichs","full_name":"Wichs, Daniel"}],"publist_id":"5497","oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"A somewhere statistically binding (SSB) hash, introduced by Hubáček and Wichs (ITCS ’15), can be used to hash a long string x to a short digest y = H hk (x) using a public hashing-key hk. Furthermore, there is a way to set up the hash key hk to make it statistically binding on some arbitrary hidden position i, meaning that: (1) the digest y completely determines the i’th bit (or symbol) of x so that all pre-images of y have the same value in the i’th position, (2) it is computationally infeasible to distinguish the position i on which hk is statistically binding from any other position i’. Lastly, the hash should have a local opening property analogous to Merkle-Tree hashing, meaning that given x and y = H hk (x) it should be possible to create a short proof π that certifies the value of the i’th bit (or symbol) of x without having to provide the entire input x. A similar primitive called a positional accumulator, introduced by Koppula, Lewko and Waters (STOC ’15) further supports dynamic updates of the hashed value. These tools, which are interesting in their own right, also serve as one of the main technical components in several recent works building advanced applications from indistinguishability obfuscation (iO).\r\n\r\nThe prior constructions of SSB hashing and positional accumulators required fully homomorphic encryption (FHE) and iO respectively. In this work, we give new constructions of these tools based on well studied number-theoretic assumptions such as DDH, Phi-Hiding and DCR, as well as a general construction from lossy/injective functions."}],"intvolume":" 9452","month":"01","scopus_import":1,"alternative_title":["LNCS"],"language":[{"iso":"eng"}],"file":[{"date_created":"2018-12-12T10:12:05Z","file_name":"IST-2016-677-v1+1_869.pdf","date_updated":"2020-07-14T12:45:08Z","file_size":580088,"creator":"system","checksum":"a57711cb660c5b17b42bb47275a00180","file_id":"4923","content_type":"application/pdf","access_level":"open_access","relation":"main_file"}],"publication_status":"published","ec_funded":1,"volume":9452,"_id":"1653","pubrep_id":"677","status":"public","conference":{"name":"ASIACRYPT: Theory and Application of Cryptology and Information Security","end_date":"2015-12-03","location":"Auckland, New Zealand","start_date":"2015-11-29"},"type":"conference","ddc":["000"],"date_updated":"2021-01-12T06:52:16Z","file_date_updated":"2020-07-14T12:45:08Z","department":[{"_id":"KrPi"}]},{"pubrep_id":"766","status":"public","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"type":"journal_article","_id":"1479","file_date_updated":"2020-07-14T12:44:56Z","department":[{"_id":"KrPi"}],"ddc":["004"],"date_updated":"2023-02-23T11:05:09Z","intvolume":" 25","month":"09","scopus_import":1,"oa_version":"Submitted Version","abstract":[{"text":"Most entropy notions H(.) like Shannon or min-entropy satisfy a chain rule stating that for random variables X,Z, and A we have H(X|Z,A)≥H(X|Z)−|A|. That is, by conditioning on A the entropy of X can decrease by at most the bitlength |A| of A. Such chain rules are known to hold for some computational entropy notions like Yao’s and unpredictability-entropy. For HILL entropy, the computational analogue of min-entropy, the chain rule is of special interest and has found many applications, including leakage-resilient cryptography, deterministic encryption, and memory delegation. These applications rely on restricted special cases of the chain rule. Whether the chain rule for conditional HILL entropy holds in general was an open problem for which we give a strong negative answer: we construct joint distributions (X,Z,A), where A is a distribution over a single bit, such that the HILL entropy H HILL (X|Z) is large but H HILL (X|Z,A) is basically zero.\r\n\r\nOur counterexample just makes the minimal assumption that NP⊈P/poly. Under the stronger assumption that injective one-way function exist, we can make all the distributions efficiently samplable.\r\n\r\nFinally, we show that some more sophisticated cryptographic objects like lossy functions can be used to sample a distribution constituting a counterexample to the chain rule making only a single invocation to the underlying object.","lang":"eng"}],"ec_funded":1,"volume":25,"issue":"3","related_material":{"record":[{"relation":"earlier_version","id":"2940","status":"public"}]},"language":[{"iso":"eng"}],"file":[{"access_level":"open_access","relation":"main_file","content_type":"application/pdf","file_id":"5012","checksum":"7659296174fa75f5f0364f31f46f4bcf","creator":"system","date_updated":"2020-07-14T12:44:56Z","file_size":483258,"date_created":"2018-12-12T10:13:29Z","file_name":"IST-2017-766-v1+1_678.pdf"}],"publication_status":"published","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"title":"A counterexample to the chain rule for conditional HILL entropy","author":[{"last_name":"Krenn","full_name":"Krenn, Stephan","orcid":"0000-0003-2835-9093","id":"329FCCF0-F248-11E8-B48F-1D18A9856A87","first_name":"Stephan"},{"last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"},{"first_name":"Akshay","last_name":"Wadia","full_name":"Wadia, Akshay"},{"full_name":"Wichs, Daniel","last_name":"Wichs","first_name":"Daniel"}],"publist_id":"5715","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"ista":"Krenn S, Pietrzak KZ, Wadia A, Wichs D. 2016. A counterexample to the chain rule for conditional HILL entropy. Computational Complexity. 25(3), 567–605.","chicago":"Krenn, Stephan, Krzysztof Z Pietrzak, Akshay Wadia, and Daniel Wichs. “A Counterexample to the Chain Rule for Conditional HILL Entropy.” Computational Complexity. Springer, 2016. https://doi.org/10.1007/s00037-015-0120-9.","ieee":"S. Krenn, K. Z. Pietrzak, A. Wadia, and D. Wichs, “A counterexample to the chain rule for conditional HILL entropy,” Computational Complexity, vol. 25, no. 3. Springer, pp. 567–605, 2016.","short":"S. Krenn, K.Z. Pietrzak, A. Wadia, D. Wichs, Computational Complexity 25 (2016) 567–605.","ama":"Krenn S, Pietrzak KZ, Wadia A, Wichs D. A counterexample to the chain rule for conditional HILL entropy. Computational Complexity. 2016;25(3):567-605. doi:10.1007/s00037-015-0120-9","apa":"Krenn, S., Pietrzak, K. Z., Wadia, A., & Wichs, D. (2016). A counterexample to the chain rule for conditional HILL entropy. Computational Complexity. Springer. https://doi.org/10.1007/s00037-015-0120-9","mla":"Krenn, Stephan, et al. “A Counterexample to the Chain Rule for Conditional HILL Entropy.” Computational Complexity, vol. 25, no. 3, Springer, 2016, pp. 567–605, doi:10.1007/s00037-015-0120-9."},"oa":1,"publisher":"Springer","quality_controlled":"1","acknowledgement":"This work was partly funded by the European Research Council under ERC Starting Grant 259668-PSPC and ERC Advanced Grant 321310-PERCY.\r\n","date_created":"2018-12-11T11:52:16Z","date_published":"2016-09-01T00:00:00Z","doi":"10.1007/s00037-015-0120-9","page":"567 - 605","publication":"Computational Complexity","day":"01","year":"2016","has_accepted_license":"1"},{"citation":{"chicago":"Abusalah, Hamza M, Georg Fuchsbauer, and Krzysztof Z Pietrzak. “Offline Witness Encryption,” 9696:285–303. Springer, 2016. https://doi.org/10.1007/978-3-319-39555-5_16.","ista":"Abusalah HM, Fuchsbauer G, Pietrzak KZ. 2016. Offline witness encryption. ACNS: Applied Cryptography and Network Security, LNCS, vol. 9696, 285–303.","mla":"Abusalah, Hamza M., et al. Offline Witness Encryption. Vol. 9696, Springer, 2016, pp. 285–303, doi:10.1007/978-3-319-39555-5_16.","ieee":"H. M. Abusalah, G. Fuchsbauer, and K. Z. Pietrzak, “Offline witness encryption,” presented at the ACNS: Applied Cryptography and Network Security, Guildford, UK, 2016, vol. 9696, pp. 285–303.","short":"H.M. Abusalah, G. Fuchsbauer, K.Z. Pietrzak, in:, Springer, 2016, pp. 285–303.","apa":"Abusalah, H. M., Fuchsbauer, G., & Pietrzak, K. Z. (2016). Offline witness encryption (Vol. 9696, pp. 285–303). Presented at the ACNS: Applied Cryptography and Network Security, Guildford, UK: Springer. https://doi.org/10.1007/978-3-319-39555-5_16","ama":"Abusalah HM, Fuchsbauer G, Pietrzak KZ. Offline witness encryption. In: Vol 9696. Springer; 2016:285-303. doi:10.1007/978-3-319-39555-5_16"},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","author":[{"last_name":"Abusalah","full_name":"Abusalah, Hamza M","first_name":"Hamza M","id":"40297222-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer","first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"}],"publist_id":"6105","title":"Offline witness encryption","project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425"},{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"has_accepted_license":"1","year":"2016","day":"09","page":"285 - 303","date_published":"2016-06-09T00:00:00Z","doi":"10.1007/978-3-319-39555-5_16","date_created":"2018-12-11T11:50:50Z","acknowledgement":"Research supported by the European Research Council, ERC starting grant (259668-PSPC) and ERC consolidator grant (682815 - TOCNeT).","quality_controlled":"1","publisher":"Springer","oa":1,"date_updated":"2023-09-07T12:30:22Z","ddc":["005","600"],"department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:44:39Z","_id":"1229","type":"conference","conference":{"name":"ACNS: Applied Cryptography and Network Security","start_date":"2016-06-19","location":"Guildford, UK","end_date":"2016-06-22"},"status":"public","pubrep_id":"765","publication_status":"published","file":[{"access_level":"open_access","relation":"main_file","content_type":"application/pdf","file_id":"5273","checksum":"34fa9ce681da845a1ba945ba3dc57867","creator":"system","date_updated":"2020-07-14T12:44:39Z","file_size":515000,"date_created":"2018-12-12T10:17:20Z","file_name":"IST-2017-765-v1+1_838.pdf"}],"language":[{"iso":"eng"}],"related_material":{"record":[{"relation":"dissertation_contains","status":"public","id":"83"}]},"volume":9696,"ec_funded":1,"abstract":[{"lang":"eng","text":"Witness encryption (WE) was introduced by Garg et al. [GGSW13]. A WE scheme is defined for some NP language L and lets a sender encrypt messages relative to instances x. A ciphertext for x can be decrypted using w witnessing x ∈ L, but hides the message if x ∈ L. Garg et al. construct WE from multilinear maps and give another construction [GGH+13b] using indistinguishability obfuscation (iO) for circuits. Due to the reliance on such heavy tools, WE can cur- rently hardly be implemented on powerful hardware and will unlikely be realizable on constrained devices like smart cards any time soon. We construct a WE scheme where encryption is done by simply computing a Naor-Yung ciphertext (two CPA encryptions and a NIZK proof). To achieve this, our scheme has a setup phase, which outputs public parameters containing an obfuscated circuit (only required for decryption), two encryption keys and a common reference string (used for encryption). This setup need only be run once, and the parame- ters can be used for arbitrary many encryptions. Our scheme can also be turned into a functional WE scheme, where a message is encrypted w.r.t. a statement and a function f, and decryption with a witness w yields f (m, w). Our construction is inspired by the functional encryption scheme by Garg et al. and we prove (selective) security assuming iO and statistically simulation-sound NIZK. We give a construction of the latter in bilinear groups and combining it with ElGamal encryption, our ciphertexts are of size 1.3 kB at a 128-bit security level and can be computed on a smart card."}],"oa_version":"Submitted Version","scopus_import":1,"alternative_title":["LNCS"],"month":"06","intvolume":" 9696"},{"_id":"1236","status":"public","pubrep_id":"764","type":"conference","conference":{"name":"CT-RSA: Topics in Cryptology","location":"San Francisco, CA, USA","end_date":"2016-03-04","start_date":"2016-02-29"},"ddc":["005","600"],"date_updated":"2023-09-07T12:30:22Z","department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:44:41Z","oa_version":"Submitted Version","abstract":[{"text":"A constrained pseudorandom function F: K × X → Y for a family T ⊆ 2X of subsets of X is a function where for any key k ∈ K and set S ∈ T one can efficiently compute a constrained key kS which allows to evaluate F (k, ·) on all inputs x ∈ S, while even given this key, the outputs on all inputs x ∉ S look random. At Asiacrypt’13 Boneh and Waters gave a construction which supports the most general set family so far. Its keys kc are defined for sets decided by boolean circuits C and enable evaluation of the PRF on any x ∈ X where C(x) = 1. In their construction the PRF input length and the size of the circuits C for which constrained keys can be computed must be fixed beforehand during key generation. We construct a constrained PRF that has an unbounded input length and whose constrained keys can be defined for any set recognized by a Turing machine. The only a priori bound we make is on the description size of the machines. We prove our construction secure assuming publiccoin differing-input obfuscation. As applications of our constrained PRF we build a broadcast encryption scheme where the number of potential receivers need not be fixed at setup (in particular, the length of the keys is independent of the number of parties) and the first identity-based non-interactive key exchange protocol with no bound on the number of parties that can agree on a shared key.","lang":"eng"}],"month":"02","intvolume":" 9610","scopus_import":1,"alternative_title":["LNCS"],"file":[{"file_id":"4664","checksum":"3851cee49933ae13b1272e516f213e13","content_type":"application/pdf","relation":"main_file","access_level":"open_access","file_name":"IST-2017-764-v1+1_279.pdf","date_created":"2018-12-12T10:08:05Z","file_size":495176,"date_updated":"2020-07-14T12:44:41Z","creator":"system"}],"language":[{"iso":"eng"}],"publication_status":"published","volume":9610,"related_material":{"record":[{"status":"public","id":"83","relation":"dissertation_contains"}]},"ec_funded":1,"project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"ieee":"H. M. Abusalah, G. Fuchsbauer, and K. Z. Pietrzak, “Constrained PRFs for unbounded inputs,” presented at the CT-RSA: Topics in Cryptology, San Francisco, CA, USA, 2016, vol. 9610, pp. 413–428.","short":"H.M. Abusalah, G. Fuchsbauer, K.Z. Pietrzak, in:, Springer, 2016, pp. 413–428.","ama":"Abusalah HM, Fuchsbauer G, Pietrzak KZ. Constrained PRFs for unbounded inputs. In: Vol 9610. Springer; 2016:413-428. doi:10.1007/978-3-319-29485-8_24","apa":"Abusalah, H. M., Fuchsbauer, G., & Pietrzak, K. Z. (2016). Constrained PRFs for unbounded inputs (Vol. 9610, pp. 413–428). Presented at the CT-RSA: Topics in Cryptology, San Francisco, CA, USA: Springer. https://doi.org/10.1007/978-3-319-29485-8_24","mla":"Abusalah, Hamza M., et al. Constrained PRFs for Unbounded Inputs. Vol. 9610, Springer, 2016, pp. 413–28, doi:10.1007/978-3-319-29485-8_24.","ista":"Abusalah HM, Fuchsbauer G, Pietrzak KZ. 2016. Constrained PRFs for unbounded inputs. CT-RSA: Topics in Cryptology, LNCS, vol. 9610, 413–428.","chicago":"Abusalah, Hamza M, Georg Fuchsbauer, and Krzysztof Z Pietrzak. “Constrained PRFs for Unbounded Inputs,” 9610:413–28. Springer, 2016. https://doi.org/10.1007/978-3-319-29485-8_24."},"title":"Constrained PRFs for unbounded inputs","author":[{"last_name":"Abusalah","full_name":"Abusalah, Hamza M","id":"40297222-F248-11E8-B48F-1D18A9856A87","first_name":"Hamza M"},{"full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer","first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z"}],"publist_id":"6097","acknowledgement":"Supported by the European Research Council, ERC Starting Grant (259668-PSPC).","publisher":"Springer","quality_controlled":"1","oa":1,"day":"02","has_accepted_license":"1","year":"2016","date_published":"2016-02-02T00:00:00Z","doi":"10.1007/978-3-319-29485-8_24","date_created":"2018-12-11T11:50:52Z","page":"413 - 428"},{"department":[{"_id":"KrPi"}],"date_updated":"2023-09-07T12:30:22Z","conference":{"end_date":"2016-06-22","location":"Guildford, UK","start_date":"2016-06-19","name":"ACNS: Applied Cryptography and Network Security"},"type":"conference","status":"public","_id":"1235","ec_funded":1,"related_material":{"record":[{"id":"83","status":"public","relation":"dissertation_contains"}]},"volume":9696,"publication_status":"published","language":[{"iso":"eng"}],"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2016/279.pdf"}],"alternative_title":["LNCS"],"scopus_import":1,"intvolume":" 9696","month":"01","abstract":[{"text":"A constrained pseudorandom function (CPRF) F: K×X → Y for a family T of subsets of χ is a function where for any key k ∈ K and set S ∈ T one can efficiently compute a short constrained key kS, which allows to evaluate F(k, ·) on all inputs x ∈ S, while the outputs on all inputs x /∈ S look random even given kS. Abusalah et al. recently constructed the first constrained PRF for inputs of arbitrary length whose sets S are decided by Turing machines. They use their CPRF to build broadcast encryption and the first ID-based non-interactive key exchange for an unbounded number of users. Their constrained keys are obfuscated circuits and are therefore large. In this work we drastically reduce the key size and define a constrained key for a Turing machine M as a short signature on M. For this, we introduce a new signature primitive with constrained signing keys that let one only sign certain messages, while forging a signature on others is hard even when knowing the coins for key generation.","lang":"eng"}],"oa_version":"Submitted Version","publist_id":"6098","author":[{"first_name":"Hamza M","id":"40297222-F248-11E8-B48F-1D18A9856A87","full_name":"Abusalah, Hamza M","last_name":"Abusalah"},{"first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer"}],"title":"Constrained PRFs for unbounded inputs with short keys","citation":{"ista":"Abusalah HM, Fuchsbauer G. 2016. Constrained PRFs for unbounded inputs with short keys. ACNS: Applied Cryptography and Network Security, LNCS, vol. 9696, 445–463.","chicago":"Abusalah, Hamza M, and Georg Fuchsbauer. “Constrained PRFs for Unbounded Inputs with Short Keys,” 9696:445–63. Springer, 2016. https://doi.org/10.1007/978-3-319-39555-5_24.","apa":"Abusalah, H. M., & Fuchsbauer, G. (2016). Constrained PRFs for unbounded inputs with short keys (Vol. 9696, pp. 445–463). Presented at the ACNS: Applied Cryptography and Network Security, Guildford, UK: Springer. https://doi.org/10.1007/978-3-319-39555-5_24","ama":"Abusalah HM, Fuchsbauer G. Constrained PRFs for unbounded inputs with short keys. In: Vol 9696. Springer; 2016:445-463. doi:10.1007/978-3-319-39555-5_24","ieee":"H. M. Abusalah and G. Fuchsbauer, “Constrained PRFs for unbounded inputs with short keys,” presented at the ACNS: Applied Cryptography and Network Security, Guildford, UK, 2016, vol. 9696, pp. 445–463.","short":"H.M. Abusalah, G. Fuchsbauer, in:, Springer, 2016, pp. 445–463.","mla":"Abusalah, Hamza M., and Georg Fuchsbauer. Constrained PRFs for Unbounded Inputs with Short Keys. Vol. 9696, Springer, 2016, pp. 445–63, doi:10.1007/978-3-319-39555-5_24."},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"},{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","grant_number":"682815","name":"Teaching Old Crypto New Tricks"}],"page":"445 - 463","date_created":"2018-12-11T11:50:52Z","date_published":"2016-01-01T00:00:00Z","doi":"10.1007/978-3-319-39555-5_24","year":"2016","day":"01","oa":1,"quality_controlled":"1","publisher":"Springer","acknowledgement":"H. Abusalah—Research supported by the European Research Council, ERC starting grant (259668-PSPC) and ERC consolidator grant (682815 - TOCNeT)."},{"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","date_updated":"2021-01-12T06:50:59Z","citation":{"ista":"Ferrara A, Fuchsbauer G, Liu B, Warinschi B. 2015. Policy privacy in cryptographic access control. CSF: Computer Security Foundations, 46–60.","chicago":"Ferrara, Anna, Georg Fuchsbauer, Bin Liu, and Bogdan Warinschi. “Policy Privacy in Cryptographic Access Control,” 46–60. IEEE, 2015. https://doi.org/10.1109/CSF.2015.11.","short":"A. Ferrara, G. Fuchsbauer, B. Liu, B. Warinschi, in:, IEEE, 2015, pp. 46–60.","ieee":"A. Ferrara, G. Fuchsbauer, B. Liu, and B. Warinschi, “Policy privacy in cryptographic access control,” presented at the CSF: Computer Security Foundations, Verona, Italy, 2015, pp. 46–60.","ama":"Ferrara A, Fuchsbauer G, Liu B, Warinschi B. Policy privacy in cryptographic access control. In: IEEE; 2015:46-60. doi:10.1109/CSF.2015.11","apa":"Ferrara, A., Fuchsbauer, G., Liu, B., & Warinschi, B. (2015). Policy privacy in cryptographic access control (pp. 46–60). Presented at the CSF: Computer Security Foundations, Verona, Italy: IEEE. https://doi.org/10.1109/CSF.2015.11","mla":"Ferrara, Anna, et al. Policy Privacy in Cryptographic Access Control. IEEE, 2015, pp. 46–60, doi:10.1109/CSF.2015.11."},"department":[{"_id":"KrPi"}],"title":"Policy privacy in cryptographic access control","article_processing_charge":"No","author":[{"first_name":"Anna","last_name":"Ferrara","full_name":"Ferrara, Anna"},{"first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer"},{"first_name":"Bin","last_name":"Liu","full_name":"Liu, Bin"},{"first_name":"Bogdan","last_name":"Warinschi","full_name":"Warinschi, Bogdan"}],"publist_id":"5722","_id":"1474","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"status":"public","conference":{"name":"CSF: Computer Security Foundations","start_date":"2015-07-13","end_date":"2015-07-17","location":"Verona, Italy"},"type":"conference","language":[{"iso":"eng"}],"day":"04","year":"2015","publication_status":"published","ec_funded":1,"date_created":"2018-12-11T11:52:14Z","date_published":"2015-09-04T00:00:00Z","doi":"10.1109/CSF.2015.11","page":"46-60","oa_version":"Submitted Version","abstract":[{"text":"Cryptographic access control offers selective access to encrypted data via a combination of key management and functionality-rich cryptographic schemes, such as attribute-based encryption. Using this approach, publicly available meta-data may inadvertently leak information on the access policy that is enforced by cryptography, which renders cryptographic access control unusable in settings where this information is highly sensitive. We begin to address this problem by presenting rigorous definitions for policy privacy in cryptographic access control. For concreteness we set our results in the model of Role-Based Access Control (RBAC), where we identify and formalize several different flavors of privacy, however, our framework should serve as inspiration for other models of access control. Based on our insights we propose a new system which significantly improves on the privacy properties of state-of-the-art constructions. Our design is based on a novel type of privacy-preserving attribute-based encryption, which we introduce and show how to instantiate. We present our results in the context of a cryptographic RBAC system by Ferrara et al. (CSF'13), which uses cryptography to control read access to files, while write access is still delegated to trusted monitors. We give an extension of the construction that permits cryptographic control over write access. Our construction assumes that key management uses out-of-band channels between the policy enforcer and the users but eliminates completely the need for monitoring read/write access to the data.","lang":"eng"}],"month":"09","oa":1,"main_file_link":[{"url":"http://epubs.surrey.ac.uk/808055/","open_access":"1"}],"quality_controlled":"1","publisher":"IEEE"},{"quality_controlled":"1","publisher":"Springer Nature","oa":1,"day":"01","publication":"12th Theory of Cryptography Conference","has_accepted_license":"1","year":"2015","doi":"10.1007/978-3-662-46497-7_2","date_published":"2015-03-01T00:00:00Z","date_created":"2018-12-11T11:53:14Z","page":"31 - 60","project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"user_id":"8b945eb4-e2f2-11eb-945a-df72226e66a9","citation":{"ista":"Banerjee A, Fuchsbauer G, Peikert C, Pietrzak KZ, Stevens S. 2015. Key-homomorphic constrained pseudorandom functions. 12th Theory of Cryptography Conference. TCC: Theory of Cryptography Conference, LNCS, vol. 9015, 31–60.","chicago":"Banerjee, Abishek, Georg Fuchsbauer, Chris Peikert, Krzysztof Z Pietrzak, and Sophie Stevens. “Key-Homomorphic Constrained Pseudorandom Functions.” In 12th Theory of Cryptography Conference, 9015:31–60. Springer Nature, 2015. https://doi.org/10.1007/978-3-662-46497-7_2.","ama":"Banerjee A, Fuchsbauer G, Peikert C, Pietrzak KZ, Stevens S. Key-homomorphic constrained pseudorandom functions. In: 12th Theory of Cryptography Conference. Vol 9015. Springer Nature; 2015:31-60. doi:10.1007/978-3-662-46497-7_2","apa":"Banerjee, A., Fuchsbauer, G., Peikert, C., Pietrzak, K. Z., & Stevens, S. (2015). Key-homomorphic constrained pseudorandom functions. In 12th Theory of Cryptography Conference (Vol. 9015, pp. 31–60). Warsaw, Poland: Springer Nature. https://doi.org/10.1007/978-3-662-46497-7_2","short":"A. Banerjee, G. Fuchsbauer, C. Peikert, K.Z. Pietrzak, S. Stevens, in:, 12th Theory of Cryptography Conference, Springer Nature, 2015, pp. 31–60.","ieee":"A. Banerjee, G. Fuchsbauer, C. Peikert, K. Z. Pietrzak, and S. Stevens, “Key-homomorphic constrained pseudorandom functions,” in 12th Theory of Cryptography Conference, Warsaw, Poland, 2015, vol. 9015, pp. 31–60.","mla":"Banerjee, Abishek, et al. “Key-Homomorphic Constrained Pseudorandom Functions.” 12th Theory of Cryptography Conference, vol. 9015, Springer Nature, 2015, pp. 31–60, doi:10.1007/978-3-662-46497-7_2."},"title":"Key-homomorphic constrained pseudorandom functions","publist_id":"5505","author":[{"last_name":"Banerjee","full_name":"Banerjee, Abishek","first_name":"Abishek"},{"last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg"},{"last_name":"Peikert","full_name":"Peikert, Chris","first_name":"Chris"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z"},{"first_name":"Sophie","full_name":"Stevens, Sophie","last_name":"Stevens"}],"article_processing_charge":"No","oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"A pseudorandom function (PRF) is a keyed function F : K × X → Y where, for a random key k ∈ K, the function F(k, ·) is indistinguishable from a uniformly random function, given black-box access. A key-homomorphic PRF has the additional feature that for any keys k, k' and any input x, we have F(k+k', x) = F(k, x)⊕F(k', x) for some group operations +,⊕ on K and Y, respectively. A constrained PRF for a family of setsS ⊆ P(X) has the property that, given any key k and set S ∈ S, one can efficiently compute a “constrained” key kS that enables evaluation of F(k, x) on all inputs x ∈ S, while the values F(k, x) for x /∈ S remain pseudorandom even given kS. In this paper we construct PRFs that are simultaneously constrained and key homomorphic, where the homomorphic property holds even for constrained keys. We first show that the multilinear map-based bit-fixing and circuit-constrained PRFs of Boneh and Waters (Asiacrypt 2013) can be modified to also be keyhomomorphic. We then show that the LWE-based key-homomorphic PRFs of Banerjee and Peikert (Crypto 2014) are essentially already prefix-constrained PRFs, using a (non-obvious) definition of constrained keys and associated group operation. Moreover, the constrained keys themselves are pseudorandom, and the constraining and evaluation functions can all be computed in low depth. As an application of key-homomorphic constrained PRFs,we construct a proxy re-encryption schemewith fine-grained access control. This scheme allows storing encrypted data on an untrusted server, where each file can be encrypted relative to some attributes, so that only parties whose constrained keys match the attributes can decrypt. Moreover, the server can re-key (arbitrary subsets of) the ciphertexts without learning anything about the plaintexts, thus permitting efficient and finegrained revocation."}],"month":"03","intvolume":" 9015","scopus_import":"1","alternative_title":["LNCS"],"main_file_link":[{"url":"https://eprint.iacr.org/2015/180","open_access":"1"}],"file":[{"content_type":"application/pdf","relation":"main_file","access_level":"open_access","file_id":"5136","checksum":"3c5093bda5783c89beaacabf1aa0e60e","file_size":450665,"date_updated":"2020-07-14T12:45:08Z","creator":"system","file_name":"IST-2016-679-v1+1_180.pdf","date_created":"2018-12-12T10:15:17Z"}],"language":[{"iso":"eng"}],"publication_identifier":{"isbn":["978-3-662-46496-0"]},"publication_status":"published","volume":9015,"ec_funded":1,"_id":"1646","status":"public","pubrep_id":"679","type":"conference","conference":{"start_date":"2015-03-23","end_date":"2015-03-25","location":"Warsaw, Poland","name":"TCC: Theory of Cryptography Conference"},"ddc":["000","004"],"date_updated":"2022-02-03T08:41:46Z","file_date_updated":"2020-07-14T12:45:08Z","department":[{"_id":"KrPi"}]},{"publist_id":"5502","author":[{"last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Zahra","full_name":"Jafargholi, Zahra","last_name":"Jafargholi"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z"}],"title":"A quasipolynomial reduction for generalized selective decryption on trees","citation":{"chicago":"Fuchsbauer, Georg, Zahra Jafargholi, and Krzysztof Z Pietrzak. “A Quasipolynomial Reduction for Generalized Selective Decryption on Trees,” 9215:601–20. Springer, 2015. https://doi.org/10.1007/978-3-662-47989-6_29.","ista":"Fuchsbauer G, Jafargholi Z, Pietrzak KZ. 2015. A quasipolynomial reduction for generalized selective decryption on trees. CRYPTO: International Cryptology Conference, LNCS, vol. 9215, 601–620.","mla":"Fuchsbauer, Georg, et al. A Quasipolynomial Reduction for Generalized Selective Decryption on Trees. Vol. 9215, Springer, 2015, pp. 601–20, doi:10.1007/978-3-662-47989-6_29.","ieee":"G. Fuchsbauer, Z. Jafargholi, and K. Z. Pietrzak, “A quasipolynomial reduction for generalized selective decryption on trees,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, USA, 2015, vol. 9215, pp. 601–620.","short":"G. Fuchsbauer, Z. Jafargholi, K.Z. Pietrzak, in:, Springer, 2015, pp. 601–620.","apa":"Fuchsbauer, G., Jafargholi, Z., & Pietrzak, K. Z. (2015). A quasipolynomial reduction for generalized selective decryption on trees (Vol. 9215, pp. 601–620). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, USA: Springer. https://doi.org/10.1007/978-3-662-47989-6_29","ama":"Fuchsbauer G, Jafargholi Z, Pietrzak KZ. A quasipolynomial reduction for generalized selective decryption on trees. In: Vol 9215. Springer; 2015:601-620. doi:10.1007/978-3-662-47989-6_29"},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"page":"601 - 620","date_published":"2015-08-01T00:00:00Z","doi":"10.1007/978-3-662-47989-6_29","date_created":"2018-12-11T11:53:14Z","has_accepted_license":"1","year":"2015","day":"01","publisher":"Springer","quality_controlled":"1","oa":1,"file_date_updated":"2020-07-14T12:45:08Z","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T06:52:14Z","ddc":["004"],"type":"conference","conference":{"start_date":"2015-08-16","location":"Santa Barbara, CA, USA","end_date":"2015-08-20","name":"CRYPTO: International Cryptology Conference"},"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"status":"public","pubrep_id":"674","_id":"1648","volume":9215,"ec_funded":1,"publication_status":"published","file":[{"access_level":"open_access","relation":"main_file","content_type":"application/pdf","file_id":"5015","checksum":"99b76b3263d5082554d0a9cbdeca3a22","creator":"system","date_updated":"2020-07-14T12:45:08Z","file_size":505618,"date_created":"2018-12-12T10:13:31Z","file_name":"IST-2016-674-v1+1_389.pdf"}],"language":[{"iso":"eng"}],"scopus_import":1,"alternative_title":["LNCS"],"month":"08","intvolume":" 9215","abstract":[{"lang":"eng","text":"Generalized Selective Decryption (GSD), introduced by Panjwani [TCC’07], is a game for a symmetric encryption scheme Enc that captures the difficulty of proving adaptive security of certain protocols, most notably the Logical Key Hierarchy (LKH) multicast encryption protocol. In the GSD game there are n keys k1,..., kn, which the adversary may adaptively corrupt (learn); moreover, it can ask for encryptions Encki (kj) of keys under other keys. The adversary’s task is to distinguish keys (which it cannot trivially compute) from random. Proving the hardness of GSD assuming only IND-CPA security of Enc is surprisingly hard. Using “complexity leveraging” loses a factor exponential in n, which makes the proof practically meaningless. We can think of the GSD game as building a graph on n vertices, where we add an edge i → j when the adversary asks for an encryption of kj under ki. If restricted to graphs of depth ℓ, Panjwani gave a reduction that loses only a factor exponential in ℓ (not n). To date, this is the only non-trivial result known for GSD. In this paper we give almost-polynomial reductions for large classes of graphs. Most importantly, we prove the security of the GSD game restricted to trees losing only a quasi-polynomial factor n3 log n+5. Trees are an important special case capturing real-world protocols like the LKH protocol. Our new bound improves upon Panjwani’s on some LKH variants proposed in the literature where the underlying tree is not balanced. Our proof builds on ideas from the “nested hybrids” technique recently introduced by Fuchsbauer et al. [Asiacrypt’14] for proving the adaptive security of constrained PRFs."}],"oa_version":"Submitted Version"},{"ddc":["000","004"],"date_updated":"2021-01-12T06:52:14Z","file_date_updated":"2020-07-14T12:45:08Z","department":[{"_id":"KrPi"}],"_id":"1649","series_title":"Lecture Notes in Computer Science","pubrep_id":"678","status":"public","conference":{"name":"ESORICS: European Symposium on Research in Computer Security","start_date":"2015-09-21","end_date":"2015-09-25","location":"Vienna, Austria"},"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by-nc/4.0/legalcode","image":"/images/cc_by_nc.png","name":"Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)","short":"CC BY-NC (4.0)"},"type":"conference","language":[{"iso":"eng"}],"file":[{"relation":"main_file","access_level":"open_access","content_type":"application/pdf","file_id":"4883","checksum":"6eac4a485b2aa644b2d3f753ed0b280b","creator":"system","file_size":494239,"date_updated":"2020-07-14T12:45:08Z","file_name":"IST-2016-678-v1+1_889.pdf","date_created":"2018-12-12T10:11:28Z"}],"publication_status":"published","license":"https://creativecommons.org/licenses/by-nc/4.0/","ec_funded":1,"volume":9326,"oa_version":"Published Version","abstract":[{"lang":"eng","text":"We extend a commitment scheme based on the learning with errors over rings (RLWE) problem, and present efficient companion zeroknowledge proofs of knowledge. Our scheme maps elements from the ring (or equivalently, n elements from "}],"intvolume":" 9326","month":"01","alternative_title":["LNCS"],"scopus_import":1,"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Benhamouda, Fabrice, Stephan Krenn, Vadim Lyubashevsky, and Krzysztof Z Pietrzak. “Efficient Zero-Knowledge Proofs for Commitments from Learning with Errors over Rings.” Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-319-24174-6_16.","ista":"Benhamouda F, Krenn S, Lyubashevsky V, Pietrzak KZ. 2015. Efficient zero-knowledge proofs for commitments from learning with errors over rings. 9326, 305–325.","mla":"Benhamouda, Fabrice, et al. Efficient Zero-Knowledge Proofs for Commitments from Learning with Errors over Rings. Vol. 9326, Springer, 2015, pp. 305–25, doi:10.1007/978-3-319-24174-6_16.","apa":"Benhamouda, F., Krenn, S., Lyubashevsky, V., & Pietrzak, K. Z. (2015). Efficient zero-knowledge proofs for commitments from learning with errors over rings. Presented at the ESORICS: European Symposium on Research in Computer Security, Vienna, Austria: Springer. https://doi.org/10.1007/978-3-319-24174-6_16","ama":"Benhamouda F, Krenn S, Lyubashevsky V, Pietrzak KZ. Efficient zero-knowledge proofs for commitments from learning with errors over rings. 2015;9326:305-325. doi:10.1007/978-3-319-24174-6_16","ieee":"F. Benhamouda, S. Krenn, V. Lyubashevsky, and K. Z. Pietrzak, “Efficient zero-knowledge proofs for commitments from learning with errors over rings,” vol. 9326. Springer, pp. 305–325, 2015.","short":"F. Benhamouda, S. Krenn, V. Lyubashevsky, K.Z. Pietrzak, 9326 (2015) 305–325."},"title":"Efficient zero-knowledge proofs for commitments from learning with errors over rings","author":[{"last_name":"Benhamouda","full_name":"Benhamouda, Fabrice","first_name":"Fabrice"},{"last_name":"Krenn","full_name":"Krenn, Stephan","first_name":"Stephan"},{"first_name":"Vadim","full_name":"Lyubashevsky, Vadim","last_name":"Lyubashevsky"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654"}],"publist_id":"5501","project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"day":"01","year":"2015","has_accepted_license":"1","date_created":"2018-12-11T11:53:15Z","date_published":"2015-01-01T00:00:00Z","doi":"10.1007/978-3-319-24174-6_16","page":"305 - 325","oa":1,"publisher":"Springer","quality_controlled":"1"},{"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Demay, Grégory, Peter Gazi, Ueli Maurer, and Björn Tackmann. “Query-Complexity Amplification for Random Oracles,” 9063:159–80. Springer, 2015. https://doi.org/10.1007/978-3-319-17470-9_10.","ista":"Demay G, Gazi P, Maurer U, Tackmann B. 2015. Query-complexity amplification for random oracles. ICITS: International Conference on Information Theoretic Security, LNCS, vol. 9063, 159–180.","mla":"Demay, Grégory, et al. Query-Complexity Amplification for Random Oracles. Vol. 9063, Springer, 2015, pp. 159–80, doi:10.1007/978-3-319-17470-9_10.","ama":"Demay G, Gazi P, Maurer U, Tackmann B. Query-complexity amplification for random oracles. In: Vol 9063. Springer; 2015:159-180. doi:10.1007/978-3-319-17470-9_10","apa":"Demay, G., Gazi, P., Maurer, U., & Tackmann, B. (2015). Query-complexity amplification for random oracles (Vol. 9063, pp. 159–180). Presented at the ICITS: International Conference on Information Theoretic Security, Lugano, Switzerland: Springer. https://doi.org/10.1007/978-3-319-17470-9_10","short":"G. Demay, P. Gazi, U. Maurer, B. Tackmann, in:, Springer, 2015, pp. 159–180.","ieee":"G. Demay, P. Gazi, U. Maurer, and B. Tackmann, “Query-complexity amplification for random oracles,” presented at the ICITS: International Conference on Information Theoretic Security, Lugano, Switzerland, 2015, vol. 9063, pp. 159–180."},"title":"Query-complexity amplification for random oracles","author":[{"first_name":"Grégory","last_name":"Demay","full_name":"Demay, Grégory"},{"full_name":"Gazi, Peter","last_name":"Gazi","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","first_name":"Peter"},{"full_name":"Maurer, Ueli","last_name":"Maurer","first_name":"Ueli"},{"last_name":"Tackmann","full_name":"Tackmann, Björn","first_name":"Björn"}],"publist_id":"5507","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"day":"01","year":"2015","date_created":"2018-12-11T11:53:13Z","doi":"10.1007/978-3-319-17470-9_10","date_published":"2015-01-01T00:00:00Z","page":"159 - 180","oa":1,"publisher":"Springer","quality_controlled":"1","date_updated":"2021-01-12T06:52:13Z","department":[{"_id":"KrPi"}],"_id":"1644","status":"public","conference":{"location":"Lugano, Switzerland","end_date":"2015-05-05","start_date":"2015-05-02","name":"ICITS: International Conference on Information Theoretic Security"},"type":"conference","language":[{"iso":"eng"}],"publication_status":"published","ec_funded":1,"volume":9063,"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"Increasing the computational complexity of evaluating a hash function, both for the honest users as well as for an adversary, is a useful technique employed for example in password-based cryptographic schemes to impede brute-force attacks, and also in so-called proofs of work (used in protocols like Bitcoin) to show that a certain amount of computation was performed by a legitimate user. A natural approach to adjust the complexity of a hash function is to iterate it c times, for some parameter c, in the hope that any query to the scheme requires c evaluations of the underlying hash function. However, results by Dodis et al. (Crypto 2012) imply that plain iteration falls short of achieving this goal, and designing schemes which provably have such a desirable property remained an open problem. This paper formalizes explicitly what it means for a given scheme to amplify the query complexity of a hash function. In the random oracle model, the goal of a secure query-complexity amplifier (QCA) scheme is captured as transforming, in the sense of indifferentiability, a random oracle allowing R queries (for the adversary) into one provably allowing only r < R queries. Turned around, this means that making r queries to the scheme requires at least R queries to the actual random oracle. Second, a new scheme, called collision-free iteration, is proposed and proven to achieve c-fold QCA for both the honest parties and the adversary, for any fixed parameter c."}],"intvolume":" 9063","month":"01","main_file_link":[{"url":"http://eprint.iacr.org/2015/315","open_access":"1"}],"alternative_title":["LNCS"],"scopus_import":1},{"oa":1,"publisher":"Springer","quality_controlled":"1","page":"233 - 253","date_created":"2018-12-11T11:53:14Z","doi":"10.1007/978-3-662-48000-7_12","date_published":"2015-08-01T00:00:00Z","year":"2015","day":"01","project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"article_processing_charge":"No","author":[{"last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg"},{"first_name":"Christian","full_name":"Hanser, Christian","last_name":"Hanser"},{"last_name":"Slamanig","full_name":"Slamanig, Daniel","first_name":"Daniel"}],"publist_id":"5503","title":"Practical round-optimal blind signatures in the standard model","citation":{"ista":"Fuchsbauer G, Hanser C, Slamanig D. 2015. Practical round-optimal blind signatures in the standard model. CRYPTO: International Cryptology Conference, LNCS, vol. 9216, 233–253.","chicago":"Fuchsbauer, Georg, Christian Hanser, and Daniel Slamanig. “Practical Round-Optimal Blind Signatures in the Standard Model,” 9216:233–53. Springer, 2015. https://doi.org/10.1007/978-3-662-48000-7_12.","ieee":"G. Fuchsbauer, C. Hanser, and D. Slamanig, “Practical round-optimal blind signatures in the standard model,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States, 2015, vol. 9216, pp. 233–253.","short":"G. Fuchsbauer, C. Hanser, D. Slamanig, in:, Springer, 2015, pp. 233–253.","ama":"Fuchsbauer G, Hanser C, Slamanig D. Practical round-optimal blind signatures in the standard model. In: Vol 9216. Springer; 2015:233-253. doi:10.1007/978-3-662-48000-7_12","apa":"Fuchsbauer, G., Hanser, C., & Slamanig, D. (2015). Practical round-optimal blind signatures in the standard model (Vol. 9216, pp. 233–253). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-662-48000-7_12","mla":"Fuchsbauer, Georg, et al. Practical Round-Optimal Blind Signatures in the Standard Model. Vol. 9216, Springer, 2015, pp. 233–53, doi:10.1007/978-3-662-48000-7_12."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","main_file_link":[{"url":"https://eprint.iacr.org/2015/626.pdf","open_access":"1"}],"scopus_import":1,"alternative_title":["LNCS"],"intvolume":" 9216","month":"08","abstract":[{"text":"Round-optimal blind signatures are notoriously hard to construct in the standard model, especially in the malicious-signer model, where blindness must hold under adversarially chosen keys. This is substantiated by several impossibility results. The only construction that can be termed theoretically efficient, by Garg and Gupta (Eurocrypt’14), requires complexity leveraging, inducing an exponential security loss. We present a construction of practically efficient round-optimal blind signatures in the standard model. It is conceptually simple and builds on the recent structure-preserving signatures on equivalence classes (SPSEQ) from Asiacrypt’14. While the traditional notion of blindness follows from standard assumptions, we prove blindness under adversarially chosen keys under an interactive variant of DDH. However, we neither require non-uniform assumptions nor complexity leveraging. We then show how to extend our construction to partially blind signatures and to blind signatures on message vectors, which yield a construction of one-show anonymous credentials à la “anonymous credentials light” (CCS’13) in the standard model. Furthermore, we give the first SPS-EQ construction under noninteractive assumptions and show how SPS-EQ schemes imply conventional structure-preserving signatures, which allows us to apply optimality results for the latter to SPS-EQ.","lang":"eng"}],"oa_version":"Submitted Version","ec_funded":1,"related_material":{"record":[{"status":"public","id":"1225","relation":"later_version"}]},"volume":9216,"publication_status":"published","language":[{"iso":"eng"}],"conference":{"name":"CRYPTO: International Cryptology Conference","start_date":"2015-08-16","location":"Santa Barbara, CA, United States","end_date":"2015-08-20"},"type":"conference","status":"public","_id":"1647","department":[{"_id":"KrPi"}],"date_updated":"2023-02-21T16:44:51Z"},{"date_published":"2015-06-24T00:00:00Z","doi":"10.1109/ITW.2015.7133163","ec_funded":1,"date_created":"2018-12-11T11:53:13Z","year":"2015","publication_status":"published","day":"24","language":[{"iso":"eng"}],"publication":"2015 IEEE Information Theory Workshop","quality_controlled":"1","publisher":"IEEE","scopus_import":1,"month":"06","abstract":[{"lang":"eng","text":"Secret-key constructions are often proved secure in a model where one or more underlying components are replaced by an idealized oracle accessible to the attacker. This model gives rise to information-theoretic security analyses, and several advances have been made in this area over the last few years. This paper provides a systematic overview of what is achievable in this model, and how existing works fit into this view."}],"oa_version":"None","author":[{"last_name":"Gazi","full_name":"Gazi, Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","first_name":"Peter"},{"first_name":"Stefano","full_name":"Tessaro, Stefano","last_name":"Tessaro"}],"publist_id":"5506","department":[{"_id":"KrPi"}],"title":"Secret-key cryptography from ideal primitives: A systematic verview","citation":{"chicago":"Gazi, Peter, and Stefano Tessaro. “Secret-Key Cryptography from Ideal Primitives: A Systematic Verview.” In 2015 IEEE Information Theory Workshop. IEEE, 2015. https://doi.org/10.1109/ITW.2015.7133163.","ista":"Gazi P, Tessaro S. 2015. Secret-key cryptography from ideal primitives: A systematic verview. 2015 IEEE Information Theory Workshop. ITW 2015: IEEE Information Theory Workshop, 7133163.","mla":"Gazi, Peter, and Stefano Tessaro. “Secret-Key Cryptography from Ideal Primitives: A Systematic Verview.” 2015 IEEE Information Theory Workshop, 7133163, IEEE, 2015, doi:10.1109/ITW.2015.7133163.","ama":"Gazi P, Tessaro S. Secret-key cryptography from ideal primitives: A systematic verview. In: 2015 IEEE Information Theory Workshop. IEEE; 2015. doi:10.1109/ITW.2015.7133163","apa":"Gazi, P., & Tessaro, S. (2015). Secret-key cryptography from ideal primitives: A systematic verview. In 2015 IEEE Information Theory Workshop. Jerusalem, Israel: IEEE. https://doi.org/10.1109/ITW.2015.7133163","ieee":"P. Gazi and S. Tessaro, “Secret-key cryptography from ideal primitives: A systematic verview,” in 2015 IEEE Information Theory Workshop, Jerusalem, Israel, 2015.","short":"P. Gazi, S. Tessaro, in:, 2015 IEEE Information Theory Workshop, IEEE, 2015."},"date_updated":"2021-01-12T06:52:13Z","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","type":"conference","conference":{"end_date":"2015-05-01","location":"Jerusalem, Israel","start_date":"2015-04-26","name":"ITW 2015: IEEE Information Theory Workshop"},"project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"status":"public","_id":"1645","article_number":"7133163"},{"page":"85 - 109","date_published":"2015-12-30T00:00:00Z","doi":"10.1007/978-3-662-48800-3_4","date_created":"2018-12-11T11:53:17Z","has_accepted_license":"1","year":"2015","day":"30","quality_controlled":"1","publisher":"Springer","oa":1,"publist_id":"5496","author":[{"last_name":"Gazi","full_name":"Gazi, Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","first_name":"Peter"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"},{"full_name":"Tessaro, Stefano","last_name":"Tessaro","first_name":"Stefano"}],"title":"Generic security of NMAC and HMAC with input whitening","citation":{"ieee":"P. Gazi, K. Z. Pietrzak, and S. Tessaro, “Generic security of NMAC and HMAC with input whitening,” vol. 9453. Springer, pp. 85–109, 2015.","short":"P. Gazi, K.Z. Pietrzak, S. Tessaro, 9453 (2015) 85–109.","ama":"Gazi P, Pietrzak KZ, Tessaro S. Generic security of NMAC and HMAC with input whitening. 2015;9453:85-109. doi:10.1007/978-3-662-48800-3_4","apa":"Gazi, P., Pietrzak, K. Z., & Tessaro, S. (2015). Generic security of NMAC and HMAC with input whitening. Presented at the ASIACRYPT: Theory and Application of Cryptology and Information Security, Auckland, New Zealand: Springer. https://doi.org/10.1007/978-3-662-48800-3_4","mla":"Gazi, Peter, et al. Generic Security of NMAC and HMAC with Input Whitening. Vol. 9453, Springer, 2015, pp. 85–109, doi:10.1007/978-3-662-48800-3_4.","ista":"Gazi P, Pietrzak KZ, Tessaro S. 2015. Generic security of NMAC and HMAC with input whitening. 9453, 85–109.","chicago":"Gazi, Peter, Krzysztof Z Pietrzak, and Stefano Tessaro. “Generic Security of NMAC and HMAC with Input Whitening.” Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-662-48800-3_4."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"volume":9453,"ec_funded":1,"publication_status":"published","file":[{"creator":"system","date_updated":"2020-07-14T12:45:08Z","file_size":512071,"date_created":"2018-12-12T10:09:09Z","file_name":"IST-2016-676-v1+1_881.pdf","access_level":"open_access","relation":"main_file","content_type":"application/pdf","checksum":"d1e53203db2d8573a560995ccdffac62","file_id":"4732"}],"language":[{"iso":"eng"}],"scopus_import":1,"alternative_title":["LNCS"],"month":"12","intvolume":" 9453","abstract":[{"text":"HMAC and its variant NMAC are the most popular approaches to deriving a MAC (and more generally, a PRF) from a cryptographic hash function. Despite nearly two decades of research, their exact security still remains far from understood in many different contexts. Indeed, recent works have re-surfaced interest for {\\em generic} attacks, i.e., attacks that treat the compression function of the underlying hash function as a black box.\r\n\r\nGeneric security can be proved in a model where the underlying compression function is modeled as a random function -- yet, to date, the question of proving tight, non-trivial bounds on the generic security of HMAC/NMAC even as a PRF remains a challenging open question.\r\n\r\nIn this paper, we ask the question of whether a small modification to HMAC and NMAC can allow us to exactly characterize the security of the resulting constructions, while only incurring little penalty with respect to efficiency. To this end, we present simple variants of NMAC and HMAC, for which we prove tight bounds on the generic PRF security, expressed in terms of numbers of construction and compression function queries necessary to break the construction. All of our constructions are obtained via a (near) {\\em black-box} modification of NMAC and HMAC, which can be interpreted as an initial step of key-dependent message pre-processing.\r\n\r\nWhile our focus is on PRF security, a further attractive feature of our new constructions is that they clearly defeat all recent generic attacks against properties such as state recovery and universal forgery. These exploit properties of the so-called ``functional graph'' which are not directly accessible in our new constructions. ","lang":"eng"}],"oa_version":"Submitted Version","department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:45:08Z","date_updated":"2021-01-12T06:52:16Z","ddc":["004","005"],"type":"conference","conference":{"name":"ASIACRYPT: Theory and Application of Cryptology and Information Security","start_date":"2015-11-29","location":"Auckland, New Zealand","end_date":"2015-12-03"},"status":"public","pubrep_id":"676","series_title":"Lecture Notes in Computer Science","_id":"1654"},{"ec_funded":1,"volume":9134,"language":[{"iso":"eng"}],"file":[{"content_type":"application/pdf","access_level":"open_access","relation":"main_file","checksum":"e808c7eecb631336fc9f9bf2e8d4ecae","file_id":"4693","date_updated":"2020-07-14T12:45:08Z","file_size":525503,"creator":"system","date_created":"2018-12-12T10:08:32Z","file_name":"IST-2016-675-v1+1_384.pdf"}],"publication_status":"published","intvolume":" 9134","month":"06","alternative_title":["LNCS"],"scopus_import":1,"oa_version":"Published Version","abstract":[{"text":"We consider the task of deriving a key with high HILL entropy (i.e., being computationally indistinguishable from a key with high min-entropy) from an unpredictable source.\r\n\r\nPrevious to this work, the only known way to transform unpredictability into a key that was ϵ indistinguishable from having min-entropy was via pseudorandomness, for example by Goldreich-Levin (GL) hardcore bits. This approach has the inherent limitation that from a source with k bits of unpredictability entropy one can derive a key of length (and thus HILL entropy) at most k−2log(1/ϵ) bits. In many settings, e.g. when dealing with biometric data, such a 2log(1/ϵ) bit entropy loss in not an option. Our main technical contribution is a theorem that states that in the high entropy regime, unpredictability implies HILL entropy. Concretely, any variable K with |K|−d bits of unpredictability entropy has the same amount of so called metric entropy (against real-valued, deterministic distinguishers), which is known to imply the same amount of HILL entropy. The loss in circuit size in this argument is exponential in the entropy gap d, and thus this result only applies for small d (i.e., where the size of distinguishers considered is exponential in d).\r\n\r\nTo overcome the above restriction, we investigate if it’s possible to first “condense” unpredictability entropy and make the entropy gap small. We show that any source with k bits of unpredictability can be condensed into a source of length k with k−3 bits of unpredictability entropy. Our condenser simply “abuses" the GL construction and derives a k bit key from a source with k bits of unpredicatibily. The original GL theorem implies nothing when extracting that many bits, but we show that in this regime, GL still behaves like a “condenser" for unpredictability. This result comes with two caveats (1) the loss in circuit size is exponential in k and (2) we require that the source we start with has no HILL entropy (equivalently, one can efficiently check if a guess is correct). We leave it as an intriguing open problem to overcome these restrictions or to prove they’re inherent.","lang":"eng"}],"file_date_updated":"2020-07-14T12:45:08Z","department":[{"_id":"KrPi"}],"ddc":["000","005"],"date_updated":"2021-01-12T06:52:15Z","pubrep_id":"675","status":"public","conference":{"name":"ICALP: Automata, Languages and Programming","location":"Kyoto, Japan","end_date":"2015-07-10","start_date":"2015-07-06"},"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"type":"conference","_id":"1650","date_created":"2018-12-11T11:53:15Z","date_published":"2015-06-20T00:00:00Z","doi":"10.1007/978-3-662-47672-7_85","page":"1046 - 1057","day":"20","year":"2015","has_accepted_license":"1","oa":1,"publisher":"Springer","quality_controlled":"1","title":"Condensed unpredictability ","publist_id":"5500","author":[{"first_name":"Maciej","last_name":"Skórski","full_name":"Skórski, Maciej"},{"first_name":"Alexander","last_name":"Golovnev","full_name":"Golovnev, Alexander"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"ista":"Skórski M, Golovnev A, Pietrzak KZ. 2015. Condensed unpredictability . ICALP: Automata, Languages and Programming, LNCS, vol. 9134, 1046–1057.","chicago":"Skórski, Maciej, Alexander Golovnev, and Krzysztof Z Pietrzak. “Condensed Unpredictability ,” 9134:1046–57. Springer, 2015. https://doi.org/10.1007/978-3-662-47672-7_85.","ama":"Skórski M, Golovnev A, Pietrzak KZ. Condensed unpredictability . In: Vol 9134. Springer; 2015:1046-1057. doi:10.1007/978-3-662-47672-7_85","apa":"Skórski, M., Golovnev, A., & Pietrzak, K. Z. (2015). Condensed unpredictability (Vol. 9134, pp. 1046–1057). Presented at the ICALP: Automata, Languages and Programming, Kyoto, Japan: Springer. https://doi.org/10.1007/978-3-662-47672-7_85","ieee":"M. Skórski, A. Golovnev, and K. Z. Pietrzak, “Condensed unpredictability ,” presented at the ICALP: Automata, Languages and Programming, Kyoto, Japan, 2015, vol. 9134, pp. 1046–1057.","short":"M. Skórski, A. Golovnev, K.Z. Pietrzak, in:, Springer, 2015, pp. 1046–1057.","mla":"Skórski, Maciej, et al. Condensed Unpredictability . Vol. 9134, Springer, 2015, pp. 1046–57, doi:10.1007/978-3-662-47672-7_85."},"project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}]},{"date_updated":"2022-05-23T10:08:37Z","department":[{"_id":"KrPi"}],"_id":"1651","status":"public","conference":{"start_date":"2015-03-30","end_date":"2015-04-01","location":"Gaithersburg, MD, United States","name":"PKC: Public Key Crypography"},"type":"conference","language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"isbn":["978-3-662-46446-5"]},"ec_funded":1,"volume":9020,"oa_version":"Published Version","abstract":[{"text":"Cryptographic e-cash allows off-line electronic transactions between a bank, users and merchants in a secure and anonymous fashion. A plethora of e-cash constructions has been proposed in the literature; however, these traditional e-cash schemes only allow coins to be transferred once between users and merchants. Ideally, we would like users to be able to transfer coins between each other multiple times before deposit, as happens with physical cash. “Transferable” e-cash schemes are the solution to this problem. Unfortunately, the currently proposed schemes are either completely impractical or do not achieve the desirable anonymity properties without compromises, such as assuming the existence of a trusted “judge” who can trace all coins and users in the system. This paper presents the first efficient and fully anonymous transferable e-cash scheme without any trusted third parties. We start by revising the security and anonymity properties of transferable e-cash to capture issues that were previously overlooked. For our construction we use the recently proposed malleable signatures by Chase et al. to allow the secure and anonymous transfer of coins, combined with a new efficient double-spending detection mechanism. Finally, we discuss an instantiation of our construction.","lang":"eng"}],"intvolume":" 9020","month":"03","main_file_link":[{"open_access":"1","url":"https://doi.org/10.1007/978-3-662-46447-2_5"}],"scopus_import":"1","alternative_title":["LNCS"],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"ista":"Baldimtsi F, Chase M, Fuchsbauer G, Kohlweiss M. 2015. Anonymous transferable e-cash. Public-Key Cryptography - PKC 2015. PKC: Public Key Crypography, LNCS, vol. 9020, 101–124.","chicago":"Baldimtsi, Foteini, Melissa Chase, Georg Fuchsbauer, and Markulf Kohlweiss. “Anonymous Transferable E-Cash.” In Public-Key Cryptography - PKC 2015, 9020:101–24. Springer, 2015. https://doi.org/10.1007/978-3-662-46447-2_5.","short":"F. Baldimtsi, M. Chase, G. Fuchsbauer, M. Kohlweiss, in:, Public-Key Cryptography - PKC 2015, Springer, 2015, pp. 101–124.","ieee":"F. Baldimtsi, M. Chase, G. Fuchsbauer, and M. Kohlweiss, “Anonymous transferable e-cash,” in Public-Key Cryptography - PKC 2015, Gaithersburg, MD, United States, 2015, vol. 9020, pp. 101–124.","ama":"Baldimtsi F, Chase M, Fuchsbauer G, Kohlweiss M. Anonymous transferable e-cash. In: Public-Key Cryptography - PKC 2015. Vol 9020. Springer; 2015:101-124. doi:10.1007/978-3-662-46447-2_5","apa":"Baldimtsi, F., Chase, M., Fuchsbauer, G., & Kohlweiss, M. (2015). Anonymous transferable e-cash. In Public-Key Cryptography - PKC 2015 (Vol. 9020, pp. 101–124). Gaithersburg, MD, United States: Springer. https://doi.org/10.1007/978-3-662-46447-2_5","mla":"Baldimtsi, Foteini, et al. “Anonymous Transferable E-Cash.” Public-Key Cryptography - PKC 2015, vol. 9020, Springer, 2015, pp. 101–24, doi:10.1007/978-3-662-46447-2_5."},"title":"Anonymous transferable e-cash","article_processing_charge":"No","author":[{"last_name":"Baldimtsi","full_name":"Baldimtsi, Foteini","first_name":"Foteini"},{"last_name":"Chase","full_name":"Chase, Melissa","first_name":"Melissa"},{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg"},{"first_name":"Markulf","full_name":"Kohlweiss, Markulf","last_name":"Kohlweiss"}],"publist_id":"5499","project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"publication":"Public-Key Cryptography - PKC 2015","day":"17","year":"2015","date_created":"2018-12-11T11:53:15Z","doi":"10.1007/978-3-662-46447-2_5","date_published":"2015-03-17T00:00:00Z","page":"101 - 124","acknowledgement":"Work done as an intern in Microsoft Research Redmond and as a student at Brown University, where supported by NSF grant 0964379. Supported by the European Research Council, ERC Starting Grant (259668-PSPC).","oa":1,"publisher":"Springer","quality_controlled":"1"},{"title":"High parallel complexity graphs and memory-hard functions","department":[{"_id":"KrPi"}],"author":[{"first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","full_name":"Alwen, Joel F","last_name":"Alwen"},{"first_name":"Vladimir","last_name":"Serbinenko","full_name":"Serbinenko, Vladimir"}],"publist_id":"5498","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"apa":"Alwen, J. F., & Serbinenko, V. (2015). High parallel complexity graphs and memory-hard functions. In Proceedings of the 47th annual ACM symposium on Theory of computing (pp. 595–603). Portland, OR, United States: ACM. https://doi.org/10.1145/2746539.2746622","ama":"Alwen JF, Serbinenko V. High parallel complexity graphs and memory-hard functions. In: Proceedings of the 47th Annual ACM Symposium on Theory of Computing. ACM; 2015:595-603. doi:10.1145/2746539.2746622","short":"J.F. Alwen, V. Serbinenko, in:, Proceedings of the 47th Annual ACM Symposium on Theory of Computing, ACM, 2015, pp. 595–603.","ieee":"J. F. Alwen and V. Serbinenko, “High parallel complexity graphs and memory-hard functions,” in Proceedings of the 47th annual ACM symposium on Theory of computing, Portland, OR, United States, 2015, pp. 595–603.","mla":"Alwen, Joel F., and Vladimir Serbinenko. “High Parallel Complexity Graphs and Memory-Hard Functions.” Proceedings of the 47th Annual ACM Symposium on Theory of Computing, ACM, 2015, pp. 595–603, doi:10.1145/2746539.2746622.","ista":"Alwen JF, Serbinenko V. 2015. High parallel complexity graphs and memory-hard functions. Proceedings of the 47th annual ACM symposium on Theory of computing. STOC: Symposium on the Theory of Computing, 595–603.","chicago":"Alwen, Joel F, and Vladimir Serbinenko. “High Parallel Complexity Graphs and Memory-Hard Functions.” In Proceedings of the 47th Annual ACM Symposium on Theory of Computing, 595–603. ACM, 2015. https://doi.org/10.1145/2746539.2746622."},"date_updated":"2021-01-12T06:52:16Z","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"status":"public","conference":{"name":"STOC: Symposium on the Theory of Computing","start_date":"2015-06-14","end_date":"2015-06-17","location":"Portland, OR, United States"},"type":"conference","_id":"1652","ec_funded":1,"date_created":"2018-12-11T11:53:16Z","doi":"10.1145/2746539.2746622","date_published":"2015-06-01T00:00:00Z","page":"595 - 603","publication":"Proceedings of the 47th annual ACM symposium on Theory of computing","language":[{"iso":"eng"}],"day":"01","publication_status":"published","year":"2015","month":"06","main_file_link":[{"open_access":"1","url":"http://eprint.iacr.org/2014/238"}],"oa":1,"publisher":"ACM","scopus_import":1,"quality_controlled":"1","oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"We develop new theoretical tools for proving lower-bounds on the (amortized) complexity of certain functions in models of parallel computation. We apply the tools to construct a class of functions with high amortized memory complexity in the parallel Random Oracle Model (pROM); a variant of the standard ROM allowing for batches of simultaneous queries. In particular we obtain a new, more robust, type of Memory-Hard Functions (MHF); a security primitive which has recently been gaining acceptance in practice as an effective means of countering brute-force attacks on security relevant functions. Along the way we also demonstrate an important shortcoming of previous definitions of MHFs and give a new definition addressing the problem. The tools we develop represent an adaptation of the powerful pebbling paradigm (initially introduced by Hewitt and Paterson [HP70] and Cook [Coo73]) to a simple and intuitive parallel setting. We define a simple pebbling game Gp over graphs which aims to abstract parallel computation in an intuitive way. As a conceptual contribution we define a measure of pebbling complexity for graphs called cumulative complexity (CC) and show how it overcomes a crucial shortcoming (in the parallel setting) exhibited by more traditional complexity measures used in the past. As a main technical contribution we give an explicit construction of a constant in-degree family of graphs whose CC in Gp approaches maximality to within a polylogarithmic factor for any graph of equal size (analogous to the graphs of Tarjan et. al. [PTC76, LT82] for sequential pebbling games). Finally, for a given graph G and related function fG, we derive a lower-bound on the amortized memory complexity of fG in the pROM in terms of the CC of G in the game Gp."}]},{"ddc":["000"],"date_updated":"2022-06-07T09:51:55Z","file_date_updated":"2020-07-14T12:45:11Z","department":[{"_id":"KrPi"}],"series_title":"Lecture Notes in Computer Science","_id":"1672","status":"public","type":"conference","conference":{"end_date":"2015-08-20","location":"Santa Barbara, CA, United States","start_date":"2015-08-16","name":"CRYPTO: International Cryptology Conference"},"file":[{"date_created":"2020-05-15T08:55:29Z","file_name":"2015_CRYPTO_Alwen.pdf","date_updated":"2020-07-14T12:45:11Z","file_size":397363,"creator":"dernst","checksum":"5b6649e80d1f781a8910f7cce6427f78","file_id":"7853","content_type":"application/pdf","access_level":"open_access","relation":"main_file"}],"language":[{"iso":"eng"}],"publication_identifier":{"isbn":["978-3-662-47999-5"],"eisbn":["978-3-662-48000-7"]},"publication_status":"published","volume":9216,"ec_funded":1,"oa_version":"Submitted Version","abstract":[{"text":"Composable notions of incoercibility aim to forbid a coercer from using anything beyond the coerced parties’ inputs and outputs to catch them when they try to deceive him. Existing definitions are restricted to weak coercion types, and/or are not universally composable. Furthermore, they often make too strong assumptions on the knowledge of coerced parties—e.g., they assume they known the identities and/or the strategies of other coerced parties, or those of corrupted parties— which makes them unsuitable for applications of incoercibility such as e-voting, where colluding adversarial parties may attempt to coerce honest voters, e.g., by offering them money for a promised vote, and use their own view to check that the voter keeps his end of the bargain. In this work we put forward the first universally composable notion of incoercible multi-party computation, which satisfies the above intuition and does not assume collusions among coerced parties or knowledge of the corrupted set. We define natural notions of UC incoercibility corresponding to standard coercion-types, i.e., receipt-freeness and resistance to full-active coercion. Importantly, our suggested notion has the unique property that it builds on top of the well studied UC framework by Canetti instead of modifying it. This guarantees backwards compatibility, and allows us to inherit results from the rich UC literature. We then present MPC protocols which realize our notions of UC incoercibility given access to an arguably minimal setup—namely honestly generate tamper-proof hardware performing a very simple cryptographic operation—e.g., a smart card. This is, to our knowledge, the first proposed construction of an MPC protocol (for more than two parties) that is incoercibly secure and universally composable, and therefore the first construction of a universally composable receipt-free e-voting protocol.","lang":"eng"}],"month":"08","intvolume":" 9216","scopus_import":"1","alternative_title":["LNCS"],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Alwen, Joel F, Rafail Ostrovsky, Hongsheng Zhou, and Vassilis Zikas. “Incoercible Multi-Party Computation and Universally Composable Receipt-Free Voting.” In Advances in Cryptology - CRYPTO 2015, 9216:763–80. Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-662-48000-7_37.","ista":"Alwen JF, Ostrovsky R, Zhou H, Zikas V. 2015. Incoercible multi-party computation and universally composable receipt-free voting. Advances in Cryptology - CRYPTO 2015. CRYPTO: International Cryptology ConferenceLecture Notes in Computer Science, LNCS, vol. 9216, 763–780.","mla":"Alwen, Joel F., et al. “Incoercible Multi-Party Computation and Universally Composable Receipt-Free Voting.” Advances in Cryptology - CRYPTO 2015, vol. 9216, Springer, 2015, pp. 763–80, doi:10.1007/978-3-662-48000-7_37.","ieee":"J. F. Alwen, R. Ostrovsky, H. Zhou, and V. Zikas, “Incoercible multi-party computation and universally composable receipt-free voting,” in Advances in Cryptology - CRYPTO 2015, Santa Barbara, CA, United States, 2015, vol. 9216, pp. 763–780.","short":"J.F. Alwen, R. Ostrovsky, H. Zhou, V. Zikas, in:, Advances in Cryptology - CRYPTO 2015, Springer, 2015, pp. 763–780.","apa":"Alwen, J. F., Ostrovsky, R., Zhou, H., & Zikas, V. (2015). Incoercible multi-party computation and universally composable receipt-free voting. In Advances in Cryptology - CRYPTO 2015 (Vol. 9216, pp. 763–780). Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-662-48000-7_37","ama":"Alwen JF, Ostrovsky R, Zhou H, Zikas V. Incoercible multi-party computation and universally composable receipt-free voting. In: Advances in Cryptology - CRYPTO 2015. Vol 9216. Lecture Notes in Computer Science. Springer; 2015:763-780. doi:10.1007/978-3-662-48000-7_37"},"title":"Incoercible multi-party computation and universally composable receipt-free voting","author":[{"id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F","last_name":"Alwen","full_name":"Alwen, Joel F"},{"first_name":"Rafail","full_name":"Ostrovsky, Rafail","last_name":"Ostrovsky"},{"first_name":"Hongsheng","last_name":"Zhou","full_name":"Zhou, Hongsheng"},{"last_name":"Zikas","full_name":"Zikas, Vassilis","first_name":"Vassilis"}],"publist_id":"5476","article_processing_charge":"No","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"day":"01","publication":"Advances in Cryptology - CRYPTO 2015","has_accepted_license":"1","year":"2015","date_published":"2015-08-01T00:00:00Z","doi":"10.1007/978-3-662-48000-7_37","date_created":"2018-12-11T11:53:23Z","page":"763 - 780","acknowledgement":"Joël Alwen was supported by the ERC starting grant (259668-PSPC). Rafail Ostrovsky was supported in part by NSF grants 09165174, 1065276, 1118126 and 1136174, US-Israel BSF grant 2008411, OKAWA Foundation Research Award, IBM Faculty Research Award, Xerox Faculty Research Award, B. John Garrick Foundation Award, Teradata Research Award, Lockheed-Martin Corporation Research Award, and the Defense Advanced Research Projects Agency through the U.S. Office of Naval Research under Contract N00014 -11 -1-0392. The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government. Vassilis Zikas was supported in part by the Swiss National Science Foundation (SNF) via the Ambizione grant PZ00P-2142549.","publisher":"Springer","quality_controlled":"1","oa":1},{"date_published":"2015-08-15T00:00:00Z","doi":"10.1007/978-3-319-22174-8_5","date_created":"2018-12-11T11:53:22Z","page":"81 - 98","day":"15","has_accepted_license":"1","year":"2015","quality_controlled":"1","publisher":"Springer","oa":1,"title":"The chain rule for HILL pseudoentropy, revisited","author":[{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"},{"last_name":"Skórski","full_name":"Skórski, Maciej","first_name":"Maciej"}],"publist_id":"5480","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Pietrzak, Krzysztof Z., and Maciej Skórski. The Chain Rule for HILL Pseudoentropy, Revisited. Vol. 9230, Springer, 2015, pp. 81–98, doi:10.1007/978-3-319-22174-8_5.","short":"K.Z. Pietrzak, M. Skórski, 9230 (2015) 81–98.","ieee":"K. Z. Pietrzak and M. Skórski, “The chain rule for HILL pseudoentropy, revisited,” vol. 9230. Springer, pp. 81–98, 2015.","ama":"Pietrzak KZ, Skórski M. The chain rule for HILL pseudoentropy, revisited. 2015;9230:81-98. doi:10.1007/978-3-319-22174-8_5","apa":"Pietrzak, K. Z., & Skórski, M. (2015). The chain rule for HILL pseudoentropy, revisited. Presented at the LATINCRYPT: Cryptology and Information Security in Latin America, Guadalajara, Mexico: Springer. https://doi.org/10.1007/978-3-319-22174-8_5","chicago":"Pietrzak, Krzysztof Z, and Maciej Skórski. “The Chain Rule for HILL Pseudoentropy, Revisited.” Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-319-22174-8_5.","ista":"Pietrzak KZ, Skórski M. 2015. The chain rule for HILL pseudoentropy, revisited. 9230, 81–98."},"project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"volume":9230,"ec_funded":1,"file":[{"relation":"main_file","access_level":"open_access","content_type":"application/pdf","checksum":"8cd4215b83efba720e8cf27c23ff4781","file_id":"5351","creator":"system","file_size":443340,"date_updated":"2020-07-14T12:45:11Z","file_name":"IST-2016-669-v1+1_599.pdf","date_created":"2018-12-12T10:18:29Z"}],"language":[{"iso":"eng"}],"publication_status":"published","month":"08","intvolume":" 9230","scopus_import":1,"alternative_title":["LNCS"],"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"Computational notions of entropy (a.k.a. pseudoentropy) have found many applications, including leakage-resilient cryptography, deterministic encryption or memory delegation. The most important tools to argue about pseudoentropy are chain rules, which quantify by how much (in terms of quantity and quality) the pseudoentropy of a given random variable X decreases when conditioned on some other variable Z (think for example of X as a secret key and Z as information leaked by a side-channel). In this paper we give a very simple and modular proof of the chain rule for HILL pseudoentropy, improving best known parameters. Our version allows for increasing the acceptable length of leakage in applications up to a constant factor compared to the best previous bounds. As a contribution of independent interest, we provide a comprehensive study of all known versions of the chain rule, comparing their worst-case strength and limitations."}],"file_date_updated":"2020-07-14T12:45:11Z","department":[{"_id":"KrPi"}],"ddc":["005"],"date_updated":"2021-01-12T06:52:24Z","status":"public","pubrep_id":"669","type":"conference","conference":{"name":"LATINCRYPT: Cryptology and Information Security in Latin America","start_date":"2015-08-23","end_date":"2015-08-26","location":"Guadalajara, Mexico"},"series_title":"Lecture Notes in Computer Science","_id":"1669"},{"quality_controlled":"1","publisher":"Springer","oa":1,"day":"01","has_accepted_license":"1","year":"2015","doi":"10.1007/978-3-662-47989-6_18","date_published":"2015-08-01T00:00:00Z","date_created":"2018-12-11T11:53:23Z","page":"368 - 387","project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Gazi, Peter, Krzysztof Z Pietrzak, and Stefano Tessaro. “The Exact PRF Security of Truncation: Tight Bounds for Keyed Sponges and Truncated CBC,” 9215:368–87. Springer, 2015. https://doi.org/10.1007/978-3-662-47989-6_18.","ista":"Gazi P, Pietrzak KZ, Tessaro S. 2015. The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC. CRYPTO: International Cryptology Conference, LNCS, vol. 9215, 368–387.","mla":"Gazi, Peter, et al. The Exact PRF Security of Truncation: Tight Bounds for Keyed Sponges and Truncated CBC. Vol. 9215, Springer, 2015, pp. 368–87, doi:10.1007/978-3-662-47989-6_18.","ieee":"P. Gazi, K. Z. Pietrzak, and S. Tessaro, “The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States, 2015, vol. 9215, pp. 368–387.","short":"P. Gazi, K.Z. Pietrzak, S. Tessaro, in:, Springer, 2015, pp. 368–387.","ama":"Gazi P, Pietrzak KZ, Tessaro S. The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC. In: Vol 9215. Springer; 2015:368-387. doi:10.1007/978-3-662-47989-6_18","apa":"Gazi, P., Pietrzak, K. Z., & Tessaro, S. (2015). The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC (Vol. 9215, pp. 368–387). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-662-47989-6_18"},"title":"The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC","publist_id":"5478","author":[{"id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","first_name":"Peter","full_name":"Gazi, Peter","last_name":"Gazi"},{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"},{"last_name":"Tessaro","full_name":"Tessaro, Stefano","first_name":"Stefano"}],"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"This paper studies the concrete security of PRFs and MACs obtained by keying hash functions based on the sponge paradigm. One such hash function is KECCAK, selected as NIST’s new SHA-3 standard. In contrast to other approaches like HMAC, the exact security of keyed sponges is not well understood. Indeed, recent security analyses delivered concrete security bounds which are far from existing attacks. This paper aims to close this gap. We prove (nearly) exact bounds on the concrete PRF security of keyed sponges using a random permutation. These bounds are tight for the most relevant ranges of parameters, i.e., for messages of length (roughly) l ≤ min{2n/4, 2r} blocks, where n is the state size and r is the desired output length; and for l ≤ q queries (to the construction or the underlying permutation). Moreover, we also improve standard-model bounds. As an intermediate step of independent interest, we prove tight bounds on the PRF security of the truncated CBC-MAC construction, which operates as plain CBC-MAC, but only returns a prefix of the output."}],"month":"08","intvolume":" 9215","scopus_import":1,"alternative_title":["LNCS"],"file":[{"creator":"system","date_updated":"2020-07-14T12:45:11Z","file_size":592296,"date_created":"2018-12-12T10:10:38Z","file_name":"IST-2016-673-v1+1_053.pdf","access_level":"open_access","relation":"main_file","content_type":"application/pdf","file_id":"4827","checksum":"17d854227b3b753fd34f5d29e5b5a32e"}],"language":[{"iso":"eng"}],"publication_status":"published","volume":9215,"ec_funded":1,"_id":"1671","status":"public","pubrep_id":"673","type":"conference","conference":{"start_date":"2015-08-16","end_date":"2015-08-20","location":"Santa Barbara, CA, United States","name":"CRYPTO: International Cryptology Conference"},"ddc":["004","005"],"date_updated":"2021-01-12T06:52:25Z","file_date_updated":"2020-07-14T12:45:11Z","department":[{"_id":"KrPi"}]},{"day":"12","year":"2015","date_published":"2015-08-12T00:00:00Z","doi":"10.1007/978-3-662-48116-5_16","date_created":"2018-12-11T11:53:22Z","page":"319 - 341","quality_controlled":"1","publisher":"Springer","oa":1,"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"ista":"Gazi P, Lee J, Seurin Y, Steinberger J, Tessaro S. 2015. Relaxing full-codebook security: A refined analysis of key-length extension schemes. 9054, 319–341.","chicago":"Gazi, Peter, Jooyoung Lee, Yannick Seurin, John Steinberger, and Stefano Tessaro. “Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes.” Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-662-48116-5_16.","ama":"Gazi P, Lee J, Seurin Y, Steinberger J, Tessaro S. Relaxing full-codebook security: A refined analysis of key-length extension schemes. 2015;9054:319-341. doi:10.1007/978-3-662-48116-5_16","apa":"Gazi, P., Lee, J., Seurin, Y., Steinberger, J., & Tessaro, S. (2015). Relaxing full-codebook security: A refined analysis of key-length extension schemes. Presented at the FSE: Fast Software Encryption, Istanbul, Turkey: Springer. https://doi.org/10.1007/978-3-662-48116-5_16","short":"P. Gazi, J. Lee, Y. Seurin, J. Steinberger, S. Tessaro, 9054 (2015) 319–341.","ieee":"P. Gazi, J. Lee, Y. Seurin, J. Steinberger, and S. Tessaro, “Relaxing full-codebook security: A refined analysis of key-length extension schemes,” vol. 9054. Springer, pp. 319–341, 2015.","mla":"Gazi, Peter, et al. Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes. Vol. 9054, Springer, 2015, pp. 319–41, doi:10.1007/978-3-662-48116-5_16."},"title":"Relaxing full-codebook security: A refined analysis of key-length extension schemes","publist_id":"5481","author":[{"full_name":"Gazi, Peter","last_name":"Gazi","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","first_name":"Peter"},{"first_name":"Jooyoung","full_name":"Lee, Jooyoung","last_name":"Lee"},{"first_name":"Yannick","last_name":"Seurin","full_name":"Seurin, Yannick"},{"last_name":"Steinberger","full_name":"Steinberger, John","first_name":"John"},{"first_name":"Stefano","full_name":"Tessaro, Stefano","last_name":"Tessaro"}],"project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"language":[{"iso":"eng"}],"publication_status":"published","volume":9054,"ec_funded":1,"oa_version":"Submitted Version","abstract":[{"text":"We revisit the security (as a pseudorandom permutation) of cascading-based constructions for block-cipher key-length extension. Previous works typically considered the extreme case where the adversary is given the entire codebook of the construction, the only complexity measure being the number qe of queries to the underlying ideal block cipher, representing adversary’s secret-key-independent computation. Here, we initiate a systematic study of the more natural case of an adversary restricted to adaptively learning a number qc of plaintext/ciphertext pairs that is less than the entire codebook. For any such qc, we aim to determine the highest number of block-cipher queries qe the adversary can issue without being able to successfully distinguish the construction (under a secret key) from a random permutation.\r\nMore concretely, we show the following results for key-length extension schemes using a block cipher with n-bit blocks and κ-bit keys:\r\nPlain cascades of length ℓ=2r+1 are secure whenever qcqre≪2r(κ+n), qc≪2κ and qe≪22κ. The bound for r=1 also applies to two-key triple encryption (as used within Triple DES).\r\nThe r-round XOR-cascade is secure as long as qcqre≪2r(κ+n), matching an attack by Gaži (CRYPTO 2013).\r\nWe fully characterize the security of Gaži and Tessaro’s two-call ","lang":"eng"}],"month":"08","intvolume":" 9054","alternative_title":["LNCS"],"scopus_import":1,"main_file_link":[{"open_access":"1","url":"http://eprint.iacr.org/2015/397"}],"date_updated":"2020-08-11T10:09:26Z","department":[{"_id":"KrPi"}],"_id":"1668","series_title":"Lecture Notes in Computer Science","status":"public","type":"conference","conference":{"name":"FSE: Fast Software Encryption","start_date":"2015-03-08","location":"Istanbul, Turkey","end_date":"2015-03-11"}},{"pubrep_id":"671","status":"public","conference":{"location":"Santa Barbara, CA, United States","end_date":"2015-08-20","start_date":"2015-08-16","name":"CRYPTO: International Cryptology Conference"},"type":"conference","_id":"1675","department":[{"_id":"VlKo"},{"_id":"KrPi"}],"date_updated":"2024-03-20T08:31:49Z","intvolume":" 9216","month":"08","main_file_link":[{"url":"https://eprint.iacr.org/2013/796.pdf","open_access":"1"}],"scopus_import":"1","alternative_title":["LNCS"],"oa_version":"Preprint","abstract":[{"lang":"eng","text":"Proofs of work (PoW) have been suggested by Dwork and Naor (Crypto’92) as protection to a shared resource. The basic idea is to ask the service requestor to dedicate some non-trivial amount of computational work to every request. The original applications included prevention of spam and protection against denial of service attacks. More recently, PoWs have been used to prevent double spending in the Bitcoin digital currency system. In this work, we put forward an alternative concept for PoWs - so-called proofs of space (PoS), where a service requestor must dedicate a significant amount of disk space as opposed to computation. We construct secure PoS schemes in the random oracle model (with one additional mild assumption required for the proof to go through), using graphs with high “pebbling complexity” and Merkle hash-trees. We discuss some applications, including follow-up work where a decentralized digital currency scheme called Spacecoin is constructed that uses PoS (instead of wasteful PoW like in Bitcoin) to prevent double spending. The main technical contribution of this work is the construction of (directed, loop-free) graphs on N vertices with in-degree O(log logN) such that even if one places Θ(N) pebbles on the nodes of the graph, there’s a constant fraction of nodes that needs Θ(N) steps to be pebbled (where in every step one can put a pebble on a node if all its parents have a pebble)."}],"ec_funded":1,"related_material":{"record":[{"relation":"earlier_version","id":"2274","status":"public"}]},"volume":9216,"language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"issn":["0302-9743"],"isbn":["9783662479995"]},"project":[{"_id":"25FBA906-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","name":"Discrete Optimization in Computer Vision: Theory and Practice","grant_number":"616160"},{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"title":"Proofs of space","article_processing_charge":"No","author":[{"full_name":"Dziembowski, Stefan","last_name":"Dziembowski","first_name":"Stefan"},{"last_name":"Faust","full_name":"Faust, Sebastian","first_name":"Sebastian"},{"id":"3D50B0BA-F248-11E8-B48F-1D18A9856A87","first_name":"Vladimir","full_name":"Kolmogorov, Vladimir","last_name":"Kolmogorov"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"}],"publist_id":"5474","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Dziembowski, Stefan, Sebastian Faust, Vladimir Kolmogorov, and Krzysztof Z Pietrzak. “Proofs of Space.” In 35th Annual Cryptology Conference, 9216:585–605. Springer, 2015. https://doi.org/10.1007/978-3-662-48000-7_29.","ista":"Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. 2015. Proofs of space. 35th Annual Cryptology Conference. CRYPTO: International Cryptology Conference, LNCS, vol. 9216, 585–605.","mla":"Dziembowski, Stefan, et al. “Proofs of Space.” 35th Annual Cryptology Conference, vol. 9216, Springer, 2015, pp. 585–605, doi:10.1007/978-3-662-48000-7_29.","ieee":"S. Dziembowski, S. Faust, V. Kolmogorov, and K. Z. Pietrzak, “Proofs of space,” in 35th Annual Cryptology Conference, Santa Barbara, CA, United States, 2015, vol. 9216, pp. 585–605.","short":"S. Dziembowski, S. Faust, V. Kolmogorov, K.Z. Pietrzak, in:, 35th Annual Cryptology Conference, Springer, 2015, pp. 585–605.","ama":"Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. Proofs of space. In: 35th Annual Cryptology Conference. Vol 9216. Springer; 2015:585-605. doi:10.1007/978-3-662-48000-7_29","apa":"Dziembowski, S., Faust, S., Kolmogorov, V., & Pietrzak, K. Z. (2015). Proofs of space. In 35th Annual Cryptology Conference (Vol. 9216, pp. 585–605). Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-662-48000-7_29"},"oa":1,"publisher":"Springer","quality_controlled":"1","date_created":"2018-12-11T11:53:24Z","doi":"10.1007/978-3-662-48000-7_29","date_published":"2015-08-01T00:00:00Z","page":"585 - 605","publication":"35th Annual Cryptology Conference","day":"01","year":"2015"},{"date_updated":"2021-01-12T06:52:12Z","department":[{"_id":"KrPi"}],"_id":"1643","status":"public","conference":{"start_date":"2014-09-03","end_date":"2014-09-05","location":"Amalfi, Italy","name":"SCN: Security and Cryptography for Networks"},"type":"conference","language":[{"iso":"eng"}],"publication_status":"published","ec_funded":1,"volume":8642,"oa_version":"Submitted Version","abstract":[{"text":"We extend the notion of verifiable random functions (VRF) to constrained VRFs, which generalize the concept of constrained pseudorandom functions, put forward by Boneh and Waters (Asiacrypt’13), and independently by Kiayias et al. (CCS’13) and Boyle et al. (PKC’14), who call them delegatable PRFs and functional PRFs, respectively. In a standard VRF the secret key sk allows one to evaluate a pseudorandom function at any point of its domain; in addition, it enables computation of a non-interactive proof that the function value was computed correctly. In a constrained VRF from the key sk one can derive constrained keys skS for subsets S of the domain, which allow computation of function values and proofs only at points in S. After formally defining constrained VRFs, we derive instantiations from the multilinear-maps-based constrained PRFs by Boneh and Waters, yielding a VRF with constrained keys for any set that can be decided by a polynomial-size circuit. Our VRFs have the same function values as the Boneh-Waters PRFs and are proved secure under the same hardness assumption, showing that verifiability comes at no cost. Constrained (functional) VRFs were stated as an open problem by Boyle et al.","lang":"eng"}],"intvolume":" 8642","month":"01","main_file_link":[{"open_access":"1","url":"http://eprint.iacr.org/2014/537"}],"scopus_import":1,"alternative_title":["LNCS"],"user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Fuchsbauer, Georg. “Constrained Verifiable Random Functions .” In SCN 2014, edited by Michel Abdalla and Roberto De Prisco, 8642:95–114. Springer, 2014. https://doi.org/10.1007/978-3-319-10879-7_7.","ista":"Fuchsbauer G. 2014. Constrained Verifiable Random Functions . SCN 2014. SCN: Security and Cryptography for Networks, LNCS, vol. 8642, 95–114.","mla":"Fuchsbauer, Georg. “Constrained Verifiable Random Functions .” SCN 2014, edited by Michel Abdalla and Roberto De Prisco, vol. 8642, Springer, 2014, pp. 95–114, doi:10.1007/978-3-319-10879-7_7.","apa":"Fuchsbauer, G. (2014). Constrained Verifiable Random Functions . In M. Abdalla & R. De Prisco (Eds.), SCN 2014 (Vol. 8642, pp. 95–114). Amalfi, Italy: Springer. https://doi.org/10.1007/978-3-319-10879-7_7","ama":"Fuchsbauer G. Constrained Verifiable Random Functions . In: Abdalla M, De Prisco R, eds. SCN 2014. Vol 8642. Springer; 2014:95-114. doi:10.1007/978-3-319-10879-7_7","short":"G. Fuchsbauer, in:, M. Abdalla, R. De Prisco (Eds.), SCN 2014, Springer, 2014, pp. 95–114.","ieee":"G. Fuchsbauer, “Constrained Verifiable Random Functions ,” in SCN 2014, Amalfi, Italy, 2014, vol. 8642, pp. 95–114."},"title":"Constrained Verifiable Random Functions ","editor":[{"full_name":"Abdalla, Michel","last_name":"Abdalla","first_name":"Michel"},{"first_name":"Roberto","full_name":"De Prisco, Roberto","last_name":"De Prisco"}],"publist_id":"5509","author":[{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg","full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer"}],"project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"publication":"SCN 2014","day":"01","year":"2014","date_created":"2018-12-11T11:53:13Z","date_published":"2014-01-01T00:00:00Z","doi":"10.1007/978-3-319-10879-7_7","page":"95 - 114","oa":1,"publisher":"Springer"},{"author":[{"full_name":"Demay, Grégory","last_name":"Demay","first_name":"Grégory"},{"first_name":"Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","last_name":"Gazi","full_name":"Gazi, Peter"},{"last_name":"Maurer","full_name":"Maurer, Ueli","first_name":"Ueli"},{"first_name":"Björn","full_name":"Tackmann, Björn","last_name":"Tackmann"}],"publist_id":"5188","title":"Optimality of non-adaptive strategies: The case of parallel games","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T06:53:59Z","citation":{"ama":"Demay G, Gazi P, Maurer U, Tackmann B. Optimality of non-adaptive strategies: The case of parallel games. In: IEEE International Symposium on Information Theory. IEEE; 2014. doi:10.1109/ISIT.2014.6875125","apa":"Demay, G., Gazi, P., Maurer, U., & Tackmann, B. (2014). Optimality of non-adaptive strategies: The case of parallel games. In IEEE International Symposium on Information Theory. Honolulu, USA: IEEE. https://doi.org/10.1109/ISIT.2014.6875125","ieee":"G. Demay, P. Gazi, U. Maurer, and B. Tackmann, “Optimality of non-adaptive strategies: The case of parallel games,” in IEEE International Symposium on Information Theory, Honolulu, USA, 2014.","short":"G. Demay, P. Gazi, U. Maurer, B. Tackmann, in:, IEEE International Symposium on Information Theory, IEEE, 2014.","mla":"Demay, Grégory, et al. “Optimality of Non-Adaptive Strategies: The Case of Parallel Games.” IEEE International Symposium on Information Theory, 6875125, IEEE, 2014, doi:10.1109/ISIT.2014.6875125.","ista":"Demay G, Gazi P, Maurer U, Tackmann B. 2014. Optimality of non-adaptive strategies: The case of parallel games. IEEE International Symposium on Information Theory. IEEE International Symposium on Information Theory Proceedings, 6875125.","chicago":"Demay, Grégory, Peter Gazi, Ueli Maurer, and Björn Tackmann. “Optimality of Non-Adaptive Strategies: The Case of Parallel Games.” In IEEE International Symposium on Information Theory. IEEE, 2014. https://doi.org/10.1109/ISIT.2014.6875125."},"user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","conference":{"end_date":"2014-07-04","location":"Honolulu, USA","start_date":"2014-06-29","name":"IEEE International Symposium on Information Theory Proceedings"},"type":"conference","status":"public","_id":"1907","article_number":"6875125","date_created":"2018-12-11T11:54:39Z","date_published":"2014-01-01T00:00:00Z","doi":"10.1109/ISIT.2014.6875125","publication_status":"published","year":"2014","language":[{"iso":"eng"}],"publication":"IEEE International Symposium on Information Theory","day":"01","main_file_link":[{"url":"https://eprint.iacr.org/2014/299","open_access":"1"}],"oa":1,"quality_controlled":"1","publisher":"IEEE","scopus_import":1,"month":"01","abstract":[{"lang":"eng","text":"Most cryptographic security proofs require showing that two systems are indistinguishable. A central tool in such proofs is that of a game, where winning the game means provoking a certain condition, and it is shown that the two systems considered cannot be distinguished unless this condition is provoked. Upper bounding the probability of winning such a game, i.e., provoking this condition, for an arbitrary strategy is usually hard, except in the special case where the best strategy for winning such a game is known to be non-adaptive. A sufficient criterion for ensuring the optimality of non-adaptive strategies is that of conditional equivalence to a system, a notion introduced in [1]. In this paper, we show that this criterion is not necessary to ensure the optimality of non-adaptive strategies by giving two results of independent interest: 1) the optimality of non-adaptive strategies is not preserved under parallel composition; 2) in contrast, conditional equivalence is preserved under parallel composition."}],"oa_version":"Submitted Version"},{"date_updated":"2021-01-12T06:54:57Z","department":[{"_id":"KrPi"}],"_id":"2045","conference":{"name":"PKC: Public Key Crypography","start_date":"2014-03-26","location":"Buenos Aires, Argentina","end_date":"2014-03-28"},"type":"conference","status":"public","publication_status":"published","language":[{"iso":"eng"}],"ec_funded":1,"volume":8383,"abstract":[{"text":"We introduce and study a new notion of enhanced chosen-ciphertext security (ECCA) for public-key encryption. Loosely speaking, in the ECCA security experiment, the decryption oracle provided to the adversary is augmented to return not only the output of the decryption algorithm on a queried ciphertext but also of a randomness-recovery algorithm associated to the scheme. Our results mainly concern the case where the randomness-recovery algorithm is efficient. We provide constructions of ECCA-secure encryption from adaptive trapdoor functions as defined by Kiltz et al. (EUROCRYPT 2010), resulting in ECCA encryption from standard number-theoretic assumptions. We then give two applications of ECCA-secure encryption: (1) We use it as a unifying concept in showing equivalence of adaptive trapdoor functions and tag-based adaptive trapdoor functions, resolving an open question of Kiltz et al. (2) We show that ECCA-secure encryption can be used to securely realize an approach to public-key encryption with non-interactive opening (PKENO) originally suggested by Damgård and Thorbek (EUROCRYPT 2007), resulting in new and practical PKENO schemes quite different from those in prior work. Our results demonstrate that ECCA security is of both practical and theoretical interest.","lang":"eng"}],"oa_version":"Submitted Version","main_file_link":[{"url":"https://eprint.iacr.org/2012/543","open_access":"1"}],"alternative_title":["LNCS"],"scopus_import":1,"intvolume":" 8383","month":"01","citation":{"ama":"Dachman Soled D, Fuchsbauer G, Mohassel P, O’Neill A. Enhanced chosen-ciphertext security and applications. In: Krawczyk H, ed. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Vol 8383. Springer; 2014:329-344. doi:10.1007/978-3-642-54631-0_19","apa":"Dachman Soled, D., Fuchsbauer, G., Mohassel, P., & O’Neill, A. (2014). Enhanced chosen-ciphertext security and applications. In H. Krawczyk (Ed.), Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8383, pp. 329–344). Buenos Aires, Argentina: Springer. https://doi.org/10.1007/978-3-642-54631-0_19","ieee":"D. Dachman Soled, G. Fuchsbauer, P. Mohassel, and A. O’Neill, “Enhanced chosen-ciphertext security and applications,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Buenos Aires, Argentina, 2014, vol. 8383, pp. 329–344.","short":"D. Dachman Soled, G. Fuchsbauer, P. Mohassel, A. O’Neill, in:, H. Krawczyk (Ed.), Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer, 2014, pp. 329–344.","mla":"Dachman Soled, Dana, et al. “Enhanced Chosen-Ciphertext Security and Applications.” Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), edited by Hugo Krawczyk, vol. 8383, Springer, 2014, pp. 329–44, doi:10.1007/978-3-642-54631-0_19.","ista":"Dachman Soled D, Fuchsbauer G, Mohassel P, O’Neill A. 2014. Enhanced chosen-ciphertext security and applications. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). PKC: Public Key Crypography, LNCS, vol. 8383, 329–344.","chicago":"Dachman Soled, Dana, Georg Fuchsbauer, Payman Mohassel, and Adam O’Neill. “Enhanced Chosen-Ciphertext Security and Applications.” In Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), edited by Hugo Krawczyk, 8383:329–44. Springer, 2014. https://doi.org/10.1007/978-3-642-54631-0_19."},"user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","author":[{"first_name":"Dana","last_name":"Dachman Soled","full_name":"Dachman Soled, Dana"},{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg"},{"full_name":"Mohassel, Payman","last_name":"Mohassel","first_name":"Payman"},{"full_name":"O’Neill, Adam","last_name":"O’Neill","first_name":"Adam"}],"publist_id":"5006","title":"Enhanced chosen-ciphertext security and applications","editor":[{"full_name":"Krawczyk, Hugo","last_name":"Krawczyk","first_name":"Hugo"}],"project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"year":"2014","publication":"Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)","day":"01","page":"329 - 344","date_created":"2018-12-11T11:55:24Z","doi":"10.1007/978-3-642-54631-0_19","date_published":"2014-01-01T00:00:00Z","acknowledgement":"The second author was supported by EPSRC grant EP/H043454/1.","oa":1,"publisher":"Springer","quality_controlled":"1"},{"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"Following the publication of an attack on genome-wide association studies (GWAS) data proposed by Homer et al., considerable attention has been given to developing methods for releasing GWAS data in a privacy-preserving way. Here, we develop an end-to-end differentially private method for solving regression problems with convex penalty functions and selecting the penalty parameters by cross-validation. In particular, we focus on penalized logistic regression with elastic-net regularization, a method widely used to in GWAS analyses to identify disease-causing genes. We show how a differentially private procedure for penalized logistic regression with elastic-net regularization can be applied to the analysis of GWAS data and evaluate our method’s performance."}],"month":"01","intvolume":" 8744","scopus_import":1,"alternative_title":["LNCS"],"main_file_link":[{"open_access":"1","url":"http://arxiv.org/abs/1407.8067"}],"language":[{"iso":"eng"}],"publication_status":"published","volume":8744,"_id":"2047","status":"public","type":"conference","conference":{"name":"PSD: Privacy in Statistical Databases","start_date":"2014-09-17","location":"Ibiza, Spain","end_date":"2014-09-19"},"date_updated":"2021-01-12T06:54:57Z","department":[{"_id":"KrPi"},{"_id":"CaUh"}],"acknowledgement":"This research was partially supported by BCS- 0941518 to the Department of Statistics at Carnegie Mellon University.","quality_controlled":"1","publisher":"Springer","oa":1,"day":"01","publication":"Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)","year":"2014","doi":"10.1007/978-3-319-11257-2_14","date_published":"2014-01-01T00:00:00Z","date_created":"2018-12-11T11:55:24Z","page":"170 - 184","project":[{"_id":"25636330-B435-11E9-9278-68D0E5697425","grant_number":"11-NSF-1070","name":"ROOTS Genome-wide Analysis of Root Traits"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"ista":"Yu F, Rybar M, Uhler C, Fienberg S. 2014. Differentially-private logistic regression for detecting multiple-SNP association in GWAS databases. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). PSD: Privacy in Statistical Databases, LNCS, vol. 8744, 170–184.","chicago":"Yu, Fei, Michal Rybar, Caroline Uhler, and Stephen Fienberg. “Differentially-Private Logistic Regression for Detecting Multiple-SNP Association in GWAS Databases.” In Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), edited by Josep Domingo Ferrer, 8744:170–84. Springer, 2014. https://doi.org/10.1007/978-3-319-11257-2_14.","short":"F. Yu, M. Rybar, C. Uhler, S. Fienberg, in:, J. Domingo Ferrer (Ed.), Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer, 2014, pp. 170–184.","ieee":"F. Yu, M. Rybar, C. Uhler, and S. Fienberg, “Differentially-private logistic regression for detecting multiple-SNP association in GWAS databases,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Ibiza, Spain, 2014, vol. 8744, pp. 170–184.","apa":"Yu, F., Rybar, M., Uhler, C., & Fienberg, S. (2014). Differentially-private logistic regression for detecting multiple-SNP association in GWAS databases. In J. Domingo Ferrer (Ed.), Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8744, pp. 170–184). Ibiza, Spain: Springer. https://doi.org/10.1007/978-3-319-11257-2_14","ama":"Yu F, Rybar M, Uhler C, Fienberg S. Differentially-private logistic regression for detecting multiple-SNP association in GWAS databases. In: Domingo Ferrer J, ed. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Vol 8744. Springer; 2014:170-184. doi:10.1007/978-3-319-11257-2_14","mla":"Yu, Fei, et al. “Differentially-Private Logistic Regression for Detecting Multiple-SNP Association in GWAS Databases.” Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), edited by Josep Domingo Ferrer, vol. 8744, Springer, 2014, pp. 170–84, doi:10.1007/978-3-319-11257-2_14."},"editor":[{"last_name":"Domingo Ferrer","full_name":"Domingo Ferrer, Josep","first_name":"Josep"}],"title":"Differentially-private logistic regression for detecting multiple-SNP association in GWAS databases","author":[{"full_name":"Yu, Fei","last_name":"Yu","first_name":"Fei"},{"first_name":"Michal","id":"2B3E3DE8-F248-11E8-B48F-1D18A9856A87","last_name":"Rybar","full_name":"Rybar, Michal"},{"orcid":"0000-0002-7008-0216","full_name":"Uhler, Caroline","last_name":"Uhler","first_name":"Caroline","id":"49ADD78E-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Fienberg, Stephen","last_name":"Fienberg","first_name":"Stephen"}],"publist_id":"5004","external_id":{"arxiv":["1407.8067"]}},{"title":"Policy-based signatures","editor":[{"first_name":"Hugo","full_name":"Krawczyk, Hugo","last_name":"Krawczyk"}],"publist_id":"5005","author":[{"full_name":"Bellare, Mihir","last_name":"Bellare","first_name":"Mihir"},{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg"}],"user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Bellare, Mihir, and Georg Fuchsbauer. “Policy-Based Signatures.” In Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), edited by Hugo Krawczyk, 8383:520–37. Springer, 2014. https://doi.org/10.1007/978-3-642-54631-0_30.","ista":"Bellare M, Fuchsbauer G. 2014. Policy-based signatures. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). PKC: Public Key Crypography, LNCS, vol. 8383, 520–537.","mla":"Bellare, Mihir, and Georg Fuchsbauer. “Policy-Based Signatures.” Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), edited by Hugo Krawczyk, vol. 8383, Springer, 2014, pp. 520–37, doi:10.1007/978-3-642-54631-0_30.","ieee":"M. Bellare and G. Fuchsbauer, “Policy-based signatures,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Buenos Aires, Argentina, 2014, vol. 8383, pp. 520–537.","short":"M. Bellare, G. Fuchsbauer, in:, H. Krawczyk (Ed.), Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer, 2014, pp. 520–537.","ama":"Bellare M, Fuchsbauer G. Policy-based signatures. In: Krawczyk H, ed. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Vol 8383. Springer; 2014:520-537. doi:10.1007/978-3-642-54631-0_30","apa":"Bellare, M., & Fuchsbauer, G. (2014). Policy-based signatures. In H. Krawczyk (Ed.), Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8383, pp. 520–537). Buenos Aires, Argentina: Springer. https://doi.org/10.1007/978-3-642-54631-0_30"},"project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"date_created":"2018-12-11T11:55:24Z","doi":"10.1007/978-3-642-54631-0_30","date_published":"2014-01-01T00:00:00Z","page":"520 - 537","publication":"Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)","day":"01","year":"2014","oa":1,"publisher":"Springer","quality_controlled":"1","acknowledgement":"Part of his work was done while at Bristol University, supported by EPSRC grant EP/H043454/1.","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T06:54:57Z","status":"public","conference":{"name":"PKC: Public Key Crypography","start_date":"2014-05-26","location":"Buenos Aires, Argentina","end_date":"2014-05-28"},"type":"conference","_id":"2046","ec_funded":1,"volume":8383,"language":[{"iso":"eng"}],"publication_status":"published","intvolume":" 8383","month":"01","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2013/413"}],"alternative_title":["LNCS"],"scopus_import":1,"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"We introduce policy-based signatures (PBS), where a signer can only sign messages conforming to some authority-specified policy. The main requirements are unforgeability and privacy, the latter meaning that signatures not reveal the policy. PBS offers value along two fronts: (1) On the practical side, they allow a corporation to control what messages its employees can sign under the corporate key. (2) On the theoretical side, they unify existing work, capturing other forms of signatures as special cases or allowing them to be easily built. Our work focuses on definitions of PBS, proofs that this challenging primitive is realizable for arbitrary policies, efficient constructions for specific policies, and a few representative applications."}]},{"ddc":["000","004"],"date_updated":"2021-01-12T06:55:51Z","file_date_updated":"2020-07-14T12:45:31Z","department":[{"_id":"KrPi"}],"_id":"2185","status":"public","pubrep_id":"680","type":"conference","conference":{"end_date":"2014-05-15","location":"Copenhagen, Denmark","start_date":"2014-05-11","name":"EUROCRYPT: Theory and Applications of Cryptographic Techniques"},"file":[{"date_updated":"2020-07-14T12:45:31Z","file_size":505389,"creator":"system","date_created":"2018-12-12T10:08:43Z","file_name":"IST-2016-680-v1+1_708.pdf","content_type":"application/pdf","access_level":"open_access","relation":"main_file","checksum":"da1aa01221086083b23c92e547b48ff4","file_id":"4705"}],"language":[{"iso":"eng"}],"publication_status":"published","volume":8441,"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"We revisit the classical problem of converting an imperfect source of randomness into a usable cryptographic key. Assume that we have some cryptographic application P that expects a uniformly random m-bit key R and ensures that the best attack (in some complexity class) against P(R) has success probability at most δ. Our goal is to design a key-derivation function (KDF) h that converts any random source X of min-entropy k into a sufficiently "good" key h(X), guaranteeing that P(h(X)) has comparable security δ′ which is 'close' to δ. Seeded randomness extractors provide a generic way to solve this problem for all applications P, with resulting security δ′ = O(δ), provided that we start with entropy k ≥ m + 2 log (1/δ) - O(1). By a result of Radhakrishnan and Ta-Shma, this bound on k (called the "RT-bound") is also known to be tight in general. Unfortunately, in many situations the loss of 2 log (1/δ) bits of entropy is unacceptable. This motivates the study KDFs with less entropy waste by placing some restrictions on the source X or the application P. In this work we obtain the following new positive and negative results in this regard: - Efficient samplability of the source X does not help beat the RT-bound for general applications. This resolves the SRT (samplable RT) conjecture of Dachman-Soled et al. [DGKM12] in the affirmative, and also shows that the existence of computationally-secure extractors beating the RT-bound implies the existence of one-way functions. - We continue in the line of work initiated by Barak et al. [BDK+11] and construct new information-theoretic KDFs which beat the RT-bound for large but restricted classes of applications. Specifically, we design efficient KDFs that work for all unpredictability applications P (e.g., signatures, MACs, one-way functions, etc.) and can either: (1) extract all of the entropy k = m with a very modest security loss δ′ = O(δ·log (1/δ)), or alternatively, (2) achieve essentially optimal security δ′ = O(δ) with a very modest entropy loss k ≥ m + loglog (1/δ). In comparison, the best prior results from [BDK+11] for this class of applications would only guarantee δ′ = O(√δ) when k = m, and would need k ≥ m + log (1/δ) to get δ′ = O(δ). - The weaker bounds of [BDK+11] hold for a larger class of so-called "square- friendly" applications (which includes all unpredictability, but also some important indistinguishability, applications). Unfortunately, we show that these weaker bounds are tight for the larger class of applications. - We abstract out a clean, information-theoretic notion of (k,δ,δ′)- unpredictability extractors, which guarantee "induced" security δ′ for any δ-secure unpredictability application P, and characterize the parameters achievable for such unpredictability extractors. Of independent interest, we also relate this notion to the previously-known notion of (min-entropy) condensers, and improve the state-of-the-art parameters for such condensers."}],"month":"04","intvolume":" 8441","alternative_title":["LNCS"],"scopus_import":1,"user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","citation":{"ama":"Dodis Y, Pietrzak KZ, Wichs D. Key derivation without entropy waste. In: Nguyen P, Oswald E, eds. Vol 8441. Springer; 2014:93-110. doi:10.1007/978-3-642-55220-5_6","apa":"Dodis, Y., Pietrzak, K. Z., & Wichs, D. (2014). Key derivation without entropy waste. In P. Nguyen & E. Oswald (Eds.) (Vol. 8441, pp. 93–110). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark: Springer. https://doi.org/10.1007/978-3-642-55220-5_6","short":"Y. Dodis, K.Z. Pietrzak, D. Wichs, in:, P. Nguyen, E. Oswald (Eds.), Springer, 2014, pp. 93–110.","ieee":"Y. Dodis, K. Z. Pietrzak, and D. Wichs, “Key derivation without entropy waste,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, 2014, vol. 8441, pp. 93–110.","mla":"Dodis, Yevgeniy, et al. Key Derivation without Entropy Waste. Edited by Phong Nguyen and Elisabeth Oswald, vol. 8441, Springer, 2014, pp. 93–110, doi:10.1007/978-3-642-55220-5_6.","ista":"Dodis Y, Pietrzak KZ, Wichs D. 2014. Key derivation without entropy waste. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 8441, 93–110.","chicago":"Dodis, Yevgeniy, Krzysztof Z Pietrzak, and Daniel Wichs. “Key Derivation without Entropy Waste.” edited by Phong Nguyen and Elisabeth Oswald, 8441:93–110. Springer, 2014. https://doi.org/10.1007/978-3-642-55220-5_6."},"title":"Key derivation without entropy waste","editor":[{"full_name":"Nguyen, Phong","last_name":"Nguyen","first_name":"Phong"},{"first_name":"Elisabeth","full_name":"Oswald, Elisabeth","last_name":"Oswald"}],"author":[{"first_name":"Yevgeniy","full_name":"Dodis, Yevgeniy","last_name":"Dodis"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z"},{"first_name":"Daniel","last_name":"Wichs","full_name":"Wichs, Daniel"}],"publist_id":"4795","day":"01","has_accepted_license":"1","year":"2014","date_published":"2014-04-01T00:00:00Z","doi":"10.1007/978-3-642-55220-5_6","date_created":"2018-12-11T11:56:12Z","page":"93 - 110","quality_controlled":"1","publisher":"Springer","oa":1},{"day":"01","year":"2014","date_created":"2018-12-11T11:56:24Z","doi":"10.1007/978-3-642-54631-0_1","date_published":"2014-03-01T00:00:00Z","page":"1 - 18","oa":1,"publisher":"Springer","quality_controlled":"1","user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Kiltz, Eike, Daniel Masny, and Krzysztof Z Pietrzak. “Simple Chosen-Ciphertext Security from Low Noise LPN,” 8383:1–18. Springer, 2014. https://doi.org/10.1007/978-3-642-54631-0_1.","ista":"Kiltz E, Masny D, Pietrzak KZ. 2014. Simple chosen-ciphertext security from low noise LPN. IACR: International Conference on Practice and Theory in Public-Key Cryptography, LNCS, vol. 8383, 1–18.","mla":"Kiltz, Eike, et al. Simple Chosen-Ciphertext Security from Low Noise LPN. Vol. 8383, Springer, 2014, pp. 1–18, doi:10.1007/978-3-642-54631-0_1.","short":"E. Kiltz, D. Masny, K.Z. Pietrzak, in:, Springer, 2014, pp. 1–18.","ieee":"E. Kiltz, D. Masny, and K. Z. Pietrzak, “Simple chosen-ciphertext security from low noise LPN,” presented at the IACR: International Conference on Practice and Theory in Public-Key Cryptography, 2014, vol. 8383, pp. 1–18.","apa":"Kiltz, E., Masny, D., & Pietrzak, K. Z. (2014). Simple chosen-ciphertext security from low noise LPN (Vol. 8383, pp. 1–18). Presented at the IACR: International Conference on Practice and Theory in Public-Key Cryptography, Springer. https://doi.org/10.1007/978-3-642-54631-0_1","ama":"Kiltz E, Masny D, Pietrzak KZ. Simple chosen-ciphertext security from low noise LPN. In: Vol 8383. Springer; 2014:1-18. doi:10.1007/978-3-642-54631-0_1"},"title":"Simple chosen-ciphertext security from low noise LPN","author":[{"first_name":"Eike","full_name":"Kiltz, Eike","last_name":"Kiltz"},{"first_name":"Daniel","full_name":"Masny, Daniel","last_name":"Masny"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654"}],"publist_id":"4748","language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"isbn":["978-364254630-3"]},"volume":8383,"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"Recently, Döttling et al. (ASIACRYPT 2012) proposed the first chosen-ciphertext (IND-CCA) secure public-key encryption scheme from the learning parity with noise (LPN) assumption. In this work we give an alternative scheme which is conceptually simpler and more efficient. At the core of our construction is a trapdoor technique originally proposed for lattices by Micciancio and Peikert (EUROCRYPT 2012), which we adapt to the LPN setting. The main technical tool is a new double-trapdoor mechanism, together with a trapdoor switching lemma based on a computational variant of the leftover hash lemma."}],"intvolume":" 8383","month":"03","main_file_link":[{"url":"https://eprint.iacr.org/2015/401","open_access":"1"}],"alternative_title":["LNCS"],"scopus_import":1,"date_updated":"2021-01-12T06:56:05Z","department":[{"_id":"KrPi"}],"_id":"2219","status":"public","conference":{"name":"IACR: International Conference on Practice and Theory in Public-Key Cryptography"},"type":"conference"},{"project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Jetchev, Dimitar, and Krzysztof Z Pietrzak. “How to Fake Auxiliary Input.” edited by Yehuda Lindell, 8349:566–90. Springer, 2014. https://doi.org/10.1007/978-3-642-54242-8_24.","ista":"Jetchev D, Pietrzak KZ. 2014. How to fake auxiliary input. TCC: Theory of Cryptography Conference, LNCS, vol. 8349, 566–590.","mla":"Jetchev, Dimitar, and Krzysztof Z. Pietrzak. How to Fake Auxiliary Input. Edited by Yehuda Lindell, vol. 8349, Springer, 2014, pp. 566–90, doi:10.1007/978-3-642-54242-8_24.","short":"D. Jetchev, K.Z. Pietrzak, in:, Y. Lindell (Ed.), Springer, 2014, pp. 566–590.","ieee":"D. Jetchev and K. Z. Pietrzak, “How to fake auxiliary input,” presented at the TCC: Theory of Cryptography Conference, San Diego, USA, 2014, vol. 8349, pp. 566–590.","ama":"Jetchev D, Pietrzak KZ. How to fake auxiliary input. In: Lindell Y, ed. Vol 8349. Springer; 2014:566-590. doi:10.1007/978-3-642-54242-8_24","apa":"Jetchev, D., & Pietrzak, K. Z. (2014). How to fake auxiliary input. In Y. Lindell (Ed.) (Vol. 8349, pp. 566–590). Presented at the TCC: Theory of Cryptography Conference, San Diego, USA: Springer. https://doi.org/10.1007/978-3-642-54242-8_24"},"title":"How to fake auxiliary input","editor":[{"first_name":"Yehuda","full_name":"Lindell, Yehuda","last_name":"Lindell"}],"author":[{"first_name":"Dimitar","last_name":"Jetchev","full_name":"Jetchev, Dimitar"},{"orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"}],"publist_id":"4725","oa":1,"quality_controlled":"1","publisher":"Springer","day":"01","year":"2014","has_accepted_license":"1","date_created":"2018-12-11T11:56:29Z","doi":"10.1007/978-3-642-54242-8_24","date_published":"2014-02-01T00:00:00Z","page":"566 - 590","_id":"2236","pubrep_id":"681","status":"public","conference":{"start_date":"2014-02-24","location":"San Diego, USA","end_date":"2014-02-26","name":"TCC: Theory of Cryptography Conference"},"type":"conference","ddc":["004"],"date_updated":"2021-01-12T06:56:12Z","file_date_updated":"2020-07-14T12:45:34Z","department":[{"_id":"KrPi"}],"oa_version":"Submitted Version","abstract":[{"text":"Consider a joint distribution (X,A) on a set. We show that for any family of distinguishers, there exists a simulator such that 1 no function in can distinguish (X,A) from (X,h(X)) with advantage ε, 2 h is only O(2 3ℓ ε -2) times less efficient than the functions in. For the most interesting settings of the parameters (in particular, the cryptographic case where X has superlogarithmic min-entropy, ε > 0 is negligible and consists of circuits of polynomial size), we can make the simulator h deterministic. As an illustrative application of our theorem, we give a new security proof for the leakage-resilient stream-cipher from Eurocrypt'09. Our proof is simpler and quantitatively much better than the original proof using the dense model theorem, giving meaningful security guarantees if instantiated with a standard blockcipher like AES. Subsequent to this work, Chung, Lui and Pass gave an interactive variant of our main theorem, and used it to investigate weak notions of Zero-Knowledge. Vadhan and Zheng give a more constructive version of our theorem using their new uniform min-max theorem.","lang":"eng"}],"intvolume":" 8349","month":"02","main_file_link":[{"open_access":"1","url":"https://repository.ist.ac.at/id/eprint/681"}],"alternative_title":["LNCS"],"language":[{"iso":"eng"}],"file":[{"creator":"system","file_size":313528,"date_updated":"2020-07-14T12:45:34Z","file_name":"IST-2016-681-v1+1_869_1_.pdf","date_created":"2018-12-12T10:17:21Z","relation":"main_file","access_level":"open_access","content_type":"application/pdf","checksum":"42960325c29dcd8d832edadcc3ce0045","file_id":"5275"}],"publication_status":"published","publication_identifier":{"isbn":["978-364254241-1"]},"ec_funded":1,"volume":8349},{"language":[{"iso":"eng"}],"publication":"Journal of Cryptology","day":"01","publication_status":"published","year":"2014","date_created":"2018-12-11T11:59:56Z","volume":27,"issue":"3","date_published":"2014-07-01T00:00:00Z","related_material":{"record":[{"id":"3225","status":"public","relation":"earlier_version"}]},"doi":"10.1007/s00145-013-9148-7","page":"397 - 428","oa_version":"None","abstract":[{"lang":"eng","text":"A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. So far, hash function combiners only aim at preserving a single property such as collision-resistance or pseudorandomness. However, when hash functions are used in protocols like TLS they are often required to provide several properties simultaneously. We therefore put forward the notion of robust multi-property combiners and elaborate on different definitions for such combiners. We then propose a combiner that provably preserves (target) collision-resistance, pseudorandomness, and being a secure message authentication code. This combiner satisfies the strongest notion we propose, which requires that the combined function satisfies every security property which is satisfied by at least one of the underlying hash function. If the underlying hash functions have output length n, the combiner has output length 2 n. This basically matches a known lower bound for black-box combiners for collision-resistance only, thus the other properties can be achieved without penalizing the length of the hash values. We then propose a combiner which also preserves the property of being indifferentiable from a random oracle, slightly increasing the output length to 2 n+ω(log n). Moreover, we show how to augment our constructions in order to make them also robust for the one-wayness property, but in this case require an a priory upper bound on the input length."}],"intvolume":" 27","month":"07","scopus_import":1,"quality_controlled":"1","publisher":"Springer","user_id":"3FFCCD3A-F248-11E8-B48F-1D18A9856A87","date_updated":"2023-02-23T11:17:53Z","citation":{"ama":"Fischlin M, Lehmann A, Pietrzak KZ. Robust multi-property combiners for hash functions. Journal of Cryptology. 2014;27(3):397-428. doi:10.1007/s00145-013-9148-7","apa":"Fischlin, M., Lehmann, A., & Pietrzak, K. Z. (2014). Robust multi-property combiners for hash functions. Journal of Cryptology. Springer. https://doi.org/10.1007/s00145-013-9148-7","short":"M. Fischlin, A. Lehmann, K.Z. Pietrzak, Journal of Cryptology 27 (2014) 397–428.","ieee":"M. Fischlin, A. Lehmann, and K. Z. Pietrzak, “Robust multi-property combiners for hash functions,” Journal of Cryptology, vol. 27, no. 3. Springer, pp. 397–428, 2014.","mla":"Fischlin, Marc, et al. “Robust Multi-Property Combiners for Hash Functions.” Journal of Cryptology, vol. 27, no. 3, Springer, 2014, pp. 397–428, doi:10.1007/s00145-013-9148-7.","ista":"Fischlin M, Lehmann A, Pietrzak KZ. 2014. Robust multi-property combiners for hash functions. Journal of Cryptology. 27(3), 397–428.","chicago":"Fischlin, Marc, Anja Lehmann, and Krzysztof Z Pietrzak. “Robust Multi-Property Combiners for Hash Functions.” Journal of Cryptology. Springer, 2014. https://doi.org/10.1007/s00145-013-9148-7."},"department":[{"_id":"KrPi"}],"title":"Robust multi-property combiners for hash functions","author":[{"first_name":"Marc","last_name":"Fischlin","full_name":"Fischlin, Marc"},{"first_name":"Anja","last_name":"Lehmann","full_name":"Lehmann, Anja"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"}],"publist_id":"3940","_id":"2852","status":"public","type":"journal_article"},{"quality_controlled":"1","publisher":"Springer","oa":1,"doi":"10.1007/978-3-662-44371-2_7","date_published":"2014-01-01T00:00:00Z","date_created":"2018-12-11T11:55:36Z","page":"113 - 130","day":"01","has_accepted_license":"1","year":"2014","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"title":"The exact PRF-security of NMAC and HMAC","editor":[{"last_name":"Garay","full_name":"Garay, Juan","first_name":"Juan"},{"last_name":"Gennaro","full_name":"Gennaro, Rosario","first_name":"Rosario"}],"publist_id":"4955","author":[{"full_name":"Gazi, Peter","last_name":"Gazi","first_name":"Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z"},{"full_name":"Rybar, Michal","last_name":"Rybar","id":"2B3E3DE8-F248-11E8-B48F-1D18A9856A87","first_name":"Michal"}],"user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Gazi, Peter, et al. The Exact PRF-Security of NMAC and HMAC. Edited by Juan Garay and Rosario Gennaro, vol. 8616, no. 1, Springer, 2014, pp. 113–30, doi:10.1007/978-3-662-44371-2_7.","short":"P. Gazi, K.Z. Pietrzak, M. Rybar, in:, J. Garay, R. Gennaro (Eds.), Springer, 2014, pp. 113–130.","ieee":"P. Gazi, K. Z. Pietrzak, and M. Rybar, “The exact PRF-security of NMAC and HMAC,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, USA, 2014, vol. 8616, no. 1, pp. 113–130.","ama":"Gazi P, Pietrzak KZ, Rybar M. The exact PRF-security of NMAC and HMAC. In: Garay J, Gennaro R, eds. Vol 8616. Springer; 2014:113-130. doi:10.1007/978-3-662-44371-2_7","apa":"Gazi, P., Pietrzak, K. Z., & Rybar, M. (2014). The exact PRF-security of NMAC and HMAC. In J. Garay & R. Gennaro (Eds.) (Vol. 8616, pp. 113–130). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, USA: Springer. https://doi.org/10.1007/978-3-662-44371-2_7","chicago":"Gazi, Peter, Krzysztof Z Pietrzak, and Michal Rybar. “The Exact PRF-Security of NMAC and HMAC.” edited by Juan Garay and Rosario Gennaro, 8616:113–30. Springer, 2014. https://doi.org/10.1007/978-3-662-44371-2_7.","ista":"Gazi P, Pietrzak KZ, Rybar M. 2014. The exact PRF-security of NMAC and HMAC. CRYPTO: International Cryptology Conference, LNCS, vol. 8616, 113–130."},"month":"01","intvolume":" 8616","alternative_title":["LNCS"],"oa_version":"Submitted Version","abstract":[{"text":"NMAC is a mode of operation which turns a fixed input-length keyed hash function f into a variable input-length function. A practical single-key variant of NMAC called HMAC is a very popular and widely deployed message authentication code (MAC). Security proofs and attacks for NMAC can typically be lifted to HMAC. NMAC was introduced by Bellare, Canetti and Krawczyk [Crypto'96], who proved it to be a secure pseudorandom function (PRF), and thus also a MAC, assuming that (1) f is a PRF and (2) the function we get when cascading f is weakly collision-resistant. Unfortunately, HMAC is typically instantiated with cryptographic hash functions like MD5 or SHA-1 for which (2) has been found to be wrong. To restore the provable guarantees for NMAC, Bellare [Crypto'06] showed its security based solely on the assumption that f is a PRF, albeit via a non-uniform reduction. - Our first contribution is a simpler and uniform proof for this fact: If f is an ε-secure PRF (against q queries) and a δ-non-adaptively secure PRF (against q queries), then NMAC f is an (ε+ℓqδ)-secure PRF against q queries of length at most ℓ blocks each. - We then show that this ε+ℓqδ bound is basically tight. For the most interesting case where ℓqδ ≥ ε we prove this by constructing an f for which an attack with advantage ℓqδ exists. This also violates the bound O(ℓε) on the PRF-security of NMAC recently claimed by Koblitz and Menezes. - Finally, we analyze the PRF-security of a modification of NMAC called NI [An and Bellare, Crypto'99] that differs mainly by using a compression function with an additional keying input. This avoids the constant rekeying on multi-block messages in NMAC and allows for a security proof starting by the standard switch from a PRF to a random function, followed by an information-theoretic analysis. We carry out such an analysis, obtaining a tight ℓq2/2 c bound for this step, improving over the trivial bound of ℓ2q2/2c. The proof borrows combinatorial techniques originally developed for proving the security of CBC-MAC [Bellare et al., Crypto'05].","lang":"eng"}],"volume":8616,"issue":"1","related_material":{"record":[{"relation":"dissertation_contains","id":"838","status":"public"}]},"ec_funded":1,"file":[{"creator":"system","file_size":492310,"date_updated":"2020-07-14T12:45:28Z","file_name":"IST-2016-682-v1+1_578.pdf","date_created":"2018-12-12T10:13:17Z","relation":"main_file","access_level":"open_access","content_type":"application/pdf","checksum":"dab6ab36a5f6af94f2b597e6404ed11d","file_id":"4999"}],"language":[{"iso":"eng"}],"publication_status":"published","status":"public","pubrep_id":"682","type":"conference","conference":{"name":"CRYPTO: International Cryptology Conference","start_date":"2014-08-17","location":"Santa Barbara, USA","end_date":"2014-08-21"},"_id":"2082","department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:45:28Z","ddc":["000","004"],"date_updated":"2023-09-07T12:02:27Z"},{"oa":1,"quality_controlled":"1","publisher":"Springer","page":"57 - 74","date_created":"2018-12-11T11:56:37Z","date_published":"2013-01-01T00:00:00Z","doi":"10.1007/978-3-642-40041-4_4","year":"2013","has_accepted_license":"1","day":"01","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"publist_id":"4687","author":[{"full_name":"Alwen, Joel F","last_name":"Alwen","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F"},{"id":"329FCCF0-F248-11E8-B48F-1D18A9856A87","first_name":"Stephan","full_name":"Krenn, Stephan","orcid":"0000-0003-2835-9093","last_name":"Krenn"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z"},{"first_name":"Daniel","full_name":"Wichs, Daniel","last_name":"Wichs"}],"title":"Learning with rounding, revisited: New reduction properties and applications","citation":{"mla":"Alwen, Joel F., et al. Learning with Rounding, Revisited: New Reduction Properties and Applications. Vol. 8042, no. 1, Springer, 2013, pp. 57–74, doi:10.1007/978-3-642-40041-4_4.","apa":"Alwen, J. F., Krenn, S., Pietrzak, K. Z., & Wichs, D. (2013). Learning with rounding, revisited: New reduction properties and applications. Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-642-40041-4_4","ama":"Alwen JF, Krenn S, Pietrzak KZ, Wichs D. Learning with rounding, revisited: New reduction properties and applications. 2013;8042(1):57-74. doi:10.1007/978-3-642-40041-4_4","ieee":"J. F. Alwen, S. Krenn, K. Z. Pietrzak, and D. Wichs, “Learning with rounding, revisited: New reduction properties and applications,” vol. 8042, no. 1. Springer, pp. 57–74, 2013.","short":"J.F. Alwen, S. Krenn, K.Z. Pietrzak, D. Wichs, 8042 (2013) 57–74.","chicago":"Alwen, Joel F, Stephan Krenn, Krzysztof Z Pietrzak, and Daniel Wichs. “Learning with Rounding, Revisited: New Reduction Properties and Applications.” Lecture Notes in Computer Science. Springer, 2013. https://doi.org/10.1007/978-3-642-40041-4_4.","ista":"Alwen JF, Krenn S, Pietrzak KZ, Wichs D. 2013. Learning with rounding, revisited: New reduction properties and applications. 8042(1), 57–74."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","scopus_import":1,"alternative_title":["LNCS"],"intvolume":" 8042","month":"01","abstract":[{"text":"The learning with rounding (LWR) problem, introduced by Banerjee, Peikert and Rosen at EUROCRYPT ’12, is a variant of learning with errors (LWE), where one replaces random errors with deterministic rounding. The LWR problem was shown to be as hard as LWE for a setting of parameters where the modulus and modulus-to-error ratio are super-polynomial. In this work we resolve the main open problem and give a new reduction that works for a larger range of parameters, allowing for a polynomial modulus and modulus-to-error ratio. In particular, a smaller modulus gives us greater efficiency, and a smaller modulus-to-error ratio gives us greater security, which now follows from the worst-case hardness of GapSVP with polynomial (rather than super-polynomial) approximation factors.\r\n\r\nAs a tool in the reduction, we show that there is a “lossy mode” for the LWR problem, in which LWR samples only reveal partial information about the secret. This property gives us several interesting new applications, including a proof that LWR remains secure with weakly random secrets of sufficient min-entropy, and very simple constructions of deterministic encryption, lossy trapdoor functions and reusable extractors.\r\n\r\nOur approach is inspired by a technique of Goldwasser et al. from ICS ’10, which implicitly showed the existence of a “lossy mode” for LWE. By refining this technique, we also improve on the parameters of that work to only requiring a polynomial (instead of super-polynomial) modulus and modulus-to-error ratio.\r\n","lang":"eng"}],"oa_version":"Published Version","ec_funded":1,"volume":8042,"issue":"1","publication_status":"published","language":[{"iso":"eng"}],"file":[{"creator":"system","date_updated":"2020-07-14T12:45:35Z","file_size":587898,"date_created":"2018-12-12T10:11:55Z","file_name":"IST-2016-684-v1+1_098.pdf","access_level":"open_access","relation":"main_file","content_type":"application/pdf","file_id":"4912","checksum":"16d428408a806b8e49eecc607deab115"}],"conference":{"location":"Santa Barbara, CA, United States","end_date":"2013-08-22","start_date":"2013-08-18","name":"CRYPTO: International Cryptology Conference"},"type":"conference","pubrep_id":"684","status":"public","_id":"2259","series_title":"Lecture Notes in Computer Science","file_date_updated":"2020-07-14T12:45:35Z","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T06:56:21Z","ddc":["000","004"]},{"language":[{"iso":"eng"}],"file":[{"checksum":"18a3f602cb41de184dc0e16a0e907633","file_id":"4744","access_level":"open_access","relation":"main_file","content_type":"application/pdf","date_created":"2018-12-12T10:09:20Z","file_name":"IST-2016-685-v1+1_658.pdf","creator":"system","date_updated":"2020-07-14T12:45:35Z","file_size":493175}],"publication_status":"published","ec_funded":1,"volume":8042,"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"In a digital signature scheme with message recovery, rather than transmitting the message m and its signature σ, a single enhanced signature τ is transmitted. The verifier is able to recover m from τ and at the same time verify its authenticity. The two most important parameters of such a scheme are its security and overhead |τ| − |m|. A simple argument shows that for any scheme with “n bits security” |τ| − |m| ≥ n, i.e., the overhead is lower bounded by the security parameter n. Currently, the best known constructions in the random oracle model are far from this lower bound requiring an overhead of n + logq h , where q h is the number of queries to the random oracle. In this paper we give a construction which basically matches the n bit lower bound. We propose a simple digital signature scheme with n + o(logq h ) bits overhead, where q h denotes the number of random oracle queries.\r\n\r\nOur construction works in two steps. First, we propose a signature scheme with message recovery having optimal overhead in a new ideal model, the random invertible function model. Second, we show that a four-round Feistel network with random oracles as round functions is tightly “public-indifferentiable” from a random invertible function. At the core of our indifferentiability proof is an almost tight upper bound for the expected number of edges of the densest “small” subgraph of a random Cayley graph, which may be of independent interest.\r\n"}],"intvolume":" 8042","month":"01","scopus_import":1,"alternative_title":["LNCS"],"ddc":["000","004"],"date_updated":"2021-01-12T06:56:21Z","department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:45:35Z","_id":"2258","series_title":"Lecture Notes in Computer Science","pubrep_id":"685","status":"public","conference":{"start_date":"2013-08-18","location":"Santa Barbara, CA, United States","end_date":"2013-08-22","name":"CRYPTO: International Cryptology Conference"},"type":"conference","day":"01","year":"2013","has_accepted_license":"1","date_created":"2018-12-11T11:56:37Z","date_published":"2013-01-01T00:00:00Z","doi":"10.1007/978-3-642-40041-4_31","page":"571 - 588","oa":1,"publisher":"Springer","quality_controlled":"1","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Kiltz, Eike, Krzysztof Z Pietrzak, and Mario Szegedy. “Digital Signatures with Minimal Overhead from Indifferentiable Random Invertible Functions.” Lecture Notes in Computer Science. Springer, 2013. https://doi.org/10.1007/978-3-642-40041-4_31.","ista":"Kiltz E, Pietrzak KZ, Szegedy M. 2013. Digital signatures with minimal overhead from indifferentiable random invertible functions. 8042, 571–588.","mla":"Kiltz, Eike, et al. Digital Signatures with Minimal Overhead from Indifferentiable Random Invertible Functions. Vol. 8042, Springer, 2013, pp. 571–88, doi:10.1007/978-3-642-40041-4_31.","short":"E. Kiltz, K.Z. Pietrzak, M. Szegedy, 8042 (2013) 571–588.","ieee":"E. Kiltz, K. Z. Pietrzak, and M. Szegedy, “Digital signatures with minimal overhead from indifferentiable random invertible functions,” vol. 8042. Springer, pp. 571–588, 2013.","apa":"Kiltz, E., Pietrzak, K. Z., & Szegedy, M. (2013). Digital signatures with minimal overhead from indifferentiable random invertible functions. Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-642-40041-4_31","ama":"Kiltz E, Pietrzak KZ, Szegedy M. Digital signatures with minimal overhead from indifferentiable random invertible functions. 2013;8042:571-588. doi:10.1007/978-3-642-40041-4_31"},"title":"Digital signatures with minimal overhead from indifferentiable random invertible functions","publist_id":"4688","author":[{"full_name":"Kiltz, Eike","last_name":"Kiltz","first_name":"Eike"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"},{"full_name":"Szegedy, Mario","last_name":"Szegedy","first_name":"Mario"}],"project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668"}]},{"year":"2013","day":"01","page":"518 - 533","date_created":"2018-12-11T11:56:37Z","doi":"10.1007/978-3-642-38980-1_33","date_published":"2013-06-01T00:00:00Z","oa":1,"quality_controlled":"1","publisher":"Springer","citation":{"short":"D. Bernhard, G. Fuchsbauer, E. Ghadafi, 7954 (2013) 518–533.","ieee":"D. Bernhard, G. Fuchsbauer, and E. Ghadafi, “Efficient signatures of knowledge and DAA in the standard model,” vol. 7954. Springer, pp. 518–533, 2013.","apa":"Bernhard, D., Fuchsbauer, G., & Ghadafi, E. (2013). Efficient signatures of knowledge and DAA in the standard model. Presented at the ACNS: Applied Cryptography and Network Security, Banff, AB, Canada: Springer. https://doi.org/10.1007/978-3-642-38980-1_33","ama":"Bernhard D, Fuchsbauer G, Ghadafi E. Efficient signatures of knowledge and DAA in the standard model. 2013;7954:518-533. doi:10.1007/978-3-642-38980-1_33","mla":"Bernhard, David, et al. Efficient Signatures of Knowledge and DAA in the Standard Model. Vol. 7954, Springer, 2013, pp. 518–33, doi:10.1007/978-3-642-38980-1_33.","ista":"Bernhard D, Fuchsbauer G, Ghadafi E. 2013. Efficient signatures of knowledge and DAA in the standard model. 7954, 518–533.","chicago":"Bernhard, David, Georg Fuchsbauer, and Essam Ghadafi. “Efficient Signatures of Knowledge and DAA in the Standard Model.” Lecture Notes in Computer Science. Springer, 2013. https://doi.org/10.1007/978-3-642-38980-1_33."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","author":[{"last_name":"Bernhard","full_name":"Bernhard, David","first_name":"David"},{"full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg"},{"full_name":"Ghadafi, Essam","last_name":"Ghadafi","first_name":"Essam"}],"publist_id":"4686","title":"Efficient signatures of knowledge and DAA in the standard model","publication_status":"published","language":[{"iso":"eng"}],"volume":7954,"abstract":[{"text":"Direct Anonymous Attestation (DAA) is one of the most complex cryptographic protocols deployed in practice. It allows an embedded secure processor known as a Trusted Platform Module (TPM) to attest to the configuration of its host computer without violating the owner’s privacy. DAA has been standardized by the Trusted Computing Group and ISO/IEC.\r\n\r\nThe security of the DAA standard and all existing schemes is analyzed in the random-oracle model. We provide the first constructions of DAA in the standard model, that is, without relying on random oracles. Our constructions use new building blocks, including the first efficient signatures of knowledge in the standard model, which have many applications beyond DAA.\r\n","lang":"eng"}],"oa_version":"Submitted Version","main_file_link":[{"open_access":"1","url":"http://eprint.iacr.org/2012/475"}],"scopus_import":1,"alternative_title":["LNCS"],"intvolume":" 7954","month":"06","date_updated":"2020-08-11T10:09:44Z","department":[{"_id":"KrPi"}],"_id":"2260","series_title":"Lecture Notes in Computer Science","conference":{"name":"ACNS: Applied Cryptography and Network Security","start_date":"2013-06-25","end_date":"2013-06-28","location":"Banff, AB, Canada"},"type":"conference","status":"public"},{"status":"public","conference":{"end_date":"2013-09-28","location":"New Orleans, LA, United States","start_date":"2013-09-26","name":"CSF: Computer Security Foundations"},"type":"conference","_id":"2291","title":"Cryptographically enforced RBAC","department":[{"_id":"KrPi"}],"author":[{"first_name":"Anna","full_name":"Ferrara, Anna","last_name":"Ferrara"},{"last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Warinschi","full_name":"Warinschi, Bogdan","first_name":"Bogdan"}],"publist_id":"4637","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","date_updated":"2021-01-12T06:56:34Z","citation":{"ista":"Ferrara A, Fuchsbauer G, Warinschi B. 2013. Cryptographically enforced RBAC. CSF: Computer Security Foundations, 115–129.","chicago":"Ferrara, Anna, Georg Fuchsbauer, and Bogdan Warinschi. “Cryptographically Enforced RBAC,” 115–29. IEEE, 2013. https://doi.org/10.1109/CSF.2013.15.","ieee":"A. Ferrara, G. Fuchsbauer, and B. Warinschi, “Cryptographically enforced RBAC,” presented at the CSF: Computer Security Foundations, New Orleans, LA, United States, 2013, pp. 115–129.","short":"A. Ferrara, G. Fuchsbauer, B. Warinschi, in:, IEEE, 2013, pp. 115–129.","ama":"Ferrara A, Fuchsbauer G, Warinschi B. Cryptographically enforced RBAC. In: IEEE; 2013:115-129. doi:10.1109/CSF.2013.15","apa":"Ferrara, A., Fuchsbauer, G., & Warinschi, B. (2013). Cryptographically enforced RBAC (pp. 115–129). Presented at the CSF: Computer Security Foundations, New Orleans, LA, United States: IEEE. https://doi.org/10.1109/CSF.2013.15","mla":"Ferrara, Anna, et al. Cryptographically Enforced RBAC. IEEE, 2013, pp. 115–29, doi:10.1109/CSF.2013.15."},"month":"09","main_file_link":[{"url":"http://eprint.iacr.org/2013/492","open_access":"1"}],"oa":1,"quality_controlled":"1","scopus_import":1,"publisher":"IEEE","oa_version":"Submitted Version","abstract":[{"text":"Cryptographic access control promises to offer easily distributed trust and broader applicability, while reducing reliance on low-level online monitors. Traditional implementations of cryptographic access control rely on simple cryptographic primitives whereas recent endeavors employ primitives with richer functionality and security guarantees. Worryingly, few of the existing cryptographic access-control schemes come with precise guarantees, the gap between the policy specification and the implementation being analyzed only informally, if at all. In this paper we begin addressing this shortcoming. Unlike prior work that targeted ad-hoc policy specification, we look at the well-established Role-Based Access Control (RBAC) model, as used in a typical file system. In short, we provide a precise syntax for a computational version of RBAC, offer rigorous definitions for cryptographic policy enforcement of a large class of RBAC security policies, and demonstrate that an implementation based on attribute-based encryption meets our security notions. We view our main contribution as being at the conceptual level. Although we work with RBAC for concreteness, our general methodology could guide future research for uses of cryptography in other access-control models. \r\n","lang":"eng"}],"date_created":"2018-12-11T11:56:48Z","date_published":"2013-09-01T00:00:00Z","doi":"10.1109/CSF.2013.15","page":"115 - 129","language":[{"iso":"eng"}],"day":"01","publication_status":"published","year":"2013"},{"project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"editor":[{"last_name":"Sahai","full_name":"Sahai, Amit","first_name":"Amit"}],"title":"A counterexample to the chain rule for conditional HILL entropy, and what deniable encryption has to do with it","publist_id":"3795","author":[{"id":"329FCCF0-F248-11E8-B48F-1D18A9856A87","first_name":"Stephan","orcid":"0000-0003-2835-9093","full_name":"Krenn, Stephan","last_name":"Krenn"},{"last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"},{"full_name":"Wadia, Akshay","last_name":"Wadia","first_name":"Akshay"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"ieee":"S. Krenn, K. Z. Pietrzak, and A. Wadia, “A counterexample to the chain rule for conditional HILL entropy, and what deniable encryption has to do with it,” presented at the TCC: Theory of Cryptography Conference, Tokyo, Japan, 2013, vol. 7785, pp. 23–39.","short":"S. Krenn, K.Z. Pietrzak, A. Wadia, in:, A. Sahai (Ed.), Springer, 2013, pp. 23–39.","apa":"Krenn, S., Pietrzak, K. Z., & Wadia, A. (2013). A counterexample to the chain rule for conditional HILL entropy, and what deniable encryption has to do with it. In A. Sahai (Ed.) (Vol. 7785, pp. 23–39). Presented at the TCC: Theory of Cryptography Conference, Tokyo, Japan: Springer. https://doi.org/10.1007/978-3-642-36594-2_2","ama":"Krenn S, Pietrzak KZ, Wadia A. A counterexample to the chain rule for conditional HILL entropy, and what deniable encryption has to do with it. In: Sahai A, ed. Vol 7785. Springer; 2013:23-39. doi:10.1007/978-3-642-36594-2_2","mla":"Krenn, Stephan, et al. A Counterexample to the Chain Rule for Conditional HILL Entropy, and What Deniable Encryption Has to Do with It. Edited by Amit Sahai, vol. 7785, Springer, 2013, pp. 23–39, doi:10.1007/978-3-642-36594-2_2.","ista":"Krenn S, Pietrzak KZ, Wadia A. 2013. A counterexample to the chain rule for conditional HILL entropy, and what deniable encryption has to do with it. TCC: Theory of Cryptography Conference, LNCS, vol. 7785, 23–39.","chicago":"Krenn, Stephan, Krzysztof Z Pietrzak, and Akshay Wadia. “A Counterexample to the Chain Rule for Conditional HILL Entropy, and What Deniable Encryption Has to Do with It.” edited by Amit Sahai, 7785:23–39. Springer, 2013. https://doi.org/10.1007/978-3-642-36594-2_2."},"publisher":"Springer","quality_controlled":"1","oa":1,"doi":"10.1007/978-3-642-36594-2_2","date_published":"2013-01-29T00:00:00Z","date_created":"2018-12-11T12:00:27Z","page":"23 - 39","day":"29","has_accepted_license":"1","year":"2013","status":"public","type":"conference","conference":{"name":"TCC: Theory of Cryptography Conference","start_date":"2013-03-03","end_date":"2013-03-06","location":"Tokyo, Japan"},"_id":"2940","file_date_updated":"2020-07-14T12:45:54Z","department":[{"_id":"KrPi"}],"ddc":["000"],"date_updated":"2023-02-23T10:00:43Z","month":"01","intvolume":" 7785","alternative_title":["LNCS"],"scopus_import":1,"oa_version":"Submitted Version","abstract":[{"text":"A chain rule for an entropy notion H(.) states that the entropy H(X) of a variable X decreases by at most l if conditioned on an l-bit string A, i.e., H(X|A)>= H(X)-l. More generally, it satisfies a chain rule for conditional entropy if H(X|Y,A)>= H(X|Y)-l.\r\n\r\nAll natural information theoretic entropy notions we are aware of (like Shannon or min-entropy) satisfy some kind of chain rule for conditional entropy. Moreover, many computational entropy notions (like Yao entropy, unpredictability entropy and several variants of HILL entropy) satisfy the chain rule for conditional entropy, though here not only the quantity decreases by l, but also the quality of the entropy decreases exponentially in l. However, for \r\nthe standard notion of conditional HILL entropy (the computational equivalent of min-entropy) the existence of such a rule was unknown so far.\r\n\r\nIn this paper, we prove that for conditional HILL entropy no meaningful chain rule exists, assuming the existence of one-way permutations: there exist distributions X,Y,A, where A is a distribution over a single bit, but $H(X|Y)>>H(X|Y,A)$, even if we simultaneously allow for a massive degradation in the quality of the entropy.\r\n\r\nThe idea underlying our construction is based on a surprising connection between the chain rule for HILL entropy and deniable encryption. ","lang":"eng"}],"volume":7785,"related_material":{"record":[{"relation":"later_version","status":"public","id":"1479"}]},"ec_funded":1,"file":[{"access_level":"open_access","relation":"main_file","content_type":"application/pdf","file_id":"5875","checksum":"beb0cc1c0579da2d2e84394230a5da78","creator":"dernst","date_updated":"2020-07-14T12:45:54Z","file_size":414823,"date_created":"2019-01-22T14:11:11Z","file_name":"2013_LNCS_Krenn.pdf"}],"language":[{"iso":"eng"}],"publication_status":"published"},{"publist_id":"7318","author":[{"full_name":"Blazy, Olivier","last_name":"Blazy","first_name":"Olivier"},{"last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg"},{"last_name":"Pointcheval","full_name":"Pointcheval, David","first_name":"David"},{"first_name":"Damien","last_name":"Vergnaud","full_name":"Vergnaud, Damien"}],"title":"Short blind signatures","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T08:01:09Z","citation":{"mla":"Blazy, Olivier, et al. “Short Blind Signatures.” Journal of Computer Security, vol. 21, no. 5, IOS Press, 2013, pp. 627–61, doi:10.3233/JCS-130477.","ama":"Blazy O, Fuchsbauer G, Pointcheval D, Vergnaud D. Short blind signatures. Journal of Computer Security. 2013;21(5):627-661. doi:10.3233/JCS-130477","apa":"Blazy, O., Fuchsbauer, G., Pointcheval, D., & Vergnaud, D. (2013). Short blind signatures. Journal of Computer Security. IOS Press. https://doi.org/10.3233/JCS-130477","short":"O. Blazy, G. Fuchsbauer, D. Pointcheval, D. Vergnaud, Journal of Computer Security 21 (2013) 627–661.","ieee":"O. Blazy, G. Fuchsbauer, D. Pointcheval, and D. Vergnaud, “Short blind signatures,” Journal of Computer Security, vol. 21, no. 5. IOS Press, pp. 627–661, 2013.","chicago":"Blazy, Olivier, Georg Fuchsbauer, David Pointcheval, and Damien Vergnaud. “Short Blind Signatures.” Journal of Computer Security. IOS Press, 2013. https://doi.org/10.3233/JCS-130477.","ista":"Blazy O, Fuchsbauer G, Pointcheval D, Vergnaud D. 2013. Short blind signatures. Journal of Computer Security. 21(5), 627–661."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","type":"journal_article","status":"public","_id":"502","page":"627 - 661","doi":"10.3233/JCS-130477","issue":"5","date_published":"2013-11-22T00:00:00Z","volume":21,"date_created":"2018-12-11T11:46:50Z","year":"2013","publication_status":"published","day":"22","publication":"Journal of Computer Security","language":[{"iso":"eng"}],"scopus_import":1,"quality_controlled":"1","publisher":"IOS Press","month":"11","intvolume":" 21","abstract":[{"text":"Blind signatures allow users to obtain signatures on messages hidden from the signer; moreover, the signer cannot link the resulting message/signature pair to the signing session. This paper presents blind signature schemes, in which the number of interactions between the user and the signer is minimal and whose blind signatures are short. Our schemes are defined over bilinear groups and are proved secure in the common-reference-string model without random oracles and under standard assumptions: CDH and the decision-linear assumption. (We also give variants over asymmetric groups based on similar assumptions.) The blind signatures are Waters signatures, which consist of 2 group elements. Moreover, we instantiate partially blind signatures, where the message consists of a part hidden from the signer and a commonly known public part, and schemes achieving perfect blindness. We propose new variants of blind signatures, such as signer-friendly partially blind signatures, where the public part can be chosen by the signer without prior agreement, 3-party blind signatures, as well as blind signatures on multiple aggregated messages provided by independent sources. We also extend Waters signatures to non-binary alphabets by proving a new result on the underlying hash function. ","lang":"eng"}],"oa_version":"None"},{"related_material":{"record":[{"status":"public","id":"1675","relation":"later_version"}]},"date_published":"2013-11-28T00:00:00Z","date_created":"2018-12-11T11:56:42Z","day":"28","file":[{"content_type":"application/pdf","access_level":"open_access","relation":"main_file","checksum":"37b61637b62fc079d9141c59d9f1a94f","file_id":"5197","date_updated":"2020-07-14T12:45:36Z","file_size":405870,"creator":"system","date_created":"2018-12-12T10:16:11Z","file_name":"IST-2016-671-v1+1_796.pdf"}],"language":[{"iso":"eng"}],"has_accepted_license":"1","year":"2013","publication_status":"published","month":"11","scopus_import":1,"publisher":"IST Austria","oa":1,"oa_version":"Published Version","abstract":[{"text":"Proofs of work (PoW) have been suggested by Dwork and Naor (Crypto'92) as protection to a shared resource. The basic idea is to ask the service requestor to dedicate some non-trivial amount of computational work to every request. The original applications included prevention of spam and protection against denial of service attacks. More recently, PoWs have been used to prevent double spending in the Bitcoin digital currency system.\r\n\r\nIn this work, we put forward an alternative concept for PoWs -- so-called proofs of space (PoS), where a service requestor must dedicate a significant amount of disk space as opposed to computation. We construct secure PoS schemes in the random oracle model, using graphs with high "pebbling complexity" and Merkle hash-trees. ","lang":"eng"}],"title":"Proofs of Space","department":[{"_id":"VlKo"},{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:45:36Z","publist_id":"4670","author":[{"last_name":"Dziembowski","full_name":"Dziembowski, Stefan","first_name":"Stefan"},{"first_name":"Sebastian","last_name":"Faust","full_name":"Faust, Sebastian"},{"last_name":"Kolmogorov","full_name":"Kolmogorov, Vladimir","id":"3D50B0BA-F248-11E8-B48F-1D18A9856A87","first_name":"Vladimir"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","ddc":["530"],"date_updated":"2024-03-20T08:31:49Z","citation":{"chicago":"Dziembowski, Stefan, Sebastian Faust, Vladimir Kolmogorov, and Krzysztof Z Pietrzak. Proofs of Space. IST Austria, 2013.","ista":"Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. 2013. Proofs of Space, IST Austria,p.","mla":"Dziembowski, Stefan, et al. Proofs of Space. IST Austria, 2013.","short":"S. Dziembowski, S. Faust, V. Kolmogorov, K.Z. Pietrzak, Proofs of Space, IST Austria, 2013.","ieee":"S. Dziembowski, S. Faust, V. Kolmogorov, and K. Z. Pietrzak, Proofs of Space. IST Austria, 2013.","ama":"Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. Proofs of Space. IST Austria; 2013.","apa":"Dziembowski, S., Faust, S., Kolmogorov, V., & Pietrzak, K. Z. (2013). Proofs of Space. IST Austria."},"status":"public","pubrep_id":"671","type":"report","_id":"2274"},{"_id":"2048","type":"conference","conference":{"name":"CHES: Cryptographic Hardware and Embedded Systems","end_date":"2012-09-12","location":"Leuven, Belgium","start_date":"2012-09-09"},"status":"public","date_updated":"2021-01-12T06:54:58Z","department":[{"_id":"KrPi"}],"abstract":[{"text":"Leakage resilient cryptography attempts to incorporate side-channel leakage into the black-box security model and designs cryptographic schemes that are provably secure within it. Informally, a scheme is leakage-resilient if it remains secure even if an adversary learns a bounded amount of arbitrary information about the schemes internal state. Unfortunately, most leakage resilient schemes are unnecessarily complicated in order to achieve strong provable security guarantees. As advocated by Yu et al. [CCS’10], this mostly is an artefact of the security proof and in practice much simpler construction may already suffice to protect against realistic side-channel attacks. In this paper, we show that indeed for simpler constructions leakage-resilience can be obtained when we aim for relaxed security notions where the leakage-functions and/or the inputs to the primitive are chosen non-adaptively. For example, we show that a three round Feistel network instantiated with a leakage resilient PRF yields a leakage resilient PRP if the inputs are chosen non-adaptively (This complements the result of Dodis and Pietrzak [CRYPTO’10] who show that if a adaptive queries are allowed, a superlogarithmic number of rounds is necessary.) We also show that a minor variation of the classical GGM construction gives a leakage resilient PRF if both, the leakage-function and the inputs, are chosen non-adaptively.","lang":"eng"}],"oa_version":"Preprint","scopus_import":1,"alternative_title":["LNCS"],"main_file_link":[{"open_access":"1","url":"http://www.iacr.org/archive/ches2012/74280211/74280211.pdf"}],"month":"09","intvolume":" 7428","publication_status":"published","language":[{"iso":"eng"}],"volume":7428,"ec_funded":1,"project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"citation":{"chicago":"Faust, Sebastian, Krzysztof Z Pietrzak, and Joachim Schipper. “Practical Leakage-Resilient Symmetric Cryptography.” In Conference Proceedings CHES 2012, 7428:213–32. Springer, 2012. https://doi.org/10.1007/978-3-642-33027-8_13.","ista":"Faust S, Pietrzak KZ, Schipper J. 2012. Practical leakage-resilient symmetric cryptography. Conference proceedings CHES 2012. CHES: Cryptographic Hardware and Embedded Systems, LNCS, vol. 7428, 213–232.","mla":"Faust, Sebastian, et al. “Practical Leakage-Resilient Symmetric Cryptography.” Conference Proceedings CHES 2012, vol. 7428, Springer, 2012, pp. 213–32, doi:10.1007/978-3-642-33027-8_13.","short":"S. Faust, K.Z. Pietrzak, J. Schipper, in:, Conference Proceedings CHES 2012, Springer, 2012, pp. 213–232.","ieee":"S. Faust, K. Z. Pietrzak, and J. Schipper, “Practical leakage-resilient symmetric cryptography,” in Conference proceedings CHES 2012, Leuven, Belgium, 2012, vol. 7428, pp. 213–232.","apa":"Faust, S., Pietrzak, K. Z., & Schipper, J. (2012). Practical leakage-resilient symmetric cryptography. In Conference proceedings CHES 2012 (Vol. 7428, pp. 213–232). Leuven, Belgium: Springer. https://doi.org/10.1007/978-3-642-33027-8_13","ama":"Faust S, Pietrzak KZ, Schipper J. Practical leakage-resilient symmetric cryptography. In: Conference Proceedings CHES 2012. Vol 7428. Springer; 2012:213-232. doi:10.1007/978-3-642-33027-8_13"},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","publist_id":"5003","author":[{"first_name":"Sebastian","last_name":"Faust","full_name":"Faust, Sebastian"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"},{"last_name":"Schipper","full_name":"Schipper, Joachim","first_name":"Joachim","id":"7BE863D4-E9CF-11E9-9EDB-90527418172C"}],"title":"Practical leakage-resilient symmetric cryptography","acknowledgement":"Sebastian Faust acknowledges support from the Danish National Research Foundation and The National Science Foundation of China (under the grant 61061130540) for the Sino-Danish Center for the Theory of Interactive Computation, within part of this work was performed; and from the CFEM research center, supported by the Danish Strategic Research Council. \r\nSupported by the European Research Council/ERC Starting Grant 259668-PSPC.\r\n","publisher":"Springer","quality_controlled":"1","oa":1,"year":"2012","day":"01","publication":" Conference proceedings CHES 2012","page":"213 - 232","date_published":"2012-09-01T00:00:00Z","doi":"10.1007/978-3-642-33027-8_13","date_created":"2018-12-11T11:55:25Z"},{"abstract":[{"text":"We propose a new authentication protocol that is provably secure based on a ring variant of the learning parity with noise (LPN) problem. The protocol follows the design principle of the LPN-based protocol from Eurocrypt’11 (Kiltz et al.), and like it, is a two round protocol secure against active attacks. Moreover, our protocol has small communication complexity and a very small footprint which makes it applicable in scenarios that involve low-cost, resource-constrained devices.\r\n\r\nPerformance-wise, our protocol is more efficient than previous LPN-based schemes, such as the many variants of the Hopper-Blum (HB) protocol and the aforementioned protocol from Eurocrypt’11. Our implementation results show that it is even comparable to the standard challenge-and-response protocols based on the AES block-cipher. Our basic protocol is roughly 20 times slower than AES, but with the advantage of having 10 times smaller code size. Furthermore, if a few hundred bytes of non-volatile memory are available to allow the storage of some off-line pre-computations, then the online phase of our protocols is only twice as slow as AES.\r\n","lang":"eng"}],"oa_version":"Preprint","scopus_import":1,"alternative_title":["LNCS"],"main_file_link":[{"url":"http://www.iacr.org/archive/fse2012/75490350/75490350.pdf","open_access":"1"}],"month":"03","intvolume":" 7549","publication_status":"published","language":[{"iso":"eng"}],"volume":7549,"ec_funded":1,"_id":"2049","type":"conference","conference":{"name":"FSE: Fast Software Encryption","start_date":"2012-03-19","location":"Washington, DC, USA","end_date":"2012-03-21"},"status":"public","date_updated":"2021-01-12T06:54:58Z","department":[{"_id":"KrPi"}],"acknowledgement":"Supported by the European Research Council / ERC Starting Grant (259668- PSPC)\r\nWe would like to thank the anonymous referees of this confer- ence and those of the ECRYPT Workshop on Lightweight Cryptography for very useful comments, and in particular for the suggestion that the scheme is somewhat vulnerable to a man-in-the-middle attack whenever an adversary observes two reader challenges that are the same. We hope that the attack we described in Appendix A corresponds to what the reviewer had in mind. We also thank Tanja Lange for pointing us to the pa- per of [Kir11] and for discussions of some of her recent work. ","publisher":"Springer","quality_controlled":"1","oa":1,"year":"2012","day":"01","publication":" Conference proceedings FSE 2012","page":"346 - 365","date_published":"2012-03-01T00:00:00Z","doi":"10.1007/978-3-642-34047-5_20","date_created":"2018-12-11T11:55:25Z","project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"citation":{"apa":"Heyse, S., Kiltz, E., Lyubashevsky, V., Paar, C., & Pietrzak, K. Z. (2012). Lapin: An efficient authentication protocol based on ring-LPN. In Conference proceedings FSE 2012 (Vol. 7549, pp. 346–365). Washington, DC, USA: Springer. https://doi.org/10.1007/978-3-642-34047-5_20","ama":"Heyse S, Kiltz E, Lyubashevsky V, Paar C, Pietrzak KZ. Lapin: An efficient authentication protocol based on ring-LPN. In: Conference Proceedings FSE 2012. Vol 7549. Springer; 2012:346-365. doi:10.1007/978-3-642-34047-5_20","short":"S. Heyse, E. Kiltz, V. Lyubashevsky, C. Paar, K.Z. Pietrzak, in:, Conference Proceedings FSE 2012, Springer, 2012, pp. 346–365.","ieee":"S. Heyse, E. Kiltz, V. Lyubashevsky, C. Paar, and K. Z. Pietrzak, “Lapin: An efficient authentication protocol based on ring-LPN,” in Conference proceedings FSE 2012, Washington, DC, USA, 2012, vol. 7549, pp. 346–365.","mla":"Heyse, Stefan, et al. “Lapin: An Efficient Authentication Protocol Based on Ring-LPN.” Conference Proceedings FSE 2012, vol. 7549, Springer, 2012, pp. 346–65, doi:10.1007/978-3-642-34047-5_20.","ista":"Heyse S, Kiltz E, Lyubashevsky V, Paar C, Pietrzak KZ. 2012. Lapin: An efficient authentication protocol based on ring-LPN. Conference proceedings FSE 2012. FSE: Fast Software Encryption, LNCS, vol. 7549, 346–365.","chicago":"Heyse, Stefan, Eike Kiltz, Vadim Lyubashevsky, Christof Paar, and Krzysztof Z Pietrzak. “Lapin: An Efficient Authentication Protocol Based on Ring-LPN.” In Conference Proceedings FSE 2012, 7549:346–65. Springer, 2012. https://doi.org/10.1007/978-3-642-34047-5_20."},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","author":[{"first_name":"Stefan","last_name":"Heyse","full_name":"Heyse, Stefan"},{"full_name":"Kiltz, Eike","last_name":"Kiltz","first_name":"Eike"},{"full_name":"Lyubashevsky, Vadim","last_name":"Lyubashevsky","first_name":"Vadim"},{"last_name":"Paar","full_name":"Paar, Christof","first_name":"Christof"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654"}],"publist_id":"5002","title":"Lapin: An efficient authentication protocol based on ring-LPN"},{"month":"10","oa":1,"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2012/258"}],"scopus_import":1,"publisher":"ACM","quality_controlled":"1","acknowledgement":"This work was partially funded by National Funds through the FCT - Fundação para a Ciência e a Tecnologia (Portuguese Foundation for Science and Technology) within project ENI-AC/2224/2009, by ENIAC Joint Undertaking under grant agreement number 120224, European Projects FP7-256980 NESSoS and FP7-229599 AMAROUT, Spanish National project TIN2009-14599 DESAFIOS 10, and Madrid Regional project S2009TIC-1465 PROMETIDOS.","oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"Developers building cryptography into security-sensitive applications face a daunting task. Not only must they understand the security guarantees delivered by the constructions they choose, they must also implement and combine them correctly and efficiently. Cryptographic compilers free developers from this task by turning high-level specifications of security goals into efficient implementations. Yet, trusting such tools is hard as they rely on complex mathematical machinery and claim security properties that are subtle and difficult to verify. In this paper we present ZKCrypt, an optimizing cryptographic compiler achieving an unprecedented level of assurance without sacrificing practicality for a comprehensive class of cryptographic protocols, known as Zero-Knowledge Proofs of Knowledge. The pipeline of ZKCrypt integrates purpose-built verified compilers and verifying compilers producing formal proofs in the CertiCrypt framework. By combining the guarantees delivered by each stage, ZKCrypt provides assurance that the output implementation securely realizes the abstract proof goal given as input. We report on the main characteristics of ZKCrypt, highlight new definitions and concepts at its foundations, and illustrate its applicability through a representative example of an anonymous credential system."}],"date_created":"2018-12-11T12:00:26Z","date_published":"2012-10-01T00:00:00Z","doi":"10.1145/2382196.2382249","page":"488 - 500","language":[{"iso":"eng"}],"publication":"Proceedings of the 2012 ACM conference on Computer and communications security","day":"01","publication_status":"published","year":"2012","status":"public","conference":{"end_date":"2012-10-18","location":"Raleigh, NC, USA","start_date":"2012-10-16","name":"CCS: Computer and Communications Security"},"type":"conference","_id":"2937","title":"Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols","department":[{"_id":"KrPi"}],"publist_id":"3798","author":[{"full_name":"Almeida, José","last_name":"Almeida","first_name":"José"},{"full_name":"Barbosa, Manuel","last_name":"Barbosa","first_name":"Manuel"},{"first_name":"Endre","last_name":"Bangerter","full_name":"Bangerter, Endre"},{"last_name":"Barthe","full_name":"Barthe, Gilles","first_name":"Gilles"},{"last_name":"Krenn","full_name":"Krenn, Stephan","orcid":"0000-0003-2835-9093","id":"329FCCF0-F248-11E8-B48F-1D18A9856A87","first_name":"Stephan"},{"full_name":"Béguelin, Santiago","last_name":"Béguelin","first_name":"Santiago"}],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","date_updated":"2021-01-12T07:39:53Z","citation":{"ista":"Almeida J, Barbosa M, Bangerter E, Barthe G, Krenn S, Béguelin S. 2012. Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols. Proceedings of the 2012 ACM conference on Computer and communications security. CCS: Computer and Communications Security, 488–500.","chicago":"Almeida, José, Manuel Barbosa, Endre Bangerter, Gilles Barthe, Stephan Krenn, and Santiago Béguelin. “Full Proof Cryptography: Verifiable Compilation of Efficient Zero-Knowledge Protocols.” In Proceedings of the 2012 ACM Conference on Computer and Communications Security, 488–500. ACM, 2012. https://doi.org/10.1145/2382196.2382249.","ama":"Almeida J, Barbosa M, Bangerter E, Barthe G, Krenn S, Béguelin S. Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security. ACM; 2012:488-500. doi:10.1145/2382196.2382249","apa":"Almeida, J., Barbosa, M., Bangerter, E., Barthe, G., Krenn, S., & Béguelin, S. (2012). Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols. In Proceedings of the 2012 ACM conference on Computer and communications security (pp. 488–500). Raleigh, NC, USA: ACM. https://doi.org/10.1145/2382196.2382249","short":"J. Almeida, M. Barbosa, E. Bangerter, G. Barthe, S. Krenn, S. Béguelin, in:, Proceedings of the 2012 ACM Conference on Computer and Communications Security, ACM, 2012, pp. 488–500.","ieee":"J. Almeida, M. Barbosa, E. Bangerter, G. Barthe, S. Krenn, and S. Béguelin, “Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols,” in Proceedings of the 2012 ACM conference on Computer and communications security, Raleigh, NC, USA, 2012, pp. 488–500.","mla":"Almeida, José, et al. “Full Proof Cryptography: Verifiable Compilation of Efficient Zero-Knowledge Protocols.” Proceedings of the 2012 ACM Conference on Computer and Communications Security, ACM, 2012, pp. 488–500, doi:10.1145/2382196.2382249."}},{"title":"Commitments and efficient zero knowledge proofs from learning parity with noise","editor":[{"first_name":"Xiaoyun","full_name":"Wang, Xiaoyun","last_name":"Wang"},{"last_name":"Sako","full_name":"Sako, Kazue","first_name":"Kazue"}],"publist_id":"3730","author":[{"first_name":"Abhishek","last_name":"Jain","full_name":"Jain, Abhishek"},{"id":"329FCCF0-F248-11E8-B48F-1D18A9856A87","first_name":"Stephan","last_name":"Krenn","full_name":"Krenn, Stephan","orcid":"0000-0003-2835-9093"},{"orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Aris","full_name":"Tentes, Aris","last_name":"Tentes"}],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Jain, Abhishek, et al. Commitments and Efficient Zero Knowledge Proofs from Learning Parity with Noise. Edited by Xiaoyun Wang and Kazue Sako, vol. 7658, Springer, 2012, pp. 663–80, doi:10.1007/978-3-642-34961-4_40.","ama":"Jain A, Krenn S, Pietrzak KZ, Tentes A. Commitments and efficient zero knowledge proofs from learning parity with noise. In: Wang X, Sako K, eds. Vol 7658. Springer; 2012:663-680. doi:10.1007/978-3-642-34961-4_40","apa":"Jain, A., Krenn, S., Pietrzak, K. Z., & Tentes, A. (2012). Commitments and efficient zero knowledge proofs from learning parity with noise. In X. Wang & K. Sako (Eds.) (Vol. 7658, pp. 663–680). Presented at the ASIACRYPT: Theory and Application of Cryptology and Information Security, Beijing, China: Springer. https://doi.org/10.1007/978-3-642-34961-4_40","short":"A. Jain, S. Krenn, K.Z. Pietrzak, A. Tentes, in:, X. Wang, K. Sako (Eds.), Springer, 2012, pp. 663–680.","ieee":"A. Jain, S. Krenn, K. Z. Pietrzak, and A. Tentes, “Commitments and efficient zero knowledge proofs from learning parity with noise,” presented at the ASIACRYPT: Theory and Application of Cryptology and Information Security, Beijing, China, 2012, vol. 7658, pp. 663–680.","chicago":"Jain, Abhishek, Stephan Krenn, Krzysztof Z Pietrzak, and Aris Tentes. “Commitments and Efficient Zero Knowledge Proofs from Learning Parity with Noise.” edited by Xiaoyun Wang and Kazue Sako, 7658:663–80. Springer, 2012. https://doi.org/10.1007/978-3-642-34961-4_40.","ista":"Jain A, Krenn S, Pietrzak KZ, Tentes A. 2012. Commitments and efficient zero knowledge proofs from learning parity with noise. ASIACRYPT: Theory and Application of Cryptology and Information Security, LNCS, vol. 7658, 663–680."},"project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"date_created":"2018-12-11T12:00:38Z","date_published":"2012-12-01T00:00:00Z","doi":"10.1007/978-3-642-34961-4_40","page":"663 - 680","day":"01","year":"2012","has_accepted_license":"1","oa":1,"publisher":"Springer","acknowledgement":"We are grateful to Petros Mol for helpful discussions on the reduction for the hardness of the xLPN problem.\r\n","department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:45:58Z","ddc":["004","005"],"date_updated":"2021-01-12T07:40:11Z","pubrep_id":"721","status":"public","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"conference":{"name":"ASIACRYPT: Theory and Application of Cryptology and Information Security","start_date":"2012-12-02","location":"Beijing, China","end_date":"2012-12-06"},"type":"conference","_id":"2974","ec_funded":1,"volume":7658,"language":[{"iso":"eng"}],"file":[{"file_size":482570,"date_updated":"2020-07-14T12:45:58Z","creator":"system","file_name":"IST-2016-721-v1+1_513.pdf","date_created":"2018-12-12T10:14:00Z","content_type":"application/pdf","relation":"main_file","access_level":"open_access","file_id":"5048","checksum":"ab879537385efc4cb4203e7ef0fea17b"}],"publication_status":"published","intvolume":" 7658","month":"12","scopus_import":1,"alternative_title":["LNCS"],"oa_version":"Submitted Version","abstract":[{"text":"We construct a perfectly binding string commitment scheme whose security is based on the learning parity with noise (LPN) assumption, or equivalently, the hardness of decoding random linear codes. Our scheme not only allows for a simple and efficient zero-knowledge proof of knowledge for committed values (essentially a Σ-protocol), but also for such proofs showing any kind of relation amongst committed values, i.e. proving that messages m_0,...,m_u, are such that m_0=C(m_1,...,m_u) for any circuit C.\r\n\r\nTo get soundness which is exponentially small in a security parameter t, and when the zero-knowledge property relies on the LPN problem with secrets of length l, our 3 round protocol has communication complexity O(t|C|l log(l)) and computational complexity of O(t|C|l) bit operations. The hidden constants are small, and the computation consists mostly of computing inner products of bit-vectors.","lang":"eng"}]},{"publication_status":"published","year":"2012","language":[{"iso":"eng"}],"day":"19","page":"99 - 114","date_created":"2018-12-11T12:02:15Z","volume":7147,"date_published":"2012-02-19T00:00:00Z","doi":"10.1007/978-3-642-27660-6_9","abstract":[{"text":"The Learning Parity with Noise (LPN) problem has recently found many applications in cryptography as the hardness assumption underlying the constructions of "provably secure" cryptographic schemes like encryption or authentication protocols. Being provably secure means that the scheme comes with a proof showing that the existence of an efficient adversary against the scheme implies that the underlying hardness assumption is wrong. LPN based schemes are appealing for theoretical and practical reasons. On the theoretical side, LPN based schemes offer a very strong security guarantee. The LPN problem is equivalent to the problem of decoding random linear codes, a problem that has been extensively studied in the last half century. The fastest known algorithms run in exponential time and unlike most number-theoretic problems used in cryptography, the LPN problem does not succumb to known quantum algorithms. On the practical side, LPN based schemes are often extremely simple and efficient in terms of code-size as well as time and space requirements. This makes them prime candidates for light-weight devices like RFID tags, which are too weak to implement standard cryptographic primitives like the AES block-cipher. This talk will be a gentle introduction to provable security using simple LPN based schemes as examples. Starting from pseudorandom generators and symmetric key encryption, over secret-key authentication protocols, and, if time admits, touching on recent constructions of public-key identification, commitments and zero-knowledge proofs.","lang":"eng"}],"oa_version":"None","quality_controlled":"1","scopus_import":1,"publisher":"Springer","alternative_title":["LNCS"],"intvolume":" 7147","month":"02","date_updated":"2021-01-12T07:42:07Z","citation":{"chicago":"Pietrzak, Krzysztof Z. “Cryptography from Learning Parity with Noise,” 7147:99–114. Springer, 2012. https://doi.org/10.1007/978-3-642-27660-6_9.","ista":"Pietrzak KZ. 2012. Cryptography from learning parity with noise. SOFSEM: Current Trends in Theory and Practice of Computer Science, LNCS, vol. 7147, 99–114.","mla":"Pietrzak, Krzysztof Z. Cryptography from Learning Parity with Noise. Vol. 7147, Springer, 2012, pp. 99–114, doi:10.1007/978-3-642-27660-6_9.","short":"K.Z. Pietrzak, in:, Springer, 2012, pp. 99–114.","ieee":"K. Z. Pietrzak, “Cryptography from learning parity with noise,” presented at the SOFSEM: Current Trends in Theory and Practice of Computer Science, Špindlerův Mlýn, Czech Republic, 2012, vol. 7147, pp. 99–114.","apa":"Pietrzak, K. Z. (2012). Cryptography from learning parity with noise (Vol. 7147, pp. 99–114). Presented at the SOFSEM: Current Trends in Theory and Practice of Computer Science, Špindlerův Mlýn, Czech Republic: Springer. https://doi.org/10.1007/978-3-642-27660-6_9","ama":"Pietrzak KZ. Cryptography from learning parity with noise. In: Vol 7147. Springer; 2012:99-114. doi:10.1007/978-3-642-27660-6_9"},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","publist_id":"3407","author":[{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"}],"department":[{"_id":"KrPi"}],"title":"Cryptography from learning parity with noise","_id":"3250","conference":{"name":"SOFSEM: Current Trends in Theory and Practice of Computer Science","end_date":"2012-01-27","location":"Špindlerův Mlýn, Czech Republic","start_date":"2012-01-21"},"type":"conference","status":"public"},{"_id":"3282","status":"public","pubrep_id":"686","type":"conference","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"conference":{"end_date":"2012-04-19","location":"Cambridge, UK","start_date":"2012-04-15","name":"EUROCRYPT: Theory and Applications of Cryptographic Techniques"},"ddc":["000","004"],"date_updated":"2021-01-12T07:42:22Z","file_date_updated":"2020-07-14T12:46:06Z","department":[{"_id":"KrPi"}],"oa_version":"Submitted Version","abstract":[{"text":"Traditionally, symmetric-key message authentication codes (MACs) are easily built from pseudorandom functions (PRFs). In this work we propose a wide variety of other approaches to building efficient MACs, without going through a PRF first. In particular, unlike deterministic PRF-based MACs, where each message has a unique valid tag, we give a number of probabilistic MAC constructions from various other primitives/assumptions. Our main results are summarized as follows: We show several new probabilistic MAC constructions from a variety of general assumptions, including CCA-secure encryption, Hash Proof Systems and key-homomorphic weak PRFs. By instantiating these frameworks under concrete number theoretic assumptions, we get several schemes which are more efficient than just using a state-of-the-art PRF instantiation under the corresponding assumption. For probabilistic MACs, unlike deterministic ones, unforgeability against a chosen message attack (uf-cma ) alone does not imply security if the adversary can additionally make verification queries (uf-cmva ). We give an efficient generic transformation from any uf-cma secure MAC which is "message-hiding" into a uf-cmva secure MAC. This resolves the main open problem of Kiltz et al. from Eurocrypt'11; By using our transformation on their constructions, we get the first efficient MACs from the LPN assumption. While all our new MAC constructions immediately give efficient actively secure, two-round symmetric-key identification schemes, we also show a very simple, three-round actively secure identification protocol from any weak PRF. In particular, the resulting protocol is much more efficient than the trivial approach of building a regular PRF from a weak PRF. © 2012 International Association for Cryptologic Research.","lang":"eng"}],"month":"03","intvolume":" 7237","alternative_title":["LNCS"],"file":[{"file_name":"IST-2016-686-v1+1_059.pdf","date_created":"2018-12-12T10:14:23Z","creator":"system","file_size":372292,"date_updated":"2020-07-14T12:46:06Z","file_id":"5074","checksum":"8557c17a8c2586d06ebfe62d934f5c5f","relation":"main_file","access_level":"open_access","content_type":"application/pdf"}],"language":[{"iso":"eng"}],"publication_status":"published","volume":7237,"ec_funded":1,"project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Dodis, Yevgeniy, et al. Message Authentication, Revisited. Vol. 7237, Springer, 2012, pp. 355–74, doi:10.1007/978-3-642-29011-4_22.","ama":"Dodis Y, Pietrzak KZ, Kiltz E, Wichs D. Message authentication, revisited. In: Vol 7237. Springer; 2012:355-374. doi:10.1007/978-3-642-29011-4_22","apa":"Dodis, Y., Pietrzak, K. Z., Kiltz, E., & Wichs, D. (2012). Message authentication, revisited (Vol. 7237, pp. 355–374). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Cambridge, UK: Springer. https://doi.org/10.1007/978-3-642-29011-4_22","ieee":"Y. Dodis, K. Z. Pietrzak, E. Kiltz, and D. Wichs, “Message authentication, revisited,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Cambridge, UK, 2012, vol. 7237, pp. 355–374.","short":"Y. Dodis, K.Z. Pietrzak, E. Kiltz, D. Wichs, in:, Springer, 2012, pp. 355–374.","chicago":"Dodis, Yevgeniy, Krzysztof Z Pietrzak, Eike Kiltz, and Daniel Wichs. “Message Authentication, Revisited,” 7237:355–74. Springer, 2012. https://doi.org/10.1007/978-3-642-29011-4_22.","ista":"Dodis Y, Pietrzak KZ, Kiltz E, Wichs D. 2012. Message authentication, revisited. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 7237, 355–374."},"title":"Message authentication, revisited","author":[{"first_name":"Yevgeniy","last_name":"Dodis","full_name":"Dodis, Yevgeniy"},{"full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Eike","last_name":"Kiltz","full_name":"Kiltz, Eike"},{"full_name":"Wichs, Daniel","last_name":"Wichs","first_name":"Daniel"}],"publist_id":"3364","acknowledgement":"Supported by the European Research Council under the European Union’s Seventh Framework Programme (FP7/2007-2013) / ERC Starting Grant (259668-PSPC)","publisher":"Springer","quality_controlled":"1","oa":1,"day":"10","has_accepted_license":"1","year":"2012","date_published":"2012-03-10T00:00:00Z","doi":"10.1007/978-3-642-29011-4_22","date_created":"2018-12-11T12:02:27Z","page":"355 - 374"},{"status":"public","conference":{"start_date":"2012-03-19","location":"Taormina, Sicily, Italy","end_date":"2012-03-21","name":"TCC: Theory of Cryptography Conference"},"type":"conference","_id":"3280","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T07:42:21Z","intvolume":" 7194","month":"05","main_file_link":[{"url":"http://www.iacr.org/archive/tcc2012/71940166/71940166.pdf","open_access":"1"}],"alternative_title":["LNCS"],"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"The (decisional) learning with errors problem (LWE) asks to distinguish "noisy" inner products of a secret vector with random vectors from uniform. The learning parities with noise problem (LPN) is the special case where the elements of the vectors are bits. In recent years, the LWE and LPN problems have found many applications in cryptography. In this paper we introduce a (seemingly) much stronger adaptive assumption, called "subspace LWE" (SLWE), where the adversary can learn the inner product of the secret and random vectors after they were projected into an adaptively and adversarially chosen subspace. We prove that, surprisingly, the SLWE problem mapping into subspaces of dimension d is almost as hard as LWE using secrets of length d (the other direction is trivial.) This result immediately implies that several existing cryptosystems whose security is based on the hardness of the LWE/LPN problems are provably secure in a much stronger sense than anticipated. As an illustrative example we show that the standard way of using LPN for symmetric CPA secure encryption is even secure against a very powerful class of related key attacks. "}],"ec_funded":1,"volume":7194,"language":[{"iso":"eng"}],"publication_status":"published","project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"title":"Subspace LWE","author":[{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z"}],"publist_id":"3366","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Pietrzak, Krzysztof Z. “Subspace LWE,” 7194:548–63. Springer, 2012. https://doi.org/10.1007/978-3-642-28914-9_31.","ista":"Pietrzak KZ. 2012. Subspace LWE. TCC: Theory of Cryptography Conference, LNCS, vol. 7194, 548–563.","mla":"Pietrzak, Krzysztof Z. Subspace LWE. Vol. 7194, Springer, 2012, pp. 548–63, doi:10.1007/978-3-642-28914-9_31.","apa":"Pietrzak, K. Z. (2012). Subspace LWE (Vol. 7194, pp. 548–563). Presented at the TCC: Theory of Cryptography Conference, Taormina, Sicily, Italy: Springer. https://doi.org/10.1007/978-3-642-28914-9_31","ama":"Pietrzak KZ. Subspace LWE. In: Vol 7194. Springer; 2012:548-563. doi:10.1007/978-3-642-28914-9_31","ieee":"K. Z. Pietrzak, “Subspace LWE,” presented at the TCC: Theory of Cryptography Conference, Taormina, Sicily, Italy, 2012, vol. 7194, pp. 548–563.","short":"K.Z. Pietrzak, in:, Springer, 2012, pp. 548–563."},"oa":1,"quality_controlled":"1","publisher":"Springer","acknowledgement":"Supported by the European Research Council under the European Union’s Seventh Framework Programme (FP7/2007-2013) / ERC Starting Grant (259668-PSPC).","date_created":"2018-12-11T12:02:26Z","doi":"10.1007/978-3-642-28914-9_31","date_published":"2012-05-04T00:00:00Z","page":"548 - 563","day":"04","year":"2012"},{"year":"2012","publication_status":"published","day":"04","language":[{"iso":"eng"}],"page":"458 - 475","volume":7194,"date_published":"2012-05-04T00:00:00Z","doi":"10.1007/978-3-642-28914-9_26","date_created":"2018-12-11T12:02:26Z","abstract":[{"text":"We consider the problem of amplifying the "lossiness" of functions. We say that an oracle circuit C*: {0,1} m → {0,1}* amplifies relative lossiness from ℓ/n to L/m if for every function f:{0,1} n → {0,1} n it holds that 1 If f is injective then so is C f. 2 If f has image size of at most 2 n-ℓ, then C f has image size at most 2 m-L. The question is whether such C* exists for L/m ≫ ℓ/n. This problem arises naturally in the context of cryptographic "lossy functions," where the relative lossiness is the key parameter. We show that for every circuit C* that makes at most t queries to f, the relative lossiness of C f is at most L/m ≤ ℓ/n + O(log t)/n. In particular, no black-box method making a polynomial t = poly(n) number of queries can amplify relative lossiness by more than an O(logn)/n additive term. We show that this is tight by giving a simple construction (cascading with some randomization) that achieves such amplification.","lang":"eng"}],"oa_version":"None","acknowledgement":"We would like to thank Oded Goldreich and Omer Rein- gold for discussions at an early stage of this project, and Scott Aaronson for clarifications regarding the collision problem.\r\n","quality_controlled":"1","alternative_title":["LNCS"],"publisher":"Springer","main_file_link":[{"url":"http://www.iacr.org/archive/tcc2012/tcc2012-index.html"}],"month":"05","intvolume":" 7194","date_updated":"2021-01-12T07:42:22Z","citation":{"mla":"Pietrzak, Krzysztof Z., et al. Lossy Functions Do Not Amplify Well. Vol. 7194, Springer, 2012, pp. 458–75, doi:10.1007/978-3-642-28914-9_26.","apa":"Pietrzak, K. Z., Rosen, A., & Segev, G. (2012). Lossy functions do not amplify well (Vol. 7194, pp. 458–475). Presented at the TCC: Theory of Cryptography Conference, Taormina, Sicily, Italy: Springer. https://doi.org/10.1007/978-3-642-28914-9_26","ama":"Pietrzak KZ, Rosen A, Segev G. Lossy functions do not amplify well. In: Vol 7194. Springer; 2012:458-475. doi:10.1007/978-3-642-28914-9_26","short":"K.Z. Pietrzak, A. Rosen, G. Segev, in:, Springer, 2012, pp. 458–475.","ieee":"K. Z. Pietrzak, A. Rosen, and G. Segev, “Lossy functions do not amplify well,” presented at the TCC: Theory of Cryptography Conference, Taormina, Sicily, Italy, 2012, vol. 7194, pp. 458–475.","chicago":"Pietrzak, Krzysztof Z, Alon Rosen, and Gil Segev. “Lossy Functions Do Not Amplify Well,” 7194:458–75. Springer, 2012. https://doi.org/10.1007/978-3-642-28914-9_26.","ista":"Pietrzak KZ, Rosen A, Segev G. 2012. Lossy functions do not amplify well. TCC: Theory of Cryptography Conference, LNCS, vol. 7194, 458–475."},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","publist_id":"3365","author":[{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654"},{"first_name":"Alon","last_name":"Rosen","full_name":"Rosen, Alon"},{"first_name":"Gil","last_name":"Segev","full_name":"Segev, Gil"}],"department":[{"_id":"KrPi"}],"title":"Lossy functions do not amplify well","_id":"3281","type":"conference","conference":{"end_date":"2012-03-21","location":"Taormina, Sicily, Italy","start_date":"2012-03-19","name":"TCC: Theory of Cryptography Conference"},"status":"public"},{"volume":7194,"ec_funded":1,"language":[{"iso":"eng"}],"publication_status":"published","month":"05","intvolume":" 7194","scopus_import":1,"alternative_title":["LNCS"],"main_file_link":[{"url":"http://www.iacr.org/archive/tcc2012/tcc2012-index.html"}],"oa_version":"None","abstract":[{"text":"We show a hardness-preserving construction of a PRF from any length doubling PRG which improves upon known constructions whenever we can put a non-trivial upper bound q on the number of queries to the PRF. Our construction requires only O(logq) invocations to the underlying PRG with each query. In comparison, the number of invocations by the best previous hardness-preserving construction (GGM using Levin's trick) is logarithmic in the hardness of the PRG. For example, starting from an exponentially secure PRG {0,1} n → {0,1} 2n, we get a PRF which is exponentially secure if queried at most q = exp(√n)times and where each invocation of the PRF requires Θ(√n) queries to the underlying PRG. This is much less than the Θ(n) required by known constructions. \r\n","lang":"eng"}],"department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T07:42:21Z","status":"public","type":"conference","conference":{"name":"TCC: Theory of Cryptography Conference","start_date":"2012-03-19","end_date":"2012-03-21","location":"Taormina, Sicily, Italy"},"_id":"3279","doi":"10.1007/978-3-642-28914-9_21","date_published":"2012-05-04T00:00:00Z","date_created":"2018-12-11T12:02:25Z","page":"369 - 382","day":"04","year":"2012","quality_controlled":"1","publisher":"Springer","acknowledgement":"Supported by the European Research Council under the European Union’s Seventh Framework Programme (FP7/2007-2013) / ERC Starting Grant (259668-PSPC)","title":"Hardness preserving constructions of pseudorandom functions","publist_id":"3367","author":[{"first_name":"Abhishek","full_name":"Jain, Abhishek","last_name":"Jain"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654"},{"last_name":"Tentes","full_name":"Tentes, Aris","first_name":"Aris"}],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"ama":"Jain A, Pietrzak KZ, Tentes A. Hardness preserving constructions of pseudorandom functions. In: Vol 7194. Springer; 2012:369-382. doi:10.1007/978-3-642-28914-9_21","apa":"Jain, A., Pietrzak, K. Z., & Tentes, A. (2012). Hardness preserving constructions of pseudorandom functions (Vol. 7194, pp. 369–382). Presented at the TCC: Theory of Cryptography Conference, Taormina, Sicily, Italy: Springer. https://doi.org/10.1007/978-3-642-28914-9_21","ieee":"A. Jain, K. Z. Pietrzak, and A. Tentes, “Hardness preserving constructions of pseudorandom functions,” presented at the TCC: Theory of Cryptography Conference, Taormina, Sicily, Italy, 2012, vol. 7194, pp. 369–382.","short":"A. Jain, K.Z. Pietrzak, A. Tentes, in:, Springer, 2012, pp. 369–382.","mla":"Jain, Abhishek, et al. Hardness Preserving Constructions of Pseudorandom Functions. Vol. 7194, Springer, 2012, pp. 369–82, doi:10.1007/978-3-642-28914-9_21.","ista":"Jain A, Pietrzak KZ, Tentes A. 2012. Hardness preserving constructions of pseudorandom functions. TCC: Theory of Cryptography Conference, LNCS, vol. 7194, 369–382.","chicago":"Jain, Abhishek, Krzysztof Z Pietrzak, and Aris Tentes. “Hardness Preserving Constructions of Pseudorandom Functions,” 7194:369–82. Springer, 2012. https://doi.org/10.1007/978-3-642-28914-9_21."},"project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography"}]}]