[{"oa":1,"publisher":"Elsevier","quality_controlled":"1","acknowledgement":"We thank Mahsa Bastankhah and Mohammad Ali Maddah-Ali for fruitful discussions about different variants of the problem. This work is supported by the European Research Council (ERC) Consolidator Project 864228 (AdjustNet), 2020-2025, the ERC CoG 863818 (ForM-SMArt), and the German Research Foundation (DFG) grant 470029389 (FlexNets), 2021-2024.","date_created":"2024-01-16T13:40:41Z","doi":"10.1016/j.tcs.2023.114353","date_published":"2024-01-11T00:00:00Z","publication":"Theoretical Computer Science","day":"11","year":"2024","project":[{"call_identifier":"H2020","_id":"0599E47C-7A3F-11EA-A408-12923DDC885E","name":"Formal Methods for Stochastic Models: Algorithms and Applications","grant_number":"863818"}],"article_number":"114353","title":"Weighted packet selection for rechargeable links in cryptocurrency networks: Complexity and approximation","article_processing_charge":"Yes (via OA deal)","author":[{"full_name":"Schmid, Stefan","last_name":"Schmid","first_name":"Stefan"},{"first_name":"Jakub","id":"130759D2-D7DD-11E9-87D2-DE0DE6697425","last_name":"Svoboda","full_name":"Svoboda, Jakub","orcid":"0000-0002-1419-3267"},{"last_name":"Yeo","full_name":"Yeo, Michelle X","first_name":"Michelle X","id":"2D82B818-F248-11E8-B48F-1D18A9856A87"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Schmid, Stefan, et al. “Weighted Packet Selection for Rechargeable Links in Cryptocurrency Networks: Complexity and Approximation.” Theoretical Computer Science, vol. 989, 114353, Elsevier, 2024, doi:10.1016/j.tcs.2023.114353.","short":"S. Schmid, J. Svoboda, M.X. Yeo, Theoretical Computer Science 989 (2024).","ieee":"S. Schmid, J. Svoboda, and M. X. Yeo, “Weighted packet selection for rechargeable links in cryptocurrency networks: Complexity and approximation,” Theoretical Computer Science, vol. 989. Elsevier, 2024.","apa":"Schmid, S., Svoboda, J., & Yeo, M. X. (2024). Weighted packet selection for rechargeable links in cryptocurrency networks: Complexity and approximation. Theoretical Computer Science. Elsevier. https://doi.org/10.1016/j.tcs.2023.114353","ama":"Schmid S, Svoboda J, Yeo MX. Weighted packet selection for rechargeable links in cryptocurrency networks: Complexity and approximation. Theoretical Computer Science. 2024;989. doi:10.1016/j.tcs.2023.114353","chicago":"Schmid, Stefan, Jakub Svoboda, and Michelle X Yeo. “Weighted Packet Selection for Rechargeable Links in Cryptocurrency Networks: Complexity and Approximation.” Theoretical Computer Science. Elsevier, 2024. https://doi.org/10.1016/j.tcs.2023.114353.","ista":"Schmid S, Svoboda J, Yeo MX. 2024. Weighted packet selection for rechargeable links in cryptocurrency networks: Complexity and approximation. Theoretical Computer Science. 989, 114353."},"intvolume":" 989","month":"01","main_file_link":[{"url":"https://doi.org/10.1016/j.tcs.2023.114353","open_access":"1"}],"oa_version":"Published Version","abstract":[{"lang":"eng","text":"We consider a natural problem dealing with weighted packet selection across a rechargeable link, which e.g., finds applications in cryptocurrency networks. The capacity of a link (u, v) is determined by how many nodes u and v allocate for this link. Specifically, the input is a finite ordered sequence of packets that arrive in both directions along a link. Given (u, v) and a packet of weight x going from u to v, node u can either accept or reject the packet. If u accepts the packet, the capacity on link (u, v) decreases by x. Correspondingly, v's capacity on \r\n increases by x. If a node rejects the packet, this will entail a cost affinely linear in the weight of the packet. A link is “rechargeable” in the sense that the total capacity of the link has to remain constant, but the allocation of capacity at the ends of the link can depend arbitrarily on the nodes' decisions. The goal is to minimise the sum of the capacity injected into the link and the cost of rejecting packets. We show that the problem is NP-hard, but can be approximated efficiently with a ratio of (1+E) . (1+3) for some arbitrary E>0."}],"ec_funded":1,"volume":989,"language":[{"iso":"eng"}],"publication_status":"epub_ahead","publication_identifier":{"issn":["0304-3975"]},"keyword":["General Computer Science","Theoretical Computer Science"],"status":"public","type":"journal_article","article_type":"original","_id":"14820","department":[{"_id":"KrCh"},{"_id":"KrPi"}],"date_updated":"2024-01-17T09:23:03Z"},{"article_number":"12","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Alpos, Orestis, et al. “Eating Sandwiches: Modular and Lightweight Elimination of Transaction Reordering Attacks.” 27th International Conference on Principles of Distributed Systems, vol. 286, 12, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2024, doi:10.4230/LIPIcs.OPODIS.2023.12.","ama":"Alpos O, Amores-Sesar I, Cachin C, Yeo MX. Eating sandwiches: Modular and lightweight elimination of transaction reordering attacks. In: 27th International Conference on Principles of Distributed Systems. Vol 286. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2024. doi:10.4230/LIPIcs.OPODIS.2023.12","apa":"Alpos, O., Amores-Sesar, I., Cachin, C., & Yeo, M. X. (2024). Eating sandwiches: Modular and lightweight elimination of transaction reordering attacks. In 27th International Conference on Principles of Distributed Systems (Vol. 286). Tokyo, Japan: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. https://doi.org/10.4230/LIPIcs.OPODIS.2023.12","ieee":"O. Alpos, I. Amores-Sesar, C. Cachin, and M. X. Yeo, “Eating sandwiches: Modular and lightweight elimination of transaction reordering attacks,” in 27th International Conference on Principles of Distributed Systems, Tokyo, Japan, 2024, vol. 286.","short":"O. Alpos, I. Amores-Sesar, C. Cachin, M.X. Yeo, in:, 27th International Conference on Principles of Distributed Systems, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2024.","chicago":"Alpos, Orestis, Ignacio Amores-Sesar, Christian Cachin, and Michelle X Yeo. “Eating Sandwiches: Modular and Lightweight Elimination of Transaction Reordering Attacks.” In 27th International Conference on Principles of Distributed Systems, Vol. 286. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2024. https://doi.org/10.4230/LIPIcs.OPODIS.2023.12.","ista":"Alpos O, Amores-Sesar I, Cachin C, Yeo MX. 2024. Eating sandwiches: Modular and lightweight elimination of transaction reordering attacks. 27th International Conference on Principles of Distributed Systems. OPODIS: Conference on Principles of Distributed Systems, LIPIcs, vol. 286, 12."},"title":"Eating sandwiches: Modular and lightweight elimination of transaction reordering attacks","article_processing_charge":"No","external_id":{"arxiv":["2307.02954"]},"author":[{"last_name":"Alpos","full_name":"Alpos, Orestis","first_name":"Orestis"},{"full_name":"Amores-Sesar, Ignacio","last_name":"Amores-Sesar","first_name":"Ignacio"},{"first_name":"Christian","full_name":"Cachin, Christian","last_name":"Cachin"},{"first_name":"Michelle X","id":"2D82B818-F248-11E8-B48F-1D18A9856A87","last_name":"Yeo","full_name":"Yeo, Michelle X"}],"acknowledgement":"We would like to thank Krzysztof Pietrzak and Jovana Mićić for useful discussions. This work has been funded by the Swiss National Science Foundation (SNSF) under grant agreement Nr. 200021_188443 (Advanced Consensus Protocols).\r\n","oa":1,"quality_controlled":"1","publisher":"Schloss Dagstuhl - Leibniz-Zentrum für Informatik","publication":"27th International Conference on Principles of Distributed Systems","day":"18","year":"2024","has_accepted_license":"1","date_created":"2024-02-18T23:01:02Z","date_published":"2024-01-18T00:00:00Z","doi":"10.4230/LIPIcs.OPODIS.2023.12","_id":"15007","status":"public","conference":{"location":"Tokyo, Japan","end_date":"2023-12-08","start_date":"2023-12-06","name":"OPODIS: Conference on Principles of Distributed Systems"},"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"type":"conference","ddc":["000"],"date_updated":"2024-02-26T10:18:18Z","file_date_updated":"2024-02-26T10:16:57Z","department":[{"_id":"KrPi"}],"oa_version":"Published Version","abstract":[{"lang":"eng","text":"Traditional blockchains grant the miner of a block full control not only over which transactions but also their order. This constitutes a major flaw discovered with the introduction of decentralized finance and allows miners to perform MEV attacks. In this paper, we address the issue of sandwich attacks by providing a construction that takes as input a blockchain protocol and outputs a new blockchain protocol with the same security but in which sandwich attacks are not profitable. Furthermore, our protocol is fully decentralized with no trusted third parties or heavy cryptography primitives and carries a linear increase in latency and minimum computation overhead."}],"intvolume":" 286","month":"01","scopus_import":"1","alternative_title":["LIPIcs"],"language":[{"iso":"eng"}],"file":[{"content_type":"application/pdf","relation":"main_file","access_level":"open_access","success":1,"checksum":"2993e810a45e8c8056106834b07aea92","file_id":"15031","file_size":1505994,"date_updated":"2024-02-26T10:16:57Z","creator":"dernst","file_name":"2024_LIPICs_Alpos.pdf","date_created":"2024-02-26T10:16:57Z"}],"publication_status":"published","publication_identifier":{"issn":["1868-8969"],"isbn":["9783959773089"]},"license":"https://creativecommons.org/licenses/by/4.0/","volume":286},{"_id":"13143","conference":{"name":"PKC: Public-Key Cryptography","end_date":"2023-05-10","location":"Atlanta, GA, United States","start_date":"2023-05-07"},"type":"conference","status":"public","date_updated":"2023-06-19T08:03:37Z","department":[{"_id":"KrPi"}],"abstract":[{"text":"GIMPS and PrimeGrid are large-scale distributed projects dedicated to searching giant prime numbers, usually of special forms like Mersenne and Proth primes. The numbers in the current search-space are millions of digits large and the participating volunteers need to run resource-consuming primality tests. Once a candidate prime N has been found, the only way for another party to independently verify the primality of N used to be by repeating the expensive primality test. To avoid the need for second recomputation of each primality test, these projects have recently adopted certifying mechanisms that enable efficient verification of performed tests. However, the mechanisms presently in place only detect benign errors and there is no guarantee against adversarial behavior: a malicious volunteer can mislead the project to reject a giant prime as being non-prime.\r\nIn this paper, we propose a practical, cryptographically-sound mechanism for certifying the non-primality of Proth numbers. That is, a volunteer can – parallel to running the primality test for N – generate an efficiently verifiable proof at a little extra cost certifying that N is not prime. The interactive protocol has statistical soundness and can be made non-interactive using the Fiat-Shamir heuristic.\r\nOur approach is based on a cryptographic primitive called Proof of Exponentiation (PoE) which, for a group G, certifies that a tuple (x,y,T)∈G2×N satisfies x2T=y (Pietrzak, ITCS 2019 and Wesolowski, J. Cryptol. 2020). In particular, we show how to adapt Pietrzak’s PoE at a moderate additional cost to make it a cryptographically-sound certificate of non-primality.","lang":"eng"}],"oa_version":"Submitted Version","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2023/238"}],"alternative_title":["LNCS"],"scopus_import":"1","intvolume":" 13940","month":"05","publication_status":"published","publication_identifier":{"issn":["0302-9743"],"isbn":["9783031313677"],"eissn":["1611-3349"]},"language":[{"iso":"eng"}],"volume":13940,"citation":{"short":"C. Hoffmann, P. Hubáček, C. Kamath, K.Z. Pietrzak, in:, Public-Key Cryptography - PKC 2023, Springer Nature, 2023, pp. 530–553.","ieee":"C. Hoffmann, P. Hubáček, C. Kamath, and K. Z. Pietrzak, “Certifying giant nonprimes,” in Public-Key Cryptography - PKC 2023, Atlanta, GA, United States, 2023, vol. 13940, pp. 530–553.","ama":"Hoffmann C, Hubáček P, Kamath C, Pietrzak KZ. Certifying giant nonprimes. In: Public-Key Cryptography - PKC 2023. Vol 13940. Springer Nature; 2023:530-553. doi:10.1007/978-3-031-31368-4_19","apa":"Hoffmann, C., Hubáček, P., Kamath, C., & Pietrzak, K. Z. (2023). Certifying giant nonprimes. In Public-Key Cryptography - PKC 2023 (Vol. 13940, pp. 530–553). Atlanta, GA, United States: Springer Nature. https://doi.org/10.1007/978-3-031-31368-4_19","mla":"Hoffmann, Charlotte, et al. “Certifying Giant Nonprimes.” Public-Key Cryptography - PKC 2023, vol. 13940, Springer Nature, 2023, pp. 530–53, doi:10.1007/978-3-031-31368-4_19.","ista":"Hoffmann C, Hubáček P, Kamath C, Pietrzak KZ. 2023. Certifying giant nonprimes. Public-Key Cryptography - PKC 2023. PKC: Public-Key Cryptography, LNCS, vol. 13940, 530–553.","chicago":"Hoffmann, Charlotte, Pavel Hubáček, Chethan Kamath, and Krzysztof Z Pietrzak. “Certifying Giant Nonprimes.” In Public-Key Cryptography - PKC 2023, 13940:530–53. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-31368-4_19."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","article_processing_charge":"No","author":[{"full_name":"Hoffmann, Charlotte","last_name":"Hoffmann","id":"0f78d746-dc7d-11ea-9b2f-83f92091afe7","first_name":"Charlotte"},{"full_name":"Hubáček, Pavel","last_name":"Hubáček","first_name":"Pavel"},{"first_name":"Chethan","last_name":"Kamath","full_name":"Kamath, Chethan"},{"last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"}],"title":"Certifying giant nonprimes","acknowledgement":"We are grateful to Pavel Atnashev for clarifying via e-mail several aspects of the primality tests implementated in the PrimeGrid project. Pavel Hubáček is supported by the Czech Academy of Sciences (RVO 67985840), the Grant Agency of the Czech Republic under the grant agreement no. 19-27871X, and by the Charles University project UNCE/SCI/004. Chethan Kamath is supported by Azrieli International Postdoctoral Fellowship, ISF grants 484/18 and 1789/19, and ERC StG project SPP: Secrecy Preserving Proofs.","oa":1,"publisher":"Springer Nature","quality_controlled":"1","year":"2023","publication":"Public-Key Cryptography - PKC 2023","day":"02","page":"530-553","date_created":"2023-06-18T22:00:47Z","date_published":"2023-05-02T00:00:00Z","doi":"10.1007/978-3-031-31368-4_19"},{"title":"Long-lived counters with polylogarithmic amortized step complexity","author":[{"first_name":"Mirza Ahad","id":"3EDE6DE4-AA5A-11E9-986D-341CE6697425","last_name":"Baig","full_name":"Baig, Mirza Ahad"},{"full_name":"Hendler, Danny","last_name":"Hendler","first_name":"Danny"},{"full_name":"Milani, Alessia","last_name":"Milani","first_name":"Alessia"},{"full_name":"Travers, Corentin","last_name":"Travers","first_name":"Corentin"}],"external_id":{"isi":["000890138700001"]},"article_processing_charge":"No","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"ista":"Baig MA, Hendler D, Milani A, Travers C. 2023. Long-lived counters with polylogarithmic amortized step complexity. Distributed Computing. 36, 29–43.","chicago":"Baig, Mirza Ahad, Danny Hendler, Alessia Milani, and Corentin Travers. “Long-Lived Counters with Polylogarithmic Amortized Step Complexity.” Distributed Computing. Springer Nature, 2023. https://doi.org/10.1007/s00446-022-00439-5.","short":"M.A. Baig, D. Hendler, A. Milani, C. Travers, Distributed Computing 36 (2023) 29–43.","ieee":"M. A. Baig, D. Hendler, A. Milani, and C. Travers, “Long-lived counters with polylogarithmic amortized step complexity,” Distributed Computing, vol. 36. Springer Nature, pp. 29–43, 2023.","apa":"Baig, M. A., Hendler, D., Milani, A., & Travers, C. (2023). Long-lived counters with polylogarithmic amortized step complexity. Distributed Computing. Springer Nature. https://doi.org/10.1007/s00446-022-00439-5","ama":"Baig MA, Hendler D, Milani A, Travers C. Long-lived counters with polylogarithmic amortized step complexity. Distributed Computing. 2023;36:29-43. doi:10.1007/s00446-022-00439-5","mla":"Baig, Mirza Ahad, et al. “Long-Lived Counters with Polylogarithmic Amortized Step Complexity.” Distributed Computing, vol. 36, Springer Nature, 2023, pp. 29–43, doi:10.1007/s00446-022-00439-5."},"doi":"10.1007/s00446-022-00439-5","date_published":"2023-03-01T00:00:00Z","date_created":"2023-01-12T12:10:08Z","page":"29-43","day":"01","publication":"Distributed Computing","isi":1,"year":"2023","quality_controlled":"1","publisher":"Springer Nature","oa":1,"acknowledgement":"A preliminary version of this work appeared in DISC’19. Mirza Ahad Baig, Alessia Milani and Corentin Travers are supported by ANR projects Descartes and FREDDA. Mirza Ahad Baig is supported by UMI Relax. Danny Hendler is supported by the Israel Science Foundation (Grants 380/18 and 1425/22).","department":[{"_id":"KrPi"}],"date_updated":"2023-08-16T08:39:36Z","status":"public","keyword":["Computational Theory and Mathematics","Computer Networks and Communications","Hardware and Architecture","Theoretical Computer Science"],"type":"journal_article","article_type":"original","_id":"12164","volume":36,"language":[{"iso":"eng"}],"publication_identifier":{"eissn":["1432-0452"],"issn":["0178-2770"]},"publication_status":"published","month":"03","intvolume":" 36","scopus_import":"1","main_file_link":[{"url":"https://drops.dagstuhl.de/opus/volltexte/2019/11310/","open_access":"1"}],"oa_version":"Preprint","abstract":[{"text":"A shared-memory counter is a widely-used and well-studied concurrent object. It supports two operations: An Inc operation that increases its value by 1 and a Read operation that returns its current value. In Jayanti et al (SIAM J Comput, 30(2), 2000), Jayanti, Tan and Toueg proved a linear lower bound on the worst-case step complexity of obstruction-free implementations, from read-write registers, of a large class of shared objects that includes counters. The lower bound leaves open the question of finding counter implementations with sub-linear amortized step complexity. In this work, we address this gap. We show that n-process, wait-free and linearizable counters can be implemented from read-write registers with O(log2n) amortized step complexity. This is the first counter algorithm from read-write registers that provides sub-linear amortized step complexity in executions of arbitrary length. Since a logarithmic lower bound on the amortized step complexity of obstruction-free counter implementations exists, our upper bound is within a logarithmic factor of the optimal. The worst-case step complexity of the construction remains linear, which is optimal. This is obtained thanks to a new max register construction with O(logn) amortized step complexity in executions of arbitrary length in which the value stored in the register does not grow too quickly. We then leverage an existing counter algorithm by Aspnes, Attiya and Censor-Hillel [1] in which we “plug” our max register implementation to show that it remains linearizable while achieving O(log2n) amortized step complexity.","lang":"eng"}]},{"oa":1,"quality_controlled":"1","publisher":"Springer Nature","year":"2023","publication":"43rd Annual International Cryptology Conference","day":"09","page":"514-546","date_created":"2023-10-15T22:01:11Z","date_published":"2023-08-09T00:00:00Z","doi":"10.1007/978-3-031-38545-2_17","citation":{"mla":"Dodis, Yevgeniy, et al. “Random Oracle Combiners: Breaking the Concatenation Barrier for Collision-Resistance.” 43rd Annual International Cryptology Conference, vol. 14082, Springer Nature, 2023, pp. 514–46, doi:10.1007/978-3-031-38545-2_17.","apa":"Dodis, Y., Ferguson, N., Goldin, E., Hall, P., & Pietrzak, K. Z. (2023). Random oracle combiners: Breaking the concatenation barrier for collision-resistance. In 43rd Annual International Cryptology Conference (Vol. 14082, pp. 514–546). Santa Barbara, CA, United States: Springer Nature. https://doi.org/10.1007/978-3-031-38545-2_17","ama":"Dodis Y, Ferguson N, Goldin E, Hall P, Pietrzak KZ. Random oracle combiners: Breaking the concatenation barrier for collision-resistance. In: 43rd Annual International Cryptology Conference. Vol 14082. Springer Nature; 2023:514-546. doi:10.1007/978-3-031-38545-2_17","ieee":"Y. Dodis, N. Ferguson, E. Goldin, P. Hall, and K. Z. Pietrzak, “Random oracle combiners: Breaking the concatenation barrier for collision-resistance,” in 43rd Annual International Cryptology Conference, Santa Barbara, CA, United States, 2023, vol. 14082, pp. 514–546.","short":"Y. Dodis, N. Ferguson, E. Goldin, P. Hall, K.Z. Pietrzak, in:, 43rd Annual International Cryptology Conference, Springer Nature, 2023, pp. 514–546.","chicago":"Dodis, Yevgeniy, Niels Ferguson, Eli Goldin, Peter Hall, and Krzysztof Z Pietrzak. “Random Oracle Combiners: Breaking the Concatenation Barrier for Collision-Resistance.” In 43rd Annual International Cryptology Conference, 14082:514–46. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-38545-2_17.","ista":"Dodis Y, Ferguson N, Goldin E, Hall P, Pietrzak KZ. 2023. Random oracle combiners: Breaking the concatenation barrier for collision-resistance. 43rd Annual International Cryptology Conference. CRYPTO: Advances in Cryptology, LNCS, vol. 14082, 514–546."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","article_processing_charge":"No","author":[{"first_name":"Yevgeniy","full_name":"Dodis, Yevgeniy","last_name":"Dodis"},{"first_name":"Niels","full_name":"Ferguson, Niels","last_name":"Ferguson"},{"full_name":"Goldin, Eli","last_name":"Goldin","first_name":"Eli"},{"first_name":"Peter","last_name":"Hall","full_name":"Hall, Peter"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654"}],"title":"Random oracle combiners: Breaking the concatenation barrier for collision-resistance","abstract":[{"text":"Suppose we have two hash functions h1 and h2, but we trust the security of only one of them. To mitigate this worry, we wish to build a hash combiner Ch1,h2 which is secure so long as one of the underlying hash functions is. This question has been well-studied in the regime of collision resistance. In this case, concatenating the two hash function outputs clearly works. Unfortunately, a long series of works (Boneh and Boyen, CRYPTO’06; Pietrzak, Eurocrypt’07; Pietrzak, CRYPTO’08) showed no (noticeably) shorter combiner for collision resistance is possible.\r\nIn this work, we revisit this pessimistic state of affairs, motivated by the observation that collision-resistance is insufficient for many interesting applications of cryptographic hash functions anyway. We argue the right formulation of the “hash combiner” is to build what we call random oracle (RO) combiners, utilizing stronger assumptions for stronger constructions.\r\nIndeed, we circumvent the previous lower bounds for collision resistance by constructing a simple length-preserving RO combiner C˜h1,h2Z1,Z2(M)=h1(M,Z1)⊕h2(M,Z2),where Z1,Z2\r\n are random salts of appropriate length. We show that this extra randomness is necessary for RO combiners, and indeed our construction is somewhat tight with this lower bound.\r\nOn the negative side, we show that one cannot generically apply the composition theorem to further replace “monolithic” hash functions h1 and h2 by some simpler indifferentiable construction (such as the Merkle-Damgård transformation) from smaller components, such as fixed-length compression functions. Finally, despite this issue, we directly prove collision resistance of the Merkle-Damgård variant of our combiner, where h1 and h2 are replaced by iterative Merkle-Damgård hashes applied to a fixed-length compression function. Thus, we can still subvert the concatenation barrier for collision-resistance combiners while utilizing practically small fixed-length components underneath.","lang":"eng"}],"oa_version":"Preprint","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2023/1041"}],"scopus_import":"1","alternative_title":["LNCS"],"intvolume":" 14082","month":"08","publication_status":"published","publication_identifier":{"issn":["0302-9743"],"isbn":["9783031385445"],"eissn":["1611-3349"]},"language":[{"iso":"eng"}],"volume":14082,"_id":"14428","conference":{"end_date":"2023-08-24","location":"Santa Barbara, CA, United States","start_date":"2023-08-20","name":"CRYPTO: Advances in Cryptology"},"type":"conference","status":"public","date_updated":"2023-10-16T08:02:11Z","department":[{"_id":"KrPi"}]},{"volume":14168,"publication_identifier":{"isbn":["9783031444685"],"eissn":["1611-3349"],"issn":["0302-9743"]},"publication_status":"published","language":[{"iso":"eng"}],"scopus_import":"1","alternative_title":["LNCS"],"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2023/1017"}],"month":"10","intvolume":" 14168","abstract":[{"lang":"eng","text":"Threshold secret sharing allows a dealer to split a secret s into n shares, such that any t shares allow for reconstructing s, but no t-1 shares reveal any information about s. Leakage-resilient secret sharing requires that the secret remains hidden, even when an adversary additionally obtains a limited amount of leakage from every share. Benhamouda et al. (CRYPTO’18) proved that Shamir’s secret sharing scheme is one bit leakage-resilient for reconstruction threshold t≥0.85n and conjectured that the same holds for t = c.n for any constant 0≤c≤1. Nielsen and Simkin (EUROCRYPT’20) showed that this is the best one can hope for by proving that Shamir’s scheme is not secure against one-bit leakage when t0c.n/log(n).\r\nIn this work, we strengthen the lower bound of Nielsen and Simkin. We consider noisy leakage-resilience, where a random subset of leakages is replaced by uniformly random noise. We prove a lower bound for Shamir’s secret sharing, similar to that of Nielsen and Simkin, which holds even when a constant fraction of leakages is replaced by random noise. To this end, we first prove a lower bound on the share size of any noisy-leakage-resilient sharing scheme. We then use this lower bound to show that there exist universal constants c1, c2, such that for sufficiently large n it holds that Shamir’s secret sharing scheme is not noisy-leakage-resilient for t≤c1.n/log(n), even when a c2 fraction of leakages are replaced by random noise.\r\n\r\n\r\n\r\n"}],"oa_version":"Preprint","department":[{"_id":"KrPi"}],"date_updated":"2023-10-31T11:43:12Z","type":"conference","conference":{"name":"LATINCRYPT: Conference on Cryptology and Information Security in Latin America","start_date":"2023-10-03","location":"Quito, Ecuador","end_date":"2023-10-06"},"status":"public","_id":"14457","page":"215-228","date_published":"2023-10-01T00:00:00Z","doi":"10.1007/978-3-031-44469-2_11","date_created":"2023-10-29T23:01:16Z","year":"2023","day":"01","publication":"8th International Conference on Cryptology and Information Security in Latin America","publisher":"Springer Nature","quality_controlled":"1","oa":1,"author":[{"first_name":"Charlotte","id":"0f78d746-dc7d-11ea-9b2f-83f92091afe7","last_name":"Hoffmann","orcid":"0000-0003-2027-5549","full_name":"Hoffmann, Charlotte"},{"first_name":"Mark","full_name":"Simkin, Mark","last_name":"Simkin"}],"article_processing_charge":"No","title":"Stronger lower bounds for leakage-resilient secret sharing","citation":{"chicago":"Hoffmann, Charlotte, and Mark Simkin. “Stronger Lower Bounds for Leakage-Resilient Secret Sharing.” In 8th International Conference on Cryptology and Information Security in Latin America, 14168:215–28. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-44469-2_11.","ista":"Hoffmann C, Simkin M. 2023. Stronger lower bounds for leakage-resilient secret sharing. 8th International Conference on Cryptology and Information Security in Latin America. LATINCRYPT: Conference on Cryptology and Information Security in Latin America, LNCS, vol. 14168, 215–228.","mla":"Hoffmann, Charlotte, and Mark Simkin. “Stronger Lower Bounds for Leakage-Resilient Secret Sharing.” 8th International Conference on Cryptology and Information Security in Latin America, vol. 14168, Springer Nature, 2023, pp. 215–28, doi:10.1007/978-3-031-44469-2_11.","ieee":"C. Hoffmann and M. Simkin, “Stronger lower bounds for leakage-resilient secret sharing,” in 8th International Conference on Cryptology and Information Security in Latin America, Quito, Ecuador, 2023, vol. 14168, pp. 215–228.","short":"C. Hoffmann, M. Simkin, in:, 8th International Conference on Cryptology and Information Security in Latin America, Springer Nature, 2023, pp. 215–228.","apa":"Hoffmann, C., & Simkin, M. (2023). Stronger lower bounds for leakage-resilient secret sharing. In 8th International Conference on Cryptology and Information Security in Latin America (Vol. 14168, pp. 215–228). Quito, Ecuador: Springer Nature. https://doi.org/10.1007/978-3-031-44469-2_11","ama":"Hoffmann C, Simkin M. Stronger lower bounds for leakage-resilient secret sharing. In: 8th International Conference on Cryptology and Information Security in Latin America. Vol 14168. Springer Nature; 2023:215-228. doi:10.1007/978-3-031-44469-2_11"},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87"},{"day":"25","publication":"SIROCCO 2023: Structural Information and Communication Complexity ","year":"2023","date_published":"2023-05-25T00:00:00Z","doi":"10.1007/978-3-031-32733-9_26","date_created":"2023-07-16T22:01:12Z","page":"576-594","acknowledgement":"We thank Mahsa Bastankhah and Mohammad Ali Maddah-Ali for fruitful discussions about different variants of the problem. This work is supported by the European Research Council (ERC) Consolidator Project 864228 (AdjustNet), 2020-2025, the ERC CoG 863818 (ForM-SMArt), and the German Research Foundation (DFG) grant 470029389 (FlexNets), 2021–2024.","quality_controlled":"1","publisher":"Springer Nature","oa":1,"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"ieee":"S. Schmid, J. Svoboda, and M. X. Yeo, “Weighted packet selection for rechargeable links in cryptocurrency networks: Complexity and approximation,” in SIROCCO 2023: Structural Information and Communication Complexity , Alcala de Henares, Spain, 2023, vol. 13892, pp. 576–594.","short":"S. Schmid, J. Svoboda, M.X. Yeo, in:, SIROCCO 2023: Structural Information and Communication Complexity , Springer Nature, 2023, pp. 576–594.","apa":"Schmid, S., Svoboda, J., & Yeo, M. X. (2023). Weighted packet selection for rechargeable links in cryptocurrency networks: Complexity and approximation. In SIROCCO 2023: Structural Information and Communication Complexity (Vol. 13892, pp. 576–594). Alcala de Henares, Spain: Springer Nature. https://doi.org/10.1007/978-3-031-32733-9_26","ama":"Schmid S, Svoboda J, Yeo MX. Weighted packet selection for rechargeable links in cryptocurrency networks: Complexity and approximation. In: SIROCCO 2023: Structural Information and Communication Complexity . Vol 13892. Springer Nature; 2023:576-594. doi:10.1007/978-3-031-32733-9_26","mla":"Schmid, Stefan, et al. “Weighted Packet Selection for Rechargeable Links in Cryptocurrency Networks: Complexity and Approximation.” SIROCCO 2023: Structural Information and Communication Complexity , vol. 13892, Springer Nature, 2023, pp. 576–94, doi:10.1007/978-3-031-32733-9_26.","ista":"Schmid S, Svoboda J, Yeo MX. 2023. Weighted packet selection for rechargeable links in cryptocurrency networks: Complexity and approximation. SIROCCO 2023: Structural Information and Communication Complexity . SIROCCO: Structural Information and Communication Complexity, LNCS, vol. 13892, 576–594.","chicago":"Schmid, Stefan, Jakub Svoboda, and Michelle X Yeo. “Weighted Packet Selection for Rechargeable Links in Cryptocurrency Networks: Complexity and Approximation.” In SIROCCO 2023: Structural Information and Communication Complexity , 13892:576–94. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-32733-9_26."},"title":"Weighted packet selection for rechargeable links in cryptocurrency networks: Complexity and approximation","author":[{"first_name":"Stefan","last_name":"Schmid","full_name":"Schmid, Stefan"},{"id":"130759D2-D7DD-11E9-87D2-DE0DE6697425","first_name":"Jakub","orcid":"0000-0002-1419-3267","full_name":"Svoboda, Jakub","last_name":"Svoboda"},{"first_name":"Michelle X","id":"2D82B818-F248-11E8-B48F-1D18A9856A87","full_name":"Yeo, Michelle X","last_name":"Yeo"}],"article_processing_charge":"No","external_id":{"arxiv":["2204.13459"]},"project":[{"_id":"0599E47C-7A3F-11EA-A408-12923DDC885E","call_identifier":"H2020","grant_number":"863818","name":"Formal Methods for Stochastic Models: Algorithms and Applications"}],"language":[{"iso":"eng"}],"publication_identifier":{"isbn":["9783031327322"],"eissn":["1611-3349"],"issn":["0302-9743"]},"publication_status":"published","related_material":{"record":[{"id":"14506","status":"public","relation":"dissertation_contains"}]},"volume":13892,"ec_funded":1,"oa_version":"Preprint","abstract":[{"text":"We consider a natural problem dealing with weighted packet selection across a rechargeable link, which e.g., finds applications in cryptocurrency networks. The capacity of a link (u, v) is determined by how much nodes u and v allocate for this link. Specifically, the input is a finite ordered sequence of packets that arrive in both directions along a link. Given (u, v) and a packet of weight x going from u to v, node u can either accept or reject the packet. If u accepts the packet, the capacity on link (u, v) decreases by x. Correspondingly, v’s capacity on (u, v) increases by x. If a node rejects the packet, this will entail a cost affinely linear in the weight of the packet. A link is “rechargeable” in the sense that the total capacity of the link has to remain constant, but the allocation of capacity at the ends of the link can depend arbitrarily on the nodes’ decisions. The goal is to minimise the sum of the capacity injected into the link and the cost of rejecting packets. We show that the problem is NP-hard, but can be approximated efficiently with a ratio of (1+ε)⋅(1+3–√) for some arbitrary ε>0.\r\n.","lang":"eng"}],"month":"05","intvolume":" 13892","scopus_import":"1","alternative_title":["LNCS"],"main_file_link":[{"open_access":"1","url":"https://doi.org/10.48550/arXiv.2204.13459"}],"date_updated":"2023-11-30T10:54:51Z","department":[{"_id":"KrPi"},{"_id":"KrCh"}],"_id":"13238","status":"public","type":"conference","conference":{"start_date":"2023-06-06","end_date":"2023-06-09","location":"Alcala de Henares, Spain","name":"SIROCCO: Structural Information and Communication Complexity"}},{"oa_version":"Published Version","abstract":[{"text":"Payment channel networks are a promising approach to improve the scalability bottleneck\r\nof cryptocurrencies. Two design principles behind payment channel networks are\r\nefficiency and privacy. Payment channel networks improve efficiency by allowing users\r\nto transact in a peer-to-peer fashion along multi-hop routes in the network, avoiding\r\nthe lengthy process of consensus on the blockchain. Transacting over payment channel\r\nnetworks also improves privacy as these transactions are not broadcast to the blockchain.\r\nDespite the influx of recent protocols built on top of payment channel networks and\r\ntheir analysis, a common shortcoming of many of these protocols is that they typically\r\nfocus only on either improving efficiency or privacy, but not both. Another limitation\r\non the efficiency front is that the models used to model actions, costs and utilities of\r\nusers are limited or come with unrealistic assumptions.\r\nThis thesis aims to address some of the shortcomings of recent protocols and algorithms\r\non payment channel networks, particularly in their privacy and efficiency aspects. We\r\nfirst present a payment route discovery protocol based on hub labelling and private\r\ninformation retrieval that hides the route query and is also efficient. We then present\r\na rebalancing protocol that formulates the rebalancing problem as a linear program\r\nand solves the linear program using multiparty computation so as to hide the channel\r\nbalances. The rebalancing solution as output by our protocol is also globally optimal.\r\nWe go on to develop more realistic models of the action space, costs, and utilities of\r\nboth existing and new users that want to join the network. In each of these settings,\r\nwe also develop algorithms to optimise the utility of these users with good guarantees\r\non the approximation and competitive ratios.","lang":"eng"}],"month":"11","alternative_title":["ISTA Thesis"],"language":[{"iso":"eng"}],"file":[{"relation":"source_file","access_level":"closed","content_type":"application/x-zip-compressed","file_id":"14598","checksum":"521c72818d720a52b377207b2ee87b6a","creator":"cchlebak","file_size":3037720,"date_updated":"2023-11-23T10:29:55Z","file_name":"thesis_yeo.zip","date_created":"2023-11-23T10:29:55Z"},{"file_name":"thesis_yeo.pdf","date_created":"2023-11-23T10:30:08Z","file_size":2717256,"date_updated":"2023-11-23T10:30:08Z","creator":"cchlebak","success":1,"checksum":"0ed5d16899687aecf13d843c9878c9f2","file_id":"14599","content_type":"application/pdf","relation":"main_file","access_level":"open_access"}],"degree_awarded":"PhD","publication_status":"published","publication_identifier":{"issn":["2663 - 337X"]},"ec_funded":1,"related_material":{"record":[{"status":"public","id":"9969","relation":"part_of_dissertation"},{"id":"13238","status":"public","relation":"part_of_dissertation"},{"relation":"part_of_dissertation","id":"14490","status":"public"}]},"_id":"14506","status":"public","type":"dissertation","ddc":["000"],"date_updated":"2023-11-30T10:54:51Z","supervisor":[{"full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"}],"file_date_updated":"2023-11-23T10:30:08Z","department":[{"_id":"GradSch"},{"_id":"KrPi"}],"oa":1,"publisher":"Institute of Science and Technology Austria","day":"10","year":"2023","has_accepted_license":"1","date_created":"2023-11-10T08:10:43Z","date_published":"2023-11-10T00:00:00Z","doi":"10.15479/14506","page":"162","project":[{"grant_number":"665385","name":"International IST Doctoral Program","_id":"2564DBCA-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}],"user_id":"8b945eb4-e2f2-11eb-945a-df72226e66a9","citation":{"mla":"Yeo, Michelle X. Advances in Efficiency and Privacy in Payment Channel Network Analysis. Institute of Science and Technology Austria, 2023, doi:10.15479/14506.","short":"M.X. Yeo, Advances in Efficiency and Privacy in Payment Channel Network Analysis, Institute of Science and Technology Austria, 2023.","ieee":"M. X. Yeo, “Advances in efficiency and privacy in payment channel network analysis,” Institute of Science and Technology Austria, 2023.","apa":"Yeo, M. X. (2023). Advances in efficiency and privacy in payment channel network analysis. Institute of Science and Technology Austria. https://doi.org/10.15479/14506","ama":"Yeo MX. Advances in efficiency and privacy in payment channel network analysis. 2023. doi:10.15479/14506","chicago":"Yeo, Michelle X. “Advances in Efficiency and Privacy in Payment Channel Network Analysis.” Institute of Science and Technology Austria, 2023. https://doi.org/10.15479/14506.","ista":"Yeo MX. 2023. Advances in efficiency and privacy in payment channel network analysis. Institute of Science and Technology Austria."},"title":"Advances in efficiency and privacy in payment channel network analysis","article_processing_charge":"No","author":[{"id":"2D82B818-F248-11E8-B48F-1D18A9856A87","first_name":"Michelle X","last_name":"Yeo","full_name":"Yeo, Michelle X"}]},{"_id":"14490","conference":{"start_date":"2023-07-18","end_date":"2023-07-21","location":"Hong Kong, China","name":"ICDCS: International Conference on Distributed Computing Systems"},"type":"conference","status":"public","date_updated":"2023-11-30T10:54:51Z","department":[{"_id":"KrPi"}],"abstract":[{"lang":"eng","text":"Payment channel networks (PCNs) are a promising solution to the scalability problem of cryptocurrencies. Any two users connected by a payment channel in the network can theoretically send an unbounded number of instant, costless transactions between them. Users who are not directly connected can also transact with each other in a multi-hop fashion. In this work, we study the incentive structure behind the creation of payment channel networks, particularly from the point of view of a single user that wants to join the network. We define a utility function for a new user in terms of expected revenue, expected fees, and the cost of creating channels, and then provide constant factor approximation algorithms that optimise the utility function given a certain budget. Additionally, we take a step back from a single user to the whole network and examine the parameter spaces under which simple graph topologies form a Nash equilibrium."}],"oa_version":"Preprint","main_file_link":[{"open_access":"1","url":"https://doi.org/10.48550/arXiv.2306.16006"}],"scopus_import":"1","intvolume":" 2023","month":"10","publication_status":"published","publication_identifier":{"isbn":["9798350339864"],"eissn":["2575-8411"]},"language":[{"iso":"eng"}],"volume":2023,"related_material":{"record":[{"relation":"dissertation_contains","status":"public","id":"14506"}]},"citation":{"chicago":"Avarikioti, Zeta, Tomasz Lizurej, Tomasz Michalak, and Michelle X Yeo. “Lightning Creation Games.” In 43rd International Conference on Distributed Computing Systems, 2023:603–13. IEEE, 2023. https://doi.org/10.1109/ICDCS57875.2023.00037.","ista":"Avarikioti Z, Lizurej T, Michalak T, Yeo MX. 2023. Lightning creation games. 43rd International Conference on Distributed Computing Systems. ICDCS: International Conference on Distributed Computing Systems vol. 2023, 603–613.","mla":"Avarikioti, Zeta, et al. “Lightning Creation Games.” 43rd International Conference on Distributed Computing Systems, vol. 2023, IEEE, 2023, pp. 603–13, doi:10.1109/ICDCS57875.2023.00037.","ieee":"Z. Avarikioti, T. Lizurej, T. Michalak, and M. X. Yeo, “Lightning creation games,” in 43rd International Conference on Distributed Computing Systems, Hong Kong, China, 2023, vol. 2023, pp. 603–613.","short":"Z. Avarikioti, T. Lizurej, T. Michalak, M.X. Yeo, in:, 43rd International Conference on Distributed Computing Systems, IEEE, 2023, pp. 603–613.","ama":"Avarikioti Z, Lizurej T, Michalak T, Yeo MX. Lightning creation games. In: 43rd International Conference on Distributed Computing Systems. Vol 2023. IEEE; 2023:603-613. doi:10.1109/ICDCS57875.2023.00037","apa":"Avarikioti, Z., Lizurej, T., Michalak, T., & Yeo, M. X. (2023). Lightning creation games. In 43rd International Conference on Distributed Computing Systems (Vol. 2023, pp. 603–613). Hong Kong, China: IEEE. https://doi.org/10.1109/ICDCS57875.2023.00037"},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","external_id":{"arxiv":["2306.16006"]},"article_processing_charge":"No","author":[{"first_name":"Zeta","full_name":"Avarikioti, Zeta","last_name":"Avarikioti"},{"full_name":"Lizurej, Tomasz","last_name":"Lizurej","first_name":"Tomasz"},{"first_name":"Tomasz","last_name":"Michalak","full_name":"Michalak, Tomasz"},{"last_name":"Yeo","full_name":"Yeo, Michelle X","id":"2D82B818-F248-11E8-B48F-1D18A9856A87","first_name":"Michelle X"}],"title":"Lightning creation games","acknowledgement":"The work was partially supported by the Austrian Science Fund (FWF) through the project CoRaF (grant 2020388). It was also partially supported by NCN Grant 2019/35/B/ST6/04138 and ERC Grant 885666.","oa":1,"quality_controlled":"1","publisher":"IEEE","year":"2023","publication":"43rd International Conference on Distributed Computing Systems","day":"11","page":"603-613","date_created":"2023-11-05T23:00:54Z","date_published":"2023-10-11T00:00:00Z","doi":"10.1109/ICDCS57875.2023.00037"},{"date_updated":"2023-12-18T09:00:00Z","department":[{"_id":"KrPi"}],"_id":"14693","status":"public","conference":{"name":"TCC: Theory of Cryptography","location":"Taipei, Taiwan","end_date":"2023-12-02","start_date":"2023-11-29"},"type":"conference","language":[{"iso":"eng"}],"publication_identifier":{"isbn":["9783031486234"],"eissn":["1611-3349"],"issn":["0302-9743"]},"volume":14372,"oa_version":"Preprint","abstract":[{"lang":"eng","text":"Lucas sequences are constant-recursive integer sequences with a long history of applications in cryptography, both in the design of cryptographic schemes and cryptanalysis. In this work, we study the sequential hardness of computing Lucas sequences over an RSA modulus.\r\nFirst, we show that modular Lucas sequences are at least as sequentially hard as the classical delay function given by iterated modular squaring proposed by Rivest, Shamir, and Wagner (MIT Tech. Rep. 1996) in the context of time-lock puzzles. Moreover, there is no obvious reduction in the other direction, which suggests that the assumption of sequential hardness of modular Lucas sequences is strictly weaker than that of iterated modular squaring. In other words, the sequential hardness of modular Lucas sequences might hold even in the case of an algorithmic improvement violating the sequential hardness of iterated modular squaring.\r\nSecond, we demonstrate the feasibility of constructing practically-efficient verifiable delay functions based on the sequential hardness of modular Lucas sequences. Our construction builds on the work of Pietrzak (ITCS 2019) by leveraging the intrinsic connection between the problem of computing modular Lucas sequences and exponentiation in an appropriate extension field."}],"intvolume":" 14372","month":"11","main_file_link":[{"url":"https://eprint.iacr.org/2023/1404","open_access":"1"}],"alternative_title":["LNCS"],"scopus_import":"1","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"apa":"Hoffmann, C., Hubáček, P., Kamath, C., & Krňák, T. (2023). (Verifiable) delay functions from Lucas sequences. In 21st International Conference on Theory of Cryptography (Vol. 14372, pp. 336–362). Taipei, Taiwan: Springer Nature. https://doi.org/10.1007/978-3-031-48624-1_13","ama":"Hoffmann C, Hubáček P, Kamath C, Krňák T. (Verifiable) delay functions from Lucas sequences. In: 21st International Conference on Theory of Cryptography. Vol 14372. Springer Nature; 2023:336-362. doi:10.1007/978-3-031-48624-1_13","short":"C. Hoffmann, P. Hubáček, C. Kamath, T. Krňák, in:, 21st International Conference on Theory of Cryptography, Springer Nature, 2023, pp. 336–362.","ieee":"C. Hoffmann, P. Hubáček, C. Kamath, and T. Krňák, “(Verifiable) delay functions from Lucas sequences,” in 21st International Conference on Theory of Cryptography, Taipei, Taiwan, 2023, vol. 14372, pp. 336–362.","mla":"Hoffmann, Charlotte, et al. “(Verifiable) Delay Functions from Lucas Sequences.” 21st International Conference on Theory of Cryptography, vol. 14372, Springer Nature, 2023, pp. 336–62, doi:10.1007/978-3-031-48624-1_13.","ista":"Hoffmann C, Hubáček P, Kamath C, Krňák T. 2023. (Verifiable) delay functions from Lucas sequences. 21st International Conference on Theory of Cryptography. TCC: Theory of Cryptography, LNCS, vol. 14372, 336–362.","chicago":"Hoffmann, Charlotte, Pavel Hubáček, Chethan Kamath, and Tomáš Krňák. “(Verifiable) Delay Functions from Lucas Sequences.” In 21st International Conference on Theory of Cryptography, 14372:336–62. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-48624-1_13."},"title":"(Verifiable) delay functions from Lucas sequences","article_processing_charge":"No","author":[{"orcid":"0000-0003-2027-5549","full_name":"Hoffmann, Charlotte","last_name":"Hoffmann","first_name":"Charlotte","id":"0f78d746-dc7d-11ea-9b2f-83f92091afe7"},{"last_name":"Hubáček","full_name":"Hubáček, Pavel","first_name":"Pavel"},{"first_name":"Chethan","last_name":"Kamath","full_name":"Kamath, Chethan"},{"last_name":"Krňák","full_name":"Krňák, Tomáš","first_name":"Tomáš"}],"publication":"21st International Conference on Theory of Cryptography","day":"27","year":"2023","date_created":"2023-12-17T23:00:54Z","date_published":"2023-11-27T00:00:00Z","doi":"10.1007/978-3-031-48624-1_13","page":"336-362","acknowledgement":"Home Theory of Cryptography Conference paper\r\n(Verifiable) Delay Functions from Lucas Sequences\r\nDownload book PDF\r\nDownload book EPUB\r\nSimilar content being viewed by others\r\n\r\nSlider with three content items shown per slide. Use the Previous and Next buttons to navigate the slides or the slide controller buttons at the end to navigate through each slide.\r\nPrevious slide\r\nGeneric-Group Delay Functions Require Hidden-Order Groups\r\nChapter© 2020\r\n\r\nShifted powers in Lucas–Lehmer sequences\r\nArticle30 January 2019\r\n\r\nA New Class of Trapdoor Verifiable Delay Functions\r\nChapter© 2023\r\n\r\nWeak Pseudoprimality Associated with the Generalized Lucas Sequences\r\nChapter© 2022\r\n\r\nOn the Security of Time-Lock Puzzles and Timed Commitments\r\nChapter© 2020\r\n\r\nGeneration of full cycles by a composition of NLFSRs\r\nArticle08 March 2014\r\n\r\nCryptographically Strong de Bruijn Sequences with Large Periods\r\nChapter© 2013\r\n\r\nOpen Problems on With-Carry Sequence Generators\r\nChapter© 2014\r\n\r\nGenerically Speeding-Up Repeated Squaring Is Equivalent to Factoring: Sharp Thresholds for All Generic-Ring Delay Functions\r\nChapter© 2020\r\n\r\nNext slide\r\nGo to slide 1\r\nGo to slide 2\r\nGo to slide 3\r\n(Verifiable) Delay Functions from Lucas Sequences\r\nCharlotte Hoffmann, Pavel Hubáček, Chethan Kamath & Tomáš Krňák \r\nConference paper\r\nFirst Online: 27 November 2023\r\n83 Accesses\r\n\r\nPart of the Lecture Notes in Computer Science book series (LNCS,volume 14372)\r\n\r\nAbstract\r\nLucas sequences are constant-recursive integer sequences with a long history of applications in cryptography, both in the design of cryptographic schemes and cryptanalysis. In this work, we study the sequential hardness of computing Lucas sequences over an RSA modulus.\r\n\r\nFirst, we show that modular Lucas sequences are at least as sequentially hard as the classical delay function given by iterated modular squaring proposed by Rivest, Shamir, and Wagner (MIT Tech. Rep. 1996) in the context of time-lock puzzles. Moreover, there is no obvious reduction in the other direction, which suggests that the assumption of sequential hardness of modular Lucas sequences is strictly weaker than that of iterated modular squaring. In other words, the sequential hardness of modular Lucas sequences might hold even in the case of an algorithmic improvement violating the sequential hardness of iterated modular squaring.\r\n\r\nSecond, we demonstrate the feasibility of constructing practically-efficient verifiable delay functions based on the sequential hardness of modular Lucas sequences. Our construction builds on the work of Pietrzak (ITCS 2019) by leveraging the intrinsic connection between the problem of computing modular Lucas sequences and exponentiation in an appropriate extension field.\r\n\r\nKeywords\r\nDelay functions\r\nVerifiable delay functions\r\nLucas sequences\r\nDownload conference paper PDF\r\n\r\n1 Introduction\r\nA verifiable delay function (VDF) \r\n is a function that satisfies two properties. First, it is a delay function, which means it must take a prescribed (wall) time T to compute f, irrespective of the amount of parallelism available. Second, it should be possible for anyone to quickly verify – say, given a short proof \r\n – the value of the function (even without resorting to parallelism), where by quickly we mean that the verification time should be independent of or significantly smaller than T (e.g., logarithmic in T). If we drop either of the two requirements, then the primitive turns out trivial to construct. For instance, for an appropriately chosen hash function h, the delay function \r\n defined by T-times iterated hashing of the input is a natural heuristic for an inherently sequential task which, however, seems hard to verify more efficiently than by recomputing. On the other hand, the identity function \r\n is trivial to verify but also easily computable. Designing a simple function satisfying the two properties simultaneously proved to be a nontrivial task.\r\n\r\nThe notion of VDFs was introduced in [31] and later formalised in [9]. In principle, since the task of constructing a VDF reduces to the task of incrementally-verifiable computation [9, 53], constructions of VDFs could leverage succinct non-interactive arguments of knowledge (SNARKs): take any sequentially-hard function f (for instance, iterated hashing) as the delay function and then use the SNARK on top of it as the mechanism for verifying the computation of the delay function. However, as discussed in [9], the resulting construction is not quite practical since we would rely on a general-purpose machinery of SNARKs with significant overhead.\r\n\r\nEfficient VDFs via Algebraic Delay Functions. VDFs have recently found interesting applications in design of blockchains [17], randomness beacons [43, 51], proofs of data replication [9], or short-lived zero-knowledge proofs and signatures [3]. Since efficiency is an important factor there, this has resulted in a flurry of constructions of VDFs that are tailored with application and practicality in mind. They rely on more algebraic, structured delay functions that often involve iterating an atomic operation so that one can resort to custom proof systems to achieve verifiability. These constructions involve a range of algebraic settings like the RSA or class groups [5, 8, 25, 42, 55], permutation polynomials over finite fields [9], isogenies of elliptic curves [21, 52] and, very recently, lattices [15, 28]. The constructions in [42, 55] are arguably the most practical and the mechanism that underlies their delay function is the same: carry out iterated squaring in groups of unknown order, like RSA groups [47] or class groups [12]. What distinguishes these two proposals is the way verification is carried out, i.e., how the underlying “proof of exponentiation” works: while Pietrzak [42] resorts to an LFKN-style recursive proof system [35], Wesolowski [55] uses a clever linear decomposition of the exponent.\r\n\r\nIterated Modular Squaring and Sequentiality. The delay function that underlies the VDFs in [5, 25, 42, 55] is the same, and its security relies on the conjectured sequential hardness of iterated squaring in a group of unknown order (suggested in the context of time-lock puzzles by Rivest, Shamir, and Wagner [48]). Given that the practically efficient VDFs all rely on the above single delay function, an immediate open problem is to identify additional sources of sequential hardness that are structured enough to support practically efficient verifiability.\r\n\r\n1.1 Our Approach to (Verifiable) Delay Functions\r\nIn this work, we study an alternative source of sequential hardness in the algebraic setting and use it to construct efficient verifiable delay functions. The sequentiality of our delay function relies on an atomic operation that is related to the computation of so-called Lucas sequences [29, 34, 57], explained next.\r\n\r\nLucas Sequences. A Lucas sequence is a constant-recursive integer sequence that satisfies the recurrence relation\r\n\r\nfor integers P and Q.Footnote1 Specifically, the Lucas sequences of integers \r\n and \r\n of the first and second type (respectively) are defined recursively as\r\n\r\nwith \r\n, and\r\n\r\nwith \r\n.\r\n\r\nThese sequences can be alternatively defined by the characteristic polynomial \r\n. Specifically, given the discriminant \r\n of the characteristic polynomial, one can alternatively compute the above sequences by performing operations in the extension field\r\n\r\nusing the identities\r\n\r\nwhere \r\n and its conjugate \r\n are roots of the characteristic polynomial. Since conjugation and exponentiation commute in the extension field (i.e., \r\n), computing the i-th terms of the two Lucas sequences over integers reduces to computing \r\n in the extension field, and vice versa.\r\n\r\nThe intrinsic connection between computing the terms in the Lucas sequences and that of exponentiation in the extension has been leveraged to provide alternative instantiations of public-key encryption schemes like RSA and ElGamal in terms of Lucas sequences [7, 30]. However, as we explain later, the corresponding underlying computational hardness assumptions are not necessarily equivalent.\r\n\r\nOverview of Our Delay Function. The delay function in [5, 25, 42, 55] is defined as the iterated squaring base x in a (safe) RSA groupFootnote2 modulo N:\r\n\r\nOur delay function is its analogue in the setting of Lucas sequences:\r\n\r\nAs mentioned above, computing \r\n can be carried out equivalently in the extension field \r\n using the known relationship to roots of the characteristic polynomial of the Lucas sequence. Thus, the delay function can be alternatively defined as\r\n\r\nNote that the atomic operation of our delay function is “doubling” the index of an element of the Lucas sequence modulo N (i.e., \r\n) or, equivalently, squaring in the extension field \r\n (as opposed to squaring in \r\n). Using the representation of \r\n as \r\n, squaring in \r\n can be expressed as a combination of squaring, multiplication and addition modulo N, since\r\n\r\n(1)\r\nSince \r\n is a group of unknown order (provided the factorization of N is kept secret), iterated squaring remains hard here. In fact, we show in Sect. 3.2 that iterated squaring in \r\n is at least as hard as iterated squaring for RSA moduli N. Moreover, we conjecture in Conjecture 1 that it is, in fact, strictly harder (also see discussion below on advantages of our approach).\r\n\r\nVerifying Modular Lucas Sequence. To obtain a VDF, we need to show how to efficiently verify our delay function. To this end, we show how to adapt the interactive proof of exponentiation from [42] to our setting, which then – via the Fiat-Shamir Transform [22] – yields the non-interactive verification algorithm.Footnote3 Thus, our main result is stated informally below.\r\n\r\nTheorem 1\r\n(Informally stated, see Theorem 2). Assuming sequential hardness of modular Lucas sequence, there exists statistically-sound VDF in the random-oracle model.\r\n\r\nHowever, the modification of Pietrzak’s protocol is not trivial and we have to overcome several hurdles that we face in this task, which we elaborate on in Sect. 1.2. We conclude this section with discussions about our results.\r\n\r\nAdvantage of Our Approach. Our main advantage is the reliance on a potentially weaker (sequential) hardness assumption while maintaining efficiency: we show in Sect. 3.2 that modular Lucas sequences are at least as sequentially-hard as the classical delay function given by iterated modular squaring [48]. Despite the linear recursive structure of Lucas sequences, there is no obvious reduction in the other direction, which suggests that the assumption of sequential hardness of modular Lucas sequences is strictly weaker than that of iterated modular squaring (Conjecture 1). In other words, the sequential hardness of modular Lucas sequences might hold even in the case of an algorithmic improvement violating the sequential hardness of iterated modular squaring. Even though both assumptions need the group order to be hidden, we believe that there is need for a nuanced analysis of sequential hardness assumptions in hidden order groups, especially because all current delay functions that provide sufficient structure for applications are based on iterated modular squaring. If the iterated modular squaring assumption is broken, our delay function is currently the only practical alternative in the RSA group.\r\n\r\nDelay Functions in Idealised Models. Recent works studied the relationship of group-theoretic (verifiable) delay functions to the hardness of factoring in idealised models such as the algebraic group model and the generic ring model [27, 50]. In the generic ring model, Rotem and Segev [50] showed the equivalence of straight-line delay functions in the RSA setting and factoring. Our construction gives rise to a straight-line delay function and, by their result, its sequentiality is equivalent to factoring for generic algorithms. However, their result holds only in the generic ring model and leaves the relationship between the two assumptions unresolved in the standard model.\r\n\r\nCompare this with the status of the RSA assumption and factoring. On one hand, we know that in the generic ring model, RSA and factoring are equivalent [2]. Yet, it is possible to rule out certain classes of reductions from factoring to RSA in the standard model [11]. Most importantly, despite the equivalence in the generic ring model, there is currently no reduction from factoring to RSA in the standard model and it remains one of the major open problems in number theory related to cryptography since the introduction of the RSA assumption.\r\n\r\nIn summary, speeding up iterated squaring by a non-generic algorithm could be possible (necessarily exploiting the representations of ring elements modulo N), while such an algorithm may not lead to a speed-up in the computation of modular Lucas sequences despite the result of Rotem and Segev [50].\r\n\r\n1.2 Technical Overview\r\nPietrzak’s VDF. Let \r\n be an RSA modulus where p and q are safe primes and let x be a random element from \r\n. At its core, Pietrzak’s VDF relies on the interactive protocol for the statement\r\n\r\n“(N, x, y, T) satisfies \r\n”.\r\n\r\nThe protocol is recursive and, in a round-by-round fashion, reduces the claim to a smaller statement by halving the time parameter. To be precise, in each round, the (honest) prover sends the “midpoint” \r\n of the current statement to the verifier and they together reduce the statement to\r\n\r\n“\r\n satisfies \r\n”,\r\n\r\nwhere \r\n and \r\n for a random challenge r. This is continued till \r\n is obtained at which point the verifier simply checks whether \r\n using a single modular squaring.\r\n\r\nSince the challenges r are public, the protocol can be compiled into a non-interactive one using the Fiat-Shamir transform [22] and this yields a means to verify the delay function\r\n\r\nIt is worth pointing out that the choice of safe primes is crucial for proving soundness: in case the group has easy-to-find elements of small order then it becomes easy to break soundness (see, e.g., [10]).\r\n\r\nAdapting Pietrzak’s Protocol to Lucas Sequences. For a modulus \r\n and integers \r\n, recall that our delay function is defined as\r\n\r\nor equivalently\r\n\r\nfor the discriminant \r\n of the characteristic polynomial \r\n. Towards building a verification algorithm for this delay function, the natural first step is to design an interactive protocol for the statement\r\n\r\n“(N, P, Q, y, T) satisfies \r\n.”\r\n\r\nIt turns out that the interactive protocol from [42] can be adapted for this purpose. However, we encounter two technicalities in this process.\r\n\r\nDealing with elements of small order. The main problem that we face while designing our protocol is avoiding elements of small order. In the case of [42], this was accomplished by moving to the setting of signed quadratic residues [26] in which the sub-groups are all of large order. It is not clear whether a corresponding object exists for our algebraic setting. However, in an earlier draft of Pietrzak’s protocol [41], this problem was dealt with in a different manner: the prover sends a square root of \r\n, from which the original \r\n can be recovered easily (by squaring it) with a guarantee that the result lies in a group of quadratic residues \r\n. Notice that the prover knows the square root of \r\n, because it is just a previous term in the sequence he computed.\r\n\r\nIn our setting, we cannot simply ask for the square root of the midpoint as the subgroup of \r\n we effectively work in has a different structure. Nevertheless, we can use a similar approach: for an appropriately chosen small a, we provide an a-th root of \r\n (instead of \r\n itself) to the prover in the beginning of the protocol. The prover then computes the whole sequence for \r\n. In the end, he has the a-th root of every term of the original sequence and he can recover any element of the original sequence by raising to the a-th power.\r\n\r\nSampling strong modulus. The second technicality is related to the first one. In order to ensure that we can use the above trick, we require a modulus where the small subgroups are reasonably small not only in the group \r\n but also in the extension \r\n. Thus the traditional sampling algorithms that are used to sample strong primes (e.g., [46]) are not sufficient for our purposes. However, sampling strong primes that suit our criteria can still be carried out efficiently as we show in the full version.\r\n\r\nComparing Our Technique with [8, 25]. The VDFs in [8, 25] are also inspired by [42] and, hence, faced the same problem of low-order elements. In [8], this is dealt with by amplifying the soundness at the cost of parallel repetition and hence larger proofs and extra computation. In [25], the number of repetitions of [8] is reduced significantly by introducing the following technique: The exponent of the initial instance is reduced by some parameter \r\n and at the end of an interactive phase, the verifier performs final exponentiation with \r\n, thereby weeding out potential false low-order elements in the claim. This technique differs from the approach taken in our work in the following ways: The technique from [25] works in arbitrary groups but it requires the parameter \r\n to be large and of a specific form. In particular, the VDF becomes more efficient when \r\n is larger than \r\n. In our protocol, we work in RSA groups whose modulus is the product of primes that satisfy certain conditions depending on a. This enables us to choose a parameter a that is smaller than a statistical security parameter and thereby makes the final exponentiation performed by the verifier much more efficient. Further, a can be any natural number, while \r\n must be set as powers of all small prime numbers up a certain bound in [25].\r\n\r\n1.3 More Related Work\r\nTimed Primitives. The notion of VDFs was introduced in [31] and later formalised in [9]. VDFs are closely related to the notions of time-lock puzzles [48] and proofs of sequential work [36]. Roughly speaking, a time-lock puzzle is a delay function that additionally allows efficient sampling of the output via a trapdoor. A proof of sequential work, on the other hand, is a delay “multi-function”, in the sense that the output is not necessarily unique. Constructions of time-lock puzzles are rare [6, 38, 48], and there are known limitations: e.g., that it cannot exist in the random-oracle model [36]. However, we know how to construct proofs of sequential work in the random-oracle model [1, 16, 19, 36].\r\n\r\nSince VDFs have found several applications, e.g., in the design of resource-efficient blockchains [17], randomness beacons [43, 51] and proof of data replication [9], there have been several constructions. Among them, the most notable are the iterated-squaring based construction from [8, 25, 42, 55], the permutation-polynomial based construction from [9], the isogenies-based construction from [13, 21, 52] and the construction from lattice problems [15, 28]. The constructions in [42, 55] are quite practical (see the survey [10]) and the VDF deployed in the cryptocurrency Chia is basically their construction adapted to the algebraic setting of class groups [17]. This is arguably the closest work to ours. On the other hand, the constructions from [21, 52], which work in the algebraic setting of isogenies of elliptic curves where no analogue of square and multiply is known, simply rely on “exponentiation”. Although, these constructions provide a certain form of quantum resistance, they are presently far from efficient. Freitag et al. [23] constructed VDFs from any sequentially hard function and polynomial hardness of learning with errors, the first from standard assumptions. The works of Cini, Lai, and Malavolta [15, 28] constructed the first VDF from lattice-based assumptions and conjectured it to be post-quantum secure.\r\n\r\nSeveral variants of VDFs have also been proposed. A VDF is said to be unique if the proof that is used for verification is unique [42]. Recently, Choudhuri et al. [5] constructed unique VDFs from the sequential hardness of iterated squaring in any RSA group and polynomial hardness of LWE. A VDF is tight [18] if the gap between simply computing the function and computing it with a proof is small. Yet another extension is a continuous VDF [20]. The feasibility of time-lock puzzles and proofs of sequential works were recently extended to VDFs. It was shown [50] that the latter requirement, i.e., working in a group of unknown order, is inherent in a black-box sense. It was shown in [18, 37] that there are barriers to constructing tight VDFs in the random-oracle model.\r\n\r\nVDFs also have surprising connection to complexity theory [14, 20, 33].\r\n\r\nWork Related to Lucas Sequences. Lucas sequences have long been studied in the context of number theory: see for example [45] or [44] for a survey of its applications to number theory. Its earliest application to cryptography can be traced to the \r\n factoring algorithm [56]. Constructive applications were found later thanks to the parallels with exponentiation. Several encryption and signature schemes were proposed, most notably the LUC family of encryption and signatures [30, 39]. It was later shown that some of these schemes can be broken or that the advantages it claimed were not present [7]. Other applications can be found in [32].\r\n\r\n2 Preliminaries\r\n2.1 Interactive Proof Systems\r\nInteractive Protocols. An interactive protocol consists of a pair \r\n of interactive Turing machines that are run on a common input \r\n. The first machine \r\n is the prover and is computationally unbounded. The second machine \r\n is the verifier and is probabilistic polynomial-time.\r\n\r\nIn an \r\n-round (i.e., \r\n-message) interactive protocol, in each round \r\n, first \r\n sends a message \r\n to \r\n and then \r\n sends a message \r\n to \r\n, where \r\n is a finite alphabet. At the end of the interaction, \r\n runs a (deterministic) Turing machine on input \r\n. The interactive protocol is public-coin if \r\n is a uniformly distributed random string in \r\n.\r\n\r\nInteractive Proof Systems. The notion of an interactive proof for a language L is due to Goldwasser, Micali and Rackoff [24].\r\n\r\nDefinition 1\r\nFor a function \r\n, an interactive protocol \r\n is an \r\n-statistically-sound interactive proof system for L if:\r\n\r\nCompleteness: For every \r\n, if \r\n interacts with \r\n on common input \r\n, then \r\n accepts with probability 1.\r\n\r\nSoundness: For every \r\n and every (computationally-unbounded) cheating prover strategy \r\n, the verifier \r\n accepts when interacting with \r\n with probability less than \r\n, where \r\n is called the soundness error.\r\n\r\n2.2 Verifiable Delay Functions\r\nWe adapt the definition of verifiable delay functions from [9] but we decouple the verifiability and sequentiality properties for clarity of exposition of our results. First, we present the definition of a delay function.\r\n\r\nDefinition 2\r\nA delay function \r\n consists of a triple of algorithms with the following syntax:\r\n\r\n:\r\n\r\nOn input a security parameter \r\n, the algorithm \r\n outputs public parameters \r\n.\r\n\r\n:\r\n\r\nOn input public parameters \r\n and a time parameter \r\n, the algorithm \r\n outputs a challenge x.\r\n\r\n:\r\n\r\nOn input a challenge pair (x, T), the (deterministic) algorithm \r\n outputs the value y of the delay function in time T.\r\n\r\nThe security property required of a delay function is sequential hardness as defined below.\r\n\r\nDefinition 3\r\n(Sequentiality). We say that a delay function \r\n satisfies the sequentiality property, if there exists an \r\n such that for all \r\n and for every adversary \r\n, where \r\n uses \r\n processors and runs in time \r\n, there exists a negligible function \r\n such that\r\n\r\nfigure a\r\nA few remarks about our definition of sequentiality are in order:\r\n\r\n1.\r\nWe require computing \r\n to be hard in less than T sequential steps even using any polynomially-bounded amount of parallelism and precomputation. Note that it is necessary to bound the amount of parallelism, as an adversary could otherwise break the underlying hardness assumption (e.g. hardness of factorization). Analogously, T should be polynomial in \r\n as, otherwise, breaking the underlying hardness assumptions becomes easier than computing \r\n itself for large values of T.\r\n\r\n2.\r\nAnother issue is what bound on the number of sequential steps of the adversary should one impose. For example, the delay function based on T repeated modular squarings can be computed in sequential time \r\n using polynomial parallelism [4]. Thus, one cannot simply bound the sequential time of the adversary by o(T). Similarly to [38], we adapt the \r\n bound for \r\n which, in particular, is asymptotically smaller than \r\n.\r\n\r\n3.\r\nWithout loss of generality, we assume that the size of \r\n is at least linear in n and the adversary A does not have to get the unary representation of the security parameter \r\n as its input.\r\n\r\nThe definition of verifiable delay function extends a delay function with the possibility to compute publicly-verifiable proofs of correctness of the output value.\r\n\r\nDefinition 4\r\nA delay function \r\n is a verifiable delay function if it is equipped with two additional algorithms \r\n and \r\n with the following syntax:\r\n\r\n:\r\n\r\nOn input public parameters and a challenge pair (x, T), the \r\n algorithm outputs \r\n, where \r\n is a proof that the output y is the output of \r\n.\r\n\r\n:\r\n\r\nOn input public parameters, a challenge pair (x, T), and an output/proof pair \r\n, the (deterministic) algorithm \r\n outputs either \r\n or \r\n.\r\n\r\nIn addition to sequentiality (inherited from the underlying delay function), the \r\n and \r\n algorithms must together satisfy correctness and (statistical) soundness as defined below.\r\n\r\nDefinition 5\r\n(Correctness). A verifiable delay function \r\n is correct if for all \r\n\r\nfigure b\r\nDefinition 6\r\n(Statistical soundness). A verifiable delay function \r\n is statistically sound if for every (computationally unbounded) malicious prover \r\n there exists a negligible function \r\n such that for all \r\n\r\nfigure c\r\n3 Delay Functions from Lucas Sequences\r\nIn this section, we propose a delay function based on Lucas sequences and prove its sequentiality assuming that iterated squaring in a group of unknown order is sequential (Sect. 3.1). Further, we conjecture (Sect. 3.2) that our delay function candidate is even more robust than its predecessor proposed by Rivest, Shamir, and Wagner [48]. Finally, we turn our delay function candidate into a verifiable delay function (Sect. 4).\r\n\r\n3.1 The Atomic Operation\r\nOur delay function is based on subsequences of Lucas sequences, whose indexes are powers of two. Below, we use \r\n to denote the set of non-negative integers.\r\n\r\nDefinition 7\r\nFor integers \r\n, the Lucas sequences \r\n and \r\n are defined for all \r\n as\r\n\r\nwith \r\n and \r\n, and\r\n\r\nwith \r\n and \r\n.\r\n\r\nWe define subsequences \r\n, respectively \r\n, of \r\n, respectively \r\n for all \r\n as\r\n\r\n(2)\r\nAlthough the value of \r\n depends on parameters (P, Q), we omit (P, Q) from the notation because these parameters will be always obvious from the context.\r\n\r\nThe underlying atomic operation for our delay function is\r\n\r\nThere are several ways to compute \r\n in T sequential steps, and we describe two of them below.\r\n\r\nAn Approach Based on Squaring in a Suitable Extension Ring. To compute the value \r\n, we can use the extension ring \r\n, where \r\n is the discriminant of the characteristic polynomial \r\n of the Lucas sequence. The characteristic polynomial f(z) has a root \r\n, and it is known that, for all \r\n, it holds that\r\n\r\nThus, by iterated squaring of \r\n, we can compute terms of our target subsequences. To get a better understanding of squaring in the extension ring, consider the representation of the root \r\n for some \r\n. Then,\r\n\r\nThen, the atomic operation of our delay function can be interpreted as \r\n, defined for all \r\n as\r\n\r\n(3)\r\nAn Approach Based on Known Identities. Many useful identities for members of modular Lucas sequences are known, such as\r\n\r\n(4)\r\nSetting \r\n we get\r\n\r\n(5)\r\nThe above identities are not hard to derive (see, e.g., Lemma 12.5 in [40]). Indexes are doubled on each of application of the identities in Eq. (5), and, thus, for \r\n, we define an auxiliary sequence \r\n by \r\n. Using the identities in Eq. (5), we get recursive equations\r\n\r\n(6)\r\nThen, the atomic operation of our delay function can be interpreted as \r\n, defined for all \r\n as\r\n\r\n(7)\r\nAfter a closer inspection, the reader may have an intuition that an auxiliary sequence \r\n, which introduces a third state variable, is redundant. This intuition is indeed right. In fact, there is another easily derivable identity\r\n\r\n(8)\r\nwhich can be found, e.g., as Lemma 12.2 in [40]. On the other hand, Eq. (8) is quite interesting because it allows us to compute large powers of an element \r\n using two Lucas sequences. We use this fact in the security reduction in Sect. 3.2. Our construction of a delay function, denoted \r\n, is given in Fig. 1.\r\n\r\nFig. 1.\r\nfigure 1\r\nOur delay function candidate \r\n based on a modular Lucas sequence.\r\n\r\nFull size image\r\nOn the Discriminant D. Notice that whenever D is a quadratic residue modulo N, the value \r\n is an element of \r\n and hence \r\n. By definition, LCS.Gen generates a parameter D that is a quadratic residue with probability 1/4, so it might seem that in one fourth of the cases there is another approach to compute \r\n: find the element \r\n and then perform n sequential squarings in the group \r\n. However, it is well known that finding square roots of uniform elements in \r\n is equivalent to factoring the modulus N, so this approach is not feasible. We can therefore omit any restrictions on the discriminant D in the definition of our delay function LCS.\r\n\r\n3.2 Reduction from RSW Delay Function\r\nIn order to prove the sequentiality property (Definition 3) of our candidate \r\n, we rely on the standard conjecture of the sequentiality of the \r\n time-lock puzzles, implicitly stated in [48] as the underlying hardness assumption.\r\n\r\nDefinition 8\r\n(\r\n delay function). The \r\n delay function is defined as follows:\r\n\r\n: Samples two n-bit primes p and q and outputs \r\n.\r\n\r\n: Outputs an x sampled from the uniform distribution on \r\n.\r\n\r\n: Outputs \r\n.\r\n\r\nTheorem 2\r\nIf the \r\n delay function has the sequentiality property, then the \r\n delay function has the sequentiality property.\r\n\r\nProof\r\nSuppose there exists an adversary \r\n who contradicts the sequentiality of \r\n, where \r\n is a precomputation algorithm and \r\n is an online algorithm. We construct an adversary \r\n who contradicts the sequentiality of \r\n as follows:\r\n\r\nThe algorithm \r\n is defined identically to the algorithm \r\n.\r\n\r\nOn input \r\n, \r\n picks a P from the uniform distribution on \r\n, sets\r\n\r\nand it runs \r\n to compute \r\n. The algorithm \r\n computes \r\n using the identity in Eq. (8).\r\n\r\nNote that the input distribution for the algorithm \r\n produced by \r\n differs from the one produced by \r\n, because the \r\n generator samples Q from the uniform distribution on \r\n (instead of \r\n). However, this is not a problem since the size of \r\n is negligible compared to the size of \r\n, so the statistical distance between the distribution of D produced by \r\n and the distribution of D sampled by \r\n is negligible in the security parameter. Thus, except for a negligible multiplicative loss, the adversary \r\n attains the same success probability of breaking the sequentiality of \r\n as the probability of \r\n breaking the sequentiality of \r\n – a contradiction to the assumption of the theorem. \r\n\r\nWe believe that the converse implication to Theorem 2 is not true, i.e., that breaking the sequentiality of \r\n does not necessarily imply breaking the sequentiality of \r\n. Below, we state it as a conjecture.\r\n\r\nConjecture 1\r\nSequentiality of \r\n cannot be reduced to sequentiality of \r\n.\r\n\r\nOne reason why the above conjecture might be true is that, while the \r\n delay function is based solely only on multiplication in the group \r\n, our \r\n delay function uses the full arithmetic (addition and multiplication) of the commutative ring \r\n.\r\n\r\nOne way to support the conjecture would be to construct an algorithm that speeds up iterated squaring but is not immediately applicable to Lucas sequences. By [49] we know that this cannot be achieved by a generic algorithm. A non-generic algorithm that solves iterated squaring in time \r\n is presented in [4]. The main tool of their construction is the Explicit Chinese Remainder Theorem modulo N. However, a similiar theorem exists also for univariate polynomial rings, which suggests that a similar speed-up can be obtained for our delay function by adapting the techniques in [4] to our setting.\r\n\r\n4 VDF from Lucas Sequences\r\nIn Sect. 3.1 we saw different ways of computing the atomic operation of the delay function. Computing \r\n in the extension field seems to be the more natural and time and space effective approach. Furthermore, writing the atomic operation \r\n as \r\n is very clear, and, thus, we follow this approach throughout the rest of the paper.\r\n\r\n4.1 Structure of \r\nTo construct a VDF based on Lucas sequences, we use an algebraic extension\r\n\r\n(9)\r\nwhere N is an RSA modulus and \r\n. In this section, we describe the structure of the algebraic extension given in Expression (9). Based on our understanding of the structure of the above algebraic extension, we can conclude that using modulus N composed of safe primes (i.e., for all prime factors p of N, \r\n has a large prime divisor) is necessary but not sufficient condition for security of our construction. We specify some sufficient conditions on factors of N in the subsequent Sect. 4.2.\r\n\r\nFirst, we introduce some simplifying notation for quotient rings.\r\n\r\nDefinition 9\r\nFor \r\n and \r\n, we denote by \r\n the quotient ring \r\n, where (m, f(x)) denotes the ideal of the ring \r\n generated by m and f(x).\r\n\r\nObservation 1, below, allows us to restrict our analysis only to the structure of \r\n for prime \r\n.\r\n\r\nObservation 1\r\nLet \r\n be distinct primes, \r\n and \r\n. Then\r\n\r\nProof\r\nUsing the Chinese reminder theorem, we get\r\n\r\nas claimed. \r\n\r\nThe following lemma characterizes the structure of \r\n with respect to the discriminant of f. We use \r\n to denote the standard Legendre symbol.\r\n\r\nLemma 1\r\nLet \r\n and \r\n be a polynomial of degree 2 with the discriminant D. Then\r\n\r\nProof\r\nWe consider each case separately:\r\n\r\nIf \r\n, then f(x) is irreducible over \r\n and \r\n is a field with \r\n elements. Since \r\n is a finite field, \r\n is cyclic and contains \r\n elements.\r\n\r\nIf \r\n, then \r\n and f has some double root \r\n and it can be written as \r\n for some \r\n. Since the ring \r\n is isomorphic to the ring \r\n (consider the isomorphism \r\n), we can restrict ourselves to describing the structure of \r\n.\r\n\r\nWe will prove that the function \r\n,\r\n\r\nis an isomorphism. First, the polynomial \r\n is invertible if and only if \r\n (inverse is \r\n). For the choice \r\n, we have\r\n\r\nThus \r\n is onto. Second, \r\n is, in fact, a bijection, because\r\n\r\n(10)\r\nFinally, \r\n is a homomorphism, because\r\n\r\nIf \r\n, then f(x) has two roots \r\n. We have an isomorphism\r\n\r\nand \r\n. \r\n\r\n4.2 Strong Groups and Strong Primes\r\nTo achieve the verifiability property of our construction, we need \r\n to contain a strong subgroup (defined next) of order asymptotically linear in p. We remark that our definition of strong primes is stronger than the one by Rivest and Silverman [46].\r\n\r\nDefinition 10\r\n(Strong groups). For \r\n, we say that a non-trivial group \r\n is \r\n-strong, if the order of each non-trivial subgroup of \r\n is greater than \r\n.\r\n\r\nObservation 2\r\nIf \r\n and \r\n are \r\n-strong groups, then \r\n is a \r\n-strong group.\r\n\r\nIt can be seen from Lemma 1 that \r\n always contains groups of small order (e.g. \r\n). To avoid these, we descend into the subgroup of a-th powers of elements of \r\n. Below, we introduce the corresponding notation.\r\n\r\nDefinition 11\r\nFor an Abelian group \r\n and \r\n, we define the subgroup \r\n of \r\n in the multiplicative notation and \r\n in the additive notation.\r\n\r\nFurther, we show in Lemma 2 below that \r\n-strong primality (defined next) is a sufficient condition for \r\n to be a \r\n-strong group.\r\n\r\nDefinition 12\r\n(Strong primes). Let \r\n and \r\n. We say that p is a \r\n-strong prime, if \r\n and there exists \r\n, \r\n, such that \r\n and every prime factor of W is greater than \r\n.\r\n\r\nSince a is a public parameter in our setup, super-polynomial a could reveal partial information about the factorization of N. However, we could allow a to be polynomial in \r\n while maintaining hardness of factoring N.Footnote4 For the sake of simplicity of Definition 12, we rather use stronger condition \r\n. The following simple observation will be useful for proving Lemma 2.\r\n\r\nObservation 3\r\nFor \r\n.\r\n\r\nLemma 2\r\nLet p be a \r\n-strong prime and \r\n be a quadratic polynomial. Then, \r\n is a \r\n-strong group.\r\n\r\nProof\r\nFrom definition of the strong primes, there exists \r\n, whose factors are bigger than \r\n and \r\n. We denote \r\n a factor of W. Applying Observation 3 to Lemma 1, we get\r\n\r\nIn particular, we used above the fact that Observation 2 implies that \r\n as explained next. Since \r\n, all divisors of \r\n are divisors of aW. By definition of a and W in Definition 12, we also have that \r\n, which implies that any factor of \r\n divides either a or W, but not both. When we divide \r\n by all the common divisors with a, only the common divisors with W are left, which implies \r\n. The proof of the lemma is now completed by Observation 2.\r\n\r\nCorollary 1\r\nLet p be a \r\n-strong prime, q be a \r\n-strong prime, \r\n, \r\n, \r\n and \r\n. Then \r\n is \r\n-strong.\r\n\r\n4.3 Our Interactive Protocol\r\nOur interactive protocol is formally described in Fig. 3. To understand this protocol, we first recall the outline of Pietrzak’s interactive protocol from Sect. 1.2 and then highlight the hurdles. Let \r\n be an RSA modulus where p and q are strong primes and let x be a random element from \r\n. The interactive protocol in [42] allows a prover to convince the verifier of the statement\r\n\r\n“(N, x, y, T) satisfies \r\n”.\r\n\r\nThe protocol is recursive and in a round-by-round fashion reduces the claim to a smaller statement by halving the time parameter. To be precise, in each round the (honest) prover sends the “midpoint” \r\n of the current statement to the verifier and they together reduce the statement to\r\n\r\n“\r\n satisfies \r\n”,\r\n\r\nwhere \r\n and \r\n for a random challenge r. This is continued until \r\n is obtained at which point the verifier simply checks whether \r\n.\r\n\r\nThe main problem, we face while designing our protocol is ensuring that the verifier can check whether \r\n sent by prover lies in an appropriate subgroup of \r\n. In the first draft of Pietrzak’s protocol [41], prover sends a square root of \r\n, from which the original \r\n can be recovered easily (by simply squaring it) with a guarantee, that the result lies in a group of quadratic residues \r\n. Notice that the prover knows the square root of \r\n, because it is just a previous term in the sequence he computed.\r\n\r\nUsing Pietrzak’s protocol directly for our delay function would require computing a-th roots in RSA group for some arbitrary a. Since this is a computationally hard problem, we cannot use the same trick. In fact, the VDF construction of Wesolowski [54] is based on similar hardness assumption.\r\n\r\nWhile Pietrzak shifted from \r\n to the group of signed quadratic residues \r\n in his following paper [42] to get unique proofs, we resort to his old idea of ‘squaring a square root’ and generalise it.\r\n\r\nThe high level idea is simple. First, on input \r\n, prover computes the sequence \r\n. Next, during the protocol, verifier maps all elements sent by the prover by homomorphism\r\n\r\n(11)\r\ninto the target strong group \r\n. This process is illustrated in Fig. 2. Notice that the equality \r\n for the original sequence implies the equality \r\n for the mapped sequence \r\n.\r\n\r\nFig. 2.\r\nfigure 2\r\nIllustration of our computation of the iterated squaring using the a-th root of \r\n. Horizontal arrows are \r\n and diagonal arrows are \r\n.\r\n\r\nFull size image\r\nRestriction to Elements of \r\n. Mapping Eq. (11) introduces a new technical difficulty. Since \r\n is not injective, we narrow the domain inputs, for which the output of our VDF is verifiable, from \r\n to \r\n. Furthermore, the only way to verify that a certain x is an element of \r\n is to get an a-th root of x and raise it to the ath power. So we have to represent elements of \r\n by elements of \r\n anyway. To resolve these two issues, we introduce a non-unique representation of elements of \r\n.\r\n\r\nDefinition 13\r\nFor \r\n and \r\n, we denote \r\n (an element of \r\n) by [x]. Since this representation of \r\n is not unique, we define an equality relation by\r\n\r\nWe will denote by tilde () the elements that were already powered to the a by a verifier (i.e. ). Thus tilded variables verifiably belong to the target group \r\n.\r\n\r\nIn the following text, the goal of the brackets notation in Definition 13 is to distinguish places where the equality means the equality of elements of \r\n from those places, where the equality holds up to \r\n. A reader can also see the notation in Definition 13 as a concrete representation of elements of a factor group \r\n.\r\n\r\nOur security reduction 2 required the delay function to operate everywhere on \r\n. This is not a problem if the \r\n algorithm is modified to output the set \r\n.\r\n\r\nFig. 3.\r\nfigure 3\r\nOur Interactive Protocol for \r\n.\r\n\r\nFull size image\r\n4.4 Security\r\nRecall here that \r\n is \r\n-strong group, so there exist\r\n\r\n and \r\n such that\r\n\r\n(12)\r\nDefinition 14\r\nFor \r\n and \r\n, we define \r\n as i-th coordinate of \r\n, where \r\n is the isomorphism given by Eq. (12).\r\n\r\nLemma 3\r\nLet \r\n and \r\n. If \r\n, then\r\n\r\n\t(13)\r\nProof\r\nFix \r\n, \r\n and y. Let some \r\n satisfy\r\n\r\n(14)\r\nUsing notation from Definition 14, we rewrite Eq. (14) as a set of equations\r\n\r\nFor every \r\n, by reordering the terms, the j-th equation becomes\r\n\r\n(15)\r\nIf \r\n, then \r\n. Further for every \r\n. It follows that \r\n. Putting these two equations together gives us \r\n, which contradicts our assumption \r\n.\r\n\r\nIt follows that there exists \r\n such that\r\n\r\n(16)\r\nThereafter there exists \r\n such that \r\n divides \r\n and\r\n\r\n(17)\r\nFurthermore, from Eq. (15), \r\n divides \r\n. Finally, dividing eq. Eq. (15) by \r\n, we get that r is determined uniquely (\r\n),\r\n\r\nUsing the fact that \r\n, this uniqueness of r upper bounds number of \r\n, such that Eq. (14) holds, to one. It follows that the probability that Eq. (14) holds for r chosen randomly from the uniform distribution over \r\n is less than \r\n. \r\n\r\nCorollary 2\r\nThe halving protocol will turn an invalid input tuple (i.e. \r\n) into a valid output tuple (i.e. \r\n) with probability less than \r\n.\r\n\r\nTheorem 3\r\nFor any computationally unbounded prover who submits anything other than \r\n such that \r\n in phase 2 of the protocol, the soundness error is upper-bounded by \r\n\r\nProof\r\nIn each round of the protocol, T decreases to \r\n. It follows that the number of rounds of the halving protocol before reaching \r\n is upper bounded by \r\n.\r\n\r\nIf the verifier accepts the solution tuple \r\n in the last round, then the equality \r\n must hold. It follows that the initial inequality must have turned into equality in some round of the halving protocol. By Lemma 3, the probability of this event is bounded by \r\n. Finally, using the union bound for all rounds, we obtain the upper bound (\r\n. \r\n\r\n4.5 Our VDF\r\nAnalogously to the VDF of Pietrzak [42], we compile our public-coin interactive proof given in Fig. 3 into a VDF using the Fiat-Shamir heuristic. The complete construction is given in Fig. 4. For ease of exposition, we assume that the time parameter T is always a power of two.\r\n\r\nFig. 4.\r\nfigure 4\r\n based on Lucas sequences\r\n\r\nFull size image\r\nAs discussed in Sect. 4.3, it is crucial for the security of the protocol that the prover computes a sequence of powers of the a-th root of the challenge and the resulting value (as well as the intermediate values) received from the prover is lifted to the appropriate group by raising it to the a-th power. We use the tilde notation in Fig. 4 in order to denote elements on the sequence relative to the a-th root.\r\n\r\nNote that, by the construction, the output of our VDF is the \r\n-th power of the root of the characteristic polynomial for Lucas sequence with parameters P and Q. Therefore, the value of the delay function implicitly corresponds to the \r\n-th term of the Lucas sequence.\r\n\r\nTheorem 4\r\nLet \r\n be the statistical security parameter. The \r\n VDF defined in Fig. 4 is correct and statistically-sound with a negligible soundness error if \r\n is modelled as a random oracle, against any adversary that makes \r\n oracle queries.\r\n\r\nProof\r\nThe correctness follows directly by construction.\r\n\r\nTo prove its statistical soundness, we proceed in a similar way to [42]. We cannot apply Fiat-Shamir transformation directly, because our protocol does not have constant number of rounds, thus we use Fiat-Shamir heuristic to each round separately.\r\n\r\nFirst, we use a random oracle as the \r\n function. Second, if a malicious prover computed a proof accepted by verifier for some tuple \r\n such that\r\n\r\n(19)\r\nthen he must have succeeded in turning inequality from Eq. (19) into equality in some round. By Lemma 3, probability of such a flipping is bounded by \r\n. Every such an attempt requires one query to random oracle. Using a union bound, it follows that the probability that a malicious prover who made q queries to random oracle succeeds in flipping initial inequality into equality in some round is upper-bounded by \r\n.\r\n\r\nSince q is \r\n, \r\n is a negligible function and thus the soundness error is negligible. \r\n\r\nNotes\r\n1.\r\nNote that integer sequences like Fibonacci numbers and Mersenne numbers are special cases of Lucas sequences.\r\n\r\n2.\r\nThe choice of modulus N is said to be safe if \r\n for safe primes \r\n and \r\n, where \r\n and \r\n are also prime.\r\n\r\n3.\r\nFurther, using the ideas from [14, 20], it is possible to construct so-called continuous VDFs from Lucas sequences.\r\n\r\n4.\r\nSince we set a to be at most polynomial in \r\n, its is possible to go over all possible candidate values for a in time polynomial in \r\n. Thus, any algorithm that could factor N using the knowledge of a can be efficiently simulated even without the knowledge of a.\r\n\r\nReferences\r\nAbusalah, H., Kamath, C., Klein, K., Pietrzak, K., Walter, M.: Reversible proofs of sequential work. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 277–291. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_10\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nAggarwal, D., Maurer, U.: Breaking RSA generically is equivalent to factoring. IEEE Trans. Inf. Theory 62(11), 6251–6259 (2016). https://doi.org/10.1109/TIT.2016.2594197\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nArun, A., Bonneau, J., Clark, J.: Short-lived zero-knowledge proofs and signatures. In: Agrawal, S., Lin, D. (eds.) Advances in Cryptology – ASIACRYPT 2022. Lecture Notes in Computer Science, vol. 13793, pp. 487–516. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22969-5_17\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nBernstein, D., Sorenson, J.: Modular exponentiation via the explicit Chinese remainder theorem. Math. Comput. 76, 443–454 (2007). https://doi.org/10.1090/S0025-5718-06-01849-7\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nBitansky, N., et al.: PPAD is as hard as LWE and iterated squaring. IACR Cryptol. ePrint Arch., p. 1072 (2022)\r\n\r\nGoogle Scholar\r\n \r\n\r\nBitansky, N., Goldwasser, S., Jain, A., Paneth, O., Vaikuntanathan, V., Waters, B.: Time-lock puzzles from randomized encodings. In: ITCS, pp. 345–356. ACM (2016)\r\n\r\nGoogle Scholar\r\n \r\n\r\nBleichenbacher, D., Bosma, W., Lenstra, A.K.: Some remarks on Lucas-based cryptosystems. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 386–396. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_31\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nBlock, A.R., Holmgren, J., Rosen, A., Rothblum, R.D., Soni, P.: Time- and space-efficient arguments from groups of unknown order. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 123–152. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_5\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nBoneh, D., Bonneau, J., Bünz, B., Fisch, B.: Verifiable delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 757–788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_25\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nBoneh, D., Bünz, B., Fisch, B.: A survey of two verifiable delay functions. IACR Cryptol. ePrint Arch. 2018, 712 (2018)\r\n\r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nBoneh, D., Venkatesan, R.: Breaking RSA may not be equivalent to factoring. In: Nyberg, K. (ed.) Advances in Cryptology - EUROCRYPT ’98. Lecture Notes in Computer Science, vol. 1403, pp. 59–71. Springer, Cham (1998). https://doi.org/10.1007/BFb0054117\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nBuchmann, J., Williams, H.C.: A key-exchange system based on imaginary quadratic fields. J. Cryptol. 1(2), 107–118 (1988). https://doi.org/10.1007/BF02351719\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nChavez-Saab, J., Rodríguez-Henríquez, F., Tibouchi, M.: Verifiable Isogeny walks: towards an isogeny-based postquantum VDF. In: AlTawy, R., Hülsing, A. (eds.) SAC 2021. LNCS, vol. 13203, pp. 441–460. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-99277-4_21\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nChoudhuri, A.R., Hubáček, P., Kamath, C., Pietrzak, K., Rosen, A., Rothblum, G.N.: PPAD-hardness via iterated squaring modulo a composite. IACR Cryptol. ePrint Arch. 2019, 667 (2019)\r\n\r\nGoogle Scholar\r\n \r\n\r\nCini, V., Lai, R.W.F., Malavolta, G.: Lattice-based succinct arguments from vanishing polynomials. In: Handschuh, H., Lysyanskaya, A. (eds.) Advances in Cryptology - CRYPTO 2023. Lecture Notes in Computer Science, pp. 72–105. Springer Nature Switzerland, Cham (2023). https://doi.org/10.1007/978-3-031-38545-2_3\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nCohen, B., Pietrzak, K.: Simple proofs of sequential work. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 451–467. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_15\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nCohen, B., Pietrzak, K.: The Chia network blockchain. Technical report, Chia Network (2019). https://www.chia.net/assets/ChiaGreenPaper.pdf. Accessed 29 July 2022\r\n\r\nDöttling, N., Garg, S., Malavolta, G., Vasudevan, P.N.: Tight verifiable delay functions. In: Galdi, C., Kolesnikov, V. (eds.) SCN 2020. LNCS, vol. 12238, pp. 65–84. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57990-6_4\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nDöttling, N., Lai, R.W.F., Malavolta, G.: Incremental proofs of sequential work. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 292–323. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_11\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nEphraim, N., Freitag, C., Komargodski, I., Pass, R.: Continuous verifiable delay functions. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 125–154. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_5\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nDe Feo, L., Masson, S., Petit, C., Sanso, A.: Verifiable delay functions from supersingular isogenies and pairings. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 248–277. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_10\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nFiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nFreitag, C., Pass, R., Sirkin, N.: Parallelizable delegation from LWE. IACR Cryptol. ePrint Arch., p. 1025 (2022)\r\n\r\nGoogle Scholar\r\n \r\n\r\nGoldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nHoffmann, C., Hubáček, P., Kamath, C., Klein, K., Pietrzak, K.: Practical statistically sound proofs of exponentiation in any group. In: Dodis, Y., Shrimpton, T. (eds.) Advances in Cryptology – CRYPTO 2022. Lecture Notes in Computer Science, vol. 13508, pp. 1–30. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15979-4_13\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nHofheinz, D., Kiltz, E.: The group of signed quadratic residues and applications. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 637–653. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_37\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nKatz, J., Loss, J., Xu, J.: On the security of time-lock puzzles and timed commitments. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part III. LNCS, vol. 12552, pp. 390–413. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64381-2_14\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nLai, R.W.F., Malavolta, G.: Lattice-based timed cryptography. In: Handschuh, H., Lysyanskaya, A. (eds.) Advances in Cryptology - CRYPTO 2023. Lecture Notes in Computer Science, pp. 782–804. Springer Nature Switzerland, Cham (2023). https://doi.org/10.1007/978-3-031-38554-4_25\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nLehmer, D.H.: An extended theory of Lucas’ functions. Ann. Math. 31(3), 419–448 (1930). https://www.jstor.org/stable/1968235\r\n\r\nLennon, M.J.J., Smith, P.J.: LUC: A new public key system. In: Douglas, E.G. (ed.) Ninth IFIP Symposium on Computer Security, pp. 103–117. Elsevier Science Publishers (1993)\r\n\r\nGoogle Scholar\r\n \r\n\r\nLenstra, A.K., Wesolowski, B.: Trustworthy public randomness with sloth, unicorn, and trx. IJACT 3(4), 330–343 (2017)\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nLipmaa, H.: On Diophantine complexity and statistical zero-knowledge arguments. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 398–415. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_26\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nLombardi, A., Vaikuntanathan, V.: Fiat-Shamir for repeated squaring with applications to PPAD-hardness and VDFs. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 632–651. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_22\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nLucas, E.: Théorie des fonctions numériques simplement périodiques. Am. J. Math. 1(4), 289–321 (1878). https://www.jstor.org/stable/2369373\r\n\r\nLund, C., Fortnow, L., Karloff, H.J., Nisan, N.: Algebraic methods for interactive proof systems. J. ACM 39(4), 859–868 (1992)\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nMahmoody, M., Moran, T., Vadhan, S.P.: Publicly verifiable proofs of sequential work. In: ITCS, pp. 373–388. ACM (2013)\r\n\r\nGoogle Scholar\r\n \r\n\r\nMahmoody, M., Smith, C., Wu, D.J.: A note on the (Im)possibility of verifiable delay functions in the random oracle model. IACR Cryptol. ePrint Arch. 2019, 663 (2019)\r\n\r\nGoogle Scholar\r\n \r\n\r\nMalavolta, G., Thyagarajan, S.A.K.: Homomorphic time-lock puzzles and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 620–649. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_22\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nMüller, W.B., Nöbauer, W.: Some remarks on public-key cryptosystems. Studia Sci. Math. Hungar. 16, 71–76 (1981)\r\n\r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nBressoud, D.M.: Factorization and primality testing. Math. Comput. 56(193), 400 (1991)\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nPietrzak, K.: Simple verifiable delay functions. IACR Cryptol. ePrint Arch. 2018, 627 (2018). https://eprint.iacr.org/2018/627/20180720:081000\r\n\r\nPietrzak, K.: Simple verifiable delay functions. In: ITCS. LIPIcs, vol. 124, pp. 1–15. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2019)\r\n\r\nGoogle Scholar\r\n \r\n\r\nRabin, M.O.: Transaction protection by beacons. J. Comput. Syst. Sci. 27(2), 256–267 (1983)\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nRibenboim, P.: My Numbers, My Friends: Popular Lectures on Number Theory. Springer-Verlag, New York (2000)\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nRiesel, H.: Prime Numbers and Computer Methods for Factorization, Progress in Mathematics, vol. 57. Birkhäuser, Basel (1985)\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nRivest, R., Silverman, R.: Are ’strong’ primes needed for RSA. Cryptology ePrint Archive, Report 2001/007 (2001). https://eprint.iacr.org/2001/007\r\n\r\nRivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems (reprint). Commun. ACM 26(1), 96–99 (1983)\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nRivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Technical report, Massachusetts Institute of Technology (1996)\r\n\r\nGoogle Scholar\r\n \r\n\r\nRotem, L., Segev, G.: Generically speeding-up repeated squaring is equivalent to factoring: sharp thresholds for all generic-ring delay functions. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 481–509. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_17\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nRotem, L., Segev, G., Shahaf, I.: Generic-group delay functions require hidden-order groups. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 155–180. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_6\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nSchindler, P., Judmayer, A., Hittmeir, M., Stifter, N., Weippl, E.R.: RandRunner: distributed randomness from trapdoor VDFs with strong uniqueness. In: 28th Annual Network and Distributed System Security Symposium, NDSS 2021, virtually, 21–25 February 2021. The Internet Society (2021)\r\n\r\nGoogle Scholar\r\n \r\n\r\nShani, B.: A note on isogeny-based hybrid verifiable delay functions. IACR Cryptol. ePrint Arch. 2019, 205 (2019)\r\n\r\nGoogle Scholar\r\n \r\n\r\nValiant, P.: Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 1–18. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_1\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nWesolowski, B.: Efficient verifiable delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_13\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nWesolowski, B.: Efficient verifiable delay functions. J. Cryptol. 33(4), 2113–2147 (2020). https://doi.org/10.1007/s00145-020-09364-x\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nWilliams, H.C.: A \r\n method of factoring. Math. Comput. 39(159), 225–234 (1982)\r\n\r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nWilliams, H.C.: Édouard lucas and primality testing. Math. Gaz. 83, 173 (1999)\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nDownload references\r\n\r\nAcknowledgements\r\nWe thank Krzysztof Pietrzak and Alon Rosen for several fruitful discussions about this work and the anonymous reviewers of SCN 2022 and TCC 2023 for valuable suggestions.\r\n\r\nPavel Hubáček is supported by the Czech Academy of Sciences (RVO 67985840), by the Grant Agency of the Czech Republic under the grant agreement no. 19-27871X, and by the Charles University project UNCE/SCI/004. Chethan Kamath is supported by Azrieli International Postdoctoral Fellowship, by the European Research Council (ERC) under the European Union’s Horizon Europe research and innovation programme (grant agreement No. 101042417, acronym SPP), and by ISF grant 1789/19.","oa":1,"quality_controlled":"1","publisher":"Springer Nature"},{"language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"isbn":["9783031486203"],"eissn":["1611-3349"],"issn":["0302-9743"]},"volume":14371,"oa_version":"Preprint","abstract":[{"text":"Continuous Group-Key Agreement (CGKA) allows a group of users to maintain a shared key. It is the fundamental cryptographic primitive underlying group messaging schemes and related protocols, most notably TreeKEM, the underlying key agreement protocol of the Messaging Layer Security (MLS) protocol, a standard for group messaging by the IETF. CKGA works in an asynchronous setting where parties only occasionally must come online, and their messages are relayed by an untrusted server. The most expensive operation provided by CKGA is that which allows for a user to refresh their key material in order to achieve forward secrecy (old messages are secure when a user is compromised) and post-compromise security (users can heal from compromise). One caveat of early CGKA protocols is that these update operations had to be performed sequentially, with any user wanting to update their key material having had to receive and process all previous updates. Late versions of TreeKEM do allow for concurrent updates at the cost of a communication overhead per update message that is linear in the number of updating parties. This was shown to be indeed necessary when achieving PCS in just two rounds of communication by [Bienstock et al. TCC’20].\r\nThe recently proposed protocol CoCoA [Alwen et al. Eurocrypt’22], however, shows that this overhead can be reduced if PCS requirements are relaxed, and only a logarithmic number of rounds is required. The natural question, thus, is whether CoCoA is optimal in this setting.\r\nIn this work we answer this question, providing a lower bound on the cost (concretely, the amount of data to be uploaded to the server) for CGKA protocols that heal in an arbitrary k number of rounds, that shows that CoCoA is very close to optimal. Additionally, we extend CoCoA to heal in an arbitrary number of rounds, and propose a modification of it, with a reduced communication cost for certain k.\r\nWe prove our bound in a combinatorial setting where the state of the protocol progresses in rounds, and the state of the protocol in each round is captured by a set system, each set specifying a set of users who share a secret key. We show this combinatorial model is equivalent to a symbolic model capturing building blocks including PRFs and public-key encryption, related to the one used by Bienstock et al.\r\nOur lower bound is of order k•n1+1/(k-1)/log(k), where 2≤k≤log(n) is the number of updates per user the protocol requires to heal. This generalizes the n2 bound for k=2 from Bienstock et al.. This bound almost matches the k⋅n1+2/(k-1) or k2⋅n1+1/(k-1) efficiency we get for the variants of the CoCoA protocol also introduced in this paper.","lang":"eng"}],"intvolume":" 14371","month":"11","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2023/1123"}],"scopus_import":"1","alternative_title":["LNCS"],"date_updated":"2023-12-18T08:36:51Z","department":[{"_id":"KrPi"}],"_id":"14691","status":"public","conference":{"name":"TCC: Theory of Cryptography","start_date":"2023-11-29","location":"Taipei, Taiwan","end_date":"2023-12-02"},"type":"conference","publication":"21st International Conference on Theory of Cryptography","day":"27","year":"2023","date_created":"2023-12-17T23:00:53Z","doi":"10.1007/978-3-031-48621-0_10","date_published":"2023-11-27T00:00:00Z","page":"271-300","oa":1,"quality_controlled":"1","publisher":"Springer Nature","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Auerbach, Benedikt, et al. “On the Cost of Post-Compromise Security in Concurrent Continuous Group-Key Agreement.” 21st International Conference on Theory of Cryptography, vol. 14371, Springer Nature, 2023, pp. 271–300, doi:10.1007/978-3-031-48621-0_10.","ama":"Auerbach B, Cueto Noval M, Pascual Perez G, Pietrzak KZ. On the cost of post-compromise security in concurrent Continuous Group-Key Agreement. In: 21st International Conference on Theory of Cryptography. Vol 14371. Springer Nature; 2023:271-300. doi:10.1007/978-3-031-48621-0_10","apa":"Auerbach, B., Cueto Noval, M., Pascual Perez, G., & Pietrzak, K. Z. (2023). On the cost of post-compromise security in concurrent Continuous Group-Key Agreement. In 21st International Conference on Theory of Cryptography (Vol. 14371, pp. 271–300). Taipei, Taiwan: Springer Nature. https://doi.org/10.1007/978-3-031-48621-0_10","ieee":"B. Auerbach, M. Cueto Noval, G. Pascual Perez, and K. Z. Pietrzak, “On the cost of post-compromise security in concurrent Continuous Group-Key Agreement,” in 21st International Conference on Theory of Cryptography, Taipei, Taiwan, 2023, vol. 14371, pp. 271–300.","short":"B. Auerbach, M. Cueto Noval, G. Pascual Perez, K.Z. Pietrzak, in:, 21st International Conference on Theory of Cryptography, Springer Nature, 2023, pp. 271–300.","chicago":"Auerbach, Benedikt, Miguel Cueto Noval, Guillermo Pascual Perez, and Krzysztof Z Pietrzak. “On the Cost of Post-Compromise Security in Concurrent Continuous Group-Key Agreement.” In 21st International Conference on Theory of Cryptography, 14371:271–300. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-48621-0_10.","ista":"Auerbach B, Cueto Noval M, Pascual Perez G, Pietrzak KZ. 2023. On the cost of post-compromise security in concurrent Continuous Group-Key Agreement. 21st International Conference on Theory of Cryptography. TCC: Theory of Cryptography, LNCS, vol. 14371, 271–300."},"title":"On the cost of post-compromise security in concurrent Continuous Group-Key Agreement","article_processing_charge":"No","author":[{"last_name":"Auerbach","orcid":"0000-0002-7553-6606","full_name":"Auerbach, Benedikt","id":"D33D2B18-E445-11E9-ABB7-15F4E5697425","first_name":"Benedikt"},{"full_name":"Cueto Noval, Miguel","last_name":"Cueto Noval","first_name":"Miguel","id":"ffc563a3-f6e0-11ea-865d-e3cce03d17cc"},{"orcid":"0000-0001-8630-415X","full_name":"Pascual Perez, Guillermo","last_name":"Pascual Perez","id":"2D7ABD02-F248-11E8-B48F-1D18A9856A87","first_name":"Guillermo"},{"orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"}]},{"_id":"14692","status":"public","type":"conference","date_updated":"2023-12-18T09:17:03Z","department":[{"_id":"KrPi"}],"oa_version":"Preprint","abstract":[{"lang":"eng","text":"The generic-group model (GGM) aims to capture algorithms working over groups of prime order that only rely on the group operation, but do not exploit any additional structure given by the concrete implementation of the group. In it, it is possible to prove information-theoretic lower bounds on the hardness of problems like the discrete logarithm (DL) or computational Diffie-Hellman (CDH). Thus, since its introduction, it has served as a valuable tool to assess the concrete security provided by cryptographic schemes based on such problems. A work on the related algebraic-group model (AGM) introduced a method, used by many subsequent works, to adapt GGM lower bounds for one problem to another, by means of conceptually simple reductions.\r\nIn this work, we propose an alternative approach to extend GGM bounds from one problem to another. Following an idea by Yun [EC15], we show that, in the GGM, the security of a large class of problems can be reduced to that of geometric search-problems. By reducing the security of the resulting geometric-search problems to variants of the search-by-hypersurface problem, for which information theoretic lower bounds exist, we give alternative proofs of several results that used the AGM approach.\r\nThe main advantage of our approach is that our reduction from geometric search-problems works, as well, for the GGM with preprocessing (more precisely the bit-fixing GGM introduced by Coretti, Dodis and Guo [Crypto18]). As a consequence, this opens up the possibility of transferring preprocessing GGM bounds from one problem to another, also by means of simple reductions. Concretely, we prove novel preprocessing bounds on the hardness of the d-strong discrete logarithm, the d-strong Diffie-Hellman inversion, and multi-instance CDH problems, as well as a large class of Uber assumptions. Additionally, our approach applies to Shoup’s GGM without additional restrictions on the query behavior of the adversary, while the recent works of Zhang, Zhou, and Katz [AC22] and Zhandry [Crypto22] highlight that this is not the case for the AGM approach."}],"intvolume":" 14371","month":"11","main_file_link":[{"url":"https://eprint.iacr.org/2023/808","open_access":"1"}],"alternative_title":["LNCS"],"scopus_import":"1","language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"issn":["0302-9743"],"eissn":["1611-3349"],"isbn":["9783031486203"]},"volume":14371,"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Auerbach, Benedikt, et al. “Generic-Group Lower Bounds via Reductions between Geometric-Search Problems: With and without Preprocessing.” 21st International Conference on Theory of Cryptography, vol. 14371, Springer Nature, 2023, pp. 301–30, doi:10.1007/978-3-031-48621-0_11.","apa":"Auerbach, B., Hoffmann, C., & Pascual Perez, G. (2023). Generic-group lower bounds via reductions between geometric-search problems: With and without preprocessing. In 21st International Conference on Theory of Cryptography (Vol. 14371, pp. 301–330). Springer Nature. https://doi.org/10.1007/978-3-031-48621-0_11","ama":"Auerbach B, Hoffmann C, Pascual Perez G. Generic-group lower bounds via reductions between geometric-search problems: With and without preprocessing. In: 21st International Conference on Theory of Cryptography. Vol 14371. Springer Nature; 2023:301-330. doi:10.1007/978-3-031-48621-0_11","short":"B. Auerbach, C. Hoffmann, G. Pascual Perez, in:, 21st International Conference on Theory of Cryptography, Springer Nature, 2023, pp. 301–330.","ieee":"B. Auerbach, C. Hoffmann, and G. Pascual Perez, “Generic-group lower bounds via reductions between geometric-search problems: With and without preprocessing,” in 21st International Conference on Theory of Cryptography, 2023, vol. 14371, pp. 301–330.","chicago":"Auerbach, Benedikt, Charlotte Hoffmann, and Guillermo Pascual Perez. “Generic-Group Lower Bounds via Reductions between Geometric-Search Problems: With and without Preprocessing.” In 21st International Conference on Theory of Cryptography, 14371:301–30. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-48621-0_11.","ista":"Auerbach B, Hoffmann C, Pascual Perez G. 2023. Generic-group lower bounds via reductions between geometric-search problems: With and without preprocessing. 21st International Conference on Theory of Cryptography. , LNCS, vol. 14371, 301–330."},"title":"Generic-group lower bounds via reductions between geometric-search problems: With and without preprocessing","article_processing_charge":"No","author":[{"orcid":"0000-0002-7553-6606","full_name":"Auerbach, Benedikt","last_name":"Auerbach","id":"D33D2B18-E445-11E9-ABB7-15F4E5697425","first_name":"Benedikt"},{"id":"0f78d746-dc7d-11ea-9b2f-83f92091afe7","first_name":"Charlotte","orcid":"0000-0003-2027-5549","full_name":"Hoffmann, Charlotte","last_name":"Hoffmann"},{"full_name":"Pascual Perez, Guillermo","orcid":"0000-0001-8630-415X","last_name":"Pascual Perez","first_name":"Guillermo","id":"2D7ABD02-F248-11E8-B48F-1D18A9856A87"}],"oa":1,"publisher":"Springer Nature","quality_controlled":"1","publication":"21st International Conference on Theory of Cryptography","day":"27","year":"2023","date_created":"2023-12-17T23:00:54Z","doi":"10.1007/978-3-031-48621-0_11","date_published":"2023-11-27T00:00:00Z","page":"301-330"},{"volume":13950,"ec_funded":1,"language":[{"iso":"eng"}],"publication_identifier":{"eisbn":["9783031477546"],"eissn":["1611-3349"],"isbn":["9783031477539"],"issn":["0302-9743"]},"publication_status":"published","month":"12","intvolume":" 13950","alternative_title":["LNCS"],"oa_version":"None","abstract":[{"text":"Payment channel networks (PCNs) are a promising technology to improve the scalability of cryptocurrencies. PCNs, however, face the challenge that the frequent usage of certain routes may deplete channels in one direction, and hence prevent further transactions. In order to reap the full potential of PCNs, recharging and rebalancing mechanisms are required to provision channels, as well as an admission control logic to decide which transactions to reject in case capacity is insufficient. This paper presents a formal model of this optimisation problem. In particular, we consider an online algorithms perspective, where transactions arrive over time in an unpredictable manner. Our main contributions are competitive online algorithms which come with provable guarantees over time. We empirically evaluate our algorithms on randomly generated transactions to compare the average performance of our algorithms to our theoretical bounds. We also show how this model and approach differs from related problems in classic communication networks.","lang":"eng"}],"department":[{"_id":"KrCh"},{"_id":"KrPi"}],"date_updated":"2024-01-08T09:36:36Z","status":"public","type":"conference","conference":{"end_date":"2023-05-05","location":"Bol, Brac, Croatia","start_date":"2023-05-01","name":"FC: Financial Cryptography and Data Security"},"_id":"14736","doi":"10.1007/978-3-031-47754-6_18","date_published":"2023-12-01T00:00:00Z","date_created":"2024-01-08T09:30:22Z","page":"309-325","day":"01","publication":"27th International Conference on Financial Cryptography and Data Security","year":"2023","publisher":"Springer Nature","quality_controlled":"1","acknowledgement":"Supported by the German Federal Ministry of Education and Research (BMBF), grant 16KISK020K (6G-RIC), 2021–2025, and ERC CoG 863818 (ForM-SMArt).","title":"R2: Boosting liquidity in payment channel networks with online admission control","author":[{"full_name":"Bastankhah, Mahsa","last_name":"Bastankhah","first_name":"Mahsa"},{"first_name":"Krishnendu","id":"2E5DCA20-F248-11E8-B48F-1D18A9856A87","last_name":"Chatterjee","orcid":"0000-0002-4561-241X","full_name":"Chatterjee, Krishnendu"},{"first_name":"Mohammad Ali","last_name":"Maddah-Ali","full_name":"Maddah-Ali, Mohammad Ali"},{"first_name":"Stefan","last_name":"Schmid","full_name":"Schmid, Stefan"},{"first_name":"Jakub","id":"130759D2-D7DD-11E9-87D2-DE0DE6697425","full_name":"Svoboda, Jakub","orcid":"0000-0002-1419-3267","last_name":"Svoboda"},{"first_name":"Michelle X","id":"2D82B818-F248-11E8-B48F-1D18A9856A87","full_name":"Yeo, Michelle X","last_name":"Yeo"}],"article_processing_charge":"No","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Bastankhah, Mahsa, et al. “R2: Boosting Liquidity in Payment Channel Networks with Online Admission Control.” 27th International Conference on Financial Cryptography and Data Security, vol. 13950, Springer Nature, 2023, pp. 309–25, doi:10.1007/978-3-031-47754-6_18.","ama":"Bastankhah M, Chatterjee K, Maddah-Ali MA, Schmid S, Svoboda J, Yeo MX. R2: Boosting liquidity in payment channel networks with online admission control. In: 27th International Conference on Financial Cryptography and Data Security. Vol 13950. Springer Nature; 2023:309-325. doi:10.1007/978-3-031-47754-6_18","apa":"Bastankhah, M., Chatterjee, K., Maddah-Ali, M. A., Schmid, S., Svoboda, J., & Yeo, M. X. (2023). R2: Boosting liquidity in payment channel networks with online admission control. In 27th International Conference on Financial Cryptography and Data Security (Vol. 13950, pp. 309–325). Bol, Brac, Croatia: Springer Nature. https://doi.org/10.1007/978-3-031-47754-6_18","ieee":"M. Bastankhah, K. Chatterjee, M. A. Maddah-Ali, S. Schmid, J. Svoboda, and M. X. Yeo, “R2: Boosting liquidity in payment channel networks with online admission control,” in 27th International Conference on Financial Cryptography and Data Security, Bol, Brac, Croatia, 2023, vol. 13950, pp. 309–325.","short":"M. Bastankhah, K. Chatterjee, M.A. Maddah-Ali, S. Schmid, J. Svoboda, M.X. Yeo, in:, 27th International Conference on Financial Cryptography and Data Security, Springer Nature, 2023, pp. 309–325.","chicago":"Bastankhah, Mahsa, Krishnendu Chatterjee, Mohammad Ali Maddah-Ali, Stefan Schmid, Jakub Svoboda, and Michelle X Yeo. “R2: Boosting Liquidity in Payment Channel Networks with Online Admission Control.” In 27th International Conference on Financial Cryptography and Data Security, 13950:309–25. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-47754-6_18.","ista":"Bastankhah M, Chatterjee K, Maddah-Ali MA, Schmid S, Svoboda J, Yeo MX. 2023. R2: Boosting liquidity in payment channel networks with online admission control. 27th International Conference on Financial Cryptography and Data Security. FC: Financial Cryptography and Data Security, LNCS, vol. 13950, 309–325."},"project":[{"call_identifier":"H2020","_id":"0599E47C-7A3F-11EA-A408-12923DDC885E","grant_number":"863818","name":"Formal Methods for Stochastic Models: Algorithms and Applications"}]},{"department":[{"_id":"GradSch"},{"_id":"KrPi"}],"date_updated":"2023-08-03T07:25:02Z","status":"public","conference":{"name":"EUROCRYPT: Annual International Conference on the Theory and Applications of Cryptology and Information Security","location":"Trondheim, Norway","end_date":"2022-06-03","start_date":"2022-05-30"},"type":"conference","_id":"11476","ec_funded":1,"volume":13276,"language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"eisbn":["9783031070853"],"isbn":["9783031070846"],"eissn":["1611-3349"],"issn":["0302-9743"]},"intvolume":" 13276","place":"Cham","month":"05","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2022/251"}],"scopus_import":"1","alternative_title":["LNCS"],"oa_version":"Preprint","abstract":[{"lang":"eng","text":"Messaging platforms like Signal are widely deployed and provide strong security in an asynchronous setting. It is a challenging problem to construct a protocol with similar security guarantees that can efficiently scale to large groups. A major bottleneck are the frequent key rotations users need to perform to achieve post compromise forward security.\r\n\r\nIn current proposals – most notably in TreeKEM (which is part of the IETF’s Messaging Layer Security (MLS) protocol draft) – for users in a group of size n to rotate their keys, they must each craft a message of size log(n) to be broadcast to the group using an (untrusted) delivery server.\r\n\r\nIn larger groups, having users sequentially rotate their keys requires too much bandwidth (or takes too long), so variants allowing any T≤n users to simultaneously rotate their keys in just 2 communication rounds have been suggested (e.g. “Propose and Commit” by MLS). Unfortunately, 2-round concurrent updates are either damaging or expensive (or both); i.e. they either result in future operations being more costly (e.g. via “blanking” or “tainting”) or are costly themselves requiring Ω(T) communication for each user [Bienstock et al., TCC’20].\r\n\r\nIn this paper we propose CoCoA; a new scheme that allows for T concurrent updates that are neither damaging nor costly. That is, they add no cost to future operations yet they only require Ω(log2(n)) communication per user. To circumvent the [Bienstock et al.] lower bound, CoCoA increases the number of rounds needed to complete all updates from 2 up to (at most) log(n); though typically fewer rounds are needed.\r\n\r\nThe key insight of our protocol is the following: in the (non-concurrent version of) TreeKEM, a delivery server which gets T concurrent update requests will approve one and reject the remaining T−1. In contrast, our server attempts to apply all of them. If more than one user requests to rotate the same key during a round, the server arbitrarily picks a winner. Surprisingly, we prove that regardless of how the server chooses the winners, all previously compromised users will recover after at most log(n) such update rounds.\r\n\r\nTo keep the communication complexity low, CoCoA is a server-aided CGKA. That is, the delivery server no longer blindly forwards packets, but instead actively computes individualized packets tailored to each user. As the server is untrusted, this change requires us to develop new mechanisms ensuring robustness of the protocol."}],"title":"CoCoA: Concurrent continuous group key agreement","external_id":{"isi":["000832305300028"]},"article_processing_charge":"No","author":[{"last_name":"Alwen","full_name":"Alwen, Joël","first_name":"Joël"},{"last_name":"Auerbach","orcid":"0000-0002-7553-6606","full_name":"Auerbach, Benedikt","id":"D33D2B18-E445-11E9-ABB7-15F4E5697425","first_name":"Benedikt"},{"first_name":"Miguel","id":"ffc563a3-f6e0-11ea-865d-e3cce03d17cc","full_name":"Cueto Noval, Miguel","last_name":"Cueto Noval"},{"id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","first_name":"Karen","full_name":"Klein, Karen","last_name":"Klein"},{"id":"2D7ABD02-F248-11E8-B48F-1D18A9856A87","first_name":"Guillermo","last_name":"Pascual Perez","full_name":"Pascual Perez, Guillermo"},{"orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"},{"full_name":"Walter, Michael","last_name":"Walter","first_name":"Michael"}],"user_id":"4359f0d1-fa6c-11eb-b949-802e58b17ae8","citation":{"apa":"Alwen, J., Auerbach, B., Cueto Noval, M., Klein, K., Pascual Perez, G., Pietrzak, K. Z., & Walter, M. (2022). CoCoA: Concurrent continuous group key agreement. In Advances in Cryptology – EUROCRYPT 2022 (Vol. 13276, pp. 815–844). Cham: Springer Nature. https://doi.org/10.1007/978-3-031-07085-3_28","ama":"Alwen J, Auerbach B, Cueto Noval M, et al. CoCoA: Concurrent continuous group key agreement. In: Advances in Cryptology – EUROCRYPT 2022. Vol 13276. Cham: Springer Nature; 2022:815–844. doi:10.1007/978-3-031-07085-3_28","ieee":"J. Alwen et al., “CoCoA: Concurrent continuous group key agreement,” in Advances in Cryptology – EUROCRYPT 2022, Trondheim, Norway, 2022, vol. 13276, pp. 815–844.","short":"J. Alwen, B. Auerbach, M. Cueto Noval, K. Klein, G. Pascual Perez, K.Z. Pietrzak, M. Walter, in:, Advances in Cryptology – EUROCRYPT 2022, Springer Nature, Cham, 2022, pp. 815–844.","mla":"Alwen, Joël, et al. “CoCoA: Concurrent Continuous Group Key Agreement.” Advances in Cryptology – EUROCRYPT 2022, vol. 13276, Springer Nature, 2022, pp. 815–844, doi:10.1007/978-3-031-07085-3_28.","ista":"Alwen J, Auerbach B, Cueto Noval M, Klein K, Pascual Perez G, Pietrzak KZ, Walter M. 2022. CoCoA: Concurrent continuous group key agreement. Advances in Cryptology – EUROCRYPT 2022. EUROCRYPT: Annual International Conference on the Theory and Applications of Cryptology and Information Security, LNCS, vol. 13276, 815–844.","chicago":"Alwen, Joël, Benedikt Auerbach, Miguel Cueto Noval, Karen Klein, Guillermo Pascual Perez, Krzysztof Z Pietrzak, and Michael Walter. “CoCoA: Concurrent Continuous Group Key Agreement.” In Advances in Cryptology – EUROCRYPT 2022, 13276:815–844. Cham: Springer Nature, 2022. https://doi.org/10.1007/978-3-031-07085-3_28."},"project":[{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815","name":"Teaching Old Crypto New Tricks"},{"grant_number":"665385","name":"International IST Doctoral Program","call_identifier":"H2020","_id":"2564DBCA-B435-11E9-9278-68D0E5697425"}],"date_created":"2022-06-30T16:48:00Z","doi":"10.1007/978-3-031-07085-3_28","date_published":"2022-05-25T00:00:00Z","page":"815–844","publication":"Advances in Cryptology – EUROCRYPT 2022","day":"25","year":"2022","isi":1,"oa":1,"publisher":"Springer Nature","quality_controlled":"1","acknowledgement":"We thank Marta Mularczyk and Yiannis Tselekounis for their very helpful feedback on an earlier draft of this paper."},{"oa_version":"Preprint","abstract":[{"text":"The homogeneous continuous LWE (hCLWE) problem is to distinguish samples of a specific high-dimensional Gaussian mixture from standard normal samples. It was shown to be at least as hard as Learning with Errors, but no reduction in the other direction is currently known.\r\nWe present four new public-key encryption schemes based on the hardness of hCLWE, with varying tradeoffs between decryption and security errors, and different discretization techniques. Our schemes yield a polynomial-time algorithm for solving hCLWE using a Statistical Zero-Knowledge oracle.","lang":"eng"}],"month":"12","intvolume":" 13748","alternative_title":["LNCS"],"scopus_import":"1","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2022/093"}],"language":[{"iso":"eng"}],"publication_identifier":{"isbn":["9783031223648"],"eissn":["1611-3349"],"issn":["0302-9743"]},"publication_status":"published","volume":13748,"_id":"12516","status":"public","type":"conference","conference":{"location":"Chicago, IL, United States","end_date":"2022-11-10","start_date":"2022-11-07","name":"TCC: Theory of Cryptography"},"date_updated":"2023-08-04T10:39:30Z","department":[{"_id":"KrPi"}],"acknowledgement":"We are grateful to Devika Sharma and Luca Trevisan for their insight and advice and to an anonymous reviewer for helpful comments.\r\n\r\nThis work was supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (Grant agreement No. 101019547). The first author was additionally supported by RGC GRF CUHK14209920 and the fourth author was additionally supported by ISF grant No. 1399/17, project PROMETHEUS (Grant 780701), and Cariplo CRYPTONOMEX grant.","publisher":"Springer Nature","quality_controlled":"1","oa":1,"day":"21","publication":"Theory of Cryptography","isi":1,"year":"2022","doi":"10.1007/978-3-031-22365-5_20","date_published":"2022-12-21T00:00:00Z","date_created":"2023-02-05T23:01:00Z","page":"565-592","user_id":"4359f0d1-fa6c-11eb-b949-802e58b17ae8","citation":{"ista":"Bogdanov A, Cueto Noval M, Hoffmann C, Rosen A. 2022. Public-Key Encryption from Homogeneous CLWE. Theory of Cryptography. TCC: Theory of Cryptography, LNCS, vol. 13748, 565–592.","chicago":"Bogdanov, Andrej, Miguel Cueto Noval, Charlotte Hoffmann, and Alon Rosen. “Public-Key Encryption from Homogeneous CLWE.” In Theory of Cryptography, 13748:565–92. Springer Nature, 2022. https://doi.org/10.1007/978-3-031-22365-5_20.","short":"A. Bogdanov, M. Cueto Noval, C. Hoffmann, A. Rosen, in:, Theory of Cryptography, Springer Nature, 2022, pp. 565–592.","ieee":"A. Bogdanov, M. Cueto Noval, C. Hoffmann, and A. Rosen, “Public-Key Encryption from Homogeneous CLWE,” in Theory of Cryptography, Chicago, IL, United States, 2022, vol. 13748, pp. 565–592.","ama":"Bogdanov A, Cueto Noval M, Hoffmann C, Rosen A. Public-Key Encryption from Homogeneous CLWE. In: Theory of Cryptography. Vol 13748. Springer Nature; 2022:565-592. doi:10.1007/978-3-031-22365-5_20","apa":"Bogdanov, A., Cueto Noval, M., Hoffmann, C., & Rosen, A. (2022). Public-Key Encryption from Homogeneous CLWE. In Theory of Cryptography (Vol. 13748, pp. 565–592). Chicago, IL, United States: Springer Nature. https://doi.org/10.1007/978-3-031-22365-5_20","mla":"Bogdanov, Andrej, et al. “Public-Key Encryption from Homogeneous CLWE.” Theory of Cryptography, vol. 13748, Springer Nature, 2022, pp. 565–92, doi:10.1007/978-3-031-22365-5_20."},"title":"Public-Key Encryption from Homogeneous CLWE","author":[{"full_name":"Bogdanov, Andrej","last_name":"Bogdanov","first_name":"Andrej"},{"full_name":"Cueto Noval, Miguel","last_name":"Cueto Noval","first_name":"Miguel","id":"ffc563a3-f6e0-11ea-865d-e3cce03d17cc"},{"id":"0f78d746-dc7d-11ea-9b2f-83f92091afe7","first_name":"Charlotte","full_name":"Hoffmann, Charlotte","last_name":"Hoffmann"},{"full_name":"Rosen, Alon","last_name":"Rosen","first_name":"Alon"}],"external_id":{"isi":["000921318200020"]},"article_processing_charge":"No"},{"department":[{"_id":"KrPi"}],"date_updated":"2023-09-05T15:10:57Z","conference":{"name":"FC: Financial Cryptography and Data Security","end_date":"2022-05-06","location":"Grenada","start_date":"2022-05-02"},"type":"conference","status":"public","_id":"12167","volume":13411,"publication_status":"published","publication_identifier":{"issn":["0302-9743"],"eissn":["1611-3349"],"isbn":["9783031182822"],"eisbn":["9783031182839"]},"language":[{"iso":"eng"}],"main_file_link":[{"url":"https://doi.org/10.48550/arXiv.2110.08848","open_access":"1"}],"alternative_title":["LNCS"],"scopus_import":"1","intvolume":" 13411","month":"10","abstract":[{"text":"Payment channels effectively move the transaction load off-chain thereby successfully addressing the inherent scalability problem most cryptocurrencies face. A major drawback of payment channels is the need to “top up” funds on-chain when a channel is depleted. Rebalancing was proposed to alleviate this issue, where parties with depleting channels move their funds along a cycle to replenish their channels off-chain. Protocols for rebalancing so far either introduce local solutions or compromise privacy.\r\nIn this work, we present an opt-in rebalancing protocol that is both private and globally optimal, meaning our protocol maximizes the total amount of rebalanced funds. We study rebalancing from the framework of linear programming. To obtain full privacy guarantees, we leverage multi-party computation in solving the linear program, which is executed by selected participants to maintain efficiency. Finally, we efficiently decompose the rebalancing solution into incentive-compatible cycles which conserve user balances when executed atomically.","lang":"eng"}],"oa_version":"Preprint","external_id":{"arxiv":["2110.08848"]},"article_processing_charge":"No","author":[{"id":"c20482a0-3b89-11eb-9862-88cf6404b88c","first_name":"Georgia","full_name":"Avarikioti, Georgia","last_name":"Avarikioti"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"},{"first_name":"Iosif","full_name":"Salem, Iosif","last_name":"Salem"},{"full_name":"Schmid, Stefan","last_name":"Schmid","first_name":"Stefan"},{"full_name":"Tiwari, Samarth","last_name":"Tiwari","first_name":"Samarth"},{"first_name":"Michelle X","id":"2D82B818-F248-11E8-B48F-1D18A9856A87","last_name":"Yeo","full_name":"Yeo, Michelle X"}],"title":"Hide & Seek: Privacy-preserving rebalancing on payment channel networks","citation":{"chicago":"Avarikioti, Georgia, Krzysztof Z Pietrzak, Iosif Salem, Stefan Schmid, Samarth Tiwari, and Michelle X Yeo. “Hide & Seek: Privacy-Preserving Rebalancing on Payment Channel Networks.” In Financial Cryptography and Data Security, 13411:358–73. Springer Nature, 2022. https://doi.org/10.1007/978-3-031-18283-9_17.","ista":"Avarikioti G, Pietrzak KZ, Salem I, Schmid S, Tiwari S, Yeo MX. 2022. Hide & Seek: Privacy-preserving rebalancing on payment channel networks. Financial Cryptography and Data Security. FC: Financial Cryptography and Data Security, LNCS, vol. 13411, 358–373.","mla":"Avarikioti, Georgia, et al. “Hide & Seek: Privacy-Preserving Rebalancing on Payment Channel Networks.” Financial Cryptography and Data Security, vol. 13411, Springer Nature, 2022, pp. 358–73, doi:10.1007/978-3-031-18283-9_17.","apa":"Avarikioti, G., Pietrzak, K. Z., Salem, I., Schmid, S., Tiwari, S., & Yeo, M. X. (2022). Hide & Seek: Privacy-preserving rebalancing on payment channel networks. In Financial Cryptography and Data Security (Vol. 13411, pp. 358–373). Grenada: Springer Nature. https://doi.org/10.1007/978-3-031-18283-9_17","ama":"Avarikioti G, Pietrzak KZ, Salem I, Schmid S, Tiwari S, Yeo MX. Hide & Seek: Privacy-preserving rebalancing on payment channel networks. In: Financial Cryptography and Data Security. Vol 13411. Springer Nature; 2022:358-373. doi:10.1007/978-3-031-18283-9_17","short":"G. Avarikioti, K.Z. Pietrzak, I. Salem, S. Schmid, S. Tiwari, M.X. Yeo, in:, Financial Cryptography and Data Security, Springer Nature, 2022, pp. 358–373.","ieee":"G. Avarikioti, K. Z. Pietrzak, I. Salem, S. Schmid, S. Tiwari, and M. X. Yeo, “Hide & Seek: Privacy-preserving rebalancing on payment channel networks,” in Financial Cryptography and Data Security, Grenada, 2022, vol. 13411, pp. 358–373."},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","page":"358-373","date_created":"2023-01-12T12:10:38Z","doi":"10.1007/978-3-031-18283-9_17","date_published":"2022-10-22T00:00:00Z","year":"2022","publication":"Financial Cryptography and Data Security","day":"22","oa":1,"quality_controlled":"1","publisher":"Springer Nature"},{"volume":13508,"language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"eisbn":["9783031159794"],"eissn":["1611-3349"],"isbn":["9783031159787"],"issn":["0302-9743"]},"intvolume":" 13508","month":"10","main_file_link":[{"url":"https://eprint.iacr.org/2022/1021","open_access":"1"}],"alternative_title":["LNCS"],"scopus_import":"1","oa_version":"Preprint","abstract":[{"lang":"eng","text":"A proof of exponentiation (PoE) in a group G of unknown order allows a prover to convince a verifier that a tuple (x,q,T,y)∈G×N×N×G satisfies xqT=y. This primitive has recently found exciting applications in the constructions of verifiable delay functions and succinct arguments of knowledge. The most practical PoEs only achieve soundness either under computational assumptions, i.e., they are arguments (Wesolowski, Journal of Cryptology 2020), or in groups that come with the promise of not having any small subgroups (Pietrzak, ITCS 2019). The only statistically-sound PoE in general groups of unknown order is due to Block et al. (CRYPTO 2021), and can be seen as an elaborate parallel repetition of Pietrzak’s PoE: to achieve λ bits of security, say λ=80, the number of repetitions required (and thus the blow-up in communication) is as large as λ.\r\n\r\nIn this work, we propose a statistically-sound PoE for the case where the exponent q is the product of all primes up to some bound B. We show that, in this case, it suffices to run only λ/log(B) parallel instances of Pietrzak’s PoE, which reduces the concrete proof-size compared to Block et al. by an order of magnitude. Furthermore, we show that in the known applications where PoEs are used as a building block such structured exponents are viable. Finally, we also discuss batching of our PoE, showing that many proofs (for the same G and q but different x and T) can be batched by adding only a single element to the proof per additional statement."}],"department":[{"_id":"KrPi"}],"date_updated":"2023-09-05T15:12:27Z","status":"public","conference":{"end_date":"2022-08-18","location":"Santa Barbara, CA, United States","start_date":"2022-08-15","name":"CRYYPTO: International Cryptology Conference"},"type":"conference","_id":"12176","date_created":"2023-01-12T12:12:07Z","date_published":"2022-10-13T00:00:00Z","doi":"10.1007/978-3-031-15979-4_13","page":"370-399","publication":"Advances in Cryptology – CRYPTO 2022","day":"13","year":"2022","isi":1,"oa":1,"publisher":"Springer Nature","quality_controlled":"1","acknowledgement":"We would like to thank the authors of [BHR+21] for clarifying several questions we had\r\nregarding their results. Pavel Hubá£ek was supported by the Grant Agency of the Czech\r\nRepublic under the grant agreement no. 19-27871X and by the Charles University project\r\nUNCE/SCI/004. Chethan Kamath is supported by Azrieli International Postdoctoral Fellowship\r\nand ISF grants 484/18 and 1789/19. Karen Klein was supported in part by ERC CoG grant\r\n724307 and conducted part of this work at Institute of Science and Technology Austria.","title":"Practical statistically-sound proofs of exponentiation in any group","article_processing_charge":"No","external_id":{"isi":["000886792700013"]},"author":[{"last_name":"Hoffmann","orcid":"0000-0003-2027-5549","full_name":"Hoffmann, Charlotte","id":"0f78d746-dc7d-11ea-9b2f-83f92091afe7","first_name":"Charlotte"},{"first_name":"Pavel","last_name":"Hubáček","full_name":"Hubáček, Pavel"},{"last_name":"Kamath","full_name":"Kamath, Chethan","first_name":"Chethan"},{"first_name":"Karen","full_name":"Klein, Karen","last_name":"Klein"},{"full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"}],"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"chicago":"Hoffmann, Charlotte, Pavel Hubáček, Chethan Kamath, Karen Klein, and Krzysztof Z Pietrzak. “Practical Statistically-Sound Proofs of Exponentiation in Any Group.” In Advances in Cryptology – CRYPTO 2022, 13508:370–99. Springer Nature, 2022. https://doi.org/10.1007/978-3-031-15979-4_13.","ista":"Hoffmann C, Hubáček P, Kamath C, Klein K, Pietrzak KZ. 2022. Practical statistically-sound proofs of exponentiation in any group. Advances in Cryptology – CRYPTO 2022. CRYYPTO: International Cryptology Conference, LNCS, vol. 13508, 370–399.","mla":"Hoffmann, Charlotte, et al. “Practical Statistically-Sound Proofs of Exponentiation in Any Group.” Advances in Cryptology – CRYPTO 2022, vol. 13508, Springer Nature, 2022, pp. 370–99, doi:10.1007/978-3-031-15979-4_13.","ieee":"C. Hoffmann, P. Hubáček, C. Kamath, K. Klein, and K. Z. Pietrzak, “Practical statistically-sound proofs of exponentiation in any group,” in Advances in Cryptology – CRYPTO 2022, Santa Barbara, CA, United States, 2022, vol. 13508, pp. 370–399.","short":"C. Hoffmann, P. Hubáček, C. Kamath, K. Klein, K.Z. Pietrzak, in:, Advances in Cryptology – CRYPTO 2022, Springer Nature, 2022, pp. 370–399.","apa":"Hoffmann, C., Hubáček, P., Kamath, C., Klein, K., & Pietrzak, K. Z. (2022). Practical statistically-sound proofs of exponentiation in any group. In Advances in Cryptology – CRYPTO 2022 (Vol. 13508, pp. 370–399). Santa Barbara, CA, United States: Springer Nature. https://doi.org/10.1007/978-3-031-15979-4_13","ama":"Hoffmann C, Hubáček P, Kamath C, Klein K, Pietrzak KZ. Practical statistically-sound proofs of exponentiation in any group. In: Advances in Cryptology – CRYPTO 2022. Vol 13508. Springer Nature; 2022:370-399. doi:10.1007/978-3-031-15979-4_13"}},{"publication_status":"published","publication_identifier":{"isbn":["9783030752446"],"eissn":["16113349"],"issn":["03029743"]},"language":[{"iso":"eng"}],"file":[{"content_type":"application/pdf","relation":"main_file","access_level":"open_access","success":1,"checksum":"413e564d645ed93d7318672361d9d470","file_id":"11416","file_size":489017,"date_updated":"2022-05-27T09:48:31Z","creator":"dernst","file_name":"2021_PKC_Walter.pdf","date_created":"2022-05-27T09:48:31Z"}],"ec_funded":1,"volume":12710,"abstract":[{"text":"In this work, we apply the dynamical systems analysis of Hanrot et al. (CRYPTO’11) to a class of lattice block reduction algorithms that includes (natural variants of) slide reduction and block-Rankin reduction. This implies sharper bounds on the polynomial running times (in the query model) for these algorithms and opens the door to faster practical variants of slide reduction. We give heuristic arguments showing that such variants can indeed speed up slide reduction significantly in practice. This is confirmed by experimental evidence, which also shows that our variants are competitive with state-of-the-art reduction algorithms.","lang":"eng"}],"oa_version":"Published Version","scopus_import":"1","alternative_title":["LNCS"],"intvolume":" 12710","month":"05","date_updated":"2023-02-23T13:58:47Z","ddc":["000"],"department":[{"_id":"KrPi"}],"file_date_updated":"2022-05-27T09:48:31Z","_id":"9466","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"conference":{"name":"PKC: IACR International Conference on Practice and Theory of Public Key Cryptography","start_date":"2021-05-10","end_date":"2021-05-13","location":"Virtual"},"type":"conference","status":"public","year":"2021","has_accepted_license":"1","publication":"Public-Key Cryptography – PKC 2021","day":"01","page":"45-67","date_created":"2021-06-06T22:01:29Z","date_published":"2021-05-01T00:00:00Z","doi":"10.1007/978-3-030-75245-3_3","acknowledgement":"This work was initiated in discussions with Léo Ducas, when the author was visiting the Simons Institute for the Theory of Computation during the program “Lattices: Algorithms, Complexity, and Cryptography”. We thank Thomas Espitau for pointing out a bug in a proof in an earlier version of this manuscript.","oa":1,"quality_controlled":"1","publisher":"Springer Nature","citation":{"apa":"Walter, M. (2021). The convergence of slide-type reductions. In Public-Key Cryptography – PKC 2021 (Vol. 12710, pp. 45–67). Virtual: Springer Nature. https://doi.org/10.1007/978-3-030-75245-3_3","ama":"Walter M. The convergence of slide-type reductions. In: Public-Key Cryptography – PKC 2021. Vol 12710. Springer Nature; 2021:45-67. doi:10.1007/978-3-030-75245-3_3","short":"M. Walter, in:, Public-Key Cryptography – PKC 2021, Springer Nature, 2021, pp. 45–67.","ieee":"M. Walter, “The convergence of slide-type reductions,” in Public-Key Cryptography – PKC 2021, Virtual, 2021, vol. 12710, pp. 45–67.","mla":"Walter, Michael. “The Convergence of Slide-Type Reductions.” Public-Key Cryptography – PKC 2021, vol. 12710, Springer Nature, 2021, pp. 45–67, doi:10.1007/978-3-030-75245-3_3.","ista":"Walter M. 2021. The convergence of slide-type reductions. Public-Key Cryptography – PKC 2021. PKC: IACR International Conference on Practice and Theory of Public Key Cryptography, LNCS, vol. 12710, 45–67.","chicago":"Walter, Michael. “The Convergence of Slide-Type Reductions.” In Public-Key Cryptography – PKC 2021, 12710:45–67. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-75245-3_3."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","article_processing_charge":"No","author":[{"id":"488F98B0-F248-11E8-B48F-1D18A9856A87","first_name":"Michael","orcid":"0000-0003-3186-2482","full_name":"Walter, Michael","last_name":"Walter"}],"title":"The convergence of slide-type reductions","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","grant_number":"682815","name":"Teaching Old Crypto New Tricks"}]},{"department":[{"_id":"KrPi"},{"_id":"GradSch"}],"date_updated":"2023-02-23T14:09:56Z","type":"conference","conference":{"name":"CT-RSA: Cryptographers’ Track at the RSA Conference","start_date":"2021-05-17","end_date":"2021-05-20","location":"Virtual Event"},"status":"public","_id":"9826","volume":12704,"ec_funded":1,"publication_identifier":{"issn":["03029743"],"isbn":["9783030755386"],"eissn":["16113349"]},"publication_status":"published","language":[{"iso":"eng"}],"scopus_import":"1","alternative_title":["LNCS"],"main_file_link":[{"url":"https://eprint.iacr.org/2020/670","open_access":"1"}],"month":"05","intvolume":" 12704","abstract":[{"lang":"eng","text":"Automated contract tracing aims at supporting manual contact tracing during pandemics by alerting users of encounters with infected people. There are currently many proposals for protocols (like the “decentralized” DP-3T and PACT or the “centralized” ROBERT and DESIRE) to be run on mobile phones, where the basic idea is to regularly broadcast (using low energy Bluetooth) some values, and at the same time store (a function of) incoming messages broadcasted by users in their proximity. In the existing proposals one can trigger false positives on a massive scale by an “inverse-Sybil” attack, where a large number of devices (malicious users or hacked phones) pretend to be the same user, such that later, just a single person needs to be diagnosed (and allowed to upload) to trigger an alert for all users who were in proximity to any of this large group of devices.\r\n\r\nWe propose the first protocols that do not succumb to such attacks assuming the devices involved in the attack do not constantly communicate, which we observe is a necessary assumption. The high level idea of the protocols is to derive the values to be broadcasted by a hash chain, so that two (or more) devices who want to launch an inverse-Sybil attack will not be able to connect their respective chains and thus only one of them will be able to upload. Our protocols also achieve security against replay, belated replay, and one of them even against relay attacks."}],"oa_version":"Submitted Version","author":[{"full_name":"Auerbach, Benedikt","orcid":"0000-0002-7553-6606","last_name":"Auerbach","id":"D33D2B18-E445-11E9-ABB7-15F4E5697425","first_name":"Benedikt"},{"full_name":"Chakraborty, Suvradip","last_name":"Chakraborty","id":"B9CD0494-D033-11E9-B219-A439E6697425","first_name":"Suvradip"},{"first_name":"Karen","id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","last_name":"Klein","full_name":"Klein, Karen"},{"first_name":"Guillermo","id":"2D7ABD02-F248-11E8-B48F-1D18A9856A87","last_name":"Pascual Perez","full_name":"Pascual Perez, Guillermo"},{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"},{"last_name":"Walter","full_name":"Walter, Michael","orcid":"0000-0003-3186-2482","id":"488F98B0-F248-11E8-B48F-1D18A9856A87","first_name":"Michael"},{"full_name":"Yeo, Michelle X","last_name":"Yeo","id":"2D82B818-F248-11E8-B48F-1D18A9856A87","first_name":"Michelle X"}],"article_processing_charge":"No","title":"Inverse-Sybil attacks in automated contact tracing","citation":{"short":"B. Auerbach, S. Chakraborty, K. Klein, G. Pascual Perez, K.Z. Pietrzak, M. Walter, M.X. Yeo, in:, Topics in Cryptology – CT-RSA 2021, Springer Nature, 2021, pp. 399–421.","ieee":"B. Auerbach et al., “Inverse-Sybil attacks in automated contact tracing,” in Topics in Cryptology – CT-RSA 2021, Virtual Event, 2021, vol. 12704, pp. 399–421.","ama":"Auerbach B, Chakraborty S, Klein K, et al. Inverse-Sybil attacks in automated contact tracing. In: Topics in Cryptology – CT-RSA 2021. Vol 12704. Springer Nature; 2021:399-421. doi:10.1007/978-3-030-75539-3_17","apa":"Auerbach, B., Chakraborty, S., Klein, K., Pascual Perez, G., Pietrzak, K. Z., Walter, M., & Yeo, M. X. (2021). Inverse-Sybil attacks in automated contact tracing. In Topics in Cryptology – CT-RSA 2021 (Vol. 12704, pp. 399–421). Virtual Event: Springer Nature. https://doi.org/10.1007/978-3-030-75539-3_17","mla":"Auerbach, Benedikt, et al. “Inverse-Sybil Attacks in Automated Contact Tracing.” Topics in Cryptology – CT-RSA 2021, vol. 12704, Springer Nature, 2021, pp. 399–421, doi:10.1007/978-3-030-75539-3_17.","ista":"Auerbach B, Chakraborty S, Klein K, Pascual Perez G, Pietrzak KZ, Walter M, Yeo MX. 2021. Inverse-Sybil attacks in automated contact tracing. Topics in Cryptology – CT-RSA 2021. CT-RSA: Cryptographers’ Track at the RSA Conference, LNCS, vol. 12704, 399–421.","chicago":"Auerbach, Benedikt, Suvradip Chakraborty, Karen Klein, Guillermo Pascual Perez, Krzysztof Z Pietrzak, Michael Walter, and Michelle X Yeo. “Inverse-Sybil Attacks in Automated Contact Tracing.” In Topics in Cryptology – CT-RSA 2021, 12704:399–421. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-75539-3_17."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","project":[{"grant_number":"665385","name":"International IST Doctoral Program","_id":"2564DBCA-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"},{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"page":"399-421","doi":"10.1007/978-3-030-75539-3_17","date_published":"2021-05-11T00:00:00Z","date_created":"2021-08-08T22:01:30Z","year":"2021","day":"11","publication":"Topics in Cryptology – CT-RSA 2021","publisher":"Springer Nature","quality_controlled":"1","oa":1,"acknowledgement":"Guillermo Pascual-Perez and Michelle Yeo were funded by the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska–Curie Grant Agreement No. 665385; the remaining contributors to this project have received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (682815 - TOCNeT)."},{"_id":"9825","type":"conference","conference":{"start_date":"2021-05-17","end_date":"2021-05-20","location":"Virtual Event","name":"CT-RSA: Cryptographers’ Track at the RSA Conference"},"status":"public","date_updated":"2023-02-23T14:09:54Z","department":[{"_id":"KrPi"}],"abstract":[{"lang":"eng","text":"The dual attack has long been considered a relevant attack on lattice-based cryptographic schemes relying on the hardness of learning with errors (LWE) and its structured variants. As solving LWE corresponds to finding a nearest point on a lattice, one may naturally wonder how efficient this dual approach is for solving more general closest vector problems, such as the classical closest vector problem (CVP), the variants bounded distance decoding (BDD) and approximate CVP, and preprocessing versions of these problems. While primal, sieving-based solutions to these problems (with preprocessing) were recently studied in a series of works on approximate Voronoi cells [Laa16b, DLdW19, Laa20, DLvW20], for the dual attack no such overview exists, especially for problems with preprocessing. With one of the take-away messages of the approximate Voronoi cell line of work being that primal attacks work well for approximate CVP(P) but scale poorly for BDD(P), one may further wonder if the dual attack suffers the same drawbacks, or if it is perhaps a better solution when trying to solve BDD(P).\r\n\r\nIn this work we provide an overview of cost estimates for dual algorithms for solving these “classical” closest lattice vector problems. Heuristically we expect to solve the search version of average-case CVPP in time and space 20.293𝑑+𝑜(𝑑) in the single-target model. The distinguishing version of average-case CVPP, where we wish to distinguish between random targets and targets planted at distance (say) 0.99⋅𝑔𝑑 from the lattice, has the same complexity in the single-target model, but can be solved in time and space 20.195𝑑+𝑜(𝑑) in the multi-target setting, when given a large number of targets from either target distribution. This suggests an inequivalence between distinguishing and searching, as we do not expect a similar improvement in the multi-target setting to hold for search-CVPP. We analyze three slightly different decoders, both for distinguishing and searching, and experimentally obtain concrete cost estimates for the dual attack in dimensions 50 to 80, which confirm our heuristic assumptions, and show that the hidden order terms in the asymptotic estimates are quite small.\r\n\r\nOur main take-away message is that the dual attack appears to mirror the approximate Voronoi cell line of work – whereas using approximate Voronoi cells works well for approximate CVP(P) but scales poorly for BDD(P), the dual approach scales well for BDD(P) instances but performs poorly on approximate CVP(P)."}],"oa_version":"Preprint","alternative_title":["LNCS"],"scopus_import":"1","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2021/557"}],"month":"05","intvolume":" 12704","publication_identifier":{"eissn":["16113349"],"isbn":["9783030755386"],"issn":["03029743"]},"publication_status":"published","language":[{"iso":"eng"}],"volume":12704,"citation":{"chicago":"Laarhoven, Thijs, and Michael Walter. “Dual Lattice Attacks for Closest Vector Problems (with Preprocessing).” In Topics in Cryptology – CT-RSA 2021, 12704:478–502. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-75539-3_20.","ista":"Laarhoven T, Walter M. 2021. Dual lattice attacks for closest vector problems (with preprocessing). Topics in Cryptology – CT-RSA 2021. CT-RSA: Cryptographers’ Track at the RSA Conference, LNCS, vol. 12704, 478–502.","mla":"Laarhoven, Thijs, and Michael Walter. “Dual Lattice Attacks for Closest Vector Problems (with Preprocessing).” Topics in Cryptology – CT-RSA 2021, vol. 12704, Springer Nature, 2021, pp. 478–502, doi:10.1007/978-3-030-75539-3_20.","apa":"Laarhoven, T., & Walter, M. (2021). Dual lattice attacks for closest vector problems (with preprocessing). In Topics in Cryptology – CT-RSA 2021 (Vol. 12704, pp. 478–502). Virtual Event: Springer Nature. https://doi.org/10.1007/978-3-030-75539-3_20","ama":"Laarhoven T, Walter M. Dual lattice attacks for closest vector problems (with preprocessing). In: Topics in Cryptology – CT-RSA 2021. Vol 12704. Springer Nature; 2021:478-502. doi:10.1007/978-3-030-75539-3_20","short":"T. Laarhoven, M. Walter, in:, Topics in Cryptology – CT-RSA 2021, Springer Nature, 2021, pp. 478–502.","ieee":"T. Laarhoven and M. Walter, “Dual lattice attacks for closest vector problems (with preprocessing),” in Topics in Cryptology – CT-RSA 2021, Virtual Event, 2021, vol. 12704, pp. 478–502."},"user_id":"6785fbc1-c503-11eb-8a32-93094b40e1cf","author":[{"last_name":"Laarhoven","full_name":"Laarhoven, Thijs","first_name":"Thijs"},{"full_name":"Walter, Michael","orcid":"0000-0003-3186-2482","last_name":"Walter","first_name":"Michael","id":"488F98B0-F248-11E8-B48F-1D18A9856A87"}],"article_processing_charge":"No","title":"Dual lattice attacks for closest vector problems (with preprocessing)","acknowledgement":"The authors thank Sauvik Bhattacharya, L´eo Ducas, Rachel Player, and Christine van Vredendaal for early discussions on this topic and on preliminary results. The authors further thank the reviewers of CT-RSA 2021 for their valuable feedback.","publisher":"Springer Nature","quality_controlled":"1","oa":1,"year":"2021","day":"11","publication":"Topics in Cryptology – CT-RSA 2021","page":"478-502","doi":"10.1007/978-3-030-75539-3_20","date_published":"2021-05-11T00:00:00Z","date_created":"2021-08-08T22:01:30Z"},{"project":[{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}],"user_id":"4359f0d1-fa6c-11eb-b949-802e58b17ae8","citation":{"ieee":"S. Chakraborty, S. Dziembowski, M. Gałązka, T. Lizurej, K. Z. Pietrzak, and M. X. Yeo, “Trojan-resilience without cryptography,” presented at the TCC: Theory of Cryptography Conference, Raleigh, NC, United States, 2021, vol. 13043, pp. 397–428.","short":"S. Chakraborty, S. Dziembowski, M. Gałązka, T. Lizurej, K.Z. Pietrzak, M.X. Yeo, in:, Springer Nature, 2021, pp. 397–428.","apa":"Chakraborty, S., Dziembowski, S., Gałązka, M., Lizurej, T., Pietrzak, K. Z., & Yeo, M. X. (2021). Trojan-resilience without cryptography (Vol. 13043, pp. 397–428). Presented at the TCC: Theory of Cryptography Conference, Raleigh, NC, United States: Springer Nature. https://doi.org/10.1007/978-3-030-90453-1_14","ama":"Chakraborty S, Dziembowski S, Gałązka M, Lizurej T, Pietrzak KZ, Yeo MX. Trojan-resilience without cryptography. In: Vol 13043. Springer Nature; 2021:397-428. doi:10.1007/978-3-030-90453-1_14","mla":"Chakraborty, Suvradip, et al. Trojan-Resilience without Cryptography. Vol. 13043, Springer Nature, 2021, pp. 397–428, doi:10.1007/978-3-030-90453-1_14.","ista":"Chakraborty S, Dziembowski S, Gałązka M, Lizurej T, Pietrzak KZ, Yeo MX. 2021. Trojan-resilience without cryptography. TCC: Theory of Cryptography Conference, LNCS, vol. 13043, 397–428.","chicago":"Chakraborty, Suvradip, Stefan Dziembowski, Małgorzata Gałązka, Tomasz Lizurej, Krzysztof Z Pietrzak, and Michelle X Yeo. “Trojan-Resilience without Cryptography,” 13043:397–428. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-90453-1_14."},"title":"Trojan-resilience without cryptography","external_id":{"isi":["000728364000014"]},"article_processing_charge":"No","author":[{"full_name":"Chakraborty, Suvradip","last_name":"Chakraborty","first_name":"Suvradip","id":"B9CD0494-D033-11E9-B219-A439E6697425"},{"full_name":"Dziembowski, Stefan","last_name":"Dziembowski","first_name":"Stefan"},{"last_name":"Gałązka","full_name":"Gałązka, Małgorzata","first_name":"Małgorzata"},{"full_name":"Lizurej, Tomasz","last_name":"Lizurej","first_name":"Tomasz"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"},{"full_name":"Yeo, Michelle X","last_name":"Yeo","first_name":"Michelle X","id":"2D82B818-F248-11E8-B48F-1D18A9856A87"}],"oa":1,"publisher":"Springer Nature","quality_controlled":"1","day":"04","year":"2021","isi":1,"date_created":"2021-12-05T23:01:42Z","doi":"10.1007/978-3-030-90453-1_14","date_published":"2021-11-04T00:00:00Z","page":"397-428","_id":"10407","status":"public","conference":{"end_date":"2021-11-11","location":"Raleigh, NC, United States","start_date":"2021-11-08","name":"TCC: Theory of Cryptography Conference"},"type":"conference","date_updated":"2023-08-14T13:07:46Z","department":[{"_id":"KrPi"}],"oa_version":"Preprint","abstract":[{"lang":"eng","text":"Digital hardware Trojans are integrated circuits whose implementation differ from the specification in an arbitrary and malicious way. For example, the circuit can differ from its specified input/output behavior after some fixed number of queries (known as “time bombs”) or on some particular input (known as “cheat codes”). To detect such Trojans, countermeasures using multiparty computation (MPC) or verifiable computation (VC) have been proposed. On a high level, to realize a circuit with specification F one has more sophisticated circuits F⋄ manufactured (where F⋄ specifies a MPC or VC of F ), and then embeds these F⋄ ’s into a master circuit which must be trusted but is relatively simple compared to F . Those solutions impose a significant overhead as F⋄ is much more complex than F , also the master circuits are not exactly trivial. In this work, we show that in restricted settings, where F has no evolving state and is queried on independent inputs, we can achieve a relaxed security notion using very simple constructions. In particular, we do not change the specification of the circuit at all (i.e., F=F⋄ ). Moreover the master circuit basically just queries a subset of its manufactured circuits and checks if they’re all the same. The security we achieve guarantees that, if the manufactured circuits are initially tested on up to T inputs, the master circuit will catch Trojans that try to deviate on significantly more than a 1/T fraction of the inputs. This bound is optimal for the type of construction considered, and we provably achieve it using a construction where 12 instantiations of F need to be embedded into the master. We also discuss an extremely simple construction with just 2 instantiations for which we conjecture that it already achieves the optimal bound."}],"intvolume":" 13043","month":"11","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2021/1224"}],"scopus_import":"1","alternative_title":["LNCS"],"language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"eissn":["1611-3349"],"isbn":["9-783-0309-0452-4"],"issn":["0302-9743"]},"ec_funded":1,"volume":13043},{"language":[{"iso":"eng"}],"publication_identifier":{"isbn":["9-783-0309-0455-5"],"eissn":["1611-3349"],"issn":["0302-9743"],"eisbn":["978-3-030-90456-2"]},"publication_status":"published","volume":13044,"ec_funded":1,"oa_version":"Preprint","abstract":[{"text":"Key trees are often the best solution in terms of transmission cost and storage requirements for managing keys in a setting where a group needs to share a secret key, while being able to efficiently rotate the key material of users (in order to recover from a potential compromise, or to add or remove users). Applications include multicast encryption protocols like LKH (Logical Key Hierarchies) or group messaging like the current IETF proposal TreeKEM. A key tree is a (typically balanced) binary tree, where each node is identified with a key: leaf nodes hold users’ secret keys while the root is the shared group key. For a group of size N, each user just holds log(N) keys (the keys on the path from its leaf to the root) and its entire key material can be rotated by broadcasting 2log(N) ciphertexts (encrypting each fresh key on the path under the keys of its parents). In this work we consider the natural setting where we have many groups with partially overlapping sets of users, and ask if we can find solutions where the cost of rotating a key is better than in the trivial one where we have a separate key tree for each group. We show that in an asymptotic setting (where the number m of groups is fixed while the number N of users grows) there exist more general key graphs whose cost converges to the cost of a single group, thus saving a factor linear in the number of groups over the trivial solution. As our asymptotic “solution” converges very slowly and performs poorly on concrete examples, we propose an algorithm that uses a natural heuristic to compute a key graph for any given group structure. Our algorithm combines two greedy algorithms, and is thus very efficient: it first converts the group structure into a “lattice graph”, which is then turned into a key graph by repeatedly applying the algorithm for constructing a Huffman code. To better understand how far our proposal is from an optimal solution, we prove lower bounds on the update cost of continuous group-key agreement and multicast encryption in a symbolic model admitting (asymmetric) encryption, pseudorandom generators, and secret sharing as building blocks.","lang":"eng"}],"month":"11","intvolume":" 13044","scopus_import":"1","alternative_title":["LNCS"],"main_file_link":[{"url":"https://eprint.iacr.org/2021/1158","open_access":"1"}],"date_updated":"2023-08-14T13:19:39Z","department":[{"_id":"KrPi"}],"_id":"10408","status":"public","type":"conference","conference":{"name":"TCC: Theory of Cryptography","start_date":"2021-11-08","end_date":"2021-11-11","location":"Raleigh, NC, United States"},"day":"04","publication":"19th International Conference","isi":1,"year":"2021","doi":"10.1007/978-3-030-90456-2_8","date_published":"2021-11-04T00:00:00Z","date_created":"2021-12-05T23:01:42Z","page":"222-253","acknowledgement":"B. Auerbach, M.A. Baig and K. Pietrzak—received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (682815 - TOCNeT); Karen Klein was supported in part by ERC CoG grant 724307 and conducted part of this work at IST Austria, funded by the ERC under the European Union’s Horizon 2020 research and innovation programme (682815 - TOCNeT); Guillermo Pascual-Perez was funded by the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie Grant Agreement No. 665385; Michael Walter conducted part of this work at IST Austria, funded by the ERC under the European Union’s Horizon 2020 research and innovation programme (682815 - TOCNeT).","publisher":"Springer Nature","quality_controlled":"1","oa":1,"user_id":"4359f0d1-fa6c-11eb-b949-802e58b17ae8","citation":{"ista":"Alwen JF, Auerbach B, Baig MA, Cueto Noval M, Klein K, Pascual Perez G, Pietrzak KZ, Walter M. 2021. Grafting key trees: Efficient key management for overlapping groups. 19th International Conference. TCC: Theory of Cryptography, LNCS, vol. 13044, 222–253.","chicago":"Alwen, Joel F, Benedikt Auerbach, Mirza Ahad Baig, Miguel Cueto Noval, Karen Klein, Guillermo Pascual Perez, Krzysztof Z Pietrzak, and Michael Walter. “Grafting Key Trees: Efficient Key Management for Overlapping Groups.” In 19th International Conference, 13044:222–53. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-90456-2_8.","ieee":"J. F. Alwen et al., “Grafting key trees: Efficient key management for overlapping groups,” in 19th International Conference, Raleigh, NC, United States, 2021, vol. 13044, pp. 222–253.","short":"J.F. Alwen, B. Auerbach, M.A. Baig, M. Cueto Noval, K. Klein, G. Pascual Perez, K.Z. Pietrzak, M. Walter, in:, 19th International Conference, Springer Nature, 2021, pp. 222–253.","apa":"Alwen, J. F., Auerbach, B., Baig, M. A., Cueto Noval, M., Klein, K., Pascual Perez, G., … Walter, M. (2021). Grafting key trees: Efficient key management for overlapping groups. In 19th International Conference (Vol. 13044, pp. 222–253). Raleigh, NC, United States: Springer Nature. https://doi.org/10.1007/978-3-030-90456-2_8","ama":"Alwen JF, Auerbach B, Baig MA, et al. Grafting key trees: Efficient key management for overlapping groups. In: 19th International Conference. Vol 13044. Springer Nature; 2021:222-253. doi:10.1007/978-3-030-90456-2_8","mla":"Alwen, Joel F., et al. “Grafting Key Trees: Efficient Key Management for Overlapping Groups.” 19th International Conference, vol. 13044, Springer Nature, 2021, pp. 222–53, doi:10.1007/978-3-030-90456-2_8."},"title":"Grafting key trees: Efficient key management for overlapping groups","author":[{"last_name":"Alwen","full_name":"Alwen, Joel F","first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Auerbach","orcid":"0000-0002-7553-6606","full_name":"Auerbach, Benedikt","first_name":"Benedikt","id":"D33D2B18-E445-11E9-ABB7-15F4E5697425"},{"last_name":"Baig","full_name":"Baig, Mirza Ahad","first_name":"Mirza Ahad","id":"3EDE6DE4-AA5A-11E9-986D-341CE6697425"},{"last_name":"Cueto Noval","full_name":"Cueto Noval, Miguel","first_name":"Miguel","id":"ffc563a3-f6e0-11ea-865d-e3cce03d17cc"},{"id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","first_name":"Karen","full_name":"Klein, Karen","last_name":"Klein"},{"id":"2D7ABD02-F248-11E8-B48F-1D18A9856A87","first_name":"Guillermo","full_name":"Pascual Perez, Guillermo","orcid":"0000-0001-8630-415X","last_name":"Pascual Perez"},{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Michael","id":"488F98B0-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0003-3186-2482","full_name":"Walter, Michael","last_name":"Walter"}],"external_id":{"isi":["000728363700008"]},"article_processing_charge":"No","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","grant_number":"682815","name":"Teaching Old Crypto New Tricks"},{"grant_number":"665385","name":"International IST Doctoral Program","_id":"2564DBCA-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}]},{"quality_controlled":"1","publisher":"Springer Nature","oa":1,"acknowledgement":"We are grateful to Daniel Wichs for helpful discussions on the landscape of adaptive security of Yao’s garbling. We would also like to thank Crypto 2021 and TCC 2021 reviewers for their detailed review and suggestions, which helped improve presentation considerably.","page":"486-517","date_published":"2021-11-04T00:00:00Z","doi":"10.1007/978-3-030-90453-1_17","date_created":"2021-12-05T23:01:43Z","isi":1,"year":"2021","day":"04","publication":"19th International Conference","project":[{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"author":[{"last_name":"Kamath Hosdurg","full_name":"Kamath Hosdurg, Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","first_name":"Chethan"},{"last_name":"Klein","full_name":"Klein, Karen","id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","first_name":"Karen"},{"last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"}],"article_processing_charge":"No","external_id":{"isi":["000728364000017"]},"title":"On treewidth, separators and Yao’s garbling","citation":{"ista":"Kamath Hosdurg C, Klein K, Pietrzak KZ. 2021. On treewidth, separators and Yao’s garbling. 19th International Conference. TCC: Theory of Cryptography, LNCS, vol. 13043, 486–517.","chicago":"Kamath Hosdurg, Chethan, Karen Klein, and Krzysztof Z Pietrzak. “On Treewidth, Separators and Yao’s Garbling.” In 19th International Conference, 13043:486–517. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-90453-1_17.","ama":"Kamath Hosdurg C, Klein K, Pietrzak KZ. On treewidth, separators and Yao’s garbling. In: 19th International Conference. Vol 13043. Springer Nature; 2021:486-517. doi:10.1007/978-3-030-90453-1_17","apa":"Kamath Hosdurg, C., Klein, K., & Pietrzak, K. Z. (2021). On treewidth, separators and Yao’s garbling. In 19th International Conference (Vol. 13043, pp. 486–517). Raleigh, NC, United States: Springer Nature. https://doi.org/10.1007/978-3-030-90453-1_17","short":"C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, in:, 19th International Conference, Springer Nature, 2021, pp. 486–517.","ieee":"C. Kamath Hosdurg, K. Klein, and K. Z. Pietrzak, “On treewidth, separators and Yao’s garbling,” in 19th International Conference, Raleigh, NC, United States, 2021, vol. 13043, pp. 486–517.","mla":"Kamath Hosdurg, Chethan, et al. “On Treewidth, Separators and Yao’s Garbling.” 19th International Conference, vol. 13043, Springer Nature, 2021, pp. 486–517, doi:10.1007/978-3-030-90453-1_17."},"user_id":"4359f0d1-fa6c-11eb-b949-802e58b17ae8","alternative_title":["LNCS"],"scopus_import":"1","main_file_link":[{"url":"https://eprint.iacr.org/2021/926","open_access":"1"}],"month":"11","abstract":[{"lang":"eng","text":"We show that Yao’s garbling scheme is adaptively indistinguishable for the class of Boolean circuits of size S and treewidth w with only a SO(w) loss in security. For instance, circuits with constant treewidth are as a result adaptively indistinguishable with only a polynomial loss. This (partially) complements a negative result of Applebaum et al. (Crypto 2013), which showed (assuming one-way functions) that Yao’s garbling scheme cannot be adaptively simulatable. As main technical contributions, we introduce a new pebble game that abstracts out our security reduction and then present a pebbling strategy for this game where the number of pebbles used is roughly O(δwlog(S)) , δ being the fan-out of the circuit. The design of the strategy relies on separators, a graph-theoretic notion with connections to circuit complexity. with only a SO(w) loss in security. For instance, circuits with constant treewidth are as a result adaptively indistinguishable with only a polynomial loss. This (partially) complements a negative result of Applebaum et al. (Crypto 2013), which showed (assuming one-way functions) that Yao’s garbling scheme cannot be adaptively simulatable. As main technical contributions, we introduce a new pebble game that abstracts out our security reduction and then present a pebbling strategy for this game where the number of pebbles used is roughly O(δwlog(S)) , δ being the fan-out of the circuit. The design of the strategy relies on separators, a graph-theoretic notion with connections to circuit complexity."}],"oa_version":"Preprint","related_material":{"record":[{"relation":"earlier_version","id":"10044","status":"public"}]},"volume":"13043 ","ec_funded":1,"publication_identifier":{"isbn":["9-783-0309-0452-4"],"eissn":["1611-3349"],"issn":["0302-9743"]},"publication_status":"published","language":[{"iso":"eng"}],"type":"conference","conference":{"name":"TCC: Theory of Cryptography","start_date":"2021-11-08","end_date":"2021-11-11","location":"Raleigh, NC, United States"},"status":"public","_id":"10409","department":[{"_id":"KrPi"}],"date_updated":"2023-08-17T06:21:38Z"},{"publisher":"Springer Nature","quality_controlled":"1","oa":1,"date_published":"2021-12-01T00:00:00Z","doi":"10.1007/978-3-030-92075-3_12","date_created":"2022-01-09T23:01:27Z","page":"335-364","day":"01","publication":"27th International Conference on the Theory and Application of Cryptology and Information Security","isi":1,"year":"2021","project":[{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}],"title":"Reverse firewalls for adaptively secure MPC without setup","author":[{"id":"B9CD0494-D033-11E9-B219-A439E6697425","first_name":"Suvradip","full_name":"Chakraborty, Suvradip","last_name":"Chakraborty"},{"first_name":"Chaya","full_name":"Ganesh, Chaya","last_name":"Ganesh"},{"first_name":"Mahak","full_name":"Pancholi, Mahak","last_name":"Pancholi"},{"first_name":"Pratik","full_name":"Sarkar, Pratik","last_name":"Sarkar"}],"article_processing_charge":"No","external_id":{"isi":["000927876200012"]},"user_id":"4359f0d1-fa6c-11eb-b949-802e58b17ae8","citation":{"ieee":"S. Chakraborty, C. Ganesh, M. Pancholi, and P. Sarkar, “Reverse firewalls for adaptively secure MPC without setup,” in 27th International Conference on the Theory and Application of Cryptology and Information Security, Virtual, Singapore, 2021, vol. 13091, pp. 335–364.","short":"S. Chakraborty, C. Ganesh, M. Pancholi, P. Sarkar, in:, 27th International Conference on the Theory and Application of Cryptology and Information Security, Springer Nature, 2021, pp. 335–364.","apa":"Chakraborty, S., Ganesh, C., Pancholi, M., & Sarkar, P. (2021). Reverse firewalls for adaptively secure MPC without setup. In 27th International Conference on the Theory and Application of Cryptology and Information Security (Vol. 13091, pp. 335–364). Virtual, Singapore: Springer Nature. https://doi.org/10.1007/978-3-030-92075-3_12","ama":"Chakraborty S, Ganesh C, Pancholi M, Sarkar P. Reverse firewalls for adaptively secure MPC without setup. In: 27th International Conference on the Theory and Application of Cryptology and Information Security. Vol 13091. Springer Nature; 2021:335-364. doi:10.1007/978-3-030-92075-3_12","mla":"Chakraborty, Suvradip, et al. “Reverse Firewalls for Adaptively Secure MPC without Setup.” 27th International Conference on the Theory and Application of Cryptology and Information Security, vol. 13091, Springer Nature, 2021, pp. 335–64, doi:10.1007/978-3-030-92075-3_12.","ista":"Chakraborty S, Ganesh C, Pancholi M, Sarkar P. 2021. Reverse firewalls for adaptively secure MPC without setup. 27th International Conference on the Theory and Application of Cryptology and Information Security. ASIACRYPT: International Conference on Cryptology in Asia, LNCS, vol. 13091, 335–364.","chicago":"Chakraborty, Suvradip, Chaya Ganesh, Mahak Pancholi, and Pratik Sarkar. “Reverse Firewalls for Adaptively Secure MPC without Setup.” In 27th International Conference on the Theory and Application of Cryptology and Information Security, 13091:335–64. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-92075-3_12."},"month":"12","intvolume":" 13091","alternative_title":["LNCS"],"scopus_import":"1","main_file_link":[{"url":"https://eprint.iacr.org/2021/1262","open_access":"1"}],"oa_version":"Preprint","abstract":[{"lang":"eng","text":"We study Multi-party computation (MPC) in the setting of subversion, where the adversary tampers with the machines of honest parties. Our goal is to construct actively secure MPC protocols where parties are corrupted adaptively by an adversary (as in the standard adaptive security setting), and in addition, honest parties’ machines are compromised.\r\nThe idea of reverse firewalls (RF) was introduced at EUROCRYPT’15 by Mironov and Stephens-Davidowitz as an approach to protecting protocols against corruption of honest parties’ devices. Intuitively, an RF for a party P is an external entity that sits between P and the outside world and whose scope is to sanitize P ’s incoming and outgoing messages in the face of subversion of their computer. Mironov and Stephens-Davidowitz constructed a protocol for passively-secure two-party computation. At CRYPTO’20, Chakraborty, Dziembowski and Nielsen constructed a protocol for secure computation with firewalls that improved on this result, both by extending it to multi-party computation protocol, and considering active security in the presence of static corruptions. In this paper, we initiate the study of RF for MPC in the adaptive setting. We put forward a definition for adaptively secure MPC in the reverse firewall setting, explore relationships among the security notions, and then construct reverse firewalls for MPC in this stronger setting of adaptive security. We also resolve the open question of Chakraborty, Dziembowski and Nielsen by removing the need for a trusted setup in constructing RF for MPC. Towards this end, we construct reverse firewalls for adaptively secure augmented coin tossing and adaptively secure zero-knowledge protocols and obtain a constant round adaptively secure MPC protocol in the reverse firewall setting without setup. Along the way, we propose a new multi-party adaptively secure coin tossing protocol in the plain model, that is of independent interest."}],"volume":13091,"ec_funded":1,"language":[{"iso":"eng"}],"publication_identifier":{"eissn":["1611-3349"],"isbn":["978-3-030-92074-6"],"issn":["0302-9743"],"eisbn":["978-3-030-92075-3"]},"publication_status":"published","status":"public","type":"conference","conference":{"end_date":"2021-12-10","location":"Virtual, Singapore","start_date":"2021-12-06","name":"ASIACRYPT: International Conference on Cryptology in Asia"},"_id":"10609","department":[{"_id":"KrPi"}],"date_updated":"2023-08-17T06:34:41Z"},{"ec_funded":1,"related_material":{"record":[{"relation":"dissertation_contains","status":"public","id":"10035"}]},"volume":12826,"language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"eisbn":["978-3-030-84245-1"],"isbn":["978-3-030-84244-4"],"eissn":["1611-3349"],"issn":["0302-9743"]},"intvolume":" 12826","month":"08","place":"Cham","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2021/945"}],"alternative_title":["LCNS"],"oa_version":"Preprint","abstract":[{"text":"Yao’s garbling scheme is one of the most fundamental cryptographic constructions. Lindell and Pinkas (Journal of Cryptograhy 2009) gave a formal proof of security in the selective setting where the adversary chooses the challenge inputs before seeing the garbled circuit assuming secure symmetric-key encryption (and hence one-way functions). This was followed by results, both positive and negative, concerning its security in the, stronger, adaptive setting. Applebaum et al. (Crypto 2013) showed that it cannot satisfy adaptive security as is, due to a simple incompressibility argument. Jafargholi and Wichs (TCC 2017) considered a natural adaptation of Yao’s scheme (where the output mapping is sent in the online phase, together with the garbled input) that circumvents this negative result, and proved that it is adaptively secure, at least for shallow circuits. In particular, they showed that for the class of circuits of depth δ , the loss in security is at most exponential in δ . The above results all concern the simulation-based notion of security. In this work, we show that the upper bound of Jafargholi and Wichs is basically optimal in a strong sense. As our main result, we show that there exists a family of Boolean circuits, one for each depth δ∈N , such that any black-box reduction proving the adaptive indistinguishability of the natural adaptation of Yao’s scheme from any symmetric-key encryption has to lose a factor that is exponential in δ√ . Since indistinguishability is a weaker notion than simulation, our bound also applies to adaptive simulation. To establish our results, we build on the recent approach of Kamath et al. (Eprint 2021), which uses pebbling lower bounds in conjunction with oracle separations to prove fine-grained lower bounds on loss in cryptographic security.","lang":"eng"}],"department":[{"_id":"KrPi"}],"date_updated":"2023-09-07T13:32:11Z","status":"public","conference":{"end_date":"2021-08-20","location":"Virtual","start_date":"2021-08-16","name":"CRYPTO: Annual International Cryptology Conference"},"type":"conference","_id":"10041","date_created":"2021-09-23T14:06:15Z","doi":"10.1007/978-3-030-84245-1_17","date_published":"2021-08-11T00:00:00Z","page":"486-515","publication":"41st Annual International Cryptology Conference, Part II ","day":"11","year":"2021","oa":1,"quality_controlled":"1","publisher":"Springer Nature","acknowledgement":"We would like to thank the anonymous reviewers of Crypto’21 whose detailed comments helped us considerably improve the presentation of the paper.","title":"Limits on the Adaptive Security of Yao’s Garbling","article_processing_charge":"No","author":[{"full_name":"Kamath Hosdurg, Chethan","last_name":"Kamath Hosdurg","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","first_name":"Chethan"},{"first_name":"Karen","id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","full_name":"Klein, Karen","last_name":"Klein"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"},{"last_name":"Wichs","full_name":"Wichs, Daniel","first_name":"Daniel"}],"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"chicago":"Kamath Hosdurg, Chethan, Karen Klein, Krzysztof Z Pietrzak, and Daniel Wichs. “Limits on the Adaptive Security of Yao’s Garbling.” In 41st Annual International Cryptology Conference, Part II , 12826:486–515. Cham: Springer Nature, 2021. https://doi.org/10.1007/978-3-030-84245-1_17.","ista":"Kamath Hosdurg C, Klein K, Pietrzak KZ, Wichs D. 2021. Limits on the Adaptive Security of Yao’s Garbling. 41st Annual International Cryptology Conference, Part II . CRYPTO: Annual International Cryptology Conference, LCNS, vol. 12826, 486–515.","mla":"Kamath Hosdurg, Chethan, et al. “Limits on the Adaptive Security of Yao’s Garbling.” 41st Annual International Cryptology Conference, Part II , vol. 12826, Springer Nature, 2021, pp. 486–515, doi:10.1007/978-3-030-84245-1_17.","short":"C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, D. Wichs, in:, 41st Annual International Cryptology Conference, Part II , Springer Nature, Cham, 2021, pp. 486–515.","ieee":"C. Kamath Hosdurg, K. Klein, K. Z. Pietrzak, and D. Wichs, “Limits on the Adaptive Security of Yao’s Garbling,” in 41st Annual International Cryptology Conference, Part II , Virtual, 2021, vol. 12826, pp. 486–515.","apa":"Kamath Hosdurg, C., Klein, K., Pietrzak, K. Z., & Wichs, D. (2021). Limits on the Adaptive Security of Yao’s Garbling. In 41st Annual International Cryptology Conference, Part II (Vol. 12826, pp. 486–515). Cham: Springer Nature. https://doi.org/10.1007/978-3-030-84245-1_17","ama":"Kamath Hosdurg C, Klein K, Pietrzak KZ, Wichs D. Limits on the Adaptive Security of Yao’s Garbling. In: 41st Annual International Cryptology Conference, Part II . Vol 12826. Cham: Springer Nature; 2021:486-515. doi:10.1007/978-3-030-84245-1_17"},"project":[{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815","name":"Teaching Old Crypto New Tricks"}]},{"month":"08","main_file_link":[{"url":"https://eprint.iacr.org/2019/1489","open_access":"1"}],"oa_version":"Preprint","abstract":[{"text":"While messaging systems with strong security guarantees are widely used in practice, designing a protocol that scales efficiently to large groups and enjoys similar security guarantees remains largely open. The two existing proposals to date are ART (Cohn-Gordon et al., CCS18) and TreeKEM (IETF, The Messaging Layer Security Protocol, draft). TreeKEM is the currently considered candidate by the IETF MLS working group, but dynamic group operations (i.e. adding and removing users) can cause efficiency issues. In this paper we formalize and analyze a variant of TreeKEM which we term Tainted TreeKEM (TTKEM for short). The basic idea underlying TTKEM was suggested by Millican (MLS mailing list, February 2018). This version is more efficient than TreeKEM for some natural distributions of group operations, we quantify this through simulations.Our second contribution is two security proofs for TTKEM which establish post compromise and forward secrecy even against adaptive attackers. The security loss (to the underlying PKE) in the Random Oracle Model is a polynomial factor, and a quasipolynomial one in the Standard Model. Our proofs can be adapted to TreeKEM as well. Before our work no security proof for any TreeKEM-like protocol establishing tight security against an adversary who can adaptively choose the sequence of operations was known. We also are the first to prove (or even formalize) active security where the server can arbitrarily deviate from the protocol specification. Proving fully active security – where also the users can arbitrarily deviate – remains open.","lang":"eng"}],"related_material":{"record":[{"relation":"dissertation_contains","id":"10035","status":"public"}]},"ec_funded":1,"language":[{"iso":"eng"}],"publication_status":"published","status":"public","type":"conference","conference":{"end_date":"2021-05-27","location":"San Francisco, CA, United States","start_date":"2021-05-24","name":"SP: Symposium on Security and Privacy"},"_id":"10049","department":[{"_id":"KrPi"},{"_id":"DaAl"}],"date_updated":"2023-09-07T13:32:11Z","quality_controlled":"1","publisher":"IEEE","oa":1,"acknowledgement":"The first three authors contributed equally to this work. Funded by the European Research Council (ERC) under the European Union’s Horizon2020 research and innovation programme (682815-TOCNeT). Funded by the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie Grant Agreement No.665385.","date_published":"2021-08-26T00:00:00Z","doi":"10.1109/sp40001.2021.00035","date_created":"2021-09-27T13:46:27Z","page":"268-284","day":"26","publication":"2021 IEEE Symposium on Security and Privacy ","year":"2021","project":[{"_id":"2564DBCA-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","grant_number":"665385","name":"International IST Doctoral Program"},{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"title":"Keep the dirt: tainted TreeKEM, adaptively and actively secure continuous group key agreement","author":[{"id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","first_name":"Karen","last_name":"Klein","full_name":"Klein, Karen"},{"first_name":"Guillermo","id":"2D7ABD02-F248-11E8-B48F-1D18A9856A87","full_name":"Pascual Perez, Guillermo","orcid":"0000-0001-8630-415X","last_name":"Pascual Perez"},{"full_name":"Walter, Michael","orcid":"0000-0003-3186-2482","last_name":"Walter","first_name":"Michael","id":"488F98B0-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Kamath Hosdurg","full_name":"Kamath Hosdurg, Chethan","first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Capretto","full_name":"Capretto, Margarita","first_name":"Margarita"},{"last_name":"Cueto Noval","full_name":"Cueto Noval, Miguel","first_name":"Miguel","id":"ffc563a3-f6e0-11ea-865d-e3cce03d17cc"},{"full_name":"Markov, Ilia","last_name":"Markov","first_name":"Ilia","id":"D0CF4148-C985-11E9-8066-0BDEE5697425"},{"first_name":"Michelle X","id":"2D82B818-F248-11E8-B48F-1D18A9856A87","last_name":"Yeo","full_name":"Yeo, Michelle X"},{"id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F","last_name":"Alwen","full_name":"Alwen, Joel F"},{"full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"}],"article_processing_charge":"No","user_id":"8b945eb4-e2f2-11eb-945a-df72226e66a9","citation":{"mla":"Klein, Karen, et al. “Keep the Dirt: Tainted TreeKEM, Adaptively and Actively Secure Continuous Group Key Agreement.” 2021 IEEE Symposium on Security and Privacy , IEEE, 2021, pp. 268–84, doi:10.1109/sp40001.2021.00035.","short":"K. Klein, G. Pascual Perez, M. Walter, C. Kamath Hosdurg, M. Capretto, M. Cueto Noval, I. Markov, M.X. Yeo, J.F. Alwen, K.Z. Pietrzak, in:, 2021 IEEE Symposium on Security and Privacy , IEEE, 2021, pp. 268–284.","ieee":"K. Klein et al., “Keep the dirt: tainted TreeKEM, adaptively and actively secure continuous group key agreement,” in 2021 IEEE Symposium on Security and Privacy , San Francisco, CA, United States, 2021, pp. 268–284.","ama":"Klein K, Pascual Perez G, Walter M, et al. Keep the dirt: tainted TreeKEM, adaptively and actively secure continuous group key agreement. In: 2021 IEEE Symposium on Security and Privacy . IEEE; 2021:268-284. doi:10.1109/sp40001.2021.00035","apa":"Klein, K., Pascual Perez, G., Walter, M., Kamath Hosdurg, C., Capretto, M., Cueto Noval, M., … Pietrzak, K. Z. (2021). Keep the dirt: tainted TreeKEM, adaptively and actively secure continuous group key agreement. In 2021 IEEE Symposium on Security and Privacy (pp. 268–284). San Francisco, CA, United States: IEEE. https://doi.org/10.1109/sp40001.2021.00035","chicago":"Klein, Karen, Guillermo Pascual Perez, Michael Walter, Chethan Kamath Hosdurg, Margarita Capretto, Miguel Cueto Noval, Ilia Markov, Michelle X Yeo, Joel F Alwen, and Krzysztof Z Pietrzak. “Keep the Dirt: Tainted TreeKEM, Adaptively and Actively Secure Continuous Group Key Agreement.” In 2021 IEEE Symposium on Security and Privacy , 268–84. IEEE, 2021. https://doi.org/10.1109/sp40001.2021.00035.","ista":"Klein K, Pascual Perez G, Walter M, Kamath Hosdurg C, Capretto M, Cueto Noval M, Markov I, Yeo MX, Alwen JF, Pietrzak KZ. 2021. Keep the dirt: tainted TreeKEM, adaptively and actively secure continuous group key agreement. 2021 IEEE Symposium on Security and Privacy . SP: Symposium on Security and Privacy, 268–284."}},{"date_updated":"2023-09-07T13:32:11Z","citation":{"ieee":"C. Kamath Hosdurg, K. Klein, and K. Z. Pietrzak, “On treewidth, separators and Yao’s garbling,” in 19th Theory of Cryptography Conference 2021, Raleigh, NC, United States, 2021.","short":"C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, in:, 19th Theory of Cryptography Conference 2021, International Association for Cryptologic Research, 2021.","ama":"Kamath Hosdurg C, Klein K, Pietrzak KZ. On treewidth, separators and Yao’s garbling. In: 19th Theory of Cryptography Conference 2021. International Association for Cryptologic Research; 2021.","apa":"Kamath Hosdurg, C., Klein, K., & Pietrzak, K. Z. (2021). On treewidth, separators and Yao’s garbling. In 19th Theory of Cryptography Conference 2021. Raleigh, NC, United States: International Association for Cryptologic Research.","mla":"Kamath Hosdurg, Chethan, et al. “On Treewidth, Separators and Yao’s Garbling.” 19th Theory of Cryptography Conference 2021, 2021/926, International Association for Cryptologic Research, 2021.","ista":"Kamath Hosdurg C, Klein K, Pietrzak KZ. 2021. On treewidth, separators and Yao’s garbling. 19th Theory of Cryptography Conference 2021. TCC: Theory of Cryptography Conference, 2021/926.","chicago":"Kamath Hosdurg, Chethan, Karen Klein, and Krzysztof Z Pietrzak. “On Treewidth, Separators and Yao’s Garbling.” In 19th Theory of Cryptography Conference 2021. International Association for Cryptologic Research, 2021."},"user_id":"8b945eb4-e2f2-11eb-945a-df72226e66a9","author":[{"full_name":"Kamath Hosdurg, Chethan","last_name":"Kamath Hosdurg","first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87"},{"id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","first_name":"Karen","full_name":"Klein, Karen","last_name":"Klein"},{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"}],"article_processing_charge":"No","department":[{"_id":"KrPi"}],"title":"On treewidth, separators and Yao's garbling","_id":"10044","article_number":"2021/926","type":"conference","conference":{"location":"Raleigh, NC, United States","end_date":"2021-11-11","start_date":"2021-11-08","name":"TCC: Theory of Cryptography Conference"},"status":"public","project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}],"year":"2021","publication_status":"published","day":"08","publication":"19th Theory of Cryptography Conference 2021","language":[{"iso":"eng"}],"date_published":"2021-07-08T00:00:00Z","related_material":{"record":[{"status":"public","id":"10409","relation":"later_version"},{"status":"public","id":"10035","relation":"dissertation_contains"}]},"date_created":"2021-09-24T12:01:34Z","ec_funded":1,"abstract":[{"text":"We show that Yao’s garbling scheme is adaptively indistinguishable for the class of Boolean circuits of size S and treewidth w with only a S^O(w) loss in security. For instance, circuits with constant treewidth are as a result adaptively indistinguishable with only a polynomial loss. This (partially) complements a negative result of Applebaum et al. (Crypto 2013), which showed (assuming one-way functions) that Yao’s garbling scheme cannot be adaptively simulatable. As main technical contributions, we introduce a new pebble game that abstracts out our security reduction and then present a pebbling strategy for this game where the number of pebbles used is roughly O(d w log(S)), d being the fan-out of the circuit. The design of the strategy relies on separators, a graph-theoretic notion with connections to circuit complexity.","lang":"eng"}],"oa_version":"Preprint","acknowledgement":"We would like to thank Daniel Wichs for helpful discussions on the landscape of adaptive security of Yao’s garbling. ","publisher":"International Association for Cryptologic Research","quality_controlled":"1","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2021/926"}],"oa":1,"month":"07"},{"related_material":{"record":[{"id":"10044","status":"public","relation":"part_of_dissertation"},{"relation":"part_of_dissertation","status":"public","id":"10049"},{"id":"637","status":"public","relation":"part_of_dissertation"},{"id":"10041","status":"public","relation":"part_of_dissertation"},{"relation":"part_of_dissertation","id":"6430","status":"public"},{"id":"10048","status":"public","relation":"part_of_dissertation"}]},"ec_funded":1,"publication_identifier":{"issn":["2663-337X"]},"publication_status":"published","degree_awarded":"PhD","file":[{"date_updated":"2021-10-04T12:22:33Z","file_size":2104726,"creator":"cchlebak","date_created":"2021-10-04T12:22:33Z","file_name":"thesis_pdfa.pdf","content_type":"application/pdf","access_level":"open_access","relation":"main_file","file_id":"10082","checksum":"73a44345c683e81f3e765efbf86fdcc5","success":1},{"creator":"cchlebak","file_size":9538359,"date_updated":"2022-03-10T12:15:18Z","file_name":"thesis_final (1).zip","date_created":"2021-10-05T07:04:37Z","relation":"source_file","access_level":"closed","content_type":"application/x-zip-compressed","file_id":"10085","checksum":"7b80df30a0e686c3ef6a56d4e1c59e29"}],"language":[{"iso":"eng"}],"alternative_title":["ISTA Thesis"],"month":"09","abstract":[{"lang":"eng","text":"Many security definitions come in two flavors: a stronger “adaptive” flavor, where the adversary can arbitrarily make various choices during the course of the attack, and a weaker “selective” flavor where the adversary must commit to some or all of their choices a-priori. For example, in the context of identity-based encryption, selective security requires the adversary to decide on the identity of the attacked party at the very beginning of the game whereas adaptive security allows the attacker to first see the master public key and some secret keys before making this choice. Often, it appears to be much easier to achieve selective security than it is to achieve adaptive security. A series of several recent works shows how to cleverly achieve adaptive security in several such scenarios including generalized selective decryption [Pan07][FJP15], constrained PRFs [FKPR14], and Yao’s garbled circuits [JW16]. Although the above works expressed vague intuition that they share a common technique, the connection was never made precise. In this work we present a new framework (published at Crypto ’17 [JKK+17a]) that connects all of these works and allows us to present them in a unified and simplified fashion. Having the framework in place, we show how to achieve adaptive security for proxy re-encryption schemes (published at PKC ’19 [FKKP19]) and provide the first adaptive security proofs for continuous group key agreement protocols (published at S&P ’21 [KPW+21]). Questioning optimality of our framework, we then show that currently used proof techniques cannot lead to significantly better security guarantees for \"graph-building\" games (published at TCC ’21 [KKPW21a]). These games cover generalized selective decryption, as well as the security of prominent constructions for constrained PRFs, continuous group key agreement, and proxy re-encryption. Finally, we revisit the adaptive security of Yao’s garbled circuits and extend the analysis of Jafargholi and Wichs in two directions: While they prove adaptive security only for a modified construction with increased online complexity, we provide the first positive results for the original construction by Yao (published at TCC ’21 [KKP21a]). On the negative side, we prove that the results of Jafargholi and Wichs are essentially optimal by showing that no black-box reduction can provide a significantly better security bound (published at Crypto ’21 [KKPW21c])."}],"oa_version":"Published Version","department":[{"_id":"GradSch"},{"_id":"KrPi"}],"file_date_updated":"2022-03-10T12:15:18Z","supervisor":[{"last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"}],"date_updated":"2023-10-17T09:24:07Z","ddc":["519"],"type":"dissertation","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"status":"public","_id":"10035","page":"276","date_published":"2021-09-23T00:00:00Z","doi":"10.15479/at:ista:10035","date_created":"2021-09-23T07:31:44Z","has_accepted_license":"1","year":"2021","day":"23","publisher":"Institute of Science and Technology Austria","oa":1,"acknowledgement":"I want to acknowledge the funding by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (682815 - TOCNeT).\r\n","author":[{"full_name":"Klein, Karen","last_name":"Klein","id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","first_name":"Karen"}],"article_processing_charge":"No","title":"On the adaptive security of graph-based games","citation":{"mla":"Klein, Karen. On the Adaptive Security of Graph-Based Games. Institute of Science and Technology Austria, 2021, doi:10.15479/at:ista:10035.","apa":"Klein, K. (2021). On the adaptive security of graph-based games. Institute of Science and Technology Austria. https://doi.org/10.15479/at:ista:10035","ama":"Klein K. On the adaptive security of graph-based games. 2021. doi:10.15479/at:ista:10035","ieee":"K. Klein, “On the adaptive security of graph-based games,” Institute of Science and Technology Austria, 2021.","short":"K. Klein, On the Adaptive Security of Graph-Based Games, Institute of Science and Technology Austria, 2021.","chicago":"Klein, Karen. “On the Adaptive Security of Graph-Based Games.” Institute of Science and Technology Austria, 2021. https://doi.org/10.15479/at:ista:10035.","ista":"Klein K. 2021. On the adaptive security of graph-based games. Institute of Science and Technology Austria."},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}]},{"project":[{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}],"title":"The cost of adaptivity in security games on graphs","author":[{"last_name":"Kamath Hosdurg","full_name":"Kamath Hosdurg, Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","first_name":"Chethan"},{"full_name":"Klein, Karen","last_name":"Klein","id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","first_name":"Karen"},{"orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Walter","orcid":"0000-0003-3186-2482","full_name":"Walter, Michael","first_name":"Michael","id":"488F98B0-F248-11E8-B48F-1D18A9856A87"}],"article_processing_charge":"No","external_id":{"isi":["000728364000019"]},"user_id":"4359f0d1-fa6c-11eb-b949-802e58b17ae8","citation":{"ista":"Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. 2021. The cost of adaptivity in security games on graphs. 19th International Conference. TCC: Theory of Cryptography, LNCS, vol. 13043, 550–581.","chicago":"Kamath Hosdurg, Chethan, Karen Klein, Krzysztof Z Pietrzak, and Michael Walter. “The Cost of Adaptivity in Security Games on Graphs.” In 19th International Conference, 13043:550–81. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-90453-1_19.","apa":"Kamath Hosdurg, C., Klein, K., Pietrzak, K. Z., & Walter, M. (2021). The cost of adaptivity in security games on graphs. In 19th International Conference (Vol. 13043, pp. 550–581). Raleigh, NC, United States: Springer Nature. https://doi.org/10.1007/978-3-030-90453-1_19","ama":"Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. The cost of adaptivity in security games on graphs. In: 19th International Conference. Vol 13043. Springer Nature; 2021:550-581. doi:10.1007/978-3-030-90453-1_19","ieee":"C. Kamath Hosdurg, K. Klein, K. Z. Pietrzak, and M. Walter, “The cost of adaptivity in security games on graphs,” in 19th International Conference, Raleigh, NC, United States, 2021, vol. 13043, pp. 550–581.","short":"C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, M. Walter, in:, 19th International Conference, Springer Nature, 2021, pp. 550–581.","mla":"Kamath Hosdurg, Chethan, et al. “The Cost of Adaptivity in Security Games on Graphs.” 19th International Conference, vol. 13043, Springer Nature, 2021, pp. 550–81, doi:10.1007/978-3-030-90453-1_19."},"quality_controlled":"1","publisher":"Springer Nature","oa":1,"acknowledgement":"C. Kamath—Supported by Azrieli International Postdoctoral Fellowship. Most of the work was done while the author was at Northeastern University and Charles University, funded by the IARPA grant IARPA/2019-19-020700009 and project PRIMUS/17/SCI/9, respectively. K. Klein—Supported in part by ERC CoG grant 724307. Most of the work was done while the author was at IST Austria funded by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (682815 - TOCNeT). K. Pietrzak—Funded by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (682815 - TOCNeT).","doi":"10.1007/978-3-030-90453-1_19","date_published":"2021-11-04T00:00:00Z","date_created":"2021-12-05T23:01:43Z","page":"550-581","day":"04","publication":"19th International Conference","isi":1,"year":"2021","status":"public","type":"conference","conference":{"name":"TCC: Theory of Cryptography","location":"Raleigh, NC, United States","end_date":"2021-11-11","start_date":"2021-11-08"},"_id":"10410","department":[{"_id":"KrPi"}],"date_updated":"2023-10-17T09:24:07Z","month":"11","intvolume":" 13043","scopus_import":"1","alternative_title":["LNCS"],"main_file_link":[{"open_access":"1","url":"https://ia.cr/2021/059"}],"oa_version":"Preprint","abstract":[{"text":"The security of cryptographic primitives and protocols against adversaries that are allowed to make adaptive choices (e.g., which parties to corrupt or which queries to make) is notoriously difficult to establish. A broad theoretical framework was introduced by Jafargholi et al. [Crypto’17] for this purpose. In this paper we initiate the study of lower bounds on loss in adaptive security for certain cryptographic protocols considered in the framework. We prove lower bounds that almost match the upper bounds (proven using the framework) for proxy re-encryption, prefix-constrained PRFs and generalized selective decryption, a security game that captures the security of certain group messaging and broadcast encryption schemes. Those primitives have in common that their security game involves an underlying graph that can be adaptively built by the adversary. Some of our lower bounds only apply to a restricted class of black-box reductions which we term “oblivious” (the existing upper bounds are of this restricted type), some apply to the broader but still restricted class of non-rewinding reductions, while our lower bound for proxy re-encryption applies to all black-box reductions. The fact that some of our lower bounds seem to crucially rely on obliviousness or at least a non-rewinding reduction hints to the exciting possibility that the existing upper bounds can be improved by using more sophisticated reductions. Our main conceptual contribution is a two-player multi-stage game called the Builder-Pebbler Game. We can translate bounds on the winning probabilities for various instantiations of this game into cryptographic lower bounds for the above-mentioned primitives using oracle separation techniques.","lang":"eng"}],"volume":13043,"related_material":{"record":[{"relation":"earlier_version","id":"10048","status":"public"}]},"ec_funded":1,"language":[{"iso":"eng"}],"publication_identifier":{"issn":["0302-9743"],"eissn":["1611-3349"],"isbn":["9-783-0309-0452-4"]},"publication_status":"published"},{"status":"public","type":"conference","conference":{"end_date":"2021-11-11","location":"Raleigh, NC, United States","start_date":"2021-11-08","name":"TCC: Theory of Cryptography Conference"},"_id":"10048","department":[{"_id":"KrPi"}],"title":"The cost of adaptivity in security games on graphs","author":[{"first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","last_name":"Kamath Hosdurg","full_name":"Kamath Hosdurg, Chethan"},{"first_name":"Karen","id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","full_name":"Klein, Karen","last_name":"Klein"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"},{"id":"488F98B0-F248-11E8-B48F-1D18A9856A87","first_name":"Michael","last_name":"Walter","orcid":"0000-0003-3186-2482","full_name":"Walter, Michael"}],"article_processing_charge":"No","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"ista":"Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. 2021. The cost of adaptivity in security games on graphs. 19th Theory of Cryptography Conference 2021. TCC: Theory of Cryptography Conference.","chicago":"Kamath Hosdurg, Chethan, Karen Klein, Krzysztof Z Pietrzak, and Michael Walter. “The Cost of Adaptivity in Security Games on Graphs.” In 19th Theory of Cryptography Conference 2021. International Association for Cryptologic Research, 2021.","short":"C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, M. Walter, in:, 19th Theory of Cryptography Conference 2021, International Association for Cryptologic Research, 2021.","ieee":"C. Kamath Hosdurg, K. Klein, K. Z. Pietrzak, and M. Walter, “The cost of adaptivity in security games on graphs,” in 19th Theory of Cryptography Conference 2021, Raleigh, NC, United States, 2021.","ama":"Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. The cost of adaptivity in security games on graphs. In: 19th Theory of Cryptography Conference 2021. International Association for Cryptologic Research; 2021.","apa":"Kamath Hosdurg, C., Klein, K., Pietrzak, K. Z., & Walter, M. (2021). The cost of adaptivity in security games on graphs. In 19th Theory of Cryptography Conference 2021. Raleigh, NC, United States: International Association for Cryptologic Research.","mla":"Kamath Hosdurg, Chethan, et al. “The Cost of Adaptivity in Security Games on Graphs.” 19th Theory of Cryptography Conference 2021, International Association for Cryptologic Research, 2021."},"date_updated":"2023-10-17T09:24:08Z","month":"07","publisher":"International Association for Cryptologic Research","quality_controlled":"1","oa":1,"main_file_link":[{"open_access":"1","url":"https://ia.cr/2021/059"}],"oa_version":"Preprint","abstract":[{"text":"The security of cryptographic primitives and protocols against adversaries that are allowed to make adaptive choices (e.g., which parties to corrupt or which queries to make) is notoriously difficult to establish. A broad theoretical\r\nframework was introduced by Jafargholi et al. [Crypto’17] for this purpose. In this paper we initiate the study of lower bounds on loss in adaptive security for certain cryptographic protocols considered in the framework. We prove lower\r\nbounds that almost match the upper bounds (proven using the framework) for proxy re-encryption, prefix-constrained PRFs and generalized selective decryption, a security game that captures the security of certain group messaging and\r\nbroadcast encryption schemes. Those primitives have in common that their security game involves an underlying graph that can be adaptively built by the adversary. Some of our lower bounds only apply to a restricted class of black-box reductions which we term “oblivious” (the existing upper bounds are of this restricted type), some apply to the broader but still restricted class of non-rewinding reductions, while our lower bound for proxy re-encryption applies to all black-box reductions. The fact that some of our lower bounds seem to crucially rely on obliviousness or at least a non-rewinding reduction hints to the exciting possibility that the existing upper bounds can be improved by using more sophisticated reductions. Our main conceptual contribution is a two-player multi-stage game called the Builder-Pebbler Game. We can translate bounds on the winning probabilities for various instantiations of this game into cryptographic lower bounds for the above-mentioned primitives using oracle separation techniques.\r\n","lang":"eng"}],"related_material":{"record":[{"relation":"later_version","id":"10410","status":"public"},{"relation":"dissertation_contains","id":"10035","status":"public"}]},"date_published":"2021-07-08T00:00:00Z","date_created":"2021-09-27T12:52:05Z","day":"08","language":[{"iso":"eng"}],"publication":"19th Theory of Cryptography Conference 2021","year":"2021","publication_status":"published"},{"status":"public","type":"conference","conference":{"name":"2021 IFIP Networking Conference (IFIP Networking)","start_date":"2021-06-21","end_date":"2021-06-24","location":"Espoo and Helsinki, Finland"},"_id":"9969","department":[{"_id":"KrPi"}],"date_updated":"2023-11-30T10:54:50Z","month":"06","scopus_import":"1","main_file_link":[{"url":"https://arxiv.org/abs/2104.04293","open_access":"1"}],"oa_version":"Submitted Version","abstract":[{"text":"Payment channel networks are a promising approach to improve the scalability of cryptocurrencies: they allow to perform transactions in a peer-to-peer fashion, along multihop routes in the network, without requiring consensus on the blockchain. However, during the discovery of cost-efficient routes for the transaction, critical information may be revealed about the transacting entities. This paper initiates the study of privacy-preserving route discovery mechanisms for payment channel networks. In particular, we present LightPIR, an approach which allows a client to learn the shortest (or cheapest in terms of fees) path between two nodes without revealing any information about the endpoints of the transaction to the servers. The two main observations which allow for an efficient solution in LightPIR are that: (1) surprisingly, hub labelling algorithms – which were developed to preprocess “street network like” graphs so one can later efficiently compute shortest paths – also perform well for the graphs underlying payment channel networks, and that (2) hub labelling algorithms can be conveniently combined with private information retrieval. LightPIR relies on a simple hub labeling heuristic on top of existing hub labeling algorithms which leverages the specific topological features of cryptocurrency networks to further minimize storage and bandwidth overheads. In a case study considering the Lightning network, we show that our approach is an order of magnitude more efficient compared to a privacy-preserving baseline based on using private information retrieval on a database that stores all pairs shortest paths.","lang":"eng"}],"related_material":{"record":[{"id":"14506","status":"public","relation":"dissertation_contains"}]},"ec_funded":1,"language":[{"iso":"eng"}],"publication_identifier":{"eisbn":["978-3-9031-7639-3"],"eissn":["1861-2288"],"isbn":["978-1-6654-4501-6"]},"publication_status":"published","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","grant_number":"682815","name":"Teaching Old Crypto New Tricks"}],"title":"LightPIR: Privacy-preserving route discovery for payment channel networks","author":[{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z"},{"first_name":"Iosif","full_name":"Salem, Iosif","last_name":"Salem"},{"first_name":"Stefan","last_name":"Schmid","full_name":"Schmid, Stefan"},{"last_name":"Yeo","full_name":"Yeo, Michelle X","first_name":"Michelle X","id":"2D82B818-F248-11E8-B48F-1D18A9856A87"}],"external_id":{"arxiv":["2104.04293"],"isi":["000853016800008"]},"article_processing_charge":"No","user_id":"4359f0d1-fa6c-11eb-b949-802e58b17ae8","citation":{"ieee":"K. Z. Pietrzak, I. Salem, S. Schmid, and M. X. Yeo, “LightPIR: Privacy-preserving route discovery for payment channel networks,” presented at the 2021 IFIP Networking Conference (IFIP Networking), Espoo and Helsinki, Finland, 2021.","short":"K.Z. Pietrzak, I. Salem, S. Schmid, M.X. Yeo, in:, IEEE, 2021.","apa":"Pietrzak, K. Z., Salem, I., Schmid, S., & Yeo, M. X. (2021). LightPIR: Privacy-preserving route discovery for payment channel networks. Presented at the 2021 IFIP Networking Conference (IFIP Networking), Espoo and Helsinki, Finland: IEEE. https://doi.org/10.23919/IFIPNetworking52078.2021.9472205","ama":"Pietrzak KZ, Salem I, Schmid S, Yeo MX. LightPIR: Privacy-preserving route discovery for payment channel networks. In: IEEE; 2021. doi:10.23919/IFIPNetworking52078.2021.9472205","mla":"Pietrzak, Krzysztof Z., et al. LightPIR: Privacy-Preserving Route Discovery for Payment Channel Networks. IEEE, 2021, doi:10.23919/IFIPNetworking52078.2021.9472205.","ista":"Pietrzak KZ, Salem I, Schmid S, Yeo MX. 2021. LightPIR: Privacy-preserving route discovery for payment channel networks. 2021 IFIP Networking Conference (IFIP Networking).","chicago":"Pietrzak, Krzysztof Z, Iosif Salem, Stefan Schmid, and Michelle X Yeo. “LightPIR: Privacy-Preserving Route Discovery for Payment Channel Networks.” IEEE, 2021. https://doi.org/10.23919/IFIPNetworking52078.2021.9472205."},"quality_controlled":"1","publisher":"IEEE","oa":1,"doi":"10.23919/IFIPNetworking52078.2021.9472205","date_published":"2021-06-21T00:00:00Z","date_created":"2021-08-29T22:01:16Z","day":"21","isi":1,"year":"2021"},{"publication_status":"published","publication_identifier":{"eissn":["16113349"],"isbn":["9783030568795"],"issn":["03029743"]},"language":[{"iso":"eng"}],"ec_funded":1,"volume":12171,"abstract":[{"text":"Reverse firewalls were introduced at Eurocrypt 2015 by Miro-nov and Stephens-Davidowitz, as a method for protecting cryptographic protocols against attacks on the devices of the honest parties. In a nutshell: a reverse firewall is placed outside of a device and its goal is to “sanitize” the messages sent by it, in such a way that a malicious device cannot leak its secrets to the outside world. It is typically assumed that the cryptographic devices are attacked in a “functionality-preserving way” (i.e. informally speaking, the functionality of the protocol remains unchanged under this attacks). In their paper, Mironov and Stephens-Davidowitz construct a protocol for passively-secure two-party computations with firewalls, leaving extension of this result to stronger models as an open question.\r\nIn this paper, we address this problem by constructing a protocol for secure computation with firewalls that has two main advantages over the original protocol from Eurocrypt 2015. Firstly, it is a multiparty computation protocol (i.e. it works for an arbitrary number n of the parties, and not just for 2). Secondly, it is secure in much stronger corruption settings, namely in the active corruption model. More precisely: we consider an adversary that can fully corrupt up to 𝑛−1 parties, while the remaining parties are corrupt in a functionality-preserving way.\r\nOur core techniques are: malleable commitments and malleable non-interactive zero-knowledge, which in particular allow us to create a novel protocol for multiparty augmented coin-tossing into the well with reverse firewalls (that is based on a protocol of Lindell from Crypto 2001).","lang":"eng"}],"oa_version":"Preprint","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2019/1317"}],"scopus_import":"1","alternative_title":["LNCS"],"intvolume":" 12171","month":"08","date_updated":"2021-01-12T08:18:08Z","department":[{"_id":"KrPi"}],"_id":"8322","conference":{"end_date":"2020-08-21","location":"Santa Barbara, CA, United States","start_date":"2020-08-17","name":"CRYPTO: Annual International Cryptology Conference"},"type":"conference","status":"public","year":"2020","publication":"Advances in Cryptology – CRYPTO 2020","day":"10","page":"732-762","date_created":"2020-08-30T22:01:12Z","doi":"10.1007/978-3-030-56880-1_26","date_published":"2020-08-10T00:00:00Z","acknowledgement":"We would like to thank the anonymous reviewers for their helpful comments and suggestions. The work was initiated while the first author was in IIT Madras, India. Part of this work was done while the author was visiting the University of Warsaw. This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (682815 - TOCNeT) and from the Foundation for Polish Science under grant TEAM/2016-1/4 founded within the UE 2014–2020 Smart Growth Operational Program. The last author was supported by the Independent Research Fund Denmark project BETHE and the Concordium Blockchain Research Center, Aarhus University, Denmark.","oa":1,"quality_controlled":"1","publisher":"Springer Nature","citation":{"mla":"Chakraborty, Suvradip, et al. “Reverse Firewalls for Actively Secure MPCs.” Advances in Cryptology – CRYPTO 2020, vol. 12171, Springer Nature, 2020, pp. 732–62, doi:10.1007/978-3-030-56880-1_26.","ieee":"S. Chakraborty, S. Dziembowski, and J. B. Nielsen, “Reverse firewalls for actively secure MPCs,” in Advances in Cryptology – CRYPTO 2020, Santa Barbara, CA, United States, 2020, vol. 12171, pp. 732–762.","short":"S. Chakraborty, S. Dziembowski, J.B. Nielsen, in:, Advances in Cryptology – CRYPTO 2020, Springer Nature, 2020, pp. 732–762.","apa":"Chakraborty, S., Dziembowski, S., & Nielsen, J. B. (2020). Reverse firewalls for actively secure MPCs. In Advances in Cryptology – CRYPTO 2020 (Vol. 12171, pp. 732–762). Santa Barbara, CA, United States: Springer Nature. https://doi.org/10.1007/978-3-030-56880-1_26","ama":"Chakraborty S, Dziembowski S, Nielsen JB. Reverse firewalls for actively secure MPCs. In: Advances in Cryptology – CRYPTO 2020. Vol 12171. Springer Nature; 2020:732-762. doi:10.1007/978-3-030-56880-1_26","chicago":"Chakraborty, Suvradip, Stefan Dziembowski, and Jesper Buus Nielsen. “Reverse Firewalls for Actively Secure MPCs.” In Advances in Cryptology – CRYPTO 2020, 12171:732–62. Springer Nature, 2020. https://doi.org/10.1007/978-3-030-56880-1_26.","ista":"Chakraborty S, Dziembowski S, Nielsen JB. 2020. Reverse firewalls for actively secure MPCs. Advances in Cryptology – CRYPTO 2020. CRYPTO: Annual International Cryptology Conference, LNCS, vol. 12171, 732–762."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","article_processing_charge":"No","author":[{"first_name":"Suvradip","id":"B9CD0494-D033-11E9-B219-A439E6697425","full_name":"Chakraborty, Suvradip","last_name":"Chakraborty"},{"last_name":"Dziembowski","full_name":"Dziembowski, Stefan","first_name":"Stefan"},{"first_name":"Jesper Buus","last_name":"Nielsen","full_name":"Nielsen, Jesper Buus"}],"title":"Reverse firewalls for actively secure MPCs","project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}]},{"volume":12110,"ec_funded":1,"language":[{"iso":"eng"}],"publication_identifier":{"issn":["03029743"],"isbn":["9783030453732"],"eissn":["16113349"]},"publication_status":"published","month":"05","intvolume":" 12110","alternative_title":["LNCS"],"scopus_import":"1","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2020/337"}],"oa_version":"Preprint","abstract":[{"text":"Discrete Gaussian distributions over lattices are central to lattice-based cryptography, and to the computational and mathematical aspects of lattices more broadly. The literature contains a wealth of useful theorems about the behavior of discrete Gaussians under convolutions and related operations. Yet despite their structural similarities, most of these theorems are formally incomparable, and their proofs tend to be monolithic and written nearly “from scratch,” making them unnecessarily hard to verify, understand, and extend.\r\nIn this work we present a modular framework for analyzing linear operations on discrete Gaussian distributions. The framework abstracts away the particulars of Gaussians, and usually reduces proofs to the choice of appropriate linear transformations and elementary linear algebra. To showcase the approach, we establish several general properties of discrete Gaussians, and show how to obtain all prior convolution theorems (along with some new ones) as straightforward corollaries. As another application, we describe a self-reduction for Learning With Errors (LWE) that uses a fixed number of samples to generate an unlimited number of additional ones (having somewhat larger error). The distinguishing features of our reduction are its simple analysis in our framework, and its exclusive use of discrete Gaussians without any loss in parameters relative to a prior mixed discrete-and-continuous approach.\r\nAs a contribution of independent interest, for subgaussian random matrices we prove a singular value concentration bound with explicitly stated constants, and we give tighter heuristics for specific distributions that are commonly used for generating lattice trapdoors. These bounds yield improvements in the concrete bit-security estimates for trapdoor lattice cryptosystems.","lang":"eng"}],"department":[{"_id":"KrPi"}],"date_updated":"2023-02-23T13:31:06Z","status":"public","type":"conference","conference":{"location":"Edinburgh, United Kingdom","end_date":"2020-05-07","start_date":"2020-05-04","name":"PKC: Public-Key Cryptography"},"_id":"8339","date_published":"2020-05-15T00:00:00Z","doi":"10.1007/978-3-030-45374-9_21","date_created":"2020-09-06T22:01:13Z","page":"623-651","day":"15","publication":"23rd IACR International Conference on the Practice and Theory of Public-Key Cryptography","year":"2020","publisher":"Springer Nature","quality_controlled":"1","oa":1,"title":"Improved discrete Gaussian and subgaussian analysis for lattice cryptography","author":[{"full_name":"Genise, Nicholas","last_name":"Genise","first_name":"Nicholas"},{"full_name":"Micciancio, Daniele","last_name":"Micciancio","first_name":"Daniele"},{"last_name":"Peikert","full_name":"Peikert, Chris","first_name":"Chris"},{"last_name":"Walter","full_name":"Walter, Michael","orcid":"0000-0003-3186-2482","first_name":"Michael","id":"488F98B0-F248-11E8-B48F-1D18A9856A87"}],"article_processing_charge":"No","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Genise, Nicholas, Daniele Micciancio, Chris Peikert, and Michael Walter. “Improved Discrete Gaussian and Subgaussian Analysis for Lattice Cryptography.” In 23rd IACR International Conference on the Practice and Theory of Public-Key Cryptography, 12110:623–51. Springer Nature, 2020. https://doi.org/10.1007/978-3-030-45374-9_21.","ista":"Genise N, Micciancio D, Peikert C, Walter M. 2020. Improved discrete Gaussian and subgaussian analysis for lattice cryptography. 23rd IACR International Conference on the Practice and Theory of Public-Key Cryptography. PKC: Public-Key Cryptography, LNCS, vol. 12110, 623–651.","mla":"Genise, Nicholas, et al. “Improved Discrete Gaussian and Subgaussian Analysis for Lattice Cryptography.” 23rd IACR International Conference on the Practice and Theory of Public-Key Cryptography, vol. 12110, Springer Nature, 2020, pp. 623–51, doi:10.1007/978-3-030-45374-9_21.","ama":"Genise N, Micciancio D, Peikert C, Walter M. Improved discrete Gaussian and subgaussian analysis for lattice cryptography. In: 23rd IACR International Conference on the Practice and Theory of Public-Key Cryptography. Vol 12110. Springer Nature; 2020:623-651. doi:10.1007/978-3-030-45374-9_21","apa":"Genise, N., Micciancio, D., Peikert, C., & Walter, M. (2020). Improved discrete Gaussian and subgaussian analysis for lattice cryptography. In 23rd IACR International Conference on the Practice and Theory of Public-Key Cryptography (Vol. 12110, pp. 623–651). Edinburgh, United Kingdom: Springer Nature. https://doi.org/10.1007/978-3-030-45374-9_21","short":"N. Genise, D. Micciancio, C. Peikert, M. Walter, in:, 23rd IACR International Conference on the Practice and Theory of Public-Key Cryptography, Springer Nature, 2020, pp. 623–651.","ieee":"N. Genise, D. Micciancio, C. Peikert, and M. Walter, “Improved discrete Gaussian and subgaussian analysis for lattice cryptography,” in 23rd IACR International Conference on the Practice and Theory of Public-Key Cryptography, Edinburgh, United Kingdom, 2020, vol. 12110, pp. 623–651."},"project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}]},{"department":[{"_id":"KrPi"}],"date_updated":"2023-08-24T11:08:58Z","conference":{"start_date":"2020-12-13","location":"Bangalore, India","end_date":"2020-12-16","name":"INDOCRYPT: International Conference on Cryptology in India"},"type":"conference","status":"public","_id":"8987","series_title":"LNCS","ec_funded":1,"volume":12578,"publication_status":"published","publication_identifier":{"issn":["03029743"],"eissn":["16113349"],"isbn":["9783030652760"]},"language":[{"iso":"eng"}],"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2020/418"}],"scopus_import":"1","intvolume":" 12578","month":"12","abstract":[{"text":"Currently several projects aim at designing and implementing protocols for privacy preserving automated contact tracing to help fight the current pandemic. Those proposal are quite similar, and in their most basic form basically propose an app for mobile phones which broadcasts frequently changing pseudorandom identifiers via (low energy) Bluetooth, and at the same time, the app stores IDs broadcast by phones in its proximity. Only if a user is tested positive, they upload either the beacons they did broadcast (which is the case in decentralized proposals as DP-3T, east and west coast PACT or Covid watch) or received (as in Popp-PT or ROBERT) during the last two weeks or so.\r\n\r\nVaudenay [eprint 2020/399] observes that this basic scheme (he considers the DP-3T proposal) succumbs to relay and even replay attacks, and proposes more complex interactive schemes which prevent those attacks without giving up too many privacy aspects. Unfortunately interaction is problematic for this application for efficiency and security reasons. The countermeasures that have been suggested so far are either not practical or give up on key privacy aspects. We propose a simple non-interactive variant of the basic protocol that\r\n(security) Provably prevents replay and (if location data is available) relay attacks.\r\n(privacy) The data of all parties (even jointly) reveals no information on the location or time where encounters happened.\r\n(efficiency) The broadcasted message can fit into 128 bits and uses only basic crypto (commitments and secret key authentication).\r\n\r\nTowards this end we introduce the concept of “delayed authentication”, which basically is a message authentication code where verification can be done in two steps, where the first doesn’t require the key, and the second doesn’t require the message.","lang":"eng"}],"oa_version":"Preprint","external_id":{"isi":["000927592800001"]},"article_processing_charge":"No","author":[{"last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"}],"title":"Delayed authentication: Preventing replay and relay attacks in private contact tracing","citation":{"mla":"Pietrzak, Krzysztof Z. “Delayed Authentication: Preventing Replay and Relay Attacks in Private Contact Tracing.” Progress in Cryptology, vol. 12578, Springer Nature, 2020, pp. 3–15, doi:10.1007/978-3-030-65277-7_1.","ieee":"K. Z. Pietrzak, “Delayed authentication: Preventing replay and relay attacks in private contact tracing,” in Progress in Cryptology, Bangalore, India, 2020, vol. 12578, pp. 3–15.","short":"K.Z. Pietrzak, in:, Progress in Cryptology, Springer Nature, 2020, pp. 3–15.","ama":"Pietrzak KZ. Delayed authentication: Preventing replay and relay attacks in private contact tracing. In: Progress in Cryptology. Vol 12578. LNCS. Springer Nature; 2020:3-15. doi:10.1007/978-3-030-65277-7_1","apa":"Pietrzak, K. Z. (2020). Delayed authentication: Preventing replay and relay attacks in private contact tracing. In Progress in Cryptology (Vol. 12578, pp. 3–15). Bangalore, India: Springer Nature. https://doi.org/10.1007/978-3-030-65277-7_1","chicago":"Pietrzak, Krzysztof Z. “Delayed Authentication: Preventing Replay and Relay Attacks in Private Contact Tracing.” In Progress in Cryptology, 12578:3–15. LNCS. Springer Nature, 2020. https://doi.org/10.1007/978-3-030-65277-7_1.","ista":"Pietrzak KZ. 2020. Delayed authentication: Preventing replay and relay attacks in private contact tracing. Progress in Cryptology. INDOCRYPT: International Conference on Cryptology in IndiaLNCS vol. 12578, 3–15."},"user_id":"4359f0d1-fa6c-11eb-b949-802e58b17ae8","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","grant_number":"682815","name":"Teaching Old Crypto New Tricks"}],"page":"3-15","date_created":"2021-01-03T23:01:23Z","date_published":"2020-12-08T00:00:00Z","doi":"10.1007/978-3-030-65277-7_1","year":"2020","isi":1,"publication":"Progress in Cryptology","day":"08","oa":1,"publisher":"Springer Nature","quality_controlled":"1"},{"year":"2020","isi":1,"publication":"Advances in Cryptology – EUROCRYPT 2020","day":"01","page":"475-506","date_created":"2020-06-15T07:13:37Z","doi":"10.1007/978-3-030-45727-3_16","date_published":"2020-05-01T00:00:00Z","oa":1,"publisher":"Springer Nature","quality_controlled":"1","citation":{"ieee":"B. Auerbach, F. Giacon, and E. Kiltz, “Everybody’s a target: Scalability in public-key encryption,” in Advances in Cryptology – EUROCRYPT 2020, 2020, vol. 12107, pp. 475–506.","short":"B. Auerbach, F. Giacon, E. Kiltz, in:, Advances in Cryptology – EUROCRYPT 2020, Springer Nature, 2020, pp. 475–506.","apa":"Auerbach, B., Giacon, F., & Kiltz, E. (2020). Everybody’s a target: Scalability in public-key encryption. In Advances in Cryptology – EUROCRYPT 2020 (Vol. 12107, pp. 475–506). Springer Nature. https://doi.org/10.1007/978-3-030-45727-3_16","ama":"Auerbach B, Giacon F, Kiltz E. Everybody’s a target: Scalability in public-key encryption. In: Advances in Cryptology – EUROCRYPT 2020. Vol 12107. Springer Nature; 2020:475-506. doi:10.1007/978-3-030-45727-3_16","mla":"Auerbach, Benedikt, et al. “Everybody’s a Target: Scalability in Public-Key Encryption.” Advances in Cryptology – EUROCRYPT 2020, vol. 12107, Springer Nature, 2020, pp. 475–506, doi:10.1007/978-3-030-45727-3_16.","ista":"Auerbach B, Giacon F, Kiltz E. 2020. Everybody’s a target: Scalability in public-key encryption. Advances in Cryptology – EUROCRYPT 2020. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 12107, 475–506.","chicago":"Auerbach, Benedikt, Federico Giacon, and Eike Kiltz. “Everybody’s a Target: Scalability in Public-Key Encryption.” In Advances in Cryptology – EUROCRYPT 2020, 12107:475–506. Springer Nature, 2020. https://doi.org/10.1007/978-3-030-45727-3_16."},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","external_id":{"isi":["000828688000016"]},"article_processing_charge":"No","author":[{"first_name":"Benedikt","id":"D33D2B18-E445-11E9-ABB7-15F4E5697425","last_name":"Auerbach","full_name":"Auerbach, Benedikt","orcid":"0000-0002-7553-6606"},{"first_name":"Federico","full_name":"Giacon, Federico","last_name":"Giacon"},{"full_name":"Kiltz, Eike","last_name":"Kiltz","first_name":"Eike"}],"title":"Everybody’s a target: Scalability in public-key encryption","project":[{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815","name":"Teaching Old Crypto New Tricks"}],"publication_status":"published","publication_identifier":{"issn":["0302-9743"],"isbn":["9783030457266","9783030457273"],"eissn":["1611-3349"]},"language":[{"iso":"eng"}],"ec_funded":1,"volume":12107,"abstract":[{"lang":"eng","text":"For 1≤m≤n, we consider a natural m-out-of-n multi-instance scenario for a public-key encryption (PKE) scheme. An adversary, given n independent instances of PKE, wins if he breaks at least m out of the n instances. In this work, we are interested in the scaling factor of PKE schemes, SF, which measures how well the difficulty of breaking m out of the n instances scales in m. That is, a scaling factor SF=ℓ indicates that breaking m out of n instances is at least ℓ times more difficult than breaking one single instance. A PKE scheme with small scaling factor hence provides an ideal target for mass surveillance. In fact, the Logjam attack (CCS 2015) implicitly exploited, among other things, an almost constant scaling factor of ElGamal over finite fields (with shared group parameters).\r\n\r\nFor Hashed ElGamal over elliptic curves, we use the generic group model to argue that the scaling factor depends on the scheme's granularity. In low granularity, meaning each public key contains its independent group parameter, the scheme has optimal scaling factor SF=m; In medium and high granularity, meaning all public keys share the same group parameter, the scheme still has a reasonable scaling factor SF=√m. Our findings underline that instantiating ElGamal over elliptic curves should be preferred to finite fields in a multi-instance scenario.\r\n\r\nAs our main technical contribution, we derive new generic-group lower bounds of Ω(√(mp)) on the difficulty of solving both the m-out-of-n Gap Discrete Logarithm and the m-out-of-n Gap Computational Diffie-Hellman problem over groups of prime order p, extending a recent result by Yun (EUROCRYPT 2015). We establish the lower bound by studying the hardness of a related computational problem which we call the search-by-hypersurface problem."}],"oa_version":"Submitted Version","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2019/364"}],"alternative_title":["LNCS"],"intvolume":" 12107","month":"05","date_updated":"2023-09-05T15:06:40Z","department":[{"_id":"KrPi"}],"_id":"7966","conference":{"start_date":"2020-05-11","end_date":"2020-05-15","name":"EUROCRYPT: Theory and Applications of Cryptographic Techniques"},"type":"conference","status":"public"},{"status":"public","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"type":"dissertation","_id":"7896","file_date_updated":"2020-07-14T12:48:04Z","department":[{"_id":"KrPi"}],"ddc":["000"],"date_updated":"2023-09-07T13:15:55Z","supervisor":[{"last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"}],"month":"05","alternative_title":["ISTA Thesis"],"oa_version":"Published Version","abstract":[{"text":"A search problem lies in the complexity class FNP if a solution to the given instance of the problem can be verified efficiently. The complexity class TFNP consists of all search problems in FNP that are total in the sense that a solution is guaranteed to exist. TFNP contains a host of interesting problems from fields such as algorithmic game theory, computational topology, number theory and combinatorics. Since TFNP is a semantic class, it is unlikely to have a complete problem. Instead, one studies its syntactic subclasses which are defined based on the combinatorial principle used to argue totality. Of particular interest is the subclass PPAD, which contains important problems\r\nlike computing Nash equilibrium for bimatrix games and computational counterparts of several fixed-point theorems as complete. In the thesis, we undertake the study of averagecase hardness of TFNP, and in particular its subclass PPAD.\r\nAlmost nothing was known about average-case hardness of PPAD before a series of recent results showed how to achieve it using a cryptographic primitive called program obfuscation.\r\nHowever, it is currently not known how to construct program obfuscation from standard cryptographic assumptions. Therefore, it is desirable to relax the assumption under which average-case hardness of PPAD can be shown. In the thesis we take a step in this direction. First, we show that assuming the (average-case) hardness of a numbertheoretic\r\nproblem related to factoring of integers, which we call Iterated-Squaring, PPAD is hard-on-average in the random-oracle model. Then we strengthen this result to show that the average-case hardness of PPAD reduces to the (adaptive) soundness of the Fiat-Shamir Transform, a well-known technique used to compile a public-coin interactive protocol into a non-interactive one. As a corollary, we obtain average-case hardness for PPAD in the random-oracle model assuming the worst-case hardness of #SAT. Moreover, the above results can all be strengthened to obtain average-case hardness for the class CLS ⊆ PPAD.\r\nOur main technical contribution is constructing incrementally-verifiable procedures for computing Iterated-Squaring and #SAT. By incrementally-verifiable, we mean that every intermediate state of the computation includes a proof of its correctness, and the proof can be updated and verified in polynomial time. Previous constructions of such procedures relied on strong, non-standard assumptions. Instead, we introduce a technique called recursive proof-merging to obtain the same from weaker assumptions. ","lang":"eng"}],"ec_funded":1,"related_material":{"record":[{"relation":"part_of_dissertation","id":"6677","status":"public"}]},"language":[{"iso":"eng"}],"file":[{"checksum":"b39e2e1c376f5819b823fb7077491c64","file_id":"7897","access_level":"open_access","relation":"main_file","content_type":"application/pdf","date_created":"2020-05-26T14:08:13Z","file_name":"2020_Thesis_Kamath.pdf","creator":"dernst","date_updated":"2020-07-14T12:48:04Z","file_size":1622742},{"file_id":"7898","checksum":"8b26ba729c1a85ac6bea775f5d73cdc7","relation":"source_file","access_level":"closed","content_type":"application/x-zip-compressed","file_name":"Thesis_Kamath.zip","date_created":"2020-05-26T14:08:23Z","creator":"dernst","file_size":15301529,"date_updated":"2020-07-14T12:48:04Z"}],"publication_status":"published","degree_awarded":"PhD","publication_identifier":{"issn":["2663-337X"]},"project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","name":"Provable Security for Physical Cryptography","grant_number":"259668"},{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}],"title":"On the average-case hardness of total search problems","article_processing_charge":"No","author":[{"id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","first_name":"Chethan","last_name":"Kamath Hosdurg","full_name":"Kamath Hosdurg, Chethan"}],"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"ista":"Kamath Hosdurg C. 2020. On the average-case hardness of total search problems. Institute of Science and Technology Austria.","chicago":"Kamath Hosdurg, Chethan. “On the Average-Case Hardness of Total Search Problems.” Institute of Science and Technology Austria, 2020. https://doi.org/10.15479/AT:ISTA:7896.","short":"C. Kamath Hosdurg, On the Average-Case Hardness of Total Search Problems, Institute of Science and Technology Austria, 2020.","ieee":"C. Kamath Hosdurg, “On the average-case hardness of total search problems,” Institute of Science and Technology Austria, 2020.","ama":"Kamath Hosdurg C. On the average-case hardness of total search problems. 2020. doi:10.15479/AT:ISTA:7896","apa":"Kamath Hosdurg, C. (2020). On the average-case hardness of total search problems. Institute of Science and Technology Austria. https://doi.org/10.15479/AT:ISTA:7896","mla":"Kamath Hosdurg, Chethan. On the Average-Case Hardness of Total Search Problems. Institute of Science and Technology Austria, 2020, doi:10.15479/AT:ISTA:7896."},"oa":1,"publisher":"Institute of Science and Technology Austria","date_created":"2020-05-26T14:08:55Z","date_published":"2020-05-25T00:00:00Z","doi":"10.15479/AT:ISTA:7896","page":"126","day":"25","year":"2020","has_accepted_license":"1"},{"project":[{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}],"title":"Per-session security: Password-based cryptography revisited","article_processing_charge":"No","author":[{"full_name":"Demay, Gregory","last_name":"Demay","first_name":"Gregory"},{"last_name":"Gazi","full_name":"Gazi, Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","first_name":"Peter"},{"first_name":"Ueli","full_name":"Maurer, Ueli","last_name":"Maurer"},{"first_name":"Bjorn","last_name":"Tackmann","full_name":"Tackmann, Bjorn"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"apa":"Demay, G., Gazi, P., Maurer, U., & Tackmann, B. (2019). Per-session security: Password-based cryptography revisited. Journal of Computer Security. IOS Press. https://doi.org/10.3233/JCS-181131","ama":"Demay G, Gazi P, Maurer U, Tackmann B. Per-session security: Password-based cryptography revisited. Journal of Computer Security. 2019;27(1):75-111. doi:10.3233/JCS-181131","ieee":"G. Demay, P. Gazi, U. Maurer, and B. Tackmann, “Per-session security: Password-based cryptography revisited,” Journal of Computer Security, vol. 27, no. 1. IOS Press, pp. 75–111, 2019.","short":"G. Demay, P. Gazi, U. Maurer, B. Tackmann, Journal of Computer Security 27 (2019) 75–111.","mla":"Demay, Gregory, et al. “Per-Session Security: Password-Based Cryptography Revisited.” Journal of Computer Security, vol. 27, no. 1, IOS Press, 2019, pp. 75–111, doi:10.3233/JCS-181131.","ista":"Demay G, Gazi P, Maurer U, Tackmann B. 2019. Per-session security: Password-based cryptography revisited. Journal of Computer Security. 27(1), 75–111.","chicago":"Demay, Gregory, Peter Gazi, Ueli Maurer, and Bjorn Tackmann. “Per-Session Security: Password-Based Cryptography Revisited.” Journal of Computer Security. IOS Press, 2019. https://doi.org/10.3233/JCS-181131."},"oa":1,"publisher":"IOS Press","quality_controlled":"1","date_created":"2019-01-27T22:59:10Z","date_published":"2019-01-01T00:00:00Z","doi":"10.3233/JCS-181131","page":"75-111","publication":"Journal of Computer Security","day":"1","year":"2019","status":"public","type":"journal_article","article_type":"original","_id":"5887","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T08:05:08Z","intvolume":" 27","month":"01","main_file_link":[{"url":"https://eprint.iacr.org/2016/166","open_access":"1"}],"scopus_import":"1","oa_version":"Preprint","abstract":[{"lang":"eng","text":"Cryptographic security is usually defined as a guarantee that holds except when a bad event with negligible probability occurs, and nothing is guaranteed in that bad case. However, in settings where such failure can happen with substantial probability, one needs to provide guarantees even for the bad case. A typical example is where a (possibly weak) password is used instead of a secure cryptographic key to protect a session, the bad event being that the adversary correctly guesses the password. In a situation with multiple such sessions, a per-session guarantee is desired: any session for which the password has not been guessed remains secure, independently of whether other sessions have been compromised. A new formalism for stating such gracefully degrading security guarantees is introduced and applied to analyze the examples of password-based message authentication and password-based encryption. While a natural per-message guarantee is achieved for authentication, the situation of password-based encryption is more delicate: a per-session confidentiality guarantee only holds against attackers for which the distribution of password-guessing effort over the sessions is known in advance. In contrast, for more general attackers without such a restriction, a strong, composable notion of security cannot be achieved."}],"ec_funded":1,"volume":27,"issue":"1","language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"issn":["0926227X"]}},{"publication_status":"published","publication_identifier":{"issn":["1868-8969"],"isbn":["978-3-95977-095-8"]},"language":[{"iso":"eng"}],"file":[{"date_created":"2019-06-06T14:22:04Z","file_name":"2019_LIPIcs_Pietrzak.pdf","date_updated":"2020-07-14T12:47:33Z","file_size":558770,"creator":"dernst","file_id":"6529","checksum":"f0ae1bb161431d9db3dea5ace082bfb5","content_type":"application/pdf","access_level":"open_access","relation":"main_file"}],"ec_funded":1,"volume":124,"abstract":[{"text":"We construct a verifiable delay function (VDF) by showing how the Rivest-Shamir-Wagner time-lock puzzle can be made publicly verifiable. Concretely, we give a statistically sound public-coin protocol to prove that a tuple (N,x,T,y) satisfies y=x2T (mod N) where the prover doesn’t know the factorization of N and its running time is dominated by solving the puzzle, that is, compute x2T, which is conjectured to require T sequential squarings. To get a VDF we make this protocol non-interactive using the Fiat-Shamir heuristic.The motivation for this work comes from the Chia blockchain design, which uses a VDF as akey ingredient. For typical parameters (T≤2 40, N= 2048), our proofs are of size around 10K B, verification cost around three RSA exponentiations and computing the proof is 8000 times faster than solving the puzzle even without any parallelism.","lang":"eng"}],"oa_version":"Published Version","main_file_link":[{"url":"https://eprint.iacr.org/2018/627","open_access":"1"}],"scopus_import":1,"alternative_title":["LIPIcs"],"intvolume":" 124","month":"01","date_updated":"2021-01-12T08:07:53Z","ddc":["000"],"file_date_updated":"2020-07-14T12:47:33Z","department":[{"_id":"KrPi"}],"_id":"6528","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"conference":{"name":"ITCS 2019: Innovations in Theoretical Computer Science","location":"San Diego, CA, United States","end_date":"2019-01-12","start_date":"2019-01-10"},"type":"conference","status":"public","year":"2019","has_accepted_license":"1","publication":"10th Innovations in Theoretical Computer Science Conference","day":"10","date_created":"2019-06-06T14:12:36Z","date_published":"2019-01-10T00:00:00Z","doi":"10.4230/LIPICS.ITCS.2019.60","oa":1,"quality_controlled":"1","publisher":"Schloss Dagstuhl - Leibniz-Zentrum für Informatik","citation":{"mla":"Pietrzak, Krzysztof Z. “Simple Verifiable Delay Functions.” 10th Innovations in Theoretical Computer Science Conference, vol. 124, 60, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2019, doi:10.4230/LIPICS.ITCS.2019.60.","ieee":"K. Z. Pietrzak, “Simple verifiable delay functions,” in 10th Innovations in Theoretical Computer Science Conference, San Diego, CA, United States, 2019, vol. 124.","short":"K.Z. Pietrzak, in:, 10th Innovations in Theoretical Computer Science Conference, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2019.","ama":"Pietrzak KZ. Simple verifiable delay functions. In: 10th Innovations in Theoretical Computer Science Conference. Vol 124. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2019. doi:10.4230/LIPICS.ITCS.2019.60","apa":"Pietrzak, K. Z. (2019). Simple verifiable delay functions. In 10th Innovations in Theoretical Computer Science Conference (Vol. 124). San Diego, CA, United States: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. https://doi.org/10.4230/LIPICS.ITCS.2019.60","chicago":"Pietrzak, Krzysztof Z. “Simple Verifiable Delay Functions.” In 10th Innovations in Theoretical Computer Science Conference, Vol. 124. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2019. https://doi.org/10.4230/LIPICS.ITCS.2019.60.","ista":"Pietrzak KZ. 2019. Simple verifiable delay functions. 10th Innovations in Theoretical Computer Science Conference. ITCS 2019: Innovations in Theoretical Computer Science, LIPIcs, vol. 124, 60."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","article_processing_charge":"No","author":[{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"}],"title":"Simple verifiable delay functions","article_number":"60","project":[{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}]},{"department":[{"_id":"KrPi"}],"date_updated":"2023-02-23T12:50:15Z","type":"book_chapter","conference":{"end_date":"2019-07-11","location":"Rabat, Morocco","start_date":"2019-07-09","name":"AFRICACRYPT: International Conference on Cryptology in Africa"},"status":"public","series_title":"LNCS","_id":"6726","volume":11627,"ec_funded":1,"publication_identifier":{"eisbn":["978-3-0302-3696-0"],"isbn":["978-3-0302-3695-3"],"issn":["0302-9743","1611-3349"]},"publication_status":"published","language":[{"iso":"eng"}],"scopus_import":"1","main_file_link":[{"url":"https://eprint.iacr.org/2019/068","open_access":"1"}],"month":"06","place":"Cham","intvolume":" 11627","abstract":[{"lang":"eng","text":"Randomness is an essential part of any secure cryptosystem, but many constructions rely on distributions that are not uniform. This is particularly true for lattice based cryptosystems, which more often than not make use of discrete Gaussian distributions over the integers. For practical purposes it is crucial to evaluate the impact that approximation errors have on the security of a scheme to provide the best possible trade-off between security and performance. Recent years have seen surprising results allowing to use relatively low precision while maintaining high levels of security. A key insight in these results is that sampling a distribution with low relative error can provide very strong security guarantees. Since floating point numbers provide guarantees on the relative approximation error, they seem a suitable tool in this setting, but it is not obvious which sampling algorithms can actually profit from them. While previous works have shown that inversion sampling can be adapted to provide a low relative error (Pöppelmann et al., CHES 2014; Prest, ASIACRYPT 2017), other works have called into question if this is possible for other sampling techniques (Zheng et al., Eprint report 2018/309). In this work, we consider all sampling algorithms that are popular in the cryptographic setting and analyze the relationship of floating point precision and the resulting relative error. We show that all of the algorithms either natively achieve a low relative error or can be adapted to do so."}],"oa_version":"Preprint","author":[{"last_name":"Walter","orcid":"0000-0003-3186-2482","full_name":"Walter, Michael","id":"488F98B0-F248-11E8-B48F-1D18A9856A87","first_name":"Michael"}],"article_processing_charge":"No","editor":[{"last_name":"Buchmann","full_name":"Buchmann, J","first_name":"J"},{"full_name":"Nitaj, A","last_name":"Nitaj","first_name":"A"},{"full_name":"Rachidi, T","last_name":"Rachidi","first_name":"T"}],"title":"Sampling the integers with low relative error","citation":{"ista":"Walter M. 2019.Sampling the integers with low relative error. In: Progress in Cryptology – AFRICACRYPT 2019. vol. 11627, 157–180.","chicago":"Walter, Michael. “Sampling the Integers with Low Relative Error.” In Progress in Cryptology – AFRICACRYPT 2019, edited by J Buchmann, A Nitaj, and T Rachidi, 11627:157–80. LNCS. Cham: Springer Nature, 2019. https://doi.org/10.1007/978-3-030-23696-0_9.","ama":"Walter M. Sampling the integers with low relative error. In: Buchmann J, Nitaj A, Rachidi T, eds. Progress in Cryptology – AFRICACRYPT 2019. Vol 11627. LNCS. Cham: Springer Nature; 2019:157-180. doi:10.1007/978-3-030-23696-0_9","apa":"Walter, M. (2019). Sampling the integers with low relative error. In J. Buchmann, A. Nitaj, & T. Rachidi (Eds.), Progress in Cryptology – AFRICACRYPT 2019 (Vol. 11627, pp. 157–180). Cham: Springer Nature. https://doi.org/10.1007/978-3-030-23696-0_9","short":"M. Walter, in:, J. Buchmann, A. Nitaj, T. Rachidi (Eds.), Progress in Cryptology – AFRICACRYPT 2019, Springer Nature, Cham, 2019, pp. 157–180.","ieee":"M. Walter, “Sampling the integers with low relative error,” in Progress in Cryptology – AFRICACRYPT 2019, vol. 11627, J. Buchmann, A. Nitaj, and T. Rachidi, Eds. Cham: Springer Nature, 2019, pp. 157–180.","mla":"Walter, Michael. “Sampling the Integers with Low Relative Error.” Progress in Cryptology – AFRICACRYPT 2019, edited by J Buchmann et al., vol. 11627, Springer Nature, 2019, pp. 157–80, doi:10.1007/978-3-030-23696-0_9."},"user_id":"8b945eb4-e2f2-11eb-945a-df72226e66a9","project":[{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}],"page":"157-180","doi":"10.1007/978-3-030-23696-0_9","date_published":"2019-06-29T00:00:00Z","date_created":"2019-07-29T12:25:31Z","year":"2019","day":"29","publication":"Progress in Cryptology – AFRICACRYPT 2019","quality_controlled":"1","publisher":"Springer Nature","oa":1},{"publication_status":"published","publication_identifier":{"isbn":["9781538692912"]},"language":[{"iso":"eng"}],"main_file_link":[{"url":"https://arxiv.org/abs/1702.08476","open_access":"1"}],"scopus_import":"1","month":"07","abstract":[{"text":"It is well established that the notion of min-entropy fails to satisfy the \\emph{chain rule} of the form H(X,Y)=H(X|Y)+H(Y), known for Shannon Entropy. Such a property would help to analyze how min-entropy is split among smaller blocks. Problems of this kind arise for example when constructing extractors and dispersers.\r\nWe show that any sequence of variables exhibits a very strong strong block-source structure (conditional distributions of blocks are nearly flat) when we \\emph{spoil few correlated bits}. This implies, conditioned on the spoiled bits, that \\emph{splitting-recombination properties} hold. In particular, we have many nice properties that min-entropy doesn't obey in general, for example strong chain rules, \"information can't hurt\" inequalities, equivalences of average and worst-case conditional entropy definitions and others. Quantitatively, for any sequence X1,…,Xt of random variables over an alphabet X we prove that, when conditioned on m=t⋅O(loglog|X|+loglog(1/ϵ)+logt) bits of auxiliary information, all conditional distributions of the form Xi|X2019 IEEE International Symposium on Information Theory. IEEE, 2019. https://doi.org/10.1109/isit.2019.8849240.","ista":"Skórski M. 2019. Strong chain rules for min-entropy under few bits spoiled. 2019 IEEE International Symposium on Information Theory. ISIT: International Symposium on Information Theory, 8849240.","mla":"Skórski, Maciej. “Strong Chain Rules for Min-Entropy under Few Bits Spoiled.” 2019 IEEE International Symposium on Information Theory, 8849240, IEEE, 2019, doi:10.1109/isit.2019.8849240.","ieee":"M. Skórski, “Strong chain rules for min-entropy under few bits spoiled,” in 2019 IEEE International Symposium on Information Theory, Paris, France, 2019.","short":"M. Skórski, in:, 2019 IEEE International Symposium on Information Theory, IEEE, 2019.","ama":"Skórski M. Strong chain rules for min-entropy under few bits spoiled. In: 2019 IEEE International Symposium on Information Theory. IEEE; 2019. doi:10.1109/isit.2019.8849240","apa":"Skórski, M. (2019). Strong chain rules for min-entropy under few bits spoiled. In 2019 IEEE International Symposium on Information Theory. Paris, France: IEEE. https://doi.org/10.1109/isit.2019.8849240"},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","article_number":"8849240"},{"citation":{"chicago":"Abusalah, Hamza M, Chethan Kamath Hosdurg, Karen Klein, Krzysztof Z Pietrzak, and Michael Walter. “Reversible Proofs of Sequential Work.” In Advances in Cryptology – EUROCRYPT 2019, 11477:277–91. Springer International Publishing, 2019. https://doi.org/10.1007/978-3-030-17656-3_10.","ista":"Abusalah HM, Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. 2019. Reversible proofs of sequential work. Advances in Cryptology – EUROCRYPT 2019. International Conference on the Theory and Applications of Cryptographic Techniques, LNCS, vol. 11477, 277–291.","mla":"Abusalah, Hamza M., et al. “Reversible Proofs of Sequential Work.” Advances in Cryptology – EUROCRYPT 2019, vol. 11477, Springer International Publishing, 2019, pp. 277–91, doi:10.1007/978-3-030-17656-3_10.","short":"H.M. Abusalah, C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, M. Walter, in:, Advances in Cryptology – EUROCRYPT 2019, Springer International Publishing, 2019, pp. 277–291.","ieee":"H. M. Abusalah, C. Kamath Hosdurg, K. Klein, K. Z. Pietrzak, and M. Walter, “Reversible proofs of sequential work,” in Advances in Cryptology – EUROCRYPT 2019, Darmstadt, Germany, 2019, vol. 11477, pp. 277–291.","ama":"Abusalah HM, Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. Reversible proofs of sequential work. In: Advances in Cryptology – EUROCRYPT 2019. Vol 11477. Springer International Publishing; 2019:277-291. doi:10.1007/978-3-030-17656-3_10","apa":"Abusalah, H. M., Kamath Hosdurg, C., Klein, K., Pietrzak, K. Z., & Walter, M. (2019). Reversible proofs of sequential work. In Advances in Cryptology – EUROCRYPT 2019 (Vol. 11477, pp. 277–291). Darmstadt, Germany: Springer International Publishing. https://doi.org/10.1007/978-3-030-17656-3_10"},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","author":[{"id":"40297222-F248-11E8-B48F-1D18A9856A87","first_name":"Hamza M","full_name":"Abusalah, Hamza M","last_name":"Abusalah"},{"first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","full_name":"Kamath Hosdurg, Chethan","last_name":"Kamath Hosdurg"},{"id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","first_name":"Karen","full_name":"Klein, Karen","last_name":"Klein"},{"orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"},{"first_name":"Michael","id":"488F98B0-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0003-3186-2482","full_name":"Walter, Michael","last_name":"Walter"}],"external_id":{"isi":["000483516200010"]},"article_processing_charge":"No","title":"Reversible proofs of sequential work","project":[{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815","name":"Teaching Old Crypto New Tricks"}],"isi":1,"year":"2019","day":"24","publication":"Advances in Cryptology – EUROCRYPT 2019","page":"277-291","date_published":"2019-04-24T00:00:00Z","doi":"10.1007/978-3-030-17656-3_10","date_created":"2020-01-30T09:26:14Z","publisher":"Springer International Publishing","quality_controlled":"1","oa":1,"date_updated":"2023-09-06T15:26:06Z","department":[{"_id":"KrPi"}],"_id":"7411","type":"conference","conference":{"name":"International Conference on the Theory and Applications of Cryptographic Techniques","location":"Darmstadt, Germany","end_date":"2019-05-23","start_date":"2019-05-19"},"status":"public","publication_identifier":{"issn":["0302-9743"],"isbn":["9783030176556","9783030176563"],"eissn":["1611-3349"]},"publication_status":"published","language":[{"iso":"eng"}],"volume":11477,"ec_funded":1,"abstract":[{"text":"Proofs of sequential work (PoSW) are proof systems where a prover, upon receiving a statement χ and a time parameter T computes a proof ϕ(χ,T) which is efficiently and publicly verifiable. The proof can be computed in T sequential steps, but not much less, even by a malicious party having large parallelism. A PoSW thus serves as a proof that T units of time have passed since χ\r\n\r\nwas received.\r\n\r\nPoSW were introduced by Mahmoody, Moran and Vadhan [MMV11], a simple and practical construction was only recently proposed by Cohen and Pietrzak [CP18].\r\n\r\nIn this work we construct a new simple PoSW in the random permutation model which is almost as simple and efficient as [CP18] but conceptually very different. Whereas the structure underlying [CP18] is a hash tree, our construction is based on skip lists and has the interesting property that computing the PoSW is a reversible computation.\r\nThe fact that the construction is reversible can potentially be used for new applications like constructing proofs of replication. We also show how to “embed” the sloth function of Lenstra and Weselowski [LW17] into our PoSW to get a PoSW where one additionally can verify correctness of the output much more efficiently than recomputing it (though recent constructions of “verifiable delay functions” subsume most of the applications this construction was aiming at).","lang":"eng"}],"oa_version":"Submitted Version","alternative_title":["LNCS"],"scopus_import":"1","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2019/252"}],"month":"04","intvolume":" 11477"},{"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2019/549"}],"scopus_import":"1","month":"06","abstract":[{"text":"The Fiat-Shamir heuristic transforms a public-coin interactive proof into a non-interactive argument, by replacing the verifier with a cryptographic hash function that is applied to the protocol’s transcript. Constructing hash functions for which this transformation is sound is a central and long-standing open question in cryptography.\r\n\r\nWe show that solving the END−OF−METERED−LINE problem is no easier than breaking the soundness of the Fiat-Shamir transformation when applied to the sumcheck protocol. In particular, if the transformed protocol is sound, then any hard problem in #P gives rise to a hard distribution in the class CLS, which is contained in PPAD. Our result opens up the possibility of sampling moderately-sized games for which it is hard to find a Nash equilibrium, by reducing the inversion of appropriately chosen one-way functions to #SAT.\r\n\r\nOur main technical contribution is a stateful incrementally verifiable procedure that, given a SAT instance over n variables, counts the number of satisfying assignments. This is accomplished via an exponential sequence of small steps, each computable in time poly(n). Incremental verifiability means that each intermediate state includes a sumcheck-based proof of its correctness, and the proof can be updated and verified in time poly(n).","lang":"eng"}],"oa_version":"Preprint","ec_funded":1,"related_material":{"record":[{"id":"7896","status":"public","relation":"dissertation_contains"}]},"publication_status":"published","publication_identifier":{"isbn":["9781450367059"]},"language":[{"iso":"eng"}],"conference":{"end_date":"2019-06-26","location":"Phoenix, AZ, United States","start_date":"2019-06-23","name":"STOC: Symposium on Theory of Computing"},"type":"conference","status":"public","_id":"6677","department":[{"_id":"KrPi"}],"date_updated":"2023-09-07T13:15:55Z","oa":1,"quality_controlled":"1","publisher":"ACM Press","page":"1103-1114","date_created":"2019-07-24T09:20:53Z","doi":"10.1145/3313276.3316400","date_published":"2019-06-01T00:00:00Z","year":"2019","isi":1,"publication":"Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019","day":"01","project":[{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}],"article_processing_charge":"No","external_id":{"isi":["000523199100100"]},"author":[{"last_name":"Choudhuri","full_name":"Choudhuri, Arka Rai","first_name":"Arka Rai"},{"first_name":"Pavel","full_name":"Hubáček, Pavel","last_name":"Hubáček"},{"id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","first_name":"Chethan","full_name":"Kamath Hosdurg, Chethan","last_name":"Kamath Hosdurg"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z"},{"last_name":"Rosen","full_name":"Rosen, Alon","first_name":"Alon"},{"first_name":"Guy N.","last_name":"Rothblum","full_name":"Rothblum, Guy N."}],"title":"Finding a Nash equilibrium is no easier than breaking Fiat-Shamir","citation":{"ieee":"A. R. Choudhuri, P. Hubáček, C. Kamath Hosdurg, K. Z. Pietrzak, A. Rosen, and G. N. Rothblum, “Finding a Nash equilibrium is no easier than breaking Fiat-Shamir,” in Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019, Phoenix, AZ, United States, 2019, pp. 1103–1114.","short":"A.R. Choudhuri, P. Hubáček, C. Kamath Hosdurg, K.Z. Pietrzak, A. Rosen, G.N. Rothblum, in:, Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019, ACM Press, 2019, pp. 1103–1114.","ama":"Choudhuri AR, Hubáček P, Kamath Hosdurg C, Pietrzak KZ, Rosen A, Rothblum GN. Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. In: Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019. ACM Press; 2019:1103-1114. doi:10.1145/3313276.3316400","apa":"Choudhuri, A. R., Hubáček, P., Kamath Hosdurg, C., Pietrzak, K. Z., Rosen, A., & Rothblum, G. N. (2019). Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. In Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019 (pp. 1103–1114). Phoenix, AZ, United States: ACM Press. https://doi.org/10.1145/3313276.3316400","mla":"Choudhuri, Arka Rai, et al. “Finding a Nash Equilibrium Is No Easier than Breaking Fiat-Shamir.” Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019, ACM Press, 2019, pp. 1103–14, doi:10.1145/3313276.3316400.","ista":"Choudhuri AR, Hubáček P, Kamath Hosdurg C, Pietrzak KZ, Rosen A, Rothblum GN. 2019. Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019. STOC: Symposium on Theory of Computing, 1103–1114.","chicago":"Choudhuri, Arka Rai, Pavel Hubáček, Chethan Kamath Hosdurg, Krzysztof Z Pietrzak, Alon Rosen, and Guy N. Rothblum. “Finding a Nash Equilibrium Is No Easier than Breaking Fiat-Shamir.” In Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019, 1103–14. ACM Press, 2019. https://doi.org/10.1145/3313276.3316400."},"user_id":"4359f0d1-fa6c-11eb-b949-802e58b17ae8"},{"intvolume":" 11443","month":"04","main_file_link":[{"url":"https://eprint.iacr.org/2018/426","open_access":"1"}],"alternative_title":["LNCS"],"scopus_import":"1","oa_version":"Preprint","abstract":[{"text":"A proxy re-encryption (PRE) scheme is a public-key encryption scheme that allows the holder of a key pk to derive a re-encryption key for any other key 𝑝𝑘′. This re-encryption key lets anyone transform ciphertexts under pk into ciphertexts under 𝑝𝑘′ without having to know the underlying message, while transformations from 𝑝𝑘′ to pk should not be possible (unidirectional). Security is defined in a multi-user setting against an adversary that gets the users’ public keys and can ask for re-encryption keys and can corrupt users by requesting their secret keys. Any ciphertext that the adversary cannot trivially decrypt given the obtained secret and re-encryption keys should be secure.\r\n\r\nAll existing security proofs for PRE only show selective security, where the adversary must first declare the users it wants to corrupt. This can be lifted to more meaningful adaptive security by guessing the set of corrupted users among the n users, which loses a factor exponential in Open image in new window , rendering the result meaningless already for moderate Open image in new window .\r\n\r\nJafargholi et al. (CRYPTO’17) proposed a framework that in some cases allows to give adaptive security proofs for schemes which were previously only known to be selectively secure, while avoiding the exponential loss that results from guessing the adaptive choices made by an adversary. We apply their framework to PREs that satisfy some natural additional properties. Concretely, we give a more fine-grained reduction for several unidirectional PREs, proving adaptive security at a much smaller loss. The loss depends on the graph of users whose edges represent the re-encryption keys queried by the adversary. For trees and chains the loss is quasi-polynomial in the size and for general graphs it is exponential in their depth and indegree (instead of their size as for previous reductions). Fortunately, trees and low-depth graphs cover many, if not most, interesting applications.\r\n\r\nOur results apply e.g. to the bilinear-map based PRE schemes by Ateniese et al. (NDSS’05 and CT-RSA’09), Gentry’s FHE-based scheme (STOC’09) and the LWE-based scheme by Chandran et al. (PKC’14).","lang":"eng"}],"ec_funded":1,"related_material":{"record":[{"status":"public","id":"10035","relation":"dissertation_contains"}]},"volume":11443,"language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"issn":["03029743"],"isbn":["9783030172589"],"eissn":["16113349"]},"status":"public","conference":{"start_date":"2019-04-14","end_date":"2019-04-17","location":"Beijing, China","name":"PKC: Public-Key Cryptograhy"},"type":"conference","_id":"6430","department":[{"_id":"KrPi"}],"date_updated":"2023-09-08T11:33:20Z","oa":1,"publisher":"Springer Nature","quality_controlled":"1","date_created":"2019-05-13T08:13:46Z","doi":"10.1007/978-3-030-17259-6_11","date_published":"2019-04-06T00:00:00Z","page":"317-346","day":"06","year":"2019","project":[{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815","name":"Teaching Old Crypto New Tricks"}],"title":"Adaptively secure proxy re-encryption","article_processing_charge":"No","author":[{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg"},{"id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","first_name":"Chethan","full_name":"Kamath Hosdurg, Chethan","last_name":"Kamath Hosdurg"},{"last_name":"Klein","full_name":"Klein, Karen","id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","first_name":"Karen"},{"orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"}],"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"ista":"Fuchsbauer G, Kamath Hosdurg C, Klein K, Pietrzak KZ. 2019. Adaptively secure proxy re-encryption. PKC: Public-Key Cryptograhy, LNCS, vol. 11443, 317–346.","chicago":"Fuchsbauer, Georg, Chethan Kamath Hosdurg, Karen Klein, and Krzysztof Z Pietrzak. “Adaptively Secure Proxy Re-Encryption,” 11443:317–46. Springer Nature, 2019. https://doi.org/10.1007/978-3-030-17259-6_11.","apa":"Fuchsbauer, G., Kamath Hosdurg, C., Klein, K., & Pietrzak, K. Z. (2019). Adaptively secure proxy re-encryption (Vol. 11443, pp. 317–346). Presented at the PKC: Public-Key Cryptograhy, Beijing, China: Springer Nature. https://doi.org/10.1007/978-3-030-17259-6_11","ama":"Fuchsbauer G, Kamath Hosdurg C, Klein K, Pietrzak KZ. Adaptively secure proxy re-encryption. In: Vol 11443. Springer Nature; 2019:317-346. doi:10.1007/978-3-030-17259-6_11","ieee":"G. Fuchsbauer, C. Kamath Hosdurg, K. Klein, and K. Z. Pietrzak, “Adaptively secure proxy re-encryption,” presented at the PKC: Public-Key Cryptograhy, Beijing, China, 2019, vol. 11443, pp. 317–346.","short":"G. Fuchsbauer, C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, in:, Springer Nature, 2019, pp. 317–346.","mla":"Fuchsbauer, Georg, et al. Adaptively Secure Proxy Re-Encryption. Vol. 11443, Springer Nature, 2019, pp. 317–46, doi:10.1007/978-3-030-17259-6_11."}},{"year":"2018","has_accepted_license":"1","publication":"IACR Transactions on Cryptographic Hardware and Embedded Systems","day":"01","page":"214-242","date_created":"2021-11-14T23:01:25Z","date_published":"2018-01-01T00:00:00Z","doi":"10.13154/tches.v2018.i3.214-242","oa":1,"quality_controlled":"1","publisher":"International Association for Cryptologic Research","citation":{"apa":"Allini, E. N., Skórski, M., Petura, O., Bernard, F., Laban, M., & Fischer, V. (2018). Evaluation and monitoring of free running oscillators serving as source of randomness. IACR Transactions on Cryptographic Hardware and Embedded Systems. International Association for Cryptologic Research. https://doi.org/10.13154/tches.v2018.i3.214-242","ama":"Allini EN, Skórski M, Petura O, Bernard F, Laban M, Fischer V. Evaluation and monitoring of free running oscillators serving as source of randomness. IACR Transactions on Cryptographic Hardware and Embedded Systems. 2018;2018(3):214-242. doi:10.13154/tches.v2018.i3.214-242","short":"E.N. Allini, M. Skórski, O. Petura, F. Bernard, M. Laban, V. Fischer, IACR Transactions on Cryptographic Hardware and Embedded Systems 2018 (2018) 214–242.","ieee":"E. N. Allini, M. Skórski, O. Petura, F. Bernard, M. Laban, and V. Fischer, “Evaluation and monitoring of free running oscillators serving as source of randomness,” IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2018, no. 3. International Association for Cryptologic Research, pp. 214–242, 2018.","mla":"Allini, Elie Noumon, et al. “Evaluation and Monitoring of Free Running Oscillators Serving as Source of Randomness.” IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2018, no. 3, International Association for Cryptologic Research, 2018, pp. 214–42, doi:10.13154/tches.v2018.i3.214-242.","ista":"Allini EN, Skórski M, Petura O, Bernard F, Laban M, Fischer V. 2018. Evaluation and monitoring of free running oscillators serving as source of randomness. IACR Transactions on Cryptographic Hardware and Embedded Systems. 2018(3), 214–242.","chicago":"Allini, Elie Noumon, Maciej Skórski, Oto Petura, Florent Bernard, Marek Laban, and Viktor Fischer. “Evaluation and Monitoring of Free Running Oscillators Serving as Source of Randomness.” IACR Transactions on Cryptographic Hardware and Embedded Systems. International Association for Cryptologic Research, 2018. https://doi.org/10.13154/tches.v2018.i3.214-242."},"user_id":"8b945eb4-e2f2-11eb-945a-df72226e66a9","article_processing_charge":"No","author":[{"last_name":"Allini","full_name":"Allini, Elie Noumon","first_name":"Elie Noumon"},{"full_name":"Skórski, Maciej","last_name":"Skórski","first_name":"Maciej","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD"},{"last_name":"Petura","full_name":"Petura, Oto","first_name":"Oto"},{"last_name":"Bernard","full_name":"Bernard, Florent","first_name":"Florent"},{"first_name":"Marek","last_name":"Laban","full_name":"Laban, Marek"},{"full_name":"Fischer, Viktor","last_name":"Fischer","first_name":"Viktor"}],"title":"Evaluation and monitoring of free running oscillators serving as source of randomness","publication_status":"published","publication_identifier":{"eissn":["2569-2925"]},"language":[{"iso":"eng"}],"file":[{"file_id":"10289","checksum":"b816b848f046c48a8357700d9305dce5","success":1,"content_type":"application/pdf","access_level":"open_access","relation":"main_file","date_created":"2021-11-15T10:27:29Z","file_name":"2018_IACR_Allini.pdf","date_updated":"2021-11-15T10:27:29Z","file_size":955755,"creator":"cchlebak"}],"issue":"3","volume":2018,"abstract":[{"lang":"eng","text":"In this paper, we evaluate clock signals generated in ring oscillators and self-timed rings and the way their jitter can be transformed into random numbers. We show that counting the periods of the jittery clock signal produces random numbers of significantly better quality than the methods in which the jittery signal is simply sampled (the case in almost all current methods). Moreover, we use the counter values to characterize and continuously monitor the source of randomness. However, instead of using the widely used statistical variance, we propose to use Allan variance to do so. There are two main advantages: Allan variance is insensitive to low frequency noises such as flicker noise that are known to be autocorrelated and significantly less circuitry is required for its computation than that used to compute commonly used variance. We also show that it is essential to use a differential principle of randomness extraction from the jitter based on the use of two identical oscillators to avoid autocorrelations originating from external and internal global jitter sources and that this fact is valid for both kinds of rings. Last but not least, we propose a method of statistical testing based on high order Markov model to show the reduced dependencies when the proposed randomness extraction is applied."}],"oa_version":"Published Version","scopus_import":"1","intvolume":" 2018","month":"01","date_updated":"2021-11-15T10:48:49Z","ddc":["000"],"file_date_updated":"2021-11-15T10:27:29Z","department":[{"_id":"KrPi"}],"_id":"10286","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"article_type":"original","type":"journal_article","status":"public"},{"_id":"7407","status":"public","conference":{"start_date":"2019-01-10","end_date":"2019-01-12","location":"San Diego, CA, United States","name":"ITCS: Innovations in theoretical Computer Science Conference"},"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"type":"conference","ddc":["000"],"date_updated":"2021-01-12T08:13:26Z","file_date_updated":"2020-07-14T12:47:57Z","department":[{"_id":"KrPi"}],"oa_version":"Published Version","abstract":[{"text":"Proofs of space (PoS) [Dziembowski et al., CRYPTO'15] are proof systems where a prover can convince a verifier that he \"wastes\" disk space. PoS were introduced as a more ecological and economical replacement for proofs of work which are currently used to secure blockchains like Bitcoin. In this work we investigate extensions of PoS which allow the prover to embed useful data into the dedicated space, which later can be recovered. Our first contribution is a security proof for the original PoS from CRYPTO'15 in the random oracle model (the original proof only applied to a restricted class of adversaries which can store a subset of the data an honest prover would store). When this PoS is instantiated with recent constructions of maximally depth robust graphs, our proof implies basically optimal security. As a second contribution we show three different extensions of this PoS where useful data can be embedded into the space required by the prover. Our security proof for the PoS extends (non-trivially) to these constructions. We discuss how some of these variants can be used as proofs of catalytic space (PoCS), a notion we put forward in this work, and which basically is a PoS where most of the space required by the prover can be used to backup useful data. Finally we discuss how one of the extensions is a candidate construction for a proof of replication (PoR), a proof system recently suggested in the Filecoin whitepaper. ","lang":"eng"}],"intvolume":" 124","month":"12","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2018/194"}],"scopus_import":1,"alternative_title":["LIPIcs"],"language":[{"iso":"eng"}],"file":[{"file_id":"7443","checksum":"5cebb7f7849a3beda898f697d755dd96","relation":"main_file","access_level":"open_access","content_type":"application/pdf","file_name":"2018_LIPIcs_Pietrzak.pdf","date_created":"2020-02-04T08:17:52Z","creator":"dernst","file_size":822884,"date_updated":"2020-07-14T12:47:57Z"}],"publication_status":"published","publication_identifier":{"isbn":["978-3-95977-095-8"],"issn":["1868-8969"]},"ec_funded":1,"volume":124,"project":[{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"ista":"Pietrzak KZ. 2018. Proofs of catalytic space. 10th Innovations in Theoretical Computer Science Conference (ITCS 2019). ITCS: Innovations in theoretical Computer Science Conference, LIPIcs, vol. 124, 59:1-59:25.","chicago":"Pietrzak, Krzysztof Z. “Proofs of Catalytic Space.” In 10th Innovations in Theoretical Computer Science Conference (ITCS 2019), 124:59:1-59:25. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2018. https://doi.org/10.4230/LIPICS.ITCS.2019.59.","short":"K.Z. Pietrzak, in:, 10th Innovations in Theoretical Computer Science Conference (ITCS 2019), Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2018, p. 59:1-59:25.","ieee":"K. Z. Pietrzak, “Proofs of catalytic space,” in 10th Innovations in Theoretical Computer Science Conference (ITCS 2019), San Diego, CA, United States, 2018, vol. 124, p. 59:1-59:25.","apa":"Pietrzak, K. Z. (2018). Proofs of catalytic space. In 10th Innovations in Theoretical Computer Science Conference (ITCS 2019) (Vol. 124, p. 59:1-59:25). San Diego, CA, United States: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. https://doi.org/10.4230/LIPICS.ITCS.2019.59","ama":"Pietrzak KZ. Proofs of catalytic space. In: 10th Innovations in Theoretical Computer Science Conference (ITCS 2019). Vol 124. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2018:59:1-59:25. doi:10.4230/LIPICS.ITCS.2019.59","mla":"Pietrzak, Krzysztof Z. “Proofs of Catalytic Space.” 10th Innovations in Theoretical Computer Science Conference (ITCS 2019), vol. 124, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2018, p. 59:1-59:25, doi:10.4230/LIPICS.ITCS.2019.59."},"title":"Proofs of catalytic space","article_processing_charge":"No","author":[{"last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"}],"oa":1,"quality_controlled":"1","publisher":"Schloss Dagstuhl - Leibniz-Zentrum für Informatik","publication":"10th Innovations in Theoretical Computer Science Conference (ITCS 2019)","day":"31","year":"2018","has_accepted_license":"1","date_created":"2020-01-30T09:16:05Z","doi":"10.4230/LIPICS.ITCS.2019.59","date_published":"2018-12-31T00:00:00Z","page":"59:1-59:25"},{"_id":"83","pubrep_id":"1046","status":"public","type":"dissertation","ddc":["004"],"date_updated":"2023-09-07T12:30:23Z","supervisor":[{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"}],"file_date_updated":"2020-07-14T12:48:11Z","department":[{"_id":"KrPi"}],"oa_version":"Published Version","abstract":[{"lang":"eng","text":"A proof system is a protocol between a prover and a verifier over a common input in which an honest prover convinces the verifier of the validity of true statements. Motivated by the success of decentralized cryptocurrencies, exemplified by Bitcoin, the focus of this thesis will be on proof systems which found applications in some sustainable alternatives to Bitcoin, such as the Spacemint and Chia cryptocurrencies. In particular, we focus on proofs of space and proofs of sequential work.\r\nProofs of space (PoSpace) were suggested as more ecological, economical, and egalitarian alternative to the energy-wasteful proof-of-work mining of Bitcoin. However, the state-of-the-art constructions of PoSpace are based on sophisticated graph pebbling lower bounds, and are therefore complex. Moreover, when these PoSpace are used in cryptocurrencies like Spacemint, miners can only start mining after ensuring that a commitment to their space is already added in a special transaction to the blockchain. Proofs of sequential work (PoSW) are proof systems in which a prover, upon receiving a statement x and a time parameter T, computes a proof which convinces the verifier that T time units had passed since x was received. Whereas Spacemint assumes synchrony to retain some interesting Bitcoin dynamics, Chia requires PoSW with unique proofs, i.e., PoSW in which it is hard to come up with more than one accepting proof for any true statement. In this thesis we construct simple and practically-efficient PoSpace and PoSW. When using our PoSpace in cryptocurrencies, miners can start mining on the fly, like in Bitcoin, and unlike current constructions of PoSW, which either achieve efficient verification of sequential work, or faster-than-recomputing verification of correctness of proofs, but not both at the same time, ours achieve the best of these two worlds."}],"month":"09","alternative_title":["ISTA Thesis"],"language":[{"iso":"eng"}],"file":[{"content_type":"application/pdf","relation":"main_file","access_level":"open_access","file_id":"6245","checksum":"c4b5f7d111755d1396787f41886fc674","file_size":876241,"date_updated":"2020-07-14T12:48:11Z","creator":"dernst","file_name":"2018_Thesis_Abusalah.pdf","date_created":"2019-04-09T06:43:41Z"},{"file_id":"6246","checksum":"0f382ac56b471c48fd907d63eb87dafe","content_type":"application/x-gzip","access_level":"closed","relation":"source_file","date_created":"2019-04-09T06:43:41Z","file_name":"2018_Thesis_Abusalah_source.tar.gz","date_updated":"2020-07-14T12:48:11Z","file_size":2029190,"creator":"dernst"}],"degree_awarded":"PhD","publication_status":"published","publication_identifier":{"issn":["2663-337X"]},"ec_funded":1,"related_material":{"record":[{"id":"1229","status":"public","relation":"part_of_dissertation"},{"relation":"part_of_dissertation","status":"public","id":"1235"},{"status":"public","id":"1236","relation":"part_of_dissertation"},{"status":"public","id":"559","relation":"part_of_dissertation"}]},"project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography"},{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","grant_number":"682815","name":"Teaching Old Crypto New Tricks"}],"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"chicago":"Abusalah, Hamza M. “Proof Systems for Sustainable Decentralized Cryptocurrencies.” Institute of Science and Technology Austria, 2018. https://doi.org/10.15479/AT:ISTA:TH_1046.","ista":"Abusalah HM. 2018. Proof systems for sustainable decentralized cryptocurrencies. Institute of Science and Technology Austria.","mla":"Abusalah, Hamza M. Proof Systems for Sustainable Decentralized Cryptocurrencies. Institute of Science and Technology Austria, 2018, doi:10.15479/AT:ISTA:TH_1046.","apa":"Abusalah, H. M. (2018). Proof systems for sustainable decentralized cryptocurrencies. Institute of Science and Technology Austria. https://doi.org/10.15479/AT:ISTA:TH_1046","ama":"Abusalah HM. Proof systems for sustainable decentralized cryptocurrencies. 2018. doi:10.15479/AT:ISTA:TH_1046","short":"H.M. Abusalah, Proof Systems for Sustainable Decentralized Cryptocurrencies, Institute of Science and Technology Austria, 2018.","ieee":"H. M. Abusalah, “Proof systems for sustainable decentralized cryptocurrencies,” Institute of Science and Technology Austria, 2018."},"title":"Proof systems for sustainable decentralized cryptocurrencies","article_processing_charge":"No","author":[{"id":"40297222-F248-11E8-B48F-1D18A9856A87","first_name":"Hamza M","full_name":"Abusalah, Hamza M","last_name":"Abusalah"}],"publist_id":"7971","oa":1,"publisher":"Institute of Science and Technology Austria","day":"05","year":"2018","has_accepted_license":"1","date_created":"2018-12-11T11:44:32Z","date_published":"2018-09-05T00:00:00Z","doi":"10.15479/AT:ISTA:TH_1046","page":"59"},{"oa":1,"publisher":"IEEE","quality_controlled":"1","day":"16","year":"2018","isi":1,"date_created":"2018-12-11T11:44:40Z","date_published":"2018-08-16T00:00:00Z","doi":"10.1109/ISIT.2018.8437654","user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"mla":"Obremski, Marciej, and Maciej Skórski. Inverted Leftover Hash Lemma. Vol. 2018, IEEE, 2018, doi:10.1109/ISIT.2018.8437654.","apa":"Obremski, M., & Skórski, M. (2018). Inverted leftover hash lemma (Vol. 2018). Presented at the ISIT: International Symposium on Information Theory, Vail, CO, USA: IEEE. https://doi.org/10.1109/ISIT.2018.8437654","ama":"Obremski M, Skórski M. Inverted leftover hash lemma. In: Vol 2018. IEEE; 2018. doi:10.1109/ISIT.2018.8437654","short":"M. Obremski, M. Skórski, in:, IEEE, 2018.","ieee":"M. Obremski and M. Skórski, “Inverted leftover hash lemma,” presented at the ISIT: International Symposium on Information Theory, Vail, CO, USA, 2018, vol. 2018.","chicago":"Obremski, Marciej, and Maciej Skórski. “Inverted Leftover Hash Lemma,” Vol. 2018. IEEE, 2018. https://doi.org/10.1109/ISIT.2018.8437654.","ista":"Obremski M, Skórski M. 2018. Inverted leftover hash lemma. ISIT: International Symposium on Information Theory, ISIT Proceedings, vol. 2018."},"title":"Inverted leftover hash lemma","external_id":{"isi":["000448139300368"]},"article_processing_charge":"No","author":[{"first_name":"Marciej","full_name":"Obremski, Marciej","last_name":"Obremski"},{"first_name":"Maciej","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD","last_name":"Skorski","full_name":"Skorski, Maciej"}],"publist_id":"7946","oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"Universal hashing found a lot of applications in computer science. In cryptography the most important fact about universal families is the so called Leftover Hash Lemma, proved by Impagliazzo, Levin and Luby. In the language of modern cryptography it states that almost universal families are good extractors. In this work we provide a somewhat surprising characterization in the opposite direction. Namely, every extractor with sufficiently good parameters yields a universal family on a noticeable fraction of its inputs. Our proof technique is based on tools from extremal graph theory applied to the \\'collision graph\\' induced by the extractor, and may be of independent interest. We discuss possible applications to the theory of randomness extractors and non-malleable codes."}],"intvolume":" 2018","month":"08","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2017/507"}],"alternative_title":["ISIT Proceedings"],"scopus_import":"1","language":[{"iso":"eng"}],"publication_status":"published","volume":2018,"_id":"108","status":"public","conference":{"end_date":"2018-06-22","location":"Vail, CO, USA","start_date":"2018-06-17 ","name":"ISIT: International Symposium on Information Theory"},"type":"conference","date_updated":"2023-09-13T08:23:18Z","department":[{"_id":"KrPi"}]},{"issue":"4","volume":65,"ec_funded":1,"language":[{"iso":"eng"}],"publication_status":"published","month":"08","intvolume":" 65","scopus_import":"1","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2009/608"}],"oa_version":"Preprint","abstract":[{"text":"We introduce the notion of “non-malleable codes” which relaxes the notion of error correction and error detection. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely unrelated value. In contrast to error correction and error detection, non-malleability can be achieved for very rich classes of modifications. We construct an efficient code that is non-malleable with respect to modifications that affect each bit of the codeword arbitrarily (i.e., leave it untouched, flip it, or set it to either 0 or 1), but independently of the value of the other bits of the codeword. Using the probabilistic method, we also show a very strong and general statement: there exists a non-malleable code for every “small enough” family F of functions via which codewords can be modified. Although this probabilistic method argument does not directly yield efficient constructions, it gives us efficient non-malleable codes in the random-oracle model for very general classes of tampering functions—e.g., functions where every bit in the tampered codeword can depend arbitrarily on any 99% of the bits in the original codeword. As an application of non-malleable codes, we show that they provide an elegant algorithmic solution to the task of protecting functionalities implemented in hardware (e.g., signature cards) against “tampering attacks.” In such attacks, the secret state of a physical system is tampered, in the hopes that future interaction with the modified system will reveal some secret information. This problem was previously studied in the work of Gennaro et al. in 2004 under the name “algorithmic tamper proof security” (ATP). We show that non-malleable codes can be used to achieve important improvements over the prior work. In particular, we show that any functionality can be made secure against a large class of tampering attacks, simply by encoding the secret state with a non-malleable code while it is stored in memory.","lang":"eng"}],"department":[{"_id":"KrPi"}],"date_updated":"2023-09-13T09:05:17Z","status":"public","article_type":"original","type":"journal_article","_id":"107","date_published":"2018-08-01T00:00:00Z","doi":"10.1145/3178432","date_created":"2018-12-11T11:44:40Z","day":"01","publication":"Journal of the ACM","isi":1,"year":"2018","publisher":"ACM","quality_controlled":"1","oa":1,"title":"Non-malleable codes","publist_id":"7947","author":[{"first_name":"Stefan","last_name":"Dziembowski","full_name":"Dziembowski, Stefan"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"},{"first_name":"Daniel","last_name":"Wichs","full_name":"Wichs, Daniel"}],"article_processing_charge":"No","external_id":{"isi":["000442938200004"]},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"chicago":"Dziembowski, Stefan, Krzysztof Z Pietrzak, and Daniel Wichs. “Non-Malleable Codes.” Journal of the ACM. ACM, 2018. https://doi.org/10.1145/3178432.","ista":"Dziembowski S, Pietrzak KZ, Wichs D. 2018. Non-malleable codes. Journal of the ACM. 65(4), 20.","mla":"Dziembowski, Stefan, et al. “Non-Malleable Codes.” Journal of the ACM, vol. 65, no. 4, 20, ACM, 2018, doi:10.1145/3178432.","ieee":"S. Dziembowski, K. Z. Pietrzak, and D. Wichs, “Non-malleable codes,” Journal of the ACM, vol. 65, no. 4. ACM, 2018.","short":"S. Dziembowski, K.Z. Pietrzak, D. Wichs, Journal of the ACM 65 (2018).","ama":"Dziembowski S, Pietrzak KZ, Wichs D. Non-malleable codes. Journal of the ACM. 2018;65(4). doi:10.1145/3178432","apa":"Dziembowski, S., Pietrzak, K. Z., & Wichs, D. (2018). Non-malleable codes. Journal of the ACM. ACM. https://doi.org/10.1145/3178432"},"project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","grant_number":"682815","name":"Teaching Old Crypto New Tricks"},{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"article_number":"20"},{"status":"public","type":"conference","conference":{"end_date":"2018-06-08","location":"Incheon, Republic of Korea","start_date":"2018-06-04","name":"ASIACCS: Asia Conference on Computer and Communications Security "},"_id":"193","department":[{"_id":"KrPi"},{"_id":"HeEd"},{"_id":"VlKo"}],"date_updated":"2023-09-13T09:13:12Z","month":"06","scopus_import":"1","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2016/783"}],"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"We show attacks on five data-independent memory-hard functions (iMHF) that were submitted to the password hashing competition (PHC). Informally, an MHF is a function which cannot be evaluated on dedicated hardware, like ASICs, at significantly lower hardware and/or energy cost than evaluating a single instance on a standard single-core architecture. Data-independent means the memory access pattern of the function is independent of the input; this makes iMHFs harder to construct than data-dependent ones, but the latter can be attacked by various side-channel attacks. Following [Alwen-Blocki'16], we capture the evaluation of an iMHF as a directed acyclic graph (DAG). The cumulative parallel pebbling complexity of this DAG is a measure for the hardware cost of evaluating the iMHF on an ASIC. Ideally, one would like the complexity of a DAG underlying an iMHF to be as close to quadratic in the number of nodes of the graph as possible. Instead, we show that (the DAGs underlying) the following iMHFs are far from this bound: Rig.v2, TwoCats and Gambit each having an exponent no more than 1.75. Moreover, we show that the complexity of the iMHF modes of the PHC finalists Pomelo and Lyra2 have exponents at most 1.83 and 1.67 respectively. To show this we investigate a combinatorial property of each underlying DAG (called its depth-robustness. By establishing upper bounds on this property we are then able to apply the general technique of [Alwen-Block'16] for analyzing the hardware costs of an iMHF."}],"ec_funded":1,"language":[{"iso":"eng"}],"publication_status":"published","project":[{"grant_number":"616160","name":"Discrete Optimization in Computer Vision: Theory and Practice","call_identifier":"FP7","_id":"25FBA906-B435-11E9-9278-68D0E5697425"},{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"title":"On the memory hardness of data independent password hashing functions","author":[{"full_name":"Alwen, Joel F","last_name":"Alwen","first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Gazi","full_name":"Gazi, Peter","first_name":"Peter"},{"id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","first_name":"Chethan","last_name":"Kamath Hosdurg","full_name":"Kamath Hosdurg, Chethan"},{"last_name":"Klein","full_name":"Klein, Karen","id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","first_name":"Karen"},{"orcid":"0000-0002-8882-5116","full_name":"Osang, Georg F","last_name":"Osang","id":"464B40D6-F248-11E8-B48F-1D18A9856A87","first_name":"Georg F"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z"},{"first_name":"Lenoid","full_name":"Reyzin, Lenoid","last_name":"Reyzin"},{"id":"3CB3BC06-F248-11E8-B48F-1D18A9856A87","first_name":"Michal","last_name":"Rolinek","full_name":"Rolinek, Michal"},{"full_name":"Rybar, Michal","last_name":"Rybar","first_name":"Michal","id":"2B3E3DE8-F248-11E8-B48F-1D18A9856A87"}],"publist_id":"7723","article_processing_charge":"No","external_id":{"isi":["000516620100005"]},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"ista":"Alwen JF, Gazi P, Kamath Hosdurg C, Klein K, Osang GF, Pietrzak KZ, Reyzin L, Rolinek M, Rybar M. 2018. On the memory hardness of data independent password hashing functions. Proceedings of the 2018 on Asia Conference on Computer and Communication Security. ASIACCS: Asia Conference on Computer and Communications Security , 51–65.","chicago":"Alwen, Joel F, Peter Gazi, Chethan Kamath Hosdurg, Karen Klein, Georg F Osang, Krzysztof Z Pietrzak, Lenoid Reyzin, Michal Rolinek, and Michal Rybar. “On the Memory Hardness of Data Independent Password Hashing Functions.” In Proceedings of the 2018 on Asia Conference on Computer and Communication Security, 51–65. ACM, 2018. https://doi.org/10.1145/3196494.3196534.","apa":"Alwen, J. F., Gazi, P., Kamath Hosdurg, C., Klein, K., Osang, G. F., Pietrzak, K. Z., … Rybar, M. (2018). On the memory hardness of data independent password hashing functions. In Proceedings of the 2018 on Asia Conference on Computer and Communication Security (pp. 51–65). Incheon, Republic of Korea: ACM. https://doi.org/10.1145/3196494.3196534","ama":"Alwen JF, Gazi P, Kamath Hosdurg C, et al. On the memory hardness of data independent password hashing functions. In: Proceedings of the 2018 on Asia Conference on Computer and Communication Security. ACM; 2018:51-65. doi:10.1145/3196494.3196534","ieee":"J. F. Alwen et al., “On the memory hardness of data independent password hashing functions,” in Proceedings of the 2018 on Asia Conference on Computer and Communication Security, Incheon, Republic of Korea, 2018, pp. 51–65.","short":"J.F. Alwen, P. Gazi, C. Kamath Hosdurg, K. Klein, G.F. Osang, K.Z. Pietrzak, L. Reyzin, M. Rolinek, M. Rybar, in:, Proceedings of the 2018 on Asia Conference on Computer and Communication Security, ACM, 2018, pp. 51–65.","mla":"Alwen, Joel F., et al. “On the Memory Hardness of Data Independent Password Hashing Functions.” Proceedings of the 2018 on Asia Conference on Computer and Communication Security, ACM, 2018, pp. 51–65, doi:10.1145/3196494.3196534."},"publisher":"ACM","quality_controlled":"1","oa":1,"acknowledgement":"Leonid Reyzin was supported in part by IST Austria and by US NSF grants 1012910, 1012798, and 1422965; this research was performed while he was visiting IST Austria.","doi":"10.1145/3196494.3196534","date_published":"2018-06-01T00:00:00Z","date_created":"2018-12-11T11:45:07Z","page":"51 - 65","day":"01","publication":"Proceedings of the 2018 on Asia Conference on Computer and Communication Security","isi":1,"year":"2018"},{"date_updated":"2023-09-13T09:12:04Z","department":[{"_id":"KrPi"}],"_id":"300","conference":{"name":"Eurocrypt: Advances in Cryptology","start_date":"2018-04-29","location":"Tel Aviv, Israel","end_date":"2018-05-03"},"type":"conference","status":"public","publication_status":"published","language":[{"iso":"eng"}],"ec_funded":1,"volume":10820,"abstract":[{"text":"We introduce a formal quantitative notion of “bit security” for a general type of cryptographic games (capturing both decision and search problems), aimed at capturing the intuition that a cryptographic primitive with k-bit security is as hard to break as an ideal cryptographic function requiring a brute force attack on a k-bit key space. Our new definition matches the notion of bit security commonly used by cryptographers and cryptanalysts when studying search (e.g., key recovery) problems, where the use of the traditional definition is well established. However, it produces a quantitatively different metric in the case of decision (indistinguishability) problems, where the use of (a straightforward generalization of) the traditional definition is more problematic and leads to a number of paradoxical situations or mismatches between theoretical/provable security and practical/common sense intuition. Key to our new definition is to consider adversaries that may explicitly declare failure of the attack. We support and justify the new definition by proving a number of technical results, including tight reductions between several standard cryptographic problems, a new hybrid theorem that preserves bit security, and an application to the security analysis of indistinguishability primitives making use of (approximate) floating point numbers. This is the first result showing that (standard precision) 53-bit floating point numbers can be used to achieve 100-bit security in the context of cryptographic primitives with general indistinguishability-based security definitions. Previous results of this type applied only to search problems, or special types of decision problems.","lang":"eng"}],"oa_version":"Submitted Version","main_file_link":[{"url":"https://eprint.iacr.org/2018/077","open_access":"1"}],"scopus_import":"1","alternative_title":["LNCS"],"intvolume":" 10820","month":"03","citation":{"mla":"Micciancio, Daniele, and Michael Walter. On the Bit Security of Cryptographic Primitives. Vol. 10820, Springer, 2018, pp. 3–28, doi:10.1007/978-3-319-78381-9_1.","ama":"Micciancio D, Walter M. On the bit security of cryptographic primitives. In: Vol 10820. Springer; 2018:3-28. doi:10.1007/978-3-319-78381-9_1","apa":"Micciancio, D., & Walter, M. (2018). On the bit security of cryptographic primitives (Vol. 10820, pp. 3–28). Presented at the Eurocrypt: Advances in Cryptology, Tel Aviv, Israel: Springer. https://doi.org/10.1007/978-3-319-78381-9_1","short":"D. Micciancio, M. Walter, in:, Springer, 2018, pp. 3–28.","ieee":"D. Micciancio and M. Walter, “On the bit security of cryptographic primitives,” presented at the Eurocrypt: Advances in Cryptology, Tel Aviv, Israel, 2018, vol. 10820, pp. 3–28.","chicago":"Micciancio, Daniele, and Michael Walter. “On the Bit Security of Cryptographic Primitives,” 10820:3–28. Springer, 2018. https://doi.org/10.1007/978-3-319-78381-9_1.","ista":"Micciancio D, Walter M. 2018. On the bit security of cryptographic primitives. Eurocrypt: Advances in Cryptology, LNCS, vol. 10820, 3–28."},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","article_processing_charge":"No","external_id":{"isi":["000517097500001"]},"publist_id":"7581","author":[{"last_name":"Micciancio","full_name":"Micciancio, Daniele","first_name":"Daniele"},{"orcid":"0000-0003-3186-2482","full_name":"Walter, Michael","last_name":"Walter","first_name":"Michael","id":"488F98B0-F248-11E8-B48F-1D18A9856A87"}],"title":"On the bit security of cryptographic primitives","project":[{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815","name":"Teaching Old Crypto New Tricks"}],"year":"2018","isi":1,"day":"31","page":"3 - 28","date_created":"2018-12-11T11:45:42Z","date_published":"2018-03-31T00:00:00Z","doi":"10.1007/978-3-319-78381-9_1","acknowledgement":"Research supported in part by the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under the SafeWare program. Opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views, position or policy of the Government. The second author was also supported by the European Research Council, ERC consolidator grant (682815 - TOCNeT).","oa":1,"publisher":"Springer","quality_controlled":"1"},{"department":[{"_id":"KrPi"}],"date_updated":"2023-09-18T09:29:33Z","status":"public","type":"conference","conference":{"name":"Eurocrypt: Advances in Cryptology","start_date":"2018-04-29","location":"Tel Aviv, Israel","end_date":"2018-05-03"},"_id":"302","volume":10821,"ec_funded":1,"language":[{"iso":"eng"}],"publication_status":"published","month":"05","intvolume":" 10821","alternative_title":["LNCS"],"scopus_import":"1","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2018/183.pdf"}],"oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"At ITCS 2013, Mahmoody, Moran and Vadhan [MMV13] introduce and construct publicly verifiable proofs of sequential work, which is a protocol for proving that one spent sequential computational work related to some statement. The original motivation for such proofs included non-interactive time-stamping and universally verifiable CPU benchmarks. A more recent application, and our main motivation, are blockchain designs, where proofs of sequential work can be used – in combination with proofs of space – as a more ecological and economical substitute for proofs of work which are currently used to secure Bitcoin and other cryptocurrencies. The construction proposed by [MMV13] is based on a hash function and can be proven secure in the random oracle model, or assuming inherently sequential hash-functions, which is a new standard model assumption introduced in their work. In a proof of sequential work, a prover gets a “statement” χ, a time parameter N and access to a hash-function H, which for the security proof is modelled as a random oracle. Correctness requires that an honest prover can make a verifier accept making only N queries to H, while soundness requires that any prover who makes the verifier accept must have made (almost) N sequential queries to H. Thus a solution constitutes a proof that N time passed since χ was received. Solutions must be publicly verifiable in time at most polylogarithmic in N. The construction of [MMV13] is based on “depth-robust” graphs, and as a consequence has rather poor concrete parameters. But the major drawback is that the prover needs not just N time, but also N space to compute a proof. In this work we propose a proof of sequential work which is much simpler, more efficient and achieves much better concrete bounds. Most importantly, the space required can be as small as log (N) (but we get better soundness using slightly more memory than that). An open problem stated by [MMV13] that our construction does not solve either is achieving a “unique” proof, where even a cheating prover can only generate a single accepting proof. This property would be extremely useful for applications to blockchains."}],"title":"Simple proofs of sequential work","author":[{"full_name":"Cohen, Bram","last_name":"Cohen","first_name":"Bram"},{"orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"}],"publist_id":"7579","article_processing_charge":"No","external_id":{"isi":["000517098700015"]},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"short":"B. Cohen, K.Z. Pietrzak, in:, Springer, 2018, pp. 451–467.","ieee":"B. Cohen and K. Z. Pietrzak, “Simple proofs of sequential work,” presented at the Eurocrypt: Advances in Cryptology, Tel Aviv, Israel, 2018, vol. 10821, pp. 451–467.","apa":"Cohen, B., & Pietrzak, K. Z. (2018). Simple proofs of sequential work (Vol. 10821, pp. 451–467). Presented at the Eurocrypt: Advances in Cryptology, Tel Aviv, Israel: Springer. https://doi.org/10.1007/978-3-319-78375-8_15","ama":"Cohen B, Pietrzak KZ. Simple proofs of sequential work. In: Vol 10821. Springer; 2018:451-467. doi:10.1007/978-3-319-78375-8_15","mla":"Cohen, Bram, and Krzysztof Z. Pietrzak. Simple Proofs of Sequential Work. Vol. 10821, Springer, 2018, pp. 451–67, doi:10.1007/978-3-319-78375-8_15.","ista":"Cohen B, Pietrzak KZ. 2018. Simple proofs of sequential work. Eurocrypt: Advances in Cryptology, LNCS, vol. 10821, 451–467.","chicago":"Cohen, Bram, and Krzysztof Z Pietrzak. “Simple Proofs of Sequential Work,” 10821:451–67. Springer, 2018. https://doi.org/10.1007/978-3-319-78375-8_15."},"project":[{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}],"doi":"10.1007/978-3-319-78375-8_15","date_published":"2018-05-29T00:00:00Z","date_created":"2018-12-11T11:45:42Z","page":"451 - 467","day":"29","isi":1,"year":"2018","quality_controlled":"1","publisher":"Springer","oa":1},{"publisher":"Springer","quality_controlled":"1","oa":1,"doi":"10.1007/978-3-319-78375-8_4","date_published":"2018-03-31T00:00:00Z","date_created":"2018-12-11T11:45:41Z","page":"99 - 130","day":"31","isi":1,"year":"2018","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","grant_number":"682815","name":"Teaching Old Crypto New Tricks"}],"title":"Sustained space complexity","author":[{"first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","full_name":"Alwen, Joel F","last_name":"Alwen"},{"full_name":"Blocki, Jeremiah","last_name":"Blocki","first_name":"Jeremiah"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"}],"publist_id":"7583","external_id":{"isi":["000517098700004"],"arxiv":["1705.05313"]},"article_processing_charge":"No","user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"mla":"Alwen, Joel F., et al. Sustained Space Complexity. Vol. 10821, Springer, 2018, pp. 99–130, doi:10.1007/978-3-319-78375-8_4.","ieee":"J. F. Alwen, J. Blocki, and K. Z. Pietrzak, “Sustained space complexity,” presented at the Eurocrypt 2018: Advances in Cryptology, Tel Aviv, Israel, 2018, vol. 10821, pp. 99–130.","short":"J.F. Alwen, J. Blocki, K.Z. Pietrzak, in:, Springer, 2018, pp. 99–130.","apa":"Alwen, J. F., Blocki, J., & Pietrzak, K. Z. (2018). Sustained space complexity (Vol. 10821, pp. 99–130). Presented at the Eurocrypt 2018: Advances in Cryptology, Tel Aviv, Israel: Springer. https://doi.org/10.1007/978-3-319-78375-8_4","ama":"Alwen JF, Blocki J, Pietrzak KZ. Sustained space complexity. In: Vol 10821. Springer; 2018:99-130. doi:10.1007/978-3-319-78375-8_4","chicago":"Alwen, Joel F, Jeremiah Blocki, and Krzysztof Z Pietrzak. “Sustained Space Complexity,” 10821:99–130. Springer, 2018. https://doi.org/10.1007/978-3-319-78375-8_4.","ista":"Alwen JF, Blocki J, Pietrzak KZ. 2018. Sustained space complexity. Eurocrypt 2018: Advances in Cryptology, LNCS, vol. 10821, 99–130."},"month":"03","intvolume":" 10821","alternative_title":["LNCS"],"scopus_import":"1","main_file_link":[{"open_access":"1","url":"https://arxiv.org/abs/1705.05313"}],"oa_version":"Preprint","abstract":[{"lang":"eng","text":"Memory-hard functions (MHF) are functions whose evaluation cost is dominated by memory cost. MHFs are egalitarian, in the sense that evaluating them on dedicated hardware (like FPGAs or ASICs) is not much cheaper than on off-the-shelf hardware (like x86 CPUs). MHFs have interesting cryptographic applications, most notably to password hashing and securing blockchains.\r\n\r\nAlwen and Serbinenko [STOC’15] define the cumulative memory complexity (cmc) of a function as the sum (over all time-steps) of the amount of memory required to compute the function. They advocate that a good MHF must have high cmc. Unlike previous notions, cmc takes into account that dedicated hardware might exploit amortization and parallelism. Still, cmc has been critizised as insufficient, as it fails to capture possible time-memory trade-offs; as memory cost doesn’t scale linearly, functions with the same cmc could still have very different actual hardware cost.\r\n\r\nIn this work we address this problem, and introduce the notion of sustained-memory complexity, which requires that any algorithm evaluating the function must use a large amount of memory for many steps. We construct functions (in the parallel random oracle model) whose sustained-memory complexity is almost optimal: our function can be evaluated using n steps and O(n/log(n)) memory, in each step making one query to the (fixed-input length) random oracle, while any algorithm that can make arbitrary many parallel queries to the random oracle, still needs Ω(n/log(n)) memory for Ω(n) steps.\r\n\r\nAs has been done for various notions (including cmc) before, we reduce the task of constructing an MHFs with high sustained-memory complexity to proving pebbling lower bounds on DAGs. Our main technical contribution is the construction is a family of DAGs on n nodes with constant indegree with high “sustained-space complexity”, meaning that any parallel black-pebbling strategy requires Ω(n/log(n)) pebbles for at least Ω(n) steps.\r\n\r\nAlong the way we construct a family of maximally “depth-robust” DAGs with maximum indegree O(logn) , improving upon the construction of Mahmoody et al. [ITCS’13] which had maximum indegree O(log2n⋅"}],"volume":10821,"ec_funded":1,"language":[{"iso":"eng"}],"publication_status":"published","status":"public","type":"conference","conference":{"start_date":"2018-04-29","end_date":"2018-05-03","location":"Tel Aviv, Israel","name":"Eurocrypt 2018: Advances in Cryptology"},"_id":"298","department":[{"_id":"KrPi"}],"date_updated":"2023-09-19T09:59:30Z"},{"page":"17-47","date_created":"2019-02-13T13:49:41Z","doi":"10.3934/amc.2018002","issue":"1","volume":12,"date_published":"2018-02-01T00:00:00Z","year":"2018","publication_status":"published","isi":1,"language":[{"iso":"eng"}],"publication":"American Institute of Mathematical Sciences","day":"01","scopus_import":"1","quality_controlled":"1","publisher":"AIMS","intvolume":" 12","month":"02","abstract":[{"lang":"eng","text":"The problem of private set-intersection (PSI) has been traditionally treated as an instance of the more general problem of multi-party computation (MPC). Consequently, in order to argue security, or compose these protocols one has to rely on the general theory that was developed for the purpose of MPC. The pursuit of efficient protocols, however, has resulted in designs that exploit properties pertaining to PSI. In almost all practical applications where a PSI protocol is deployed, it is expected to be executed multiple times, possibly on related inputs. In this work we initiate a dedicated study of PSI in the multi-interaction (MI) setting. In this model a server sets up the common system parameters and executes set-intersection multiple times with potentially different clients. We discuss a few attacks that arise when protocols are naïvely composed in this manner and, accordingly, craft security definitions for the MI setting and study their inter-relation. Finally, we suggest a set of protocols that are MI-secure, at the same time almost as efficient as their parent, stand-alone, protocols."}],"oa_version":"None","external_id":{"isi":["000430950400002"]},"article_processing_charge":"No","author":[{"first_name":"Sanjit","last_name":"Chatterjee","full_name":"Chatterjee, Sanjit"},{"first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","last_name":"Kamath Hosdurg","full_name":"Kamath Hosdurg, Chethan"},{"last_name":"Kumar","full_name":"Kumar, Vikas","first_name":"Vikas"}],"department":[{"_id":"KrPi"}],"title":"Private set-intersection with common set-up","citation":{"apa":"Chatterjee, S., Kamath Hosdurg, C., & Kumar, V. (2018). Private set-intersection with common set-up. American Institute of Mathematical Sciences. AIMS. https://doi.org/10.3934/amc.2018002","ama":"Chatterjee S, Kamath Hosdurg C, Kumar V. Private set-intersection with common set-up. American Institute of Mathematical Sciences. 2018;12(1):17-47. doi:10.3934/amc.2018002","short":"S. Chatterjee, C. Kamath Hosdurg, V. Kumar, American Institute of Mathematical Sciences 12 (2018) 17–47.","ieee":"S. Chatterjee, C. Kamath Hosdurg, and V. Kumar, “Private set-intersection with common set-up,” American Institute of Mathematical Sciences, vol. 12, no. 1. AIMS, pp. 17–47, 2018.","mla":"Chatterjee, Sanjit, et al. “Private Set-Intersection with Common Set-Up.” American Institute of Mathematical Sciences, vol. 12, no. 1, AIMS, 2018, pp. 17–47, doi:10.3934/amc.2018002.","ista":"Chatterjee S, Kamath Hosdurg C, Kumar V. 2018. Private set-intersection with common set-up. American Institute of Mathematical Sciences. 12(1), 17–47.","chicago":"Chatterjee, Sanjit, Chethan Kamath Hosdurg, and Vikas Kumar. “Private Set-Intersection with Common Set-Up.” American Institute of Mathematical Sciences. AIMS, 2018. https://doi.org/10.3934/amc.2018002."},"date_updated":"2023-09-19T14:27:59Z","user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","type":"journal_article","status":"public","_id":"5980"},{"author":[{"last_name":"Park","full_name":"Park, Sunoo","first_name":"Sunoo"},{"first_name":"Albert","last_name":"Kwon","full_name":"Kwon, Albert"},{"first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg"},{"first_name":"Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","full_name":"Gazi, Peter","last_name":"Gazi"},{"full_name":"Alwen, Joel F","last_name":"Alwen","first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654"}],"article_processing_charge":"No","external_id":{"isi":["000540656400026"]},"title":"SpaceMint: A cryptocurrency based on proofs of space","citation":{"short":"S. Park, A. Kwon, G. Fuchsbauer, P. Gazi, J.F. Alwen, K.Z. Pietrzak, in:, 22nd International Conference on Financial Cryptography and Data Security, Springer Nature, 2018, pp. 480–499.","ieee":"S. Park, A. Kwon, G. Fuchsbauer, P. Gazi, J. F. Alwen, and K. Z. Pietrzak, “SpaceMint: A cryptocurrency based on proofs of space,” in 22nd International Conference on Financial Cryptography and Data Security, Nieuwpoort, Curacao, 2018, vol. 10957, pp. 480–499.","ama":"Park S, Kwon A, Fuchsbauer G, Gazi P, Alwen JF, Pietrzak KZ. SpaceMint: A cryptocurrency based on proofs of space. In: 22nd International Conference on Financial Cryptography and Data Security. Vol 10957. Springer Nature; 2018:480-499. doi:10.1007/978-3-662-58387-6_26","apa":"Park, S., Kwon, A., Fuchsbauer, G., Gazi, P., Alwen, J. F., & Pietrzak, K. Z. (2018). SpaceMint: A cryptocurrency based on proofs of space. In 22nd International Conference on Financial Cryptography and Data Security (Vol. 10957, pp. 480–499). Nieuwpoort, Curacao: Springer Nature. https://doi.org/10.1007/978-3-662-58387-6_26","mla":"Park, Sunoo, et al. “SpaceMint: A Cryptocurrency Based on Proofs of Space.” 22nd International Conference on Financial Cryptography and Data Security, vol. 10957, Springer Nature, 2018, pp. 480–99, doi:10.1007/978-3-662-58387-6_26.","ista":"Park S, Kwon A, Fuchsbauer G, Gazi P, Alwen JF, Pietrzak KZ. 2018. SpaceMint: A cryptocurrency based on proofs of space. 22nd International Conference on Financial Cryptography and Data Security. FC: Financial Cryptography and Data Security, LNCS, vol. 10957, 480–499.","chicago":"Park, Sunoo, Albert Kwon, Georg Fuchsbauer, Peter Gazi, Joel F Alwen, and Krzysztof Z Pietrzak. “SpaceMint: A Cryptocurrency Based on Proofs of Space.” In 22nd International Conference on Financial Cryptography and Data Security, 10957:480–99. Springer Nature, 2018. https://doi.org/10.1007/978-3-662-58387-6_26."},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"page":"480-499","date_published":"2018-12-07T00:00:00Z","doi":"10.1007/978-3-662-58387-6_26","date_created":"2019-10-14T06:35:38Z","isi":1,"year":"2018","day":"07","publication":"22nd International Conference on Financial Cryptography and Data Security","publisher":"Springer Nature","quality_controlled":"1","oa":1,"department":[{"_id":"KrPi"}],"date_updated":"2023-09-19T15:02:13Z","type":"conference","conference":{"start_date":"2018-02-26","end_date":"2018-03-02","location":"Nieuwpoort, Curacao","name":"FC: Financial Cryptography and Data Security"},"status":"public","_id":"6941","volume":10957,"ec_funded":1,"publication_identifier":{"issn":["0302-9743"],"eissn":["1611-3349"],"isbn":["9783662583869","9783662583876"]},"publication_status":"published","language":[{"iso":"eng"}],"alternative_title":["LNCS"],"scopus_import":"1","main_file_link":[{"url":"https://eprint.iacr.org/2015/528","open_access":"1"}],"month":"12","intvolume":" 10957","abstract":[{"text":"Bitcoin has become the most successful cryptocurrency ever deployed, and its most distinctive feature is that it is decentralized. Its underlying protocol (Nakamoto consensus) achieves this by using proof of work, which has the drawback that it causes the consumption of vast amounts of energy to maintain the ledger. Moreover, Bitcoin mining dynamics have become less distributed over time.\r\n\r\nTowards addressing these issues, we propose SpaceMint, a cryptocurrency based on proofs of space instead of proofs of work. Miners in SpaceMint dedicate disk space rather than computation. We argue that SpaceMint’s design solves or alleviates several of Bitcoin’s issues: most notably, its large energy consumption. SpaceMint also rewards smaller miners fairly according to their contribution to the network, thus incentivizing more distributed participation.\r\n\r\nThis paper adapts proof of space to enable its use in cryptocurrency, studies the attacks that can arise against a Bitcoin-like blockchain that uses proof of space, and proposes a new blockchain format and transaction types to address these attacks. Our prototype shows that initializing 1 TB for mining takes about a day (a one-off setup cost), and miners spend on average just a fraction of a second per block mined. Finally, we provide a game-theoretic analysis modeling SpaceMint as an extensive game (the canonical game-theoretic notion for games that take place over time) and show that this stylized game satisfies a strong equilibrium notion, thereby arguing for SpaceMint ’s stability and consensus.","lang":"eng"}],"oa_version":"Submitted Version"},{"oa":1,"quality_controlled":"1","publisher":"Schloss Dagstuhl - Leibniz-Zentrum für Informatik","year":"2017","has_accepted_license":"1","day":"01","page":"38:1-38-21","date_created":"2018-12-11T11:50:33Z","date_published":"2017-01-01T00:00:00Z","doi":"10.4230/LIPIcs.ITCS.2017.38","citation":{"ista":"Alwen JF, De Rezende S, Nordstrom J, Vinyals M. 2017. Cumulative space in black-white pebbling and resolution. ITCS: Innovations in Theoretical Computer Science, LIPIcs, vol. 67, 38:1-38-21.","chicago":"Alwen, Joel F, Susanna De Rezende, Jakob Nordstrom, and Marc Vinyals. “Cumulative Space in Black-White Pebbling and Resolution.” edited by Christos Papadimitriou, 67:38:1-38-21. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017. https://doi.org/10.4230/LIPIcs.ITCS.2017.38.","ieee":"J. F. Alwen, S. De Rezende, J. Nordstrom, and M. Vinyals, “Cumulative space in black-white pebbling and resolution,” presented at the ITCS: Innovations in Theoretical Computer Science, Berkeley, CA, United States, 2017, vol. 67, p. 38:1-38-21.","short":"J.F. Alwen, S. De Rezende, J. Nordstrom, M. Vinyals, in:, C. Papadimitriou (Ed.), Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, p. 38:1-38-21.","ama":"Alwen JF, De Rezende S, Nordstrom J, Vinyals M. Cumulative space in black-white pebbling and resolution. In: Papadimitriou C, ed. Vol 67. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2017:38:1-38-21. doi:10.4230/LIPIcs.ITCS.2017.38","apa":"Alwen, J. F., De Rezende, S., Nordstrom, J., & Vinyals, M. (2017). Cumulative space in black-white pebbling and resolution. In C. Papadimitriou (Ed.) (Vol. 67, p. 38:1-38-21). Presented at the ITCS: Innovations in Theoretical Computer Science, Berkeley, CA, United States: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. https://doi.org/10.4230/LIPIcs.ITCS.2017.38","mla":"Alwen, Joel F., et al. Cumulative Space in Black-White Pebbling and Resolution. Edited by Christos Papadimitriou, vol. 67, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, p. 38:1-38-21, doi:10.4230/LIPIcs.ITCS.2017.38."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","author":[{"id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F","last_name":"Alwen","full_name":"Alwen, Joel F"},{"first_name":"Susanna","full_name":"De Rezende, Susanna","last_name":"De Rezende"},{"last_name":"Nordstrom","full_name":"Nordstrom, Jakob","first_name":"Jakob"},{"first_name":"Marc","full_name":"Vinyals, Marc","last_name":"Vinyals"}],"publist_id":"6179","editor":[{"first_name":"Christos","full_name":"Papadimitriou, Christos","last_name":"Papadimitriou"}],"title":"Cumulative space in black-white pebbling and resolution","abstract":[{"lang":"eng","text":"We study space complexity and time-space trade-offs with a focus not on peak memory usage but on overall memory consumption throughout the computation. Such a cumulative space measure was introduced for the computational model of parallel black pebbling by [Alwen and Serbinenko ’15] as a tool for obtaining results in cryptography. We consider instead the non- deterministic black-white pebble game and prove optimal cumulative space lower bounds and trade-offs, where in order to minimize pebbling time the space has to remain large during a significant fraction of the pebbling. We also initiate the study of cumulative space in proof complexity, an area where other space complexity measures have been extensively studied during the last 10–15 years. Using and extending the connection between proof complexity and pebble games in [Ben-Sasson and Nordström ’08, ’11] we obtain several strong cumulative space results for (even parallel versions of) the resolution proof system, and outline some possible future directions of study of this, in our opinion, natural and interesting space measure."}],"oa_version":"Published Version","alternative_title":["LIPIcs"],"scopus_import":1,"intvolume":" 67","month":"01","publication_status":"published","publication_identifier":{"issn":["18688969"]},"language":[{"iso":"eng"}],"file":[{"file_name":"IST-2018-927-v1+1_LIPIcs-ITCS-2017-38.pdf","date_created":"2018-12-12T10:17:11Z","file_size":557769,"date_updated":"2020-07-14T12:44:37Z","creator":"system","checksum":"dbc94810be07c2fb1945d5c2a6130e6c","file_id":"5263","content_type":"application/pdf","relation":"main_file","access_level":"open_access"}],"volume":67,"_id":"1175","conference":{"start_date":"2017-01-09","location":"Berkeley, CA, United States","end_date":"2017-01-11","name":"ITCS: Innovations in Theoretical Computer Science"},"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"type":"conference","pubrep_id":"927","status":"public","date_updated":"2021-01-12T06:48:51Z","ddc":["005","600"],"department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:44:37Z"},{"oa":1,"quality_controlled":"1","publisher":"Springer","page":"56 - 81","date_created":"2018-12-11T11:47:27Z","doi":"10.1007/978-3-319-70500-2_3","date_published":"2017-11-05T00:00:00Z","year":"2017","day":"05","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}],"author":[{"full_name":"Brody, Joshua","last_name":"Brody","first_name":"Joshua"},{"full_name":"Dziembowski, Stefan","last_name":"Dziembowski","first_name":"Stefan"},{"first_name":"Sebastian","full_name":"Faust, Sebastian","last_name":"Faust"},{"orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"}],"publist_id":"7200","title":"Position based cryptography and multiparty communication complexity","editor":[{"first_name":"Yael","full_name":"Kalai, Yael","last_name":"Kalai"},{"first_name":"Leonid","last_name":"Reyzin","full_name":"Reyzin, Leonid"}],"citation":{"ista":"Brody J, Dziembowski S, Faust S, Pietrzak KZ. 2017. Position based cryptography and multiparty communication complexity. TCC: Theory of Cryptography Conference, LNCS, vol. 10677, 56–81.","chicago":"Brody, Joshua, Stefan Dziembowski, Sebastian Faust, and Krzysztof Z Pietrzak. “Position Based Cryptography and Multiparty Communication Complexity.” edited by Yael Kalai and Leonid Reyzin, 10677:56–81. Springer, 2017. https://doi.org/10.1007/978-3-319-70500-2_3.","short":"J. Brody, S. Dziembowski, S. Faust, K.Z. Pietrzak, in:, Y. Kalai, L. Reyzin (Eds.), Springer, 2017, pp. 56–81.","ieee":"J. Brody, S. Dziembowski, S. Faust, and K. Z. Pietrzak, “Position based cryptography and multiparty communication complexity,” presented at the TCC: Theory of Cryptography Conference, Baltimore, MD, United States, 2017, vol. 10677, pp. 56–81.","apa":"Brody, J., Dziembowski, S., Faust, S., & Pietrzak, K. Z. (2017). Position based cryptography and multiparty communication complexity. In Y. Kalai & L. Reyzin (Eds.) (Vol. 10677, pp. 56–81). Presented at the TCC: Theory of Cryptography Conference, Baltimore, MD, United States: Springer. https://doi.org/10.1007/978-3-319-70500-2_3","ama":"Brody J, Dziembowski S, Faust S, Pietrzak KZ. Position based cryptography and multiparty communication complexity. In: Kalai Y, Reyzin L, eds. Vol 10677. Springer; 2017:56-81. doi:10.1007/978-3-319-70500-2_3","mla":"Brody, Joshua, et al. Position Based Cryptography and Multiparty Communication Complexity. Edited by Yael Kalai and Leonid Reyzin, vol. 10677, Springer, 2017, pp. 56–81, doi:10.1007/978-3-319-70500-2_3."},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2016/536"}],"alternative_title":["LNCS"],"scopus_import":1,"intvolume":" 10677","month":"11","abstract":[{"lang":"eng","text":"Position based cryptography (PBC), proposed in the seminal work of Chandran, Goyal, Moriarty, and Ostrovsky (SIAM J. Computing, 2014), aims at constructing cryptographic schemes in which the identity of the user is his geographic position. Chandran et al. construct PBC schemes for secure positioning and position-based key agreement in the bounded-storage model (Maurer, J. Cryptology, 1992). Apart from bounded memory, their security proofs need a strong additional restriction on the power of the adversary: he cannot compute joint functions of his inputs. Removing this assumption is left as an open problem. We show that an answer to this question would resolve a long standing open problem in multiparty communication complexity: finding a function that is hard to compute with low communication complexity in the simultaneous message model, but easy to compute in the fully adaptive model. On a more positive side: we also show some implications in the other direction, i.e.: we prove that lower bounds on the communication complexity of certain multiparty problems imply existence of PBC primitives. Using this result we then show two attractive ways to “bypass” our hardness result: the first uses the random oracle model, the second weakens the locality requirement in the bounded-storage model to online computability. The random oracle construction is arguably one of the simplest proposed so far in this area. Our results indicate that constructing improved provably secure protocols for PBC requires a better understanding of multiparty communication complexity. This is yet another example where negative results in one area (in our case: lower bounds in multiparty communication complexity) can be used to construct secure cryptographic schemes."}],"oa_version":"Submitted Version","ec_funded":1,"volume":10677,"publication_status":"published","publication_identifier":{"isbn":["978-331970499-9"]},"language":[{"iso":"eng"}],"conference":{"end_date":"2017-11-15","location":"Baltimore, MD, United States","start_date":"2017-11-12","name":"TCC: Theory of Cryptography Conference"},"type":"conference","status":"public","_id":"605","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T08:05:53Z"},{"citation":{"apa":"Alwen, J. F., & Tackmann, B. (2017). Moderately hard functions: Definition, instantiations, and applications. In Y. Kalai & L. Reyzin (Eds.) (Vol. 10677, pp. 493–526). Presented at the TCC: Theory of Cryptography, Baltimore, MD, United States: Springer. https://doi.org/10.1007/978-3-319-70500-2_17","ama":"Alwen JF, Tackmann B. Moderately hard functions: Definition, instantiations, and applications. In: Kalai Y, Reyzin L, eds. Vol 10677. Springer; 2017:493-526. doi:10.1007/978-3-319-70500-2_17","short":"J.F. Alwen, B. Tackmann, in:, Y. Kalai, L. Reyzin (Eds.), Springer, 2017, pp. 493–526.","ieee":"J. F. Alwen and B. Tackmann, “Moderately hard functions: Definition, instantiations, and applications,” presented at the TCC: Theory of Cryptography, Baltimore, MD, United States, 2017, vol. 10677, pp. 493–526.","mla":"Alwen, Joel F., and Björn Tackmann. Moderately Hard Functions: Definition, Instantiations, and Applications. Edited by Yael Kalai and Leonid Reyzin, vol. 10677, Springer, 2017, pp. 493–526, doi:10.1007/978-3-319-70500-2_17.","ista":"Alwen JF, Tackmann B. 2017. Moderately hard functions: Definition, instantiations, and applications. TCC: Theory of Cryptography, LNCS, vol. 10677, 493–526.","chicago":"Alwen, Joel F, and Björn Tackmann. “Moderately Hard Functions: Definition, Instantiations, and Applications.” edited by Yael Kalai and Leonid Reyzin, 10677:493–526. Springer, 2017. https://doi.org/10.1007/978-3-319-70500-2_17."},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","publist_id":"7196","author":[{"last_name":"Alwen","full_name":"Alwen, Joel F","first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Tackmann","full_name":"Tackmann, Björn","first_name":"Björn"}],"editor":[{"first_name":"Yael","full_name":"Kalai, Yael","last_name":"Kalai"},{"last_name":"Reyzin","full_name":"Reyzin, Leonid","first_name":"Leonid"}],"title":"Moderately hard functions: Definition, instantiations, and applications","quality_controlled":"1","publisher":"Springer","oa":1,"year":"2017","day":"05","page":"493 - 526","doi":"10.1007/978-3-319-70500-2_17","date_published":"2017-11-05T00:00:00Z","date_created":"2018-12-11T11:47:28Z","_id":"609","type":"conference","conference":{"name":"TCC: Theory of Cryptography","start_date":"2017-11-12","location":"Baltimore, MD, United States","end_date":"2017-11-15"},"status":"public","date_updated":"2021-01-12T08:06:04Z","department":[{"_id":"KrPi"}],"abstract":[{"text":"Several cryptographic schemes and applications are based on functions that are both reasonably efficient to compute and moderately hard to invert, including client puzzles for Denial-of-Service protection, password protection via salted hashes, or recent proof-of-work blockchain systems. Despite their wide use, a definition of this concept has not yet been distilled and formalized explicitly. Instead, either the applications are proven directly based on the assumptions underlying the function, or some property of the function is proven, but the security of the application is argued only informally. The goal of this work is to provide a (universal) definition that decouples the efforts of designing new moderately hard functions and of building protocols based on them, serving as an interface between the two. On a technical level, beyond the mentioned definitions, we instantiate the model for four different notions of hardness. We extend the work of Alwen and Serbinenko (STOC 2015) by providing a general tool for proving security for the first notion of memory-hard functions that allows for provably secure applications. The tool allows us to recover all of the graph-theoretic techniques developed for proving security under the older, non-composable, notion of security used by Alwen and Serbinenko. As an application of our definition of moderately hard functions, we prove the security of two different schemes for proofs of effort (PoE). We also formalize and instantiate the concept of a non-interactive proof of effort (niPoE), in which the proof is not bound to a particular communication context but rather any bit-string chosen by the prover.","lang":"eng"}],"oa_version":"Submitted Version","scopus_import":1,"alternative_title":["LNCS"],"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2017/945"}],"month":"11","intvolume":" 10677","publication_identifier":{"isbn":["978-331970499-9"]},"publication_status":"published","language":[{"iso":"eng"}],"volume":10677},{"_id":"635","conference":{"location":"Paris, France","end_date":"2017-05-04","start_date":"2017-04-30","name":"EUROCRYPT: Theory and Applications of Cryptographic Techniques"},"type":"conference","status":"public","date_updated":"2021-01-12T08:07:10Z","department":[{"_id":"KrPi"}],"abstract":[{"lang":"eng","text":"Memory-hard functions (MHFs) are hash algorithms whose evaluation cost is dominated by memory cost. As memory, unlike computation, costs about the same across different platforms, MHFs cannot be evaluated at significantly lower cost on dedicated hardware like ASICs. MHFs have found widespread applications including password hashing, key derivation, and proofs-of-work. This paper focuses on scrypt, a simple candidate MHF designed by Percival, and described in RFC 7914. It has been used within a number of cryptocurrencies (e.g., Litecoin and Dogecoin) and has been an inspiration for Argon2d, one of the winners of the recent password-hashing competition. Despite its popularity, no rigorous lower bounds on its memory complexity are known. We prove that scrypt is optimally memory-hard, i.e., its cumulative memory complexity (cmc) in the parallel random oracle model is Ω(n2w), where w and n are the output length and number of invocations of the underlying hash function, respectively. High cmc is a strong security target for MHFs introduced by Alwen and Serbinenko (STOC’15) which implies high memory cost even for adversaries who can amortize the cost over many evaluations and evaluate the underlying hash functions many times in parallel. Our proof is the first showing optimal memory-hardness for any MHF. Our result improves both quantitatively and qualitatively upon the recent work by Alwen et al. (EUROCRYPT’16) who proved a weaker lower bound of Ω(n2w/ log2 n) for a restricted class of adversaries."}],"oa_version":"Submitted Version","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2016/989"}],"scopus_import":1,"alternative_title":["LNCS"],"intvolume":" 10212","month":"01","publication_status":"published","publication_identifier":{"isbn":["978-331956616-0"]},"language":[{"iso":"eng"}],"ec_funded":1,"volume":10212,"project":[{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}],"citation":{"ista":"Alwen JF, Chen B, Pietrzak KZ, Reyzin L, Tessaro S. 2017. Scrypt is maximally memory hard. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 10212, 33–62.","chicago":"Alwen, Joel F, Binchi Chen, Krzysztof Z Pietrzak, Leonid Reyzin, and Stefano Tessaro. “Scrypt Is Maximally Memory Hard.” edited by Jean-Sébastien Coron and Jesper Buus Nielsen, 10212:33–62. Springer, 2017. https://doi.org/10.1007/978-3-319-56617-7_2.","ieee":"J. F. Alwen, B. Chen, K. Z. Pietrzak, L. Reyzin, and S. Tessaro, “Scrypt is maximally memory hard,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Paris, France, 2017, vol. 10212, pp. 33–62.","short":"J.F. Alwen, B. Chen, K.Z. Pietrzak, L. Reyzin, S. Tessaro, in:, J.-S. Coron, J. Buus Nielsen (Eds.), Springer, 2017, pp. 33–62.","apa":"Alwen, J. F., Chen, B., Pietrzak, K. Z., Reyzin, L., & Tessaro, S. (2017). Scrypt is maximally memory hard. In J.-S. Coron & J. Buus Nielsen (Eds.) (Vol. 10212, pp. 33–62). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Paris, France: Springer. https://doi.org/10.1007/978-3-319-56617-7_2","ama":"Alwen JF, Chen B, Pietrzak KZ, Reyzin L, Tessaro S. Scrypt is maximally memory hard. In: Coron J-S, Buus Nielsen J, eds. Vol 10212. Springer; 2017:33-62. doi:10.1007/978-3-319-56617-7_2","mla":"Alwen, Joel F., et al. Scrypt Is Maximally Memory Hard. Edited by Jean-Sébastien Coron and Jesper Buus Nielsen, vol. 10212, Springer, 2017, pp. 33–62, doi:10.1007/978-3-319-56617-7_2."},"user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","author":[{"id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F","last_name":"Alwen","full_name":"Alwen, Joel F"},{"first_name":"Binchi","full_name":"Chen, Binchi","last_name":"Chen"},{"full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Reyzin, Leonid","last_name":"Reyzin","first_name":"Leonid"},{"last_name":"Tessaro","full_name":"Tessaro, Stefano","first_name":"Stefano"}],"publist_id":"7154","title":"Scrypt is maximally memory hard","editor":[{"first_name":"Jean-Sébastien","full_name":"Coron, Jean-Sébastien","last_name":"Coron"},{"first_name":"Jesper","last_name":"Buus Nielsen","full_name":"Buus Nielsen, Jesper"}],"oa":1,"quality_controlled":"1","publisher":"Springer","year":"2017","day":"01","page":"33 - 62","date_created":"2018-12-11T11:47:37Z","date_published":"2017-01-01T00:00:00Z","doi":"10.1007/978-3-319-56617-7_2"},{"oa":1,"quality_controlled":"1","publisher":"Springer","year":"2017","day":"01","page":"3 - 32","date_created":"2018-12-11T11:47:39Z","doi":"10.1007/978-3-319-56617-7_1","date_published":"2017-04-01T00:00:00Z","project":[{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}],"citation":{"ista":"Alwen JF, Blocki J, Pietrzak KZ. 2017. Depth-robust graphs and their cumulative memory complexity. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 10212, 3–32.","chicago":"Alwen, Joel F, Jeremiah Blocki, and Krzysztof Z Pietrzak. “Depth-Robust Graphs and Their Cumulative Memory Complexity.” edited by Jean-Sébastien Coron and Jesper Buus Nielsen, 10212:3–32. Springer, 2017. https://doi.org/10.1007/978-3-319-56617-7_1.","ama":"Alwen JF, Blocki J, Pietrzak KZ. Depth-robust graphs and their cumulative memory complexity. In: Coron J-S, Buus Nielsen J, eds. Vol 10212. Springer; 2017:3-32. doi:10.1007/978-3-319-56617-7_1","apa":"Alwen, J. F., Blocki, J., & Pietrzak, K. Z. (2017). Depth-robust graphs and their cumulative memory complexity. In J.-S. Coron & J. Buus Nielsen (Eds.) (Vol. 10212, pp. 3–32). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Paris, France: Springer. https://doi.org/10.1007/978-3-319-56617-7_1","ieee":"J. F. Alwen, J. Blocki, and K. Z. Pietrzak, “Depth-robust graphs and their cumulative memory complexity,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Paris, France, 2017, vol. 10212, pp. 3–32.","short":"J.F. Alwen, J. Blocki, K.Z. Pietrzak, in:, J.-S. Coron, J. Buus Nielsen (Eds.), Springer, 2017, pp. 3–32.","mla":"Alwen, Joel F., et al. Depth-Robust Graphs and Their Cumulative Memory Complexity. Edited by Jean-Sébastien Coron and Jesper Buus Nielsen, vol. 10212, Springer, 2017, pp. 3–32, doi:10.1007/978-3-319-56617-7_1."},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","publist_id":"7148","author":[{"full_name":"Alwen, Joel F","last_name":"Alwen","first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Blocki","full_name":"Blocki, Jeremiah","first_name":"Jeremiah"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"}],"editor":[{"first_name":"Jean-Sébastien","last_name":"Coron","full_name":"Coron, Jean-Sébastien"},{"first_name":"Jesper","full_name":"Buus Nielsen, Jesper","last_name":"Buus Nielsen"}],"title":"Depth-robust graphs and their cumulative memory complexity","abstract":[{"text":"Data-independent Memory Hard Functions (iMHFS) are finding a growing number of applications in security; especially in the domain of password hashing. An important property of a concrete iMHF is specified by fixing a directed acyclic graph (DAG) Gn on n nodes. The quality of that iMHF is then captured by the following two pebbling complexities of Gn: – The parallel cumulative pebbling complexity Π∥cc(Gn) must be as high as possible (to ensure that the amortized cost of computing the function on dedicated hardware is dominated by the cost of memory). – The sequential space-time pebbling complexity Πst(Gn) should be as close as possible to Π∥cc(Gn) (to ensure that using many cores in parallel and amortizing over many instances does not give much of an advantage). In this paper we construct a family of DAGs with best possible parameters in an asymptotic sense, i.e., where Π∥cc(Gn) = Ω(n2/ log(n)) (which matches a known upper bound) and Πst(Gn) is within a constant factor of Π∥cc(Gn). Our analysis relies on a new connection between the pebbling complexity of a DAG and its depth-robustness (DR) – a well studied combinatorial property. We show that high DR is sufficient for high Π∥cc. Alwen and Blocki (CRYPTO’16) showed that high DR is necessary and so, together, these results fully characterize DAGs with high Π∥cc in terms of DR. Complementing these results, we provide new upper and lower bounds on the Π∥cc of several important candidate iMHFs from the literature. We give the first lower bounds on the memory hardness of the Catena and Balloon Hashing functions in a parallel model of computation and we give the first lower bounds of any kind for (a version) of Argon2i. Finally we describe a new class of pebbling attacks improving on those of Alwen and Blocki (CRYPTO’16). By instantiating these attacks we upperbound the Π∥cc of the Password Hashing Competition winner Argon2i and one of the Balloon Hashing functions by O (n1.71). We also show an upper bound of O(n1.625) for the Catena functions and the two remaining Balloon Hashing functions.","lang":"eng"}],"oa_version":"Submitted Version","main_file_link":[{"url":"https://eprint.iacr.org/2016/875","open_access":"1"}],"scopus_import":1,"alternative_title":["LNCS"],"intvolume":" 10212","month":"04","publication_status":"published","publication_identifier":{"isbn":["978-331956616-0"]},"language":[{"iso":"eng"}],"ec_funded":1,"volume":10212,"_id":"640","conference":{"location":"Paris, France","end_date":"2017-05-04","start_date":"2017-04-30","name":"EUROCRYPT: Theory and Applications of Cryptographic Techniques"},"type":"conference","status":"public","date_updated":"2021-01-12T08:07:22Z","department":[{"_id":"KrPi"}]},{"author":[{"id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD","first_name":"Maciej","full_name":"Skórski, Maciej","last_name":"Skórski"}],"publist_id":"7125","editor":[{"first_name":"Gerhard","full_name":"Jäger, Gerhard","last_name":"Jäger"},{"first_name":"Silvia","full_name":"Steila, Silvia","last_name":"Steila"}],"title":"On the complexity of breaking pseudoentropy","citation":{"mla":"Skórski, Maciej. On the Complexity of Breaking Pseudoentropy. Edited by Gerhard Jäger and Silvia Steila, vol. 10185, Springer, 2017, pp. 600–13, doi:10.1007/978-3-319-55911-7_43.","ama":"Skórski M. On the complexity of breaking pseudoentropy. In: Jäger G, Steila S, eds. Vol 10185. Springer; 2017:600-613. doi:10.1007/978-3-319-55911-7_43","apa":"Skórski, M. (2017). On the complexity of breaking pseudoentropy. In G. Jäger & S. Steila (Eds.) (Vol. 10185, pp. 600–613). Presented at the TAMC: Theory and Applications of Models of Computation, Bern, Switzerland: Springer. https://doi.org/10.1007/978-3-319-55911-7_43","ieee":"M. Skórski, “On the complexity of breaking pseudoentropy,” presented at the TAMC: Theory and Applications of Models of Computation, Bern, Switzerland, 2017, vol. 10185, pp. 600–613.","short":"M. Skórski, in:, G. Jäger, S. Steila (Eds.), Springer, 2017, pp. 600–613.","chicago":"Skórski, Maciej. “On the Complexity of Breaking Pseudoentropy.” edited by Gerhard Jäger and Silvia Steila, 10185:600–613. Springer, 2017. https://doi.org/10.1007/978-3-319-55911-7_43.","ista":"Skórski M. 2017. On the complexity of breaking pseudoentropy. TAMC: Theory and Applications of Models of Computation, LNCS, vol. 10185, 600–613."},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","publisher":"Springer","quality_controlled":"1","oa":1,"page":"600 - 613","doi":"10.1007/978-3-319-55911-7_43","date_published":"2017-04-01T00:00:00Z","date_created":"2018-12-11T11:47:42Z","year":"2017","day":"01","type":"conference","conference":{"name":"TAMC: Theory and Applications of Models of Computation","end_date":"2017-04-22","location":"Bern, Switzerland","start_date":"2017-04-20"},"status":"public","_id":"648","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T08:07:39Z","scopus_import":1,"alternative_title":["LNCS"],"main_file_link":[{"url":"https://eprint.iacr.org/2016/1186.pdf","open_access":"1"}],"month":"04","intvolume":" 10185","abstract":[{"lang":"eng","text":"Pseudoentropy has found a lot of important applications to cryptography and complexity theory. In this paper we focus on the foundational problem that has not been investigated so far, namely by how much pseudoentropy (the amount seen by computationally bounded attackers) differs from its information-theoretic counterpart (seen by unbounded observers), given certain limits on attacker’s computational power? We provide the following answer for HILL pseudoentropy, which exhibits a threshold behavior around the size exponential in the entropy amount:– If the attacker size (s) and advantage () satisfy s (formula presented) where k is the claimed amount of pseudoentropy, then the pseudoentropy boils down to the information-theoretic smooth entropy. – If s (formula presented) then pseudoentropy could be arbitrarily bigger than the information-theoretic smooth entropy. Besides answering the posted question, we show an elegant application of our result to the complexity theory, namely that it implies the clas-sical result on the existence of functions hard to approximate (due to Pippenger). In our approach we utilize non-constructive techniques: the duality of linear programming and the probabilistic method."}],"oa_version":"Submitted Version","volume":10185,"publication_identifier":{"isbn":["978-331955910-0"]},"publication_status":"published","language":[{"iso":"eng"}]},{"month":"01","intvolume":" 10185","scopus_import":1,"alternative_title":["LNCS"],"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2016/965.pdf"}],"oa_version":"Submitted Version","abstract":[{"text":"In this work we present a short and unified proof for the Strong and Weak Regularity Lemma, based on the cryptographic tech-nique called low-complexity approximations. In short, both problems reduce to a task of finding constructively an approximation for a certain target function under a class of distinguishers (test functions), where dis-tinguishers are combinations of simple rectangle-indicators. In our case these approximations can be learned by a simple iterative procedure, which yields a unified and simple proof, achieving for any graph with density d and any approximation parameter the partition size. The novelty in our proof is: (a) a simple approach which yields both strong and weaker variant, and (b) improvements when d = o(1). At an abstract level, our proof can be seen a refinement and simplification of the “analytic” proof given by Lovasz and Szegedy.","lang":"eng"}],"volume":10185,"language":[{"iso":"eng"}],"publication_identifier":{"issn":["03029743"]},"publication_status":"published","status":"public","type":"conference","conference":{"start_date":"2017-04-20","end_date":"2017-04-22","location":"Bern, Switzerland","name":"TAMC: Theory and Applications of Models of Computation"},"_id":"650","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T08:07:46Z","publisher":"Springer","quality_controlled":"1","oa":1,"date_published":"2017-01-01T00:00:00Z","doi":"10.1007/978-3-319-55911-7_42","date_created":"2018-12-11T11:47:42Z","page":"586 - 599","day":"01","year":"2017","editor":[{"first_name":"Gerhard","last_name":"Jäger","full_name":"Jäger, Gerhard"},{"last_name":"Steila","full_name":"Steila, Silvia","first_name":"Silvia"}],"title":"A cryptographic view of regularity lemmas: Simpler unified proofs and refined bounds","author":[{"id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD","first_name":"Maciej","full_name":"Skórski, Maciej","last_name":"Skórski"}],"publist_id":"7119","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Skórski, Maciej. A Cryptographic View of Regularity Lemmas: Simpler Unified Proofs and Refined Bounds. Edited by Gerhard Jäger and Silvia Steila, vol. 10185, Springer, 2017, pp. 586–99, doi:10.1007/978-3-319-55911-7_42.","apa":"Skórski, M. (2017). A cryptographic view of regularity lemmas: Simpler unified proofs and refined bounds. In G. Jäger & S. Steila (Eds.) (Vol. 10185, pp. 586–599). Presented at the TAMC: Theory and Applications of Models of Computation, Bern, Switzerland: Springer. https://doi.org/10.1007/978-3-319-55911-7_42","ama":"Skórski M. A cryptographic view of regularity lemmas: Simpler unified proofs and refined bounds. In: Jäger G, Steila S, eds. Vol 10185. Springer; 2017:586-599. doi:10.1007/978-3-319-55911-7_42","ieee":"M. Skórski, “A cryptographic view of regularity lemmas: Simpler unified proofs and refined bounds,” presented at the TAMC: Theory and Applications of Models of Computation, Bern, Switzerland, 2017, vol. 10185, pp. 586–599.","short":"M. Skórski, in:, G. Jäger, S. Steila (Eds.), Springer, 2017, pp. 586–599.","chicago":"Skórski, Maciej. “A Cryptographic View of Regularity Lemmas: Simpler Unified Proofs and Refined Bounds.” edited by Gerhard Jäger and Silvia Steila, 10185:586–99. Springer, 2017. https://doi.org/10.1007/978-3-319-55911-7_42.","ista":"Skórski M. 2017. A cryptographic view of regularity lemmas: Simpler unified proofs and refined bounds. TAMC: Theory and Applications of Models of Computation, LNCS, vol. 10185, 586–599."}},{"_id":"6527","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}],"status":"public","type":"conference","conference":{"location":"Dallas, TX, USA","end_date":"2017-11-03","start_date":"2017-10-30","name":"CCS: Conference on Computer and Communications Security"},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","date_updated":"2021-01-12T08:07:53Z","citation":{"mla":"Alwen, Joel F., et al. “Practical Graphs for Optimal Side-Channel Resistant Memory-Hard Functions.” Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, ACM Press, 2017, pp. 1001–17, doi:10.1145/3133956.3134031.","ama":"Alwen JF, Blocki J, Harsha B. Practical graphs for optimal side-channel resistant memory-hard functions. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM Press; 2017:1001-1017. doi:10.1145/3133956.3134031","apa":"Alwen, J. F., Blocki, J., & Harsha, B. (2017). Practical graphs for optimal side-channel resistant memory-hard functions. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 1001–1017). Dallas, TX, USA: ACM Press. https://doi.org/10.1145/3133956.3134031","short":"J.F. Alwen, J. Blocki, B. Harsha, in:, Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, ACM Press, 2017, pp. 1001–1017.","ieee":"J. F. Alwen, J. Blocki, and B. Harsha, “Practical graphs for optimal side-channel resistant memory-hard functions,” in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA, 2017, pp. 1001–1017.","chicago":"Alwen, Joel F, Jeremiah Blocki, and Ben Harsha. “Practical Graphs for Optimal Side-Channel Resistant Memory-Hard Functions.” In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 1001–17. ACM Press, 2017. https://doi.org/10.1145/3133956.3134031.","ista":"Alwen JF, Blocki J, Harsha B. 2017. Practical graphs for optimal side-channel resistant memory-hard functions. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. CCS: Conference on Computer and Communications Security, 1001–1017."},"department":[{"_id":"KrPi"}],"title":"Practical graphs for optimal side-channel resistant memory-hard functions","author":[{"first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","last_name":"Alwen","full_name":"Alwen, Joel F"},{"first_name":"Jeremiah","full_name":"Blocki, Jeremiah","last_name":"Blocki"},{"full_name":"Harsha, Ben","last_name":"Harsha","first_name":"Ben"}],"oa_version":"Submitted Version","abstract":[{"text":"A memory-hard function (MHF) ƒn with parameter n can be computed in sequential time and space n. Simultaneously, a high amortized parallel area-time complexity (aAT) is incurred per evaluation. In practice, MHFs are used to limit the rate at which an adversary (using a custom computational device) can evaluate a security sensitive function that still occasionally needs to be evaluated by honest users (using an off-the-shelf general purpose device). The most prevalent examples of such sensitive functions are Key Derivation Functions (KDFs) and password hashing algorithms where rate limits help mitigate off-line dictionary attacks. As the honest users' inputs to these functions are often (low-entropy) passwords special attention is given to a class of side-channel resistant MHFs called iMHFs.\r\n\r\nEssentially all iMHFs can be viewed as some mode of operation (making n calls to some round function) given by a directed acyclic graph (DAG) with very low indegree. Recently, a combinatorial property of a DAG has been identified (called \"depth-robustness\") which results in good provable security for an iMHF based on that DAG. Depth-robust DAGs have also proven useful in other cryptographic applications. Unfortunately, up till now, all known very depth-robust DAGs are impractically complicated and little is known about their exact (i.e. non-asymptotic) depth-robustness both in theory and in practice.\r\n\r\nIn this work we build and analyze (both formally and empirically) several exceedingly simple and efficient to navigate practical DAGs for use in iMHFs and other applications. For each DAG we:\r\n*Prove that their depth-robustness is asymptotically maximal.\r\n*Prove bounds of at least 3 orders of magnitude better on their exact depth-robustness compared to known bounds for other practical iMHF.\r\n*Implement and empirically evaluate their depth-robustness and aAT against a variety of state-of-the art (and several new) depth-reduction and low aAT attacks. \r\nWe find that, against all attacks, the new DAGs perform significantly better in practice than Argon2i, the most widely deployed iMHF in practice.\r\n\r\nAlong the way we also improve the best known empirical attacks on the aAT of Argon2i by implementing and testing several heuristic versions of a (hitherto purely theoretical) depth-reduction attack. Finally, we demonstrate practicality of our constructions by modifying the Argon2i code base to use one of the new high aAT DAGs. Experimental benchmarks on a standard off-the-shelf CPU show that the new modifications do not adversely affect the impressive throughput of Argon2i (despite seemingly enjoying significantly higher aAT).\r\n","lang":"eng"}],"month":"10","publisher":"ACM Press","quality_controlled":"1","scopus_import":1,"main_file_link":[{"url":"https://eprint.iacr.org/2017/443","open_access":"1"}],"oa":1,"day":"30","publication":"Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security","language":[{"iso":"eng"}],"publication_identifier":{"isbn":["9781450349468"]},"publication_status":"published","year":"2017","date_published":"2017-10-30T00:00:00Z","doi":"10.1145/3133956.3134031","ec_funded":1,"date_created":"2019-06-06T13:21:29Z","page":"1001-1017"},{"author":[{"first_name":"Maciej","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD","last_name":"Skórski","full_name":"Skórski, Maciej"}],"external_id":{"arxiv":["1702.01666"]},"title":"On the complexity of estimating Rènyi divergences","citation":{"short":"M. Skórski, in:, 2017 IEEE International Symposium on Information Theory (ISIT), IEEE, 2017.","ieee":"M. Skórski, “On the complexity of estimating Rènyi divergences,” in 2017 IEEE International Symposium on Information Theory (ISIT), Aachen, Germany, 2017.","ama":"Skórski M. On the complexity of estimating Rènyi divergences. In: 2017 IEEE International Symposium on Information Theory (ISIT). IEEE; 2017. doi:10.1109/isit.2017.8006529","apa":"Skórski, M. (2017). On the complexity of estimating Rènyi divergences. In 2017 IEEE International Symposium on Information Theory (ISIT). Aachen, Germany: IEEE. https://doi.org/10.1109/isit.2017.8006529","mla":"Skórski, Maciej. “On the Complexity of Estimating Rènyi Divergences.” 2017 IEEE International Symposium on Information Theory (ISIT), 8006529, IEEE, 2017, doi:10.1109/isit.2017.8006529.","ista":"Skórski M. 2017. On the complexity of estimating Rènyi divergences. 2017 IEEE International Symposium on Information Theory (ISIT). ISIT: International Symposium on Information Theory, 8006529.","chicago":"Skórski, Maciej. “On the Complexity of Estimating Rènyi Divergences.” In 2017 IEEE International Symposium on Information Theory (ISIT). IEEE, 2017. https://doi.org/10.1109/isit.2017.8006529."},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}],"article_number":"8006529","doi":"10.1109/isit.2017.8006529","date_published":"2017-08-09T00:00:00Z","date_created":"2019-06-06T12:53:09Z","year":"2017","day":"09","publication":"2017 IEEE International Symposium on Information Theory (ISIT)","publisher":"IEEE","quality_controlled":"1","oa":1,"department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T08:07:53Z","type":"conference","conference":{"start_date":"2017-06-25","location":"Aachen, Germany","end_date":"2017-06-30","name":"ISIT: International Symposium on Information Theory"},"status":"public","_id":"6526","ec_funded":1,"publication_identifier":{"isbn":["9781509040964"]},"publication_status":"published","language":[{"iso":"eng"}],"scopus_import":1,"main_file_link":[{"url":"https://arxiv.org/abs/1702.01666","open_access":"1"}],"month":"08","abstract":[{"lang":"eng","text":"This paper studies the complexity of estimating Rényi divergences of discrete distributions: p observed from samples and the baseline distribution q known a priori. Extending the results of Acharya et al. (SODA'15) on estimating Rényi entropy, we present improved estimation techniques together with upper and lower bounds on the sample complexity. We show that, contrarily to estimating Rényi entropy where a sublinear (in the alphabet size) number of samples suffices, the sample complexity is heavily dependent on events occurring unlikely in q, and is unbounded in general (no matter what an estimation technique is used). For any divergence of integer order bigger than 1, we provide upper and lower bounds on the number of samples dependent on probabilities of p and q (the lower bounds hold for non-integer orders as well). We conclude that the worst-case sample complexity is polynomial in the alphabet size if and only if the probabilities of q are non-negligible. This gives theoretical insights into heuristics used in the applied literature to handle numerical instability, which occurs for small probabilities of q. Our result shows that they should be handled with care not only because of numerical issues, but also because of a blow up in the sample complexity."}],"oa_version":"Preprint"},{"quality_controlled":"1","publisher":"Schloss Dagstuhl - Leibniz-Zentrum für Informatik","oa":1,"day":"01","has_accepted_license":"1","year":"2017","doi":"10.4230/LIPIcs.ICALP.2017.39","date_published":"2017-07-01T00:00:00Z","date_created":"2018-12-11T11:47:59Z","article_number":"39","project":[{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"apa":"Pietrzak, K. Z., & Skórski, M. (2017). Non uniform attacks against pseudoentropy (Vol. 80). Presented at the ICALP: International Colloquium on Automata, Languages, and Programming, Warsaw, Poland: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. https://doi.org/10.4230/LIPIcs.ICALP.2017.39","ama":"Pietrzak KZ, Skórski M. Non uniform attacks against pseudoentropy. In: Vol 80. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2017. doi:10.4230/LIPIcs.ICALP.2017.39","ieee":"K. Z. Pietrzak and M. Skórski, “Non uniform attacks against pseudoentropy,” presented at the ICALP: International Colloquium on Automata, Languages, and Programming, Warsaw, Poland, 2017, vol. 80.","short":"K.Z. Pietrzak, M. Skórski, in:, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017.","mla":"Pietrzak, Krzysztof Z., and Maciej Skórski. Non Uniform Attacks against Pseudoentropy. Vol. 80, 39, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, doi:10.4230/LIPIcs.ICALP.2017.39.","ista":"Pietrzak KZ, Skórski M. 2017. Non uniform attacks against pseudoentropy. ICALP: International Colloquium on Automata, Languages, and Programming, LIPIcs, vol. 80, 39.","chicago":"Pietrzak, Krzysztof Z, and Maciej Skórski. “Non Uniform Attacks against Pseudoentropy,” Vol. 80. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017. https://doi.org/10.4230/LIPIcs.ICALP.2017.39."},"title":"Non uniform attacks against pseudoentropy","author":[{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"},{"full_name":"Skórski, Maciej","last_name":"Skórski","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD","first_name":"Maciej"}],"publist_id":"7003","oa_version":"Published Version","abstract":[{"lang":"eng","text":"De, Trevisan and Tulsiani [CRYPTO 2010] show that every distribution over n-bit strings which has constant statistical distance to uniform (e.g., the output of a pseudorandom generator mapping n-1 to n bit strings), can be distinguished from the uniform distribution with advantage epsilon by a circuit of size O( 2^n epsilon^2). We generalize this result, showing that a distribution which has less than k bits of min-entropy, can be distinguished from any distribution with k bits of delta-smooth min-entropy with advantage epsilon by a circuit of size O(2^k epsilon^2/delta^2). As a special case, this implies that any distribution with support at most 2^k (e.g., the output of a pseudoentropy generator mapping k to n bit strings) can be distinguished from any given distribution with min-entropy k+1 with advantage epsilon by a circuit of size O(2^k epsilon^2). Our result thus shows that pseudoentropy distributions face basically the same non-uniform attacks as pseudorandom distributions. "}],"month":"07","intvolume":" 80","alternative_title":["LIPIcs"],"scopus_import":1,"file":[{"checksum":"e95618a001692f1af2d68f5fde43bc1f","file_id":"4701","access_level":"open_access","relation":"main_file","content_type":"application/pdf","date_created":"2018-12-12T10:08:40Z","file_name":"IST-2017-893-v1+1_LIPIcs-ICALP-2017-39.pdf","creator":"system","date_updated":"2020-07-14T12:47:46Z","file_size":601004}],"language":[{"iso":"eng"}],"publication_identifier":{"issn":["18688969"]},"publication_status":"published","volume":80,"ec_funded":1,"_id":"697","status":"public","pubrep_id":"893","type":"conference","conference":{"end_date":"2017-07-14","location":"Warsaw, Poland","start_date":"2017-07-10","name":"ICALP: International Colloquium on Automata, Languages, and Programming"},"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"ddc":["005"],"date_updated":"2021-01-12T08:11:15Z","department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:47:46Z"},{"abstract":[{"lang":"eng","text":"We revisit the problem of estimating entropy of discrete distributions from independent samples, studied recently by Acharya, Orlitsky, Suresh and Tyagi (SODA 2015), improving their upper and lower bounds on the necessary sample size n. For estimating Renyi entropy of order alpha, up to constant accuracy and error probability, we show the following * Upper bounds n = O(1) 2^{(1-1/alpha)H_alpha} for integer alpha>1, as the worst case over distributions with Renyi entropy equal to H_alpha. * Lower bounds n = Omega(1) K^{1-1/alpha} for any real alpha>1, with the constant being an inverse polynomial of the accuracy, as the worst case over all distributions on K elements. Our upper bounds essentially replace the alphabet size by a factor exponential in the entropy, which offers improvements especially in low or medium entropy regimes (interesting for example in anomaly detection). As for the lower bounds, our proof explicitly shows how the complexity depends on both alphabet and accuracy, partially solving the open problem posted in previous works. The argument for upper bounds derives a clean identity for the variance of falling-power sum of a multinomial distribution. Our approach for lower bounds utilizes convex optimization to find a distribution with possibly worse estimation performance, and may be of independent interest as a tool to work with Le Cam’s two point method. "}],"oa_version":"Published Version","alternative_title":["LIPIcs"],"scopus_import":1,"month":"08","intvolume":" 81","publication_identifier":{"issn":["18688969"]},"publication_status":"published","file":[{"relation":"main_file","access_level":"open_access","content_type":"application/pdf","file_id":"4991","checksum":"89225c7dcec2c93838458c9102858985","creator":"system","file_size":604813,"date_updated":"2020-07-14T12:47:49Z","file_name":"IST-2017-888-v1+1_LIPIcs-APPROX-RANDOM-2017-20.pdf","date_created":"2018-12-12T10:13:10Z"}],"language":[{"iso":"eng"}],"volume":81,"ec_funded":1,"_id":"710","type":"conference","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"conference":{"name":"20th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems, APPROX","start_date":"2017-08-18","end_date":"2017-08-18","location":"Berkeley, USA"},"status":"public","pubrep_id":"888","date_updated":"2021-01-12T08:11:50Z","ddc":["005","600"],"file_date_updated":"2020-07-14T12:47:49Z","department":[{"_id":"KrPi"}],"quality_controlled":"1","publisher":"Schloss Dagstuhl - Leibniz-Zentrum für Informatik","oa":1,"has_accepted_license":"1","year":"2017","day":"01","date_published":"2017-08-01T00:00:00Z","doi":"10.4230/LIPIcs.APPROX-RANDOM.2017.20","date_created":"2018-12-11T11:48:04Z","article_number":"20","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}],"citation":{"ieee":"M. Obremski and M. Skórski, “Renyi entropy estimation revisited,” presented at the 20th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems, APPROX, Berkeley, USA, 2017, vol. 81.","short":"M. Obremski, M. Skórski, in:, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017.","ama":"Obremski M, Skórski M. Renyi entropy estimation revisited. In: Vol 81. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2017. doi:10.4230/LIPIcs.APPROX-RANDOM.2017.20","apa":"Obremski, M., & Skórski, M. (2017). Renyi entropy estimation revisited (Vol. 81). Presented at the 20th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems, APPROX, Berkeley, USA: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. https://doi.org/10.4230/LIPIcs.APPROX-RANDOM.2017.20","mla":"Obremski, Maciej, and Maciej Skórski. Renyi Entropy Estimation Revisited. Vol. 81, 20, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, doi:10.4230/LIPIcs.APPROX-RANDOM.2017.20.","ista":"Obremski M, Skórski M. 2017. Renyi entropy estimation revisited. 20th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems, APPROX, LIPIcs, vol. 81, 20.","chicago":"Obremski, Maciej, and Maciej Skórski. “Renyi Entropy Estimation Revisited,” Vol. 81. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017. https://doi.org/10.4230/LIPIcs.APPROX-RANDOM.2017.20."},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","publist_id":"6979","author":[{"first_name":"Maciej","full_name":"Obremski, Maciej","last_name":"Obremski"},{"first_name":"Maciej","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD","full_name":"Skórski, Maciej","last_name":"Skórski"}],"title":"Renyi entropy estimation revisited"},{"status":"public","pubrep_id":"828","type":"dissertation","_id":"838","department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:48:12Z","ddc":["000"],"date_updated":"2023-09-07T12:02:28Z","month":"06","alternative_title":["ISTA Thesis"],"oa_version":"Published Version","abstract":[{"text":"In this thesis we discuss the exact security of message authentications codes HMAC , NMAC , and PMAC . NMAC is a mode of operation which turns a fixed input-length keyed hash function f into a variable input-length function. A practical single-key variant of NMAC called HMAC is a very popular and widely deployed message authentication code (MAC). PMAC is a block-cipher based mode of operation, which also happens to be the most famous fully parallel MAC. NMAC was introduced by Bellare, Canetti and Krawczyk Crypto’96, who proved it to be a secure pseudorandom function (PRF), and thus also a MAC, under two assumptions. Unfortunately, for many instantiations of HMAC one of them has been found to be wrong. To restore the provable guarantees for NMAC , Bellare [Crypto’06] showed its security without this assumption. PMAC was introduced by Black and Rogaway at Eurocrypt 2002. If instantiated with a pseudorandom permutation over n -bit strings, PMAC constitutes a provably secure variable input-length PRF. For adversaries making q queries, each of length at most ` (in n -bit blocks), and of total length σ ≤ q` , the original paper proves an upper bound on the distinguishing advantage of O ( σ 2 / 2 n ), while the currently best bound is O ( qσ/ 2 n ). In this work we show that this bound is tight by giving an attack with advantage Ω( q 2 `/ 2 n ). In the PMAC construction one initially XORs a mask to every message block, where the mask for the i th block is computed as τ i := γ i · L , where L is a (secret) random value, and γ i is the i -th codeword of the Gray code. Our attack applies more generally to any sequence of γ i ’s which contains a large coset of a subgroup of GF (2 n ). As for NMAC , our first contribution is a simpler and uniform proof: If f is an ε -secure PRF (against q queries) and a δ - non-adaptively secure PRF (against q queries), then NMAC f is an ( ε + `qδ )-secure PRF against q queries of length at most ` blocks each. We also show that this ε + `qδ bound is basically tight by constructing an f for which an attack with advantage `qδ exists. Moreover, we analyze the PRF-security of a modification of NMAC called NI by An and Bellare that avoids the constant rekeying on multi-block messages in NMAC and allows for an information-theoretic analysis. We carry out such an analysis, obtaining a tight `q 2 / 2 c bound for this step, improving over the trivial bound of ` 2 q 2 / 2 c . Finally, we investigate, if the security of PMAC can be further improved by using τ i ’s that are k -wise independent, for k > 1 (the original has k = 1). We observe that the security of PMAC will not increase in general if k = 2, and then prove that the security increases to O ( q 2 / 2 n ), if the k = 4. Due to simple extension attacks, this is the best bound one can hope for, using any distribution on the masks. Whether k = 3 is already sufficient to get this level of security is left as an open problem. Keywords: Message authentication codes, Pseudorandom functions, HMAC, PMAC. ","lang":"eng"}],"related_material":{"record":[{"relation":"part_of_dissertation","status":"public","id":"2082"},{"relation":"part_of_dissertation","status":"public","id":"6196"}]},"file":[{"file_size":847400,"date_updated":"2020-07-14T12:48:12Z","creator":"system","file_name":"IST-2017-828-v1+3_2017_Rybar_thesis.pdf","date_created":"2018-12-12T10:10:13Z","content_type":"application/pdf","relation":"main_file","access_level":"open_access","file_id":"4799","checksum":"ff8639ec4bded6186f44c7bd3ee26804"},{"file_name":"2017_Thesis_Rybar_source.zip","date_created":"2019-04-05T08:24:11Z","file_size":26054879,"date_updated":"2020-07-14T12:48:12Z","creator":"dernst","checksum":"3462101745ce8ad199c2d0f75dae4a7e","file_id":"6202","content_type":"application/zip","relation":"source_file","access_level":"closed"}],"language":[{"iso":"eng"}],"publication_identifier":{"issn":["2663-337X"]},"degree_awarded":"PhD","publication_status":"published","title":"(The exact security of) Message authentication codes","publist_id":"6810","author":[{"last_name":"Rybar","full_name":"Rybar, Michal","id":"2B3E3DE8-F248-11E8-B48F-1D18A9856A87","first_name":"Michal"}],"article_processing_charge":"No","user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"chicago":"Rybar, Michal. “(The Exact Security of) Message Authentication Codes.” Institute of Science and Technology Austria, 2017. https://doi.org/10.15479/AT:ISTA:th_828.","ista":"Rybar M. 2017. (The exact security of) Message authentication codes. Institute of Science and Technology Austria.","mla":"Rybar, Michal. (The Exact Security of) Message Authentication Codes. Institute of Science and Technology Austria, 2017, doi:10.15479/AT:ISTA:th_828.","short":"M. Rybar, (The Exact Security of) Message Authentication Codes, Institute of Science and Technology Austria, 2017.","ieee":"M. Rybar, “(The exact security of) Message authentication codes,” Institute of Science and Technology Austria, 2017.","apa":"Rybar, M. (2017). (The exact security of) Message authentication codes. Institute of Science and Technology Austria. https://doi.org/10.15479/AT:ISTA:th_828","ama":"Rybar M. (The exact security of) Message authentication codes. 2017. doi:10.15479/AT:ISTA:th_828"},"publisher":"Institute of Science and Technology Austria","oa":1,"doi":"10.15479/AT:ISTA:th_828","date_published":"2017-06-26T00:00:00Z","date_created":"2018-12-11T11:48:46Z","page":"86","day":"26","has_accepted_license":"1","year":"2017"},{"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"apa":"Gazi, P., Pietrzak, K. Z., & Rybar, M. (2017). The exact security of PMAC. IACR Transactions on Symmetric Cryptology. Ruhr University Bochum. https://doi.org/10.13154/TOSC.V2016.I2.145-161","ama":"Gazi P, Pietrzak KZ, Rybar M. The exact security of PMAC. IACR Transactions on Symmetric Cryptology. 2017;2016(2):145-161. doi:10.13154/TOSC.V2016.I2.145-161","short":"P. Gazi, K.Z. Pietrzak, M. Rybar, IACR Transactions on Symmetric Cryptology 2016 (2017) 145–161.","ieee":"P. Gazi, K. Z. Pietrzak, and M. Rybar, “The exact security of PMAC,” IACR Transactions on Symmetric Cryptology, vol. 2016, no. 2. Ruhr University Bochum, pp. 145–161, 2017.","mla":"Gazi, Peter, et al. “The Exact Security of PMAC.” IACR Transactions on Symmetric Cryptology, vol. 2016, no. 2, Ruhr University Bochum, 2017, pp. 145–61, doi:10.13154/TOSC.V2016.I2.145-161.","ista":"Gazi P, Pietrzak KZ, Rybar M. 2017. The exact security of PMAC. IACR Transactions on Symmetric Cryptology. 2016(2), 145–161.","chicago":"Gazi, Peter, Krzysztof Z Pietrzak, and Michal Rybar. “The Exact Security of PMAC.” IACR Transactions on Symmetric Cryptology. Ruhr University Bochum, 2017. https://doi.org/10.13154/TOSC.V2016.I2.145-161."},"title":"The exact security of PMAC","author":[{"last_name":"Gazi","full_name":"Gazi, Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","first_name":"Peter"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"},{"id":"2B3E3DE8-F248-11E8-B48F-1D18A9856A87","first_name":"Michal","full_name":"Rybar, Michal","last_name":"Rybar"}],"project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}],"publication":"IACR Transactions on Symmetric Cryptology","day":"03","year":"2017","has_accepted_license":"1","date_created":"2019-04-04T13:48:23Z","date_published":"2017-02-03T00:00:00Z","doi":"10.13154/TOSC.V2016.I2.145-161","page":"145-161","oa":1,"publisher":"Ruhr University Bochum","quality_controlled":"1","ddc":["000"],"date_updated":"2023-09-07T12:02:27Z","department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:47:24Z","_id":"6196","status":"public","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"type":"journal_article","language":[{"iso":"eng"}],"file":[{"creator":"dernst","file_size":597335,"date_updated":"2020-07-14T12:47:24Z","file_name":"2017_IACR_Gazi.pdf","date_created":"2019-04-04T13:53:58Z","relation":"main_file","access_level":"open_access","content_type":"application/pdf","file_id":"6197","checksum":"f23161d685dd957ae8d7274132999684"}],"publication_status":"published","publication_identifier":{"eissn":["2519-173X"]},"ec_funded":1,"related_material":{"record":[{"relation":"dissertation_contains","id":"838","status":"public"}]},"issue":"2","volume":2016,"oa_version":"Published Version","abstract":[{"lang":"eng","text":"PMAC is a simple and parallel block-cipher mode of operation, which was introduced by Black and Rogaway at Eurocrypt 2002. If instantiated with a (pseudo)random permutation over n-bit strings, PMAC constitutes a provably secure variable input-length (pseudo)random function. For adversaries making q queries, each of length at most l (in n-bit blocks), and of total length σ ≤ ql, the original paper proves an upper bound on the distinguishing advantage of Ο(σ2/2n), while the currently best bound is Ο (qσ/2n).In this work we show that this bound is tight by giving an attack with advantage Ω (q2l/2n). In the PMAC construction one initially XORs a mask to every message block, where the mask for the ith block is computed as τi := γi·L, where L is a (secret) random value, and γi is the i-th codeword of the Gray code. Our attack applies more generally to any sequence of γi’s which contains a large coset of a subgroup of GF(2n). We then investigate if the security of PMAC can be further improved by using τi’s that are k-wise independent, for k > 1 (the original distribution is only 1-wise independent). We observe that the security of PMAC will not increase in general, even if the masks are chosen from a 2-wise independent distribution, and then prove that the security increases to O(q<2/2n), if the τi are 4-wise independent. Due to simple extension attacks, this is the best bound one can hope for, using any distribution on the masks. Whether 3-wise independence is already sufficient to get this level of security is left as an open problem."}],"intvolume":" 2016","month":"02"},{"quality_controlled":"1","publisher":"Springer","oa":1,"page":"357 - 379","doi":"10.1007/978-3-319-70697-9_13","date_published":"2017-11-18T00:00:00Z","date_created":"2018-12-11T11:47:10Z","year":"2017","day":"18","project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}],"author":[{"last_name":"Abusalah","full_name":"Abusalah, Hamza M","id":"40297222-F248-11E8-B48F-1D18A9856A87","first_name":"Hamza M"},{"id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F","full_name":"Alwen, Joel F","last_name":"Alwen"},{"first_name":"Bram","full_name":"Cohen, Bram","last_name":"Cohen"},{"first_name":"Danylo","full_name":"Khilko, Danylo","last_name":"Khilko"},{"orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"},{"last_name":"Reyzin","full_name":"Reyzin, Leonid","first_name":"Leonid"}],"publist_id":"7257","title":"Beyond Hellman’s time-memory trade-offs with applications to proofs of space","citation":{"ista":"Abusalah HM, Alwen JF, Cohen B, Khilko D, Pietrzak KZ, Reyzin L. 2017. Beyond Hellman’s time-memory trade-offs with applications to proofs of space. ASIACRYPT: Theory and Applications of Cryptology and Information Security, LNCS, vol. 10625, 357–379.","chicago":"Abusalah, Hamza M, Joel F Alwen, Bram Cohen, Danylo Khilko, Krzysztof Z Pietrzak, and Leonid Reyzin. “Beyond Hellman’s Time-Memory Trade-Offs with Applications to Proofs of Space,” 10625:357–79. Springer, 2017. https://doi.org/10.1007/978-3-319-70697-9_13.","ama":"Abusalah HM, Alwen JF, Cohen B, Khilko D, Pietrzak KZ, Reyzin L. Beyond Hellman’s time-memory trade-offs with applications to proofs of space. In: Vol 10625. Springer; 2017:357-379. doi:10.1007/978-3-319-70697-9_13","apa":"Abusalah, H. M., Alwen, J. F., Cohen, B., Khilko, D., Pietrzak, K. Z., & Reyzin, L. (2017). Beyond Hellman’s time-memory trade-offs with applications to proofs of space (Vol. 10625, pp. 357–379). Presented at the ASIACRYPT: Theory and Applications of Cryptology and Information Security, Hong Kong, China: Springer. https://doi.org/10.1007/978-3-319-70697-9_13","short":"H.M. Abusalah, J.F. Alwen, B. Cohen, D. Khilko, K.Z. Pietrzak, L. Reyzin, in:, Springer, 2017, pp. 357–379.","ieee":"H. M. Abusalah, J. F. Alwen, B. Cohen, D. Khilko, K. Z. Pietrzak, and L. Reyzin, “Beyond Hellman’s time-memory trade-offs with applications to proofs of space,” presented at the ASIACRYPT: Theory and Applications of Cryptology and Information Security, Hong Kong, China, 2017, vol. 10625, pp. 357–379.","mla":"Abusalah, Hamza M., et al. Beyond Hellman’s Time-Memory Trade-Offs with Applications to Proofs of Space. Vol. 10625, Springer, 2017, pp. 357–79, doi:10.1007/978-3-319-70697-9_13."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","alternative_title":["LNCS"],"scopus_import":1,"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2017/893.pdf"}],"month":"11","intvolume":" 10625","abstract":[{"text":"Proofs of space (PoS) were suggested as more ecological and economical alternative to proofs of work, which are currently used in blockchain designs like Bitcoin. The existing PoS are based on rather sophisticated graph pebbling lower bounds. Much simpler and in several aspects more efficient schemes based on inverting random functions have been suggested, but they don’t give meaningful security guarantees due to existing time-memory trade-offs. In particular, Hellman showed that any permutation over a domain of size N can be inverted in time T by an algorithm that is given S bits of auxiliary information whenever (Formula presented). For functions Hellman gives a weaker attack with S2· T≈ N2 (e.g., S= T≈ N2/3). To prove lower bounds, one considers an adversary who has access to an oracle f: [ N] → [N] and can make T oracle queries. The best known lower bound is S· T∈ Ω(N) and holds for random functions and permutations. We construct functions that provably require more time and/or space to invert. Specifically, for any constant k we construct a function [N] → [N] that cannot be inverted unless Sk· T∈ Ω(Nk) (in particular, S= T≈ (Formula presented). Our construction does not contradict Hellman’s time-memory trade-off, because it cannot be efficiently evaluated in forward direction. However, its entire function table can be computed in time quasilinear in N, which is sufficient for the PoS application. Our simplest construction is built from a random function oracle g: [N] × [N] → [ N] and a random permutation oracle f: [N] → N] and is defined as h(x) = g(x, x′) where f(x) = π(f(x′)) with π being any involution without a fixed point, e.g. flipping all the bits. For this function we prove that any adversary who gets S bits of auxiliary information, makes at most T oracle queries, and inverts h on an ϵ fraction of outputs must satisfy S2· T∈ Ω(ϵ2N2).","lang":"eng"}],"oa_version":"Submitted Version","related_material":{"record":[{"id":"83","status":"public","relation":"dissertation_contains"}]},"volume":10625,"ec_funded":1,"publication_identifier":{"isbn":["978-331970696-2"]},"publication_status":"published","language":[{"iso":"eng"}],"type":"conference","conference":{"location":"Hong Kong, China","end_date":"2017-12-07","start_date":"2017-12-03","name":"ASIACRYPT: Theory and Applications of Cryptology and Information Security"},"status":"public","_id":"559","department":[{"_id":"KrPi"}],"date_updated":"2023-09-07T12:30:22Z"},{"year":"2017","day":"01","page":"133 - 163","doi":"10.1007/978-3-319-63688-7_5","date_published":"2017-01-01T00:00:00Z","date_created":"2018-12-11T11:47:38Z","quality_controlled":"1","publisher":"Springer","oa":1,"citation":{"ista":"Jafargholi Z, Kamath Hosdurg C, Klein K, Komargodski I, Pietrzak KZ, Wichs D. 2017. Be adaptive avoid overcommitting. CRYPTO: Cryptology, LNCS, vol. 10401, 133–163.","chicago":"Jafargholi, Zahra, Chethan Kamath Hosdurg, Karen Klein, Ilan Komargodski, Krzysztof Z Pietrzak, and Daniel Wichs. “Be Adaptive Avoid Overcommitting.” edited by Jonathan Katz and Hovav Shacham, 10401:133–63. Springer, 2017. https://doi.org/10.1007/978-3-319-63688-7_5.","short":"Z. Jafargholi, C. Kamath Hosdurg, K. Klein, I. Komargodski, K.Z. Pietrzak, D. Wichs, in:, J. Katz, H. Shacham (Eds.), Springer, 2017, pp. 133–163.","ieee":"Z. Jafargholi, C. Kamath Hosdurg, K. Klein, I. Komargodski, K. Z. Pietrzak, and D. Wichs, “Be adaptive avoid overcommitting,” presented at the CRYPTO: Cryptology, Santa Barbara, CA, United States, 2017, vol. 10401, pp. 133–163.","ama":"Jafargholi Z, Kamath Hosdurg C, Klein K, Komargodski I, Pietrzak KZ, Wichs D. Be adaptive avoid overcommitting. In: Katz J, Shacham H, eds. Vol 10401. Springer; 2017:133-163. doi:10.1007/978-3-319-63688-7_5","apa":"Jafargholi, Z., Kamath Hosdurg, C., Klein, K., Komargodski, I., Pietrzak, K. Z., & Wichs, D. (2017). Be adaptive avoid overcommitting. In J. Katz & H. Shacham (Eds.) (Vol. 10401, pp. 133–163). Presented at the CRYPTO: Cryptology, Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-319-63688-7_5","mla":"Jafargholi, Zahra, et al. Be Adaptive Avoid Overcommitting. Edited by Jonathan Katz and Hovav Shacham, vol. 10401, Springer, 2017, pp. 133–63, doi:10.1007/978-3-319-63688-7_5."},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","author":[{"full_name":"Jafargholi, Zahra","last_name":"Jafargholi","first_name":"Zahra"},{"last_name":"Kamath Hosdurg","full_name":"Kamath Hosdurg, Chethan","first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Karen","id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","full_name":"Klein, Karen","last_name":"Klein"},{"first_name":"Ilan","last_name":"Komargodski","full_name":"Komargodski, Ilan"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"},{"last_name":"Wichs","full_name":"Wichs, Daniel","first_name":"Daniel"}],"publist_id":"7151","editor":[{"full_name":"Katz, Jonathan","last_name":"Katz","first_name":"Jonathan"},{"first_name":"Hovav","last_name":"Shacham","full_name":"Shacham, Hovav"}],"title":"Be adaptive avoid overcommitting","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}],"publication_identifier":{"isbn":["978-331963687-0"]},"publication_status":"published","language":[{"iso":"eng"}],"related_material":{"record":[{"status":"public","id":"10035","relation":"dissertation_contains"}]},"volume":10401,"ec_funded":1,"abstract":[{"text":"For many cryptographic primitives, it is relatively easy to achieve selective security (where the adversary commits a-priori to some of the choices to be made later in the attack) but appears difficult to achieve the more natural notion of adaptive security (where the adversary can make all choices on the go as the attack progresses). A series of several recent works shows how to cleverly achieve adaptive security in several such scenarios including generalized selective decryption (Panjwani, TCC ’07 and Fuchsbauer et al., CRYPTO ’15), constrained PRFs (Fuchsbauer et al., ASIACRYPT ’14), and Yao garbled circuits (Jafargholi and Wichs, TCC ’16b). Although the above works expressed vague intuition that they share a common technique, the connection was never made precise. In this work we present a new framework that connects all of these works and allows us to present them in a unified and simplified fashion. Moreover, we use the framework to derive a new result for adaptively secure secret sharing over access structures defined via monotone circuits. We envision that further applications will follow in the future. Underlying our framework is the following simple idea. It is well known that selective security, where the adversary commits to n-bits of information about his future choices, automatically implies adaptive security at the cost of amplifying the adversary’s advantage by a factor of up to 2n. However, in some cases the proof of selective security proceeds via a sequence of hybrids, where each pair of adjacent hybrids locally only requires some smaller partial information consisting of m ≪ n bits. The partial information needed might be completely different between different pairs of hybrids, and if we look across all the hybrids we might rely on the entire n-bit commitment. Nevertheless, the above is sufficient to prove adaptive security, at the cost of amplifying the adversary’s advantage by a factor of only 2m ≪ 2n. In all of our examples using the above framework, the different hybrids are captured by some sort of a graph pebbling game and the amount of information that the adversary needs to commit to in each pair of hybrids is bounded by the maximum number of pebbles in play at any point in time. Therefore, coming up with better strategies for proving adaptive security translates to various pebbling strategies for different types of graphs.","lang":"eng"}],"oa_version":"Submitted Version","alternative_title":["LNCS"],"scopus_import":1,"main_file_link":[{"url":"https://eprint.iacr.org/2017/515","open_access":"1"}],"month":"01","intvolume":" 10401","date_updated":"2023-09-07T13:32:11Z","department":[{"_id":"KrPi"}],"_id":"637","type":"conference","conference":{"end_date":"2017-07-24","location":"Santa Barbara, CA, United States","start_date":"2017-07-20","name":"CRYPTO: Cryptology"},"status":"public"},{"quality_controlled":"1","publisher":"Schloss Dagstuhl - Leibniz-Zentrum für Informatik","oa":1,"day":"01","isi":1,"year":"2017","doi":"10.4230/LIPIcs.STACS.2017.57","date_published":"2017-03-01T00:00:00Z","date_created":"2018-12-11T11:50:32Z","article_number":"57","project":[{"name":"Teaching Old Crypto New Tricks","grant_number":"682815","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}],"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"chicago":"Skórski, Maciej. “Lower Bounds on Key Derivation for Square-Friendly Applications,” Vol. 66. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017. https://doi.org/10.4230/LIPIcs.STACS.2017.57.","ista":"Skórski M. 2017. Lower bounds on key derivation for square-friendly applications. STACS: Symposium on Theoretical Aspects of Computer Science, LIPIcs, vol. 66, 57.","mla":"Skórski, Maciej. Lower Bounds on Key Derivation for Square-Friendly Applications. Vol. 66, 57, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, doi:10.4230/LIPIcs.STACS.2017.57.","short":"M. Skórski, in:, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017.","ieee":"M. Skórski, “Lower bounds on key derivation for square-friendly applications,” presented at the STACS: Symposium on Theoretical Aspects of Computer Science, Hannover, Germany, 2017, vol. 66.","ama":"Skórski M. Lower bounds on key derivation for square-friendly applications. In: Vol 66. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2017. doi:10.4230/LIPIcs.STACS.2017.57","apa":"Skórski, M. (2017). Lower bounds on key derivation for square-friendly applications (Vol. 66). Presented at the STACS: Symposium on Theoretical Aspects of Computer Science, Hannover, Germany: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. https://doi.org/10.4230/LIPIcs.STACS.2017.57"},"title":"Lower bounds on key derivation for square-friendly applications","author":[{"id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD","first_name":"Maciej","last_name":"Skórski","full_name":"Skórski, Maciej"}],"publist_id":"6180","external_id":{"isi":["000521077300057"]},"article_processing_charge":"No","oa_version":"Submitted Version","abstract":[{"text":"Security of cryptographic applications is typically defined by security games. The adversary, within certain resources, cannot win with probability much better than 0 (for unpredictability applications, like one-way functions) or much better than 1/2 (indistinguishability applications for instance encryption schemes). In so called squared-friendly applications the winning probability of the adversary, for different values of the application secret randomness, is not only close to 0 or 1/2 on average, but also concentrated in the sense that its second central moment is small. The class of squared-friendly applications, which contains all unpredictability applications and many indistinguishability applications, is particularly important for key derivation. Barak et al. observed that for square-friendly applications one can beat the "RT-bound", extracting secure keys with significantly smaller entropy loss. In turn Dodis and Yu showed that in squared-friendly applications one can directly use a "weak" key, which has only high entropy, as a secure key. In this paper we give sharp lower bounds on square security assuming security for "weak" keys. We show that any application which is either (a) secure with weak keys or (b) allows for entropy savings for keys derived by universal hashing, must be square-friendly. Quantitatively, our lower bounds match the positive results of Dodis and Yu and Barak et al. (TCC\\'13, CRYPTO\\'11) Hence, they can be understood as a general characterization of squared-friendly applications. While the positive results on squared-friendly applications where derived by one clever application of the Cauchy-Schwarz Inequality, for tight lower bounds we need more machinery. In our approach we use convex optimization techniques and some theory of circular matrices.","lang":"eng"}],"month":"03","intvolume":" 66","scopus_import":"1","alternative_title":["LIPIcs"],"main_file_link":[{"open_access":"1","url":"http://drops.dagstuhl.de/opus/volltexte/2017/6976"}],"language":[{"iso":"eng"}],"publication_identifier":{"issn":["18688969"]},"publication_status":"published","volume":66,"ec_funded":1,"_id":"1174","status":"public","type":"conference","conference":{"name":"STACS: Symposium on Theoretical Aspects of Computer Science","end_date":"2017-03-11","location":"Hannover, Germany","start_date":"2017-03-08"},"date_updated":"2023-09-20T11:23:15Z","department":[{"_id":"KrPi"}]},{"status":"public","conference":{"name":"EuroS&P: European Symposium on Security and Privacy","location":"Paris, France","end_date":"2017-04-28","start_date":"2017-04-26"},"type":"conference","_id":"1176","department":[{"_id":"KrPi"}],"date_updated":"2023-09-20T11:22:25Z","month":"07","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2016/759"}],"scopus_import":"1","oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"The algorithm Argon2i-B of Biryukov, Dinu and Khovratovich is currently being considered by the IRTF (Internet Research Task Force) as a new de-facto standard for password hashing. An older version (Argon2i-A) of the same algorithm was chosen as the winner of the recent Password Hashing Competition. An important competitor to Argon2i-B is the recently introduced Balloon Hashing (BH) algorithm of Corrigan-Gibs, Boneh and Schechter. A key security desiderata for any such algorithm is that evaluating it (even using a custom device) requires a large amount of memory amortized across multiple instances. Alwen and Blocki (CRYPTO 2016) introduced a class of theoretical attacks against Argon2i-A and BH. While these attacks yield large asymptotic reductions in the amount of memory, it was not, a priori, clear if (1) they can be extended to the newer Argon2i-B, (2) the attacks are effective on any algorithm for practical parameter ranges (e.g., 1GB of memory) and (3) if they can be effectively instantiated against any algorithm under realistic hardware constrains. In this work we answer all three of these questions in the affirmative for all three algorithms. This is also the first work to analyze the security of Argon2i-B. In more detail, we extend the theoretical attacks of Alwen and Blocki (CRYPTO 2016) to the recent Argon2i-B proposal demonstrating severe asymptotic deficiencies in its security. Next we introduce several novel heuristics for improving the attack's concrete memory efficiency even when on-chip memory bandwidth is bounded. We then simulate our attacks on randomly sampled Argon2i-A, Argon2i-B and BH instances and measure the resulting memory consumption for various practical parameter ranges and for a variety of upperbounds on the amount of parallelism available to the attacker. Finally we describe, implement, and test a new heuristic for applying the Alwen-Blocki attack to functions employing a technique developed by Corrigan-Gibs et al. for improving concrete security of memory-hard functions. We analyze the collected data and show the effects various parameters have on the memory consumption of the attack. In particular, we can draw several interesting conclusions about the level of security provided by these functions. · For the Alwen-Blocki attack to fail against practical memory parameters, Argon2i-B must be instantiated with more than 10 passes on memory - beyond the \"paranoid\" parameter setting in the current IRTF proposal. · The technique of Corrigan-Gibs for improving security can also be overcome by the Alwen-Blocki attack under realistic hardware constraints. · On a positive note, both the asymptotic and concrete security of Argon2i-B seem to improve on that of Argon2i-A."}],"language":[{"iso":"eng"}],"publication_status":"published","publication_identifier":{"isbn":["978-150905761-0"]},"article_number":"7961977","title":"Towards practical attacks on Argon2i and balloon hashing","external_id":{"isi":["000424197300011"]},"article_processing_charge":"No","author":[{"full_name":"Alwen, Joel F","last_name":"Alwen","first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Blocki","full_name":"Blocki, Jeremiah","first_name":"Jeremiah"}],"publist_id":"6178","user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","citation":{"ista":"Alwen JF, Blocki J. 2017. Towards practical attacks on Argon2i and balloon hashing. EuroS&P: European Symposium on Security and Privacy, 7961977.","chicago":"Alwen, Joel F, and Jeremiah Blocki. “Towards Practical Attacks on Argon2i and Balloon Hashing.” IEEE, 2017. https://doi.org/10.1109/EuroSP.2017.47.","short":"J.F. Alwen, J. Blocki, in:, IEEE, 2017.","ieee":"J. F. Alwen and J. Blocki, “Towards practical attacks on Argon2i and balloon hashing,” presented at the EuroS&P: European Symposium on Security and Privacy, Paris, France, 2017.","apa":"Alwen, J. F., & Blocki, J. (2017). Towards practical attacks on Argon2i and balloon hashing. Presented at the EuroS&P: European Symposium on Security and Privacy, Paris, France: IEEE. https://doi.org/10.1109/EuroSP.2017.47","ama":"Alwen JF, Blocki J. Towards practical attacks on Argon2i and balloon hashing. In: IEEE; 2017. doi:10.1109/EuroSP.2017.47","mla":"Alwen, Joel F., and Jeremiah Blocki. Towards Practical Attacks on Argon2i and Balloon Hashing. 7961977, IEEE, 2017, doi:10.1109/EuroSP.2017.47."},"oa":1,"quality_controlled":"1","publisher":"IEEE","date_created":"2018-12-11T11:50:33Z","doi":"10.1109/EuroSP.2017.47","date_published":"2017-07-03T00:00:00Z","day":"03","year":"2017","isi":1},{"abstract":[{"lang":"eng","text":"We construct efficient authentication protocols and message authentication codes (MACs) whose security can be reduced to the learning parity with noise (LPN) problem. Despite a large body of work—starting with the (Formula presented.) protocol of Hopper and Blum in 2001—until now it was not even known how to construct an efficient authentication protocol from LPN which is secure against man-in-the-middle attacks. A MAC implies such a (two-round) protocol."}],"oa_version":"Submitted Version","scopus_import":"1","intvolume":" 30","month":"10","publication_status":"published","language":[{"iso":"eng"}],"file":[{"checksum":"c647520d115b772a1682fc06fa273eb1","file_id":"7843","relation":"main_file","access_level":"open_access","content_type":"application/pdf","file_name":"2017_JournalCrypto_Kiltz.pdf","date_created":"2020-05-14T16:30:17Z","creator":"dernst","file_size":516959,"date_updated":"2020-07-14T12:44:37Z"}],"ec_funded":1,"issue":"4","related_material":{"record":[{"status":"public","id":"3238","relation":"earlier_version"}]},"volume":30,"_id":"1187","type":"journal_article","article_type":"original","status":"public","date_updated":"2023-09-20T11:20:58Z","ddc":["000"],"department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:44:37Z","oa":1,"quality_controlled":"1","publisher":"Springer","year":"2017","isi":1,"has_accepted_license":"1","publication":"Journal of Cryptology","day":"01","page":"1238 - 1275","date_created":"2018-12-11T11:50:37Z","date_published":"2017-10-01T00:00:00Z","doi":"10.1007/s00145-016-9247-3","project":[{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","name":"Teaching Old Crypto New Tricks","grant_number":"682815"},{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"citation":{"chicago":"Kiltz, Eike, Krzysztof Z Pietrzak, Daniele Venturi, David Cash, and Abhishek Jain. “Efficient Authentication from Hard Learning Problems.” Journal of Cryptology. Springer, 2017. https://doi.org/10.1007/s00145-016-9247-3.","ista":"Kiltz E, Pietrzak KZ, Venturi D, Cash D, Jain A. 2017. Efficient authentication from hard learning problems. Journal of Cryptology. 30(4), 1238–1275.","mla":"Kiltz, Eike, et al. “Efficient Authentication from Hard Learning Problems.” Journal of Cryptology, vol. 30, no. 4, Springer, 2017, pp. 1238–75, doi:10.1007/s00145-016-9247-3.","ama":"Kiltz E, Pietrzak KZ, Venturi D, Cash D, Jain A. Efficient authentication from hard learning problems. Journal of Cryptology. 2017;30(4):1238-1275. doi:10.1007/s00145-016-9247-3","apa":"Kiltz, E., Pietrzak, K. Z., Venturi, D., Cash, D., & Jain, A. (2017). Efficient authentication from hard learning problems. Journal of Cryptology. Springer. https://doi.org/10.1007/s00145-016-9247-3","ieee":"E. Kiltz, K. Z. Pietrzak, D. Venturi, D. Cash, and A. Jain, “Efficient authentication from hard learning problems,” Journal of Cryptology, vol. 30, no. 4. Springer, pp. 1238–1275, 2017.","short":"E. Kiltz, K.Z. Pietrzak, D. Venturi, D. Cash, A. Jain, Journal of Cryptology 30 (2017) 1238–1275."},"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","article_processing_charge":"No","external_id":{"isi":["000410788600007"]},"author":[{"first_name":"Eike","full_name":"Kiltz, Eike","last_name":"Kiltz"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"},{"full_name":"Venturi, Daniele","last_name":"Venturi","first_name":"Daniele"},{"last_name":"Cash","full_name":"Cash, David","first_name":"David"},{"last_name":"Jain","full_name":"Jain, Abhishek","first_name":"Abhishek"}],"publist_id":"6166","title":"Efficient authentication from hard learning problems"},{"day":"01","language":[{"iso":"eng"}],"publication":"Algorithmica","publication_status":"published","year":"2016","date_published":"2016-04-01T00:00:00Z","doi":"10.1007/s00453-015-9997-6","volume":74,"issue":"4","date_created":"2018-12-11T11:50:33Z","page":"1321 - 1362","oa_version":"Submitted Version","acknowledgement":"We are grateful to the anonymous reviewers for their insightful comments. The\r\ndetailed reports helped us a lot to address the technical mistakes as well as to improve the overall presentation of the paper.","abstract":[{"lang":"eng","text":"Boldyreva, Palacio and Warinschi introduced a multiple forking game as an extension of general forking. The notion of (multiple) forking is a useful abstraction from the actual simulation of cryptographic scheme to the adversary in a security reduction, and is achieved through the intermediary of a so-called wrapper algorithm. Multiple forking has turned out to be a useful tool in the security argument of several cryptographic protocols. However, a reduction employing multiple forking incurs a significant degradation of (Formula presented.) , where (Formula presented.) denotes the upper bound on the underlying random oracle calls and (Formula presented.) , the number of forkings. In this work we take a closer look at the reasons for the degradation with a tighter security bound in mind. We nail down the exact set of conditions for success in the multiple forking game. A careful analysis of the cryptographic schemes and corresponding security reduction employing multiple forking leads to the formulation of ‘dependence’ and ‘independence’ conditions pertaining to the output of the wrapper in different rounds. Based on the (in)dependence conditions we propose a general framework of multiple forking and a General Multiple Forking Lemma. Leveraging (in)dependence to the full allows us to improve the degradation factor in the multiple forking game by a factor of (Formula presented.). By implication, the cost of a single forking involving two random oracles (augmented forking) matches that involving a single random oracle (elementary forking). Finally, we study the effect of these observations on the concrete security of existing schemes employing multiple forking. We conclude that by careful design of the protocol (and the wrapper in the security reduction) it is possible to harness our observations to the full extent."}],"month":"04","intvolume":" 74","publisher":"Springer","quality_controlled":"1","main_file_link":[{"url":"http://eprint.iacr.org/2013/651","open_access":"1"}],"oa":1,"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Kamath Hosdurg, Chethan, and Sanjit Chatterjee. “A Closer Look at Multiple-Forking: Leveraging (in)Dependence for a Tighter Bound.” Algorithmica. Springer, 2016. https://doi.org/10.1007/s00453-015-9997-6.","ista":"Kamath Hosdurg C, Chatterjee S. 2016. A closer look at multiple-forking: Leveraging (in)dependence for a tighter bound. Algorithmica. 74(4), 1321–1362.","mla":"Kamath Hosdurg, Chethan, and Sanjit Chatterjee. “A Closer Look at Multiple-Forking: Leveraging (in)Dependence for a Tighter Bound.” Algorithmica, vol. 74, no. 4, Springer, 2016, pp. 1321–62, doi:10.1007/s00453-015-9997-6.","short":"C. Kamath Hosdurg, S. Chatterjee, Algorithmica 74 (2016) 1321–1362.","ieee":"C. Kamath Hosdurg and S. Chatterjee, “A closer look at multiple-forking: Leveraging (in)dependence for a tighter bound,” Algorithmica, vol. 74, no. 4. Springer, pp. 1321–1362, 2016.","apa":"Kamath Hosdurg, C., & Chatterjee, S. (2016). A closer look at multiple-forking: Leveraging (in)dependence for a tighter bound. Algorithmica. Springer. https://doi.org/10.1007/s00453-015-9997-6","ama":"Kamath Hosdurg C, Chatterjee S. A closer look at multiple-forking: Leveraging (in)dependence for a tighter bound. Algorithmica. 2016;74(4):1321-1362. doi:10.1007/s00453-015-9997-6"},"date_updated":"2021-01-12T06:48:52Z","title":"A closer look at multiple-forking: Leveraging (in)dependence for a tighter bound","department":[{"_id":"KrPi"}],"publist_id":"6177","author":[{"last_name":"Kamath Hosdurg","full_name":"Kamath Hosdurg, Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","first_name":"Chethan"},{"first_name":"Sanjit","last_name":"Chatterjee","full_name":"Chatterjee, Sanjit"}],"_id":"1177","status":"public","type":"journal_article"},{"date_created":"2018-12-11T11:50:34Z","date_published":"2016-10-22T00:00:00Z","doi":"10.1007/978-3-662-53641-4_8","page":"183 - 203","day":"22","year":"2016","oa":1,"publisher":"Springer","quality_controlled":"1","acknowledgement":"K. Pietrzak—Supported by the European Research Council consolidator grant (682815-TOCNeT).\r\nM. Skórski—Supported by the National Science Center, Poland (2015/17/N/ST6/03564).","title":"Pseudoentropy: Lower-bounds for chain rules and transformations","publist_id":"6175","author":[{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"},{"first_name":"Skorski","last_name":"Maciej","full_name":"Maciej, Skorski"}],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Pietrzak, Krzysztof Z., and Skorski Maciej. Pseudoentropy: Lower-Bounds for Chain Rules and Transformations. Vol. 9985, Springer, 2016, pp. 183–203, doi:10.1007/978-3-662-53641-4_8.","apa":"Pietrzak, K. Z., & Maciej, S. (2016). Pseudoentropy: Lower-bounds for chain rules and transformations (Vol. 9985, pp. 183–203). Presented at the TCC: Theory of Cryptography Conference, Beijing, China: Springer. https://doi.org/10.1007/978-3-662-53641-4_8","ama":"Pietrzak KZ, Maciej S. Pseudoentropy: Lower-bounds for chain rules and transformations. In: Vol 9985. Springer; 2016:183-203. doi:10.1007/978-3-662-53641-4_8","ieee":"K. Z. Pietrzak and S. Maciej, “Pseudoentropy: Lower-bounds for chain rules and transformations,” presented at the TCC: Theory of Cryptography Conference, Beijing, China, 2016, vol. 9985, pp. 183–203.","short":"K.Z. Pietrzak, S. Maciej, in:, Springer, 2016, pp. 183–203.","chicago":"Pietrzak, Krzysztof Z, and Skorski Maciej. “Pseudoentropy: Lower-Bounds for Chain Rules and Transformations,” 9985:183–203. Springer, 2016. https://doi.org/10.1007/978-3-662-53641-4_8.","ista":"Pietrzak KZ, Maciej S. 2016. Pseudoentropy: Lower-bounds for chain rules and transformations. TCC: Theory of Cryptography Conference, LNCS, vol. 9985, 183–203."},"project":[{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020"}],"ec_funded":1,"volume":9985,"language":[{"iso":"eng"}],"publication_status":"published","intvolume":" 9985","month":"10","main_file_link":[{"url":"https://eprint.iacr.org/2016/159","open_access":"1"}],"scopus_import":1,"alternative_title":["LNCS"],"oa_version":"Preprint","abstract":[{"text":"Computational notions of entropy have recently found many applications, including leakage-resilient cryptography, deterministic encryption or memory delegation. The two main types of results which make computational notions so useful are (1) Chain rules, which quantify by how much the computational entropy of a variable decreases if conditioned on some other variable (2) Transformations, which quantify to which extend one type of entropy implies another.\r\n\r\nSuch chain rules and transformations typically lose a significant amount in quality of the entropy, and are the reason why applying these results one gets rather weak quantitative security bounds. In this paper we for the first time prove lower bounds in this context, showing that existing results for transformations are, unfortunately, basically optimal for non-adaptive black-box reductions (and it’s hard to imagine how non black-box reductions or adaptivity could be useful here.)\r\n\r\nA variable X has k bits of HILL entropy of quality (ϵ,s)\r\nif there exists a variable Y with k bits min-entropy which cannot be distinguished from X with advantage ϵ\r\n\r\nby distinguishing circuits of size s. A weaker notion is Metric entropy, where we switch quantifiers, and only require that for every distinguisher of size s, such a Y exists.\r\n\r\nWe first describe our result concerning transformations. By definition, HILL implies Metric without any loss in quality. Metric entropy often comes up in applications, but must be transformed to HILL for meaningful security guarantees. The best known result states that if a variable X has k bits of Metric entropy of quality (ϵ,s)\r\n, then it has k bits of HILL with quality (2ϵ,s⋅ϵ2). We show that this loss of a factor Ω(ϵ−2)\r\n\r\nin circuit size is necessary. In fact, we show the stronger result that this loss is already necessary when transforming so called deterministic real valued Metric entropy to randomised boolean Metric (both these variants of Metric entropy are implied by HILL without loss in quality).\r\n\r\nThe chain rule for HILL entropy states that if X has k bits of HILL entropy of quality (ϵ,s)\r\n, then for any variable Z of length m, X conditioned on Z has k−m bits of HILL entropy with quality (ϵ,s⋅ϵ2/2m). We show that a loss of Ω(2m/ϵ) in circuit size necessary here. Note that this still leaves a gap of ϵ between the known bound and our lower bound.","lang":"eng"}],"department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T06:48:53Z","status":"public","conference":{"start_date":"2016-10-31","location":"Beijing, China","end_date":"2016-11-03","name":"TCC: Theory of Cryptography Conference"},"type":"conference","_id":"1179"},{"acknowledgement":"Joël Alwen, Chethan Kamath, and Krzysztof Pietrzak’s research is partially supported by an ERC starting grant (259668-PSPC). Vladimir Kolmogorov is partially supported by an ERC consolidator grant (616160-DOICV). Binyi Chen was partially supported by NSF grants CNS-1423566 and CNS-1514526, and a gift from the Gareatis Foundation. Stefano Tessaro was partially supported by NSF grants CNS-1423566, CNS-1528178, a Hellman Fellowship, and the Glen and Susanne Culler Chair.\r\n\r\nThis work was done in part while the authors were visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant CNS-1523467.","oa":1,"publisher":"Springer","quality_controlled":"1","year":"2016","day":"28","page":"358 - 387","date_created":"2018-12-11T11:50:51Z","doi":"10.1007/978-3-662-49896-5_13","date_published":"2016-04-28T00:00:00Z","project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"},{"_id":"25FBA906-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","name":"Discrete Optimization in Computer Vision: Theory and Practice","grant_number":"616160"}],"citation":{"chicago":"Alwen, Joel F, Binyi Chen, Chethan Kamath Hosdurg, Vladimir Kolmogorov, Krzysztof Z Pietrzak, and Stefano Tessaro. “On the Complexity of Scrypt and Proofs of Space in the Parallel Random Oracle Model,” 9666:358–87. Springer, 2016. https://doi.org/10.1007/978-3-662-49896-5_13.","ista":"Alwen JF, Chen B, Kamath Hosdurg C, Kolmogorov V, Pietrzak KZ, Tessaro S. 2016. On the complexity of scrypt and proofs of space in the parallel random oracle model. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 9666, 358–387.","mla":"Alwen, Joel F., et al. On the Complexity of Scrypt and Proofs of Space in the Parallel Random Oracle Model. Vol. 9666, Springer, 2016, pp. 358–87, doi:10.1007/978-3-662-49896-5_13.","short":"J.F. Alwen, B. Chen, C. Kamath Hosdurg, V. Kolmogorov, K.Z. Pietrzak, S. Tessaro, in:, Springer, 2016, pp. 358–387.","ieee":"J. F. Alwen, B. Chen, C. Kamath Hosdurg, V. Kolmogorov, K. Z. Pietrzak, and S. Tessaro, “On the complexity of scrypt and proofs of space in the parallel random oracle model,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Vienna, Austria, 2016, vol. 9666, pp. 358–387.","ama":"Alwen JF, Chen B, Kamath Hosdurg C, Kolmogorov V, Pietrzak KZ, Tessaro S. On the complexity of scrypt and proofs of space in the parallel random oracle model. In: Vol 9666. Springer; 2016:358-387. doi:10.1007/978-3-662-49896-5_13","apa":"Alwen, J. F., Chen, B., Kamath Hosdurg, C., Kolmogorov, V., Pietrzak, K. Z., & Tessaro, S. (2016). On the complexity of scrypt and proofs of space in the parallel random oracle model (Vol. 9666, pp. 358–387). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Vienna, Austria: Springer. https://doi.org/10.1007/978-3-662-49896-5_13"},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","publist_id":"6103","author":[{"full_name":"Alwen, Joel F","last_name":"Alwen","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F"},{"first_name":"Binyi","full_name":"Chen, Binyi","last_name":"Chen"},{"id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","first_name":"Chethan","full_name":"Kamath Hosdurg, Chethan","last_name":"Kamath Hosdurg"},{"last_name":"Kolmogorov","full_name":"Kolmogorov, Vladimir","first_name":"Vladimir","id":"3D50B0BA-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Stefano","full_name":"Tessaro, Stefano","last_name":"Tessaro"}],"title":"On the complexity of scrypt and proofs of space in the parallel random oracle model","abstract":[{"lang":"eng","text":"We study the time-and memory-complexities of the problem of computing labels of (multiple) randomly selected challenge-nodes in a directed acyclic graph. The w-bit label of a node is the hash of the labels of its parents, and the hash function is modeled as a random oracle. Specific instances of this problem underlie both proofs of space [Dziembowski et al. CRYPTO’15] as well as popular memory-hard functions like scrypt. As our main tool, we introduce the new notion of a probabilistic parallel entangled pebbling game, a new type of combinatorial pebbling game on a graph, which is closely related to the labeling game on the same graph. As a first application of our framework, we prove that for scrypt, when the underlying hash function is invoked n times, the cumulative memory complexity (CMC) (a notion recently introduced by Alwen and Serbinenko (STOC’15) to capture amortized memory-hardness for parallel adversaries) is at least Ω(w · (n/ log(n))2). This bound holds for adversaries that can store many natural functions of the labels (e.g., linear combinations), but still not arbitrary functions thereof. We then introduce and study a combinatorial quantity, and show how a sufficiently small upper bound on it (which we conjecture) extends our CMC bound for scrypt to hold against arbitrary adversaries. We also show that such an upper bound solves the main open problem for proofs-of-space protocols: namely, establishing that the time complexity of computing the label of a random node in a graph on n nodes (given an initial kw-bit state) reduces tightly to the time complexity for black pebbling on the same graph (given an initial k-node pebbling)."}],"oa_version":"Submitted Version","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2016/100"}],"alternative_title":["LNCS"],"scopus_import":1,"intvolume":" 9666","month":"04","publication_status":"published","language":[{"iso":"eng"}],"ec_funded":1,"volume":9666,"_id":"1231","conference":{"end_date":"2016-05-12","location":"Vienna, Austria","start_date":"2016-05-08","name":"EUROCRYPT: Theory and Applications of Cryptographic Techniques"},"type":"conference","status":"public","date_updated":"2021-01-12T06:49:15Z","department":[{"_id":"KrPi"},{"_id":"VlKo"}]},{"language":[{"iso":"eng"}],"publication_status":"published","volume":9562,"ec_funded":1,"oa_version":"Submitted Version","abstract":[{"text":"About three decades ago it was realized that implementing private channels between parties which can be adaptively corrupted requires an encryption scheme that is secure against selective opening attacks. Whether standard (IND-CPA) security implies security against selective opening attacks has been a major open question since. The only known reduction from selective opening to IND-CPA security loses an exponential factor. A polynomial reduction is only known for the very special case where the distribution considered in the selective opening security experiment is a product distribution, i.e., the messages are sampled independently from each other. In this paper we give a reduction whose loss is quantified via the dependence graph (where message dependencies correspond to edges) of the underlying message distribution. In particular, for some concrete distributions including Markov distributions, our reduction is polynomial.","lang":"eng"}],"month":"01","intvolume":" 9562","alternative_title":["LNCS"],"scopus_import":1,"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2015/853"}],"date_updated":"2021-01-12T06:49:16Z","department":[{"_id":"KrPi"}],"_id":"1233","status":"public","type":"conference","conference":{"end_date":"2016-01-13","location":"Tel Aviv, Israel","start_date":"2016-01-10","name":"TCC: Theory of Cryptography Conference"},"day":"01","year":"2016","doi":"10.1007/978-3-662-49096-9_12","date_published":"2016-01-01T00:00:00Z","date_created":"2018-12-11T11:50:51Z","page":"282 - 305","acknowledgement":"G. Fuchsbauer and K. Pietrzak are supported by the European Research Council, ERC Starting Grant (259668-PSPC). F. Heuer is funded by a Sofja Kovalevskaja Award of the Alexander von Humboldt Foundation and DFG SPP 1736, Algorithms for BIG DATA. E. Kiltz is supported by a Sofja Kovalevskaja Award of the Alexander von Humboldt Foundation, the German Israel Foundation, and ERC Project ERCC (FP7/615074).","publisher":"Springer","quality_controlled":"1","oa":1,"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Fuchsbauer, Georg, Felix Heuer, Eike Kiltz, and Krzysztof Z Pietrzak. “Standard Security Does Imply Security against Selective Opening for Markov Distributions,” 9562:282–305. Springer, 2016. https://doi.org/10.1007/978-3-662-49096-9_12.","ista":"Fuchsbauer G, Heuer F, Kiltz E, Pietrzak KZ. 2016. Standard security does imply security against selective opening for markov distributions. TCC: Theory of Cryptography Conference, LNCS, vol. 9562, 282–305.","mla":"Fuchsbauer, Georg, et al. Standard Security Does Imply Security against Selective Opening for Markov Distributions. Vol. 9562, Springer, 2016, pp. 282–305, doi:10.1007/978-3-662-49096-9_12.","short":"G. Fuchsbauer, F. Heuer, E. Kiltz, K.Z. Pietrzak, in:, Springer, 2016, pp. 282–305.","ieee":"G. Fuchsbauer, F. Heuer, E. Kiltz, and K. Z. Pietrzak, “Standard security does imply security against selective opening for markov distributions,” presented at the TCC: Theory of Cryptography Conference, Tel Aviv, Israel, 2016, vol. 9562, pp. 282–305.","ama":"Fuchsbauer G, Heuer F, Kiltz E, Pietrzak KZ. Standard security does imply security against selective opening for markov distributions. In: Vol 9562. Springer; 2016:282-305. doi:10.1007/978-3-662-49096-9_12","apa":"Fuchsbauer, G., Heuer, F., Kiltz, E., & Pietrzak, K. Z. (2016). Standard security does imply security against selective opening for markov distributions (Vol. 9562, pp. 282–305). Presented at the TCC: Theory of Cryptography Conference, Tel Aviv, Israel: Springer. https://doi.org/10.1007/978-3-662-49096-9_12"},"title":"Standard security does imply security against selective opening for markov distributions","author":[{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg"},{"last_name":"Heuer","full_name":"Heuer, Felix","first_name":"Felix"},{"full_name":"Kiltz, Eike","last_name":"Kiltz","first_name":"Eike"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z"}],"publist_id":"6100","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography"}]},{"intvolume":" 9815","month":"08","main_file_link":[{"url":"http://eprint.iacr.org/2016/115","open_access":"1"}],"oa":1,"scopus_import":1,"quality_controlled":"1","alternative_title":["LNCS"],"publisher":"Springer","oa_version":"Preprint","abstract":[{"text":"A memory-hard function (MHF) f is equipped with a space cost σ and time cost τ parameter such that repeatedly computing fσ,τ on an application specific integrated circuit (ASIC) is not economically advantageous relative to a general purpose computer. Technically we would like that any (generalized) circuit for evaluating an iMHF fσ,τ has area × time (AT) complexity at Θ(σ2 ∗ τ). A data-independent MHF (iMHF) has the added property that it can be computed with almost optimal memory and time complexity by an algorithm which accesses memory in a pattern independent of the input value. Such functions can be specified by fixing a directed acyclic graph (DAG) G on n = Θ(σ ∗ τ) nodes representing its computation graph. In this work we develop new tools for analyzing iMHFs. First we define and motivate a new complexity measure capturing the amount of energy (i.e. electricity) required to compute a function. We argue that, in practice, this measure is at least as important as the more traditional AT-complexity. Next we describe an algorithm A for repeatedly evaluating an iMHF based on an arbitrary DAG G. We upperbound both its energy and AT complexities per instance evaluated in terms of a certain combinatorial property of G. Next we instantiate our attack for several general classes of DAGs which include those underlying many of the most important iMHF candidates in the literature. In particular, we obtain the following results which hold for all choices of parameters σ and τ (and thread-count) such that n = σ ∗ τ. -The Catena-Dragonfly function of [FLW13] has AT and energy complexities O(n1.67). -The Catena-Butterfly function of [FLW13] has complexities is O(n1.67). -The Double-Buffer and the Linear functions of [CGBS16] both have complexities in O(n1.67). -The Argon2i function of [BDK15] (winner of the Password Hashing Competition [PHC]) has complexities O(n7/4 log(n)). -The Single-Buffer function of [CGBS16] has complexities O(n7/4 log(n)). -Any iMHF can be computed by an algorithm with complexities O(n2/ log1 −ε(n)) for all ε > 0. In particular when τ = 1 this shows that the goal of constructing an iMHF with AT-complexity Θ(σ2 ∗ τ ) is unachievable. Along the way we prove a lemma upper-bounding the depth-robustness of any DAG which may prove to be of independent interest.","lang":"eng"}],"date_created":"2018-12-11T11:51:36Z","date_published":"2016-08-01T00:00:00Z","doi":"10.1007/978-3-662-53008-5_9","volume":9815,"page":"241 - 271","language":[{"iso":"eng"}],"day":"01","year":"2016","publication_status":"published","status":"public","conference":{"start_date":"2016-08-14","end_date":"2016-08-18","location":"Santa Barbara, CA, USA","name":"CRYPTO: International Cryptology Conference"},"type":"conference","_id":"1365","department":[{"_id":"KrPi"}],"title":"Efficiently computing data-independent memory-hard functions","publist_id":"5876","author":[{"id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F","last_name":"Alwen","full_name":"Alwen, Joel F"},{"full_name":"Blocki, Jeremiah","last_name":"Blocki","first_name":"Jeremiah"}],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"short":"J.F. Alwen, J. Blocki, in:, Springer, 2016, pp. 241–271.","ieee":"J. F. Alwen and J. Blocki, “Efficiently computing data-independent memory-hard functions,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, USA, 2016, vol. 9815, pp. 241–271.","ama":"Alwen JF, Blocki J. Efficiently computing data-independent memory-hard functions. In: Vol 9815. Springer; 2016:241-271. doi:10.1007/978-3-662-53008-5_9","apa":"Alwen, J. F., & Blocki, J. (2016). Efficiently computing data-independent memory-hard functions (Vol. 9815, pp. 241–271). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, USA: Springer. https://doi.org/10.1007/978-3-662-53008-5_9","mla":"Alwen, Joel F., and Jeremiah Blocki. Efficiently Computing Data-Independent Memory-Hard Functions. Vol. 9815, Springer, 2016, pp. 241–71, doi:10.1007/978-3-662-53008-5_9.","ista":"Alwen JF, Blocki J. 2016. Efficiently computing data-independent memory-hard functions. CRYPTO: International Cryptology Conference, LNCS, vol. 9815, 241–271.","chicago":"Alwen, Joel F, and Jeremiah Blocki. “Efficiently Computing Data-Independent Memory-Hard Functions,” 9815:241–71. Springer, 2016. https://doi.org/10.1007/978-3-662-53008-5_9."},"date_updated":"2021-01-12T06:50:11Z"},{"project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"publist_id":"5872","author":[{"id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","first_name":"Peter","last_name":"Gazi","full_name":"Gazi, Peter"},{"full_name":"Tessaro, Stefano","last_name":"Tessaro","first_name":"Stefano"}],"title":"Provably robust sponge-based PRNGs and KDFs","citation":{"mla":"Gazi, Peter, and Stefano Tessaro. Provably Robust Sponge-Based PRNGs and KDFs. Vol. 9665, Springer, 2016, pp. 87–116, doi:10.1007/978-3-662-49890-3_4.","ama":"Gazi P, Tessaro S. Provably robust sponge-based PRNGs and KDFs. In: Vol 9665. Springer; 2016:87-116. doi:10.1007/978-3-662-49890-3_4","apa":"Gazi, P., & Tessaro, S. (2016). Provably robust sponge-based PRNGs and KDFs (Vol. 9665, pp. 87–116). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Vienna, Austria: Springer. https://doi.org/10.1007/978-3-662-49890-3_4","ieee":"P. Gazi and S. Tessaro, “Provably robust sponge-based PRNGs and KDFs,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Vienna, Austria, 2016, vol. 9665, pp. 87–116.","short":"P. Gazi, S. Tessaro, in:, Springer, 2016, pp. 87–116.","chicago":"Gazi, Peter, and Stefano Tessaro. “Provably Robust Sponge-Based PRNGs and KDFs,” 9665:87–116. Springer, 2016. https://doi.org/10.1007/978-3-662-49890-3_4.","ista":"Gazi P, Tessaro S. 2016. Provably robust sponge-based PRNGs and KDFs. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 9665, 87–116."},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","quality_controlled":"1","publisher":"Springer","oa":1,"page":"87 - 116","doi":"10.1007/978-3-662-49890-3_4","date_published":"2016-05-01T00:00:00Z","date_created":"2018-12-11T11:51:36Z","year":"2016","day":"01","type":"conference","conference":{"start_date":"2016-05-08","end_date":"2016-05-12","location":"Vienna, Austria","name":"EUROCRYPT: Theory and Applications of Cryptographic Techniques"},"status":"public","_id":"1366","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T06:50:11Z","scopus_import":1,"alternative_title":["LNCS"],"main_file_link":[{"url":"https://eprint.iacr.org/2016/169/20160219:201940","open_access":"1"}],"month":"05","intvolume":" 9665","abstract":[{"lang":"eng","text":"We study the problem of devising provably secure PRNGs with input based on the sponge paradigm. Such constructions are very appealing, as efficient software/hardware implementations of SHA-3 can easily be translated into a PRNG in a nearly black-box way. The only existing sponge-based construction, proposed by Bertoni et al. (CHES 2010), fails to achieve the security notion of robustness recently considered by Dodis et al. (CCS 2013), for two reasons: (1) The construction is deterministic, and thus there are high-entropy input distributions on which the construction fails to extract random bits, and (2) The construction is not forward secure, and presented solutions aiming at restoring forward security have not been rigorously analyzed. We propose a seeded variant of Bertoni et al.’s PRNG with input which we prove secure in the sense of robustness, delivering in particular concrete security bounds. On the way, we make what we believe to be an important conceptual contribution, developing a variant of the security framework of Dodis et al. tailored at the ideal permutation model that captures PRNG security in settings where the weakly random inputs are provided from a large class of possible adversarial samplers which are also allowed to query the random permutation. As a further application of our techniques, we also present an efficient sponge-based key-derivation function (which can be instantiated from SHA-3 in a black-box fashion), which we also prove secure when fed with samples from permutation-dependent distributions."}],"oa_version":"Preprint","volume":9665,"ec_funded":1,"publication_status":"published","language":[{"iso":"eng"}]},{"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"mla":"Abe, Masayuki, et al. “Structure Preserving Signatures and Commitments to Group Elements.” Journal of Cryptology, vol. 29, no. 2, Springer, 2016, pp. 363–421, doi:10.1007/s00145-014-9196-7.","ieee":"M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, and M. Ohkubo, “Structure preserving signatures and commitments to group elements,” Journal of Cryptology, vol. 29, no. 2. Springer, pp. 363–421, 2016.","short":"M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo, Journal of Cryptology 29 (2016) 363–421.","ama":"Abe M, Fuchsbauer G, Groth J, Haralambiev K, Ohkubo M. Structure preserving signatures and commitments to group elements. Journal of Cryptology. 2016;29(2):363-421. doi:10.1007/s00145-014-9196-7","apa":"Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., & Ohkubo, M. (2016). Structure preserving signatures and commitments to group elements. Journal of Cryptology. Springer. https://doi.org/10.1007/s00145-014-9196-7","chicago":"Abe, Masayuki, Georg Fuchsbauer, Jens Groth, Kristiyan Haralambiev, and Miyako Ohkubo. “Structure Preserving Signatures and Commitments to Group Elements.” Journal of Cryptology. Springer, 2016. https://doi.org/10.1007/s00145-014-9196-7.","ista":"Abe M, Fuchsbauer G, Groth J, Haralambiev K, Ohkubo M. 2016. Structure preserving signatures and commitments to group elements. Journal of Cryptology. 29(2), 363–421."},"date_updated":"2021-01-12T06:51:49Z","title":"Structure preserving signatures and commitments to group elements","department":[{"_id":"KrPi"}],"publist_id":"5579","author":[{"last_name":"Abe","full_name":"Abe, Masayuki","first_name":"Masayuki"},{"last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Jens","full_name":"Groth, Jens","last_name":"Groth"},{"full_name":"Haralambiev, Kristiyan","last_name":"Haralambiev","first_name":"Kristiyan"},{"first_name":"Miyako","last_name":"Ohkubo","full_name":"Ohkubo, Miyako"}],"_id":"1592","status":"public","type":"journal_article","language":[{"iso":"eng"}],"publication":"Journal of Cryptology","day":"01","publication_status":"published","year":"2016","date_created":"2018-12-11T11:52:54Z","doi":"10.1007/s00145-014-9196-7","date_published":"2016-04-01T00:00:00Z","volume":29,"issue":"2","page":"363 - 421","acknowledgement":"The authors would like to thank the anonymous reviewers of this paper. We also would like to express our appreciation to the program committee and the anonymous reviewers for CRYPTO 2010. The first author thanks Sherman S. M. Chow for his comment on group signatures in Sect. 7.1.","oa_version":"None","abstract":[{"lang":"eng","text":"A modular approach to constructing cryptographic protocols leads to simple designs but often inefficient instantiations. On the other hand, ad hoc constructions may yield efficient protocols at the cost of losing conceptual simplicity. We suggest a new design paradigm, structure-preserving cryptography, that provides a way to construct modular protocols with reasonable efficiency while retaining conceptual simplicity. A cryptographic scheme over a bilinear group is called structure-preserving if its public inputs and outputs consist of elements from the bilinear groups and their consistency can be verified by evaluating pairing-product equations. As structure-preserving schemes smoothly interoperate with each other, they are useful as building blocks in modular design of cryptographic applications. This paper introduces structure-preserving commitment and signature schemes over bilinear groups with several desirable properties. The commitment schemes include homomorphic, trapdoor and length-reducing commitments to group elements, and the structure-preserving signature schemes are the first ones that yield constant-size signatures on multiple group elements. A structure-preserving signature scheme is called automorphic if the public keys lie in the message space, which cannot be achieved by compressing inputs via a cryptographic hash function, as this would destroy the mathematical structure we are trying to preserve. Automorphic signatures can be used for building certification chains underlying privacy-preserving protocols. Among a vast number of applications of structure-preserving protocols, we present an efficient round-optimal blind-signature scheme and a group signature scheme with an efficient and concurrently secure protocol for enrolling new members."}],"intvolume":" 29","month":"04","quality_controlled":"1","scopus_import":1,"publisher":"Springer"},{"related_material":{"record":[{"relation":"earlier_version","status":"public","id":"1647"}]},"volume":9841,"ec_funded":1,"publication_status":"published","language":[{"iso":"eng"}],"alternative_title":["LNCS"],"scopus_import":1,"main_file_link":[{"url":"https://eprint.iacr.org/2016/662","open_access":"1"}],"month":"08","intvolume":" 9841","abstract":[{"text":"At Crypto 2015 Fuchsbauer, Hanser and Slamanig (FHS) presented the first standard-model construction of efficient roundoptimal blind signatures that does not require complexity leveraging. It is conceptually simple and builds on the primitive of structure-preserving signatures on equivalence classes (SPS-EQ). FHS prove the unforgeability of their scheme assuming EUF-CMA security of the SPS-EQ scheme and hardness of a version of the DH inversion problem. Blindness under adversarially chosen keys is proven under an interactive variant of the DDH assumption. We propose a variant of their scheme whose blindness can be proven under a non-interactive assumption, namely a variant of the bilinear DDH assumption. We moreover prove its unforgeability assuming only unforgeability of the underlying SPS-EQ but no additional assumptions as needed for the FHS scheme.","lang":"eng"}],"oa_version":"Submitted Version","department":[{"_id":"KrPi"}],"date_updated":"2023-02-23T10:08:16Z","type":"conference","conference":{"name":"SCN: Security and Cryptography for Networks","start_date":"2016-08-31","end_date":"2016-09-02","location":"Amalfi, Italy"},"status":"public","_id":"1225","page":"391 - 408","date_published":"2016-08-11T00:00:00Z","doi":"10.1007/978-3-319-44618-9_21","date_created":"2018-12-11T11:50:49Z","year":"2016","day":"11","quality_controlled":"1","publisher":"Springer","oa":1,"author":[{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg"},{"first_name":"Christian","full_name":"Hanser, Christian","last_name":"Hanser"},{"id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","first_name":"Chethan","full_name":"Kamath Hosdurg, Chethan","last_name":"Kamath Hosdurg"},{"first_name":"Daniel","full_name":"Slamanig, Daniel","last_name":"Slamanig"}],"publist_id":"6109","title":"Practical round-optimal blind signatures in the standard model from weaker assumptions","citation":{"chicago":"Fuchsbauer, Georg, Christian Hanser, Chethan Kamath Hosdurg, and Daniel Slamanig. “Practical Round-Optimal Blind Signatures in the Standard Model from Weaker Assumptions,” 9841:391–408. Springer, 2016. https://doi.org/10.1007/978-3-319-44618-9_21.","ista":"Fuchsbauer G, Hanser C, Kamath Hosdurg C, Slamanig D. 2016. Practical round-optimal blind signatures in the standard model from weaker assumptions. SCN: Security and Cryptography for Networks, LNCS, vol. 9841, 391–408.","mla":"Fuchsbauer, Georg, et al. Practical Round-Optimal Blind Signatures in the Standard Model from Weaker Assumptions. Vol. 9841, Springer, 2016, pp. 391–408, doi:10.1007/978-3-319-44618-9_21.","ieee":"G. Fuchsbauer, C. Hanser, C. Kamath Hosdurg, and D. Slamanig, “Practical round-optimal blind signatures in the standard model from weaker assumptions,” presented at the SCN: Security and Cryptography for Networks, Amalfi, Italy, 2016, vol. 9841, pp. 391–408.","short":"G. Fuchsbauer, C. Hanser, C. Kamath Hosdurg, D. Slamanig, in:, Springer, 2016, pp. 391–408.","ama":"Fuchsbauer G, Hanser C, Kamath Hosdurg C, Slamanig D. Practical round-optimal blind signatures in the standard model from weaker assumptions. In: Vol 9841. Springer; 2016:391-408. doi:10.1007/978-3-319-44618-9_21","apa":"Fuchsbauer, G., Hanser, C., Kamath Hosdurg, C., & Slamanig, D. (2016). Practical round-optimal blind signatures in the standard model from weaker assumptions (Vol. 9841, pp. 391–408). Presented at the SCN: Security and Cryptography for Networks, Amalfi, Italy: Springer. https://doi.org/10.1007/978-3-319-44618-9_21"},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","name":"Provable Security for Physical Cryptography","grant_number":"259668"},{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815","name":"Teaching Old Crypto New Tricks"}]},{"has_accepted_license":"1","year":"2016","day":"08","page":"121 - 145","date_published":"2016-01-08T00:00:00Z","doi":"10.1007/978-3-662-48797-6_6","date_created":"2018-12-11T11:53:16Z","publisher":"Springer","quality_controlled":"1","oa":1,"citation":{"chicago":"Okamoto, Tatsuaki, Krzysztof Z Pietrzak, Brent Waters, and Daniel Wichs. “New Realizations of Somewhere Statistically Binding Hashing and Positional Accumulators,” 9452:121–45. Springer, 2016. https://doi.org/10.1007/978-3-662-48797-6_6.","ista":"Okamoto T, Pietrzak KZ, Waters B, Wichs D. 2016. New realizations of somewhere statistically binding hashing and positional accumulators. ASIACRYPT: Theory and Application of Cryptology and Information Security, LNCS, vol. 9452, 121–145.","mla":"Okamoto, Tatsuaki, et al. New Realizations of Somewhere Statistically Binding Hashing and Positional Accumulators. Vol. 9452, Springer, 2016, pp. 121–45, doi:10.1007/978-3-662-48797-6_6.","apa":"Okamoto, T., Pietrzak, K. Z., Waters, B., & Wichs, D. (2016). New realizations of somewhere statistically binding hashing and positional accumulators (Vol. 9452, pp. 121–145). Presented at the ASIACRYPT: Theory and Application of Cryptology and Information Security, Auckland, New Zealand: Springer. https://doi.org/10.1007/978-3-662-48797-6_6","ama":"Okamoto T, Pietrzak KZ, Waters B, Wichs D. New realizations of somewhere statistically binding hashing and positional accumulators. In: Vol 9452. Springer; 2016:121-145. doi:10.1007/978-3-662-48797-6_6","ieee":"T. Okamoto, K. Z. Pietrzak, B. Waters, and D. Wichs, “New realizations of somewhere statistically binding hashing and positional accumulators,” presented at the ASIACRYPT: Theory and Application of Cryptology and Information Security, Auckland, New Zealand, 2016, vol. 9452, pp. 121–145.","short":"T. Okamoto, K.Z. Pietrzak, B. Waters, D. Wichs, in:, Springer, 2016, pp. 121–145."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","author":[{"last_name":"Okamoto","full_name":"Okamoto, Tatsuaki","first_name":"Tatsuaki"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z"},{"first_name":"Brent","full_name":"Waters, Brent","last_name":"Waters"},{"full_name":"Wichs, Daniel","last_name":"Wichs","first_name":"Daniel"}],"publist_id":"5497","title":"New realizations of somewhere statistically binding hashing and positional accumulators","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"publication_status":"published","file":[{"checksum":"a57711cb660c5b17b42bb47275a00180","file_id":"4923","access_level":"open_access","relation":"main_file","content_type":"application/pdf","date_created":"2018-12-12T10:12:05Z","file_name":"IST-2016-677-v1+1_869.pdf","creator":"system","date_updated":"2020-07-14T12:45:08Z","file_size":580088}],"language":[{"iso":"eng"}],"volume":9452,"ec_funded":1,"abstract":[{"lang":"eng","text":"A somewhere statistically binding (SSB) hash, introduced by Hubáček and Wichs (ITCS ’15), can be used to hash a long string x to a short digest y = H hk (x) using a public hashing-key hk. Furthermore, there is a way to set up the hash key hk to make it statistically binding on some arbitrary hidden position i, meaning that: (1) the digest y completely determines the i’th bit (or symbol) of x so that all pre-images of y have the same value in the i’th position, (2) it is computationally infeasible to distinguish the position i on which hk is statistically binding from any other position i’. Lastly, the hash should have a local opening property analogous to Merkle-Tree hashing, meaning that given x and y = H hk (x) it should be possible to create a short proof π that certifies the value of the i’th bit (or symbol) of x without having to provide the entire input x. A similar primitive called a positional accumulator, introduced by Koppula, Lewko and Waters (STOC ’15) further supports dynamic updates of the hashed value. These tools, which are interesting in their own right, also serve as one of the main technical components in several recent works building advanced applications from indistinguishability obfuscation (iO).\r\n\r\nThe prior constructions of SSB hashing and positional accumulators required fully homomorphic encryption (FHE) and iO respectively. In this work, we give new constructions of these tools based on well studied number-theoretic assumptions such as DDH, Phi-Hiding and DCR, as well as a general construction from lossy/injective functions."}],"oa_version":"Submitted Version","scopus_import":1,"alternative_title":["LNCS"],"month":"01","intvolume":" 9452","date_updated":"2021-01-12T06:52:16Z","ddc":["000"],"department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:45:08Z","_id":"1653","type":"conference","conference":{"name":"ASIACRYPT: Theory and Application of Cryptology and Information Security","start_date":"2015-11-29","location":"Auckland, New Zealand","end_date":"2015-12-03"},"status":"public","pubrep_id":"677"},{"acknowledgement":"This work was partly funded by the European Research Council under ERC Starting Grant 259668-PSPC and ERC Advanced Grant 321310-PERCY.\r\n","publisher":"Springer","quality_controlled":"1","oa":1,"has_accepted_license":"1","year":"2016","day":"01","publication":"Computational Complexity","page":"567 - 605","doi":"10.1007/s00037-015-0120-9","date_published":"2016-09-01T00:00:00Z","date_created":"2018-12-11T11:52:16Z","project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"citation":{"ista":"Krenn S, Pietrzak KZ, Wadia A, Wichs D. 2016. A counterexample to the chain rule for conditional HILL entropy. Computational Complexity. 25(3), 567–605.","chicago":"Krenn, Stephan, Krzysztof Z Pietrzak, Akshay Wadia, and Daniel Wichs. “A Counterexample to the Chain Rule for Conditional HILL Entropy.” Computational Complexity. Springer, 2016. https://doi.org/10.1007/s00037-015-0120-9.","ieee":"S. Krenn, K. Z. Pietrzak, A. Wadia, and D. Wichs, “A counterexample to the chain rule for conditional HILL entropy,” Computational Complexity, vol. 25, no. 3. Springer, pp. 567–605, 2016.","short":"S. Krenn, K.Z. Pietrzak, A. Wadia, D. Wichs, Computational Complexity 25 (2016) 567–605.","ama":"Krenn S, Pietrzak KZ, Wadia A, Wichs D. A counterexample to the chain rule for conditional HILL entropy. Computational Complexity. 2016;25(3):567-605. doi:10.1007/s00037-015-0120-9","apa":"Krenn, S., Pietrzak, K. Z., Wadia, A., & Wichs, D. (2016). A counterexample to the chain rule for conditional HILL entropy. Computational Complexity. Springer. https://doi.org/10.1007/s00037-015-0120-9","mla":"Krenn, Stephan, et al. “A Counterexample to the Chain Rule for Conditional HILL Entropy.” Computational Complexity, vol. 25, no. 3, Springer, 2016, pp. 567–605, doi:10.1007/s00037-015-0120-9."},"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","publist_id":"5715","author":[{"first_name":"Stephan","id":"329FCCF0-F248-11E8-B48F-1D18A9856A87","full_name":"Krenn, Stephan","orcid":"0000-0003-2835-9093","last_name":"Krenn"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654"},{"full_name":"Wadia, Akshay","last_name":"Wadia","first_name":"Akshay"},{"full_name":"Wichs, Daniel","last_name":"Wichs","first_name":"Daniel"}],"title":"A counterexample to the chain rule for conditional HILL entropy","abstract":[{"lang":"eng","text":"Most entropy notions H(.) like Shannon or min-entropy satisfy a chain rule stating that for random variables X,Z, and A we have H(X|Z,A)≥H(X|Z)−|A|. That is, by conditioning on A the entropy of X can decrease by at most the bitlength |A| of A. Such chain rules are known to hold for some computational entropy notions like Yao’s and unpredictability-entropy. For HILL entropy, the computational analogue of min-entropy, the chain rule is of special interest and has found many applications, including leakage-resilient cryptography, deterministic encryption, and memory delegation. These applications rely on restricted special cases of the chain rule. Whether the chain rule for conditional HILL entropy holds in general was an open problem for which we give a strong negative answer: we construct joint distributions (X,Z,A), where A is a distribution over a single bit, such that the HILL entropy H HILL (X|Z) is large but H HILL (X|Z,A) is basically zero.\r\n\r\nOur counterexample just makes the minimal assumption that NP⊈P/poly. Under the stronger assumption that injective one-way function exist, we can make all the distributions efficiently samplable.\r\n\r\nFinally, we show that some more sophisticated cryptographic objects like lossy functions can be used to sample a distribution constituting a counterexample to the chain rule making only a single invocation to the underlying object."}],"oa_version":"Submitted Version","scopus_import":1,"month":"09","intvolume":" 25","publication_status":"published","file":[{"creator":"system","date_updated":"2020-07-14T12:44:56Z","file_size":483258,"date_created":"2018-12-12T10:13:29Z","file_name":"IST-2017-766-v1+1_678.pdf","access_level":"open_access","relation":"main_file","content_type":"application/pdf","checksum":"7659296174fa75f5f0364f31f46f4bcf","file_id":"5012"}],"language":[{"iso":"eng"}],"volume":25,"issue":"3","related_material":{"record":[{"id":"2940","status":"public","relation":"earlier_version"}]},"ec_funded":1,"_id":"1479","type":"journal_article","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"status":"public","pubrep_id":"766","date_updated":"2023-02-23T11:05:09Z","ddc":["004"],"file_date_updated":"2020-07-14T12:44:56Z","department":[{"_id":"KrPi"}]},{"publist_id":"6105","author":[{"id":"40297222-F248-11E8-B48F-1D18A9856A87","first_name":"Hamza M","last_name":"Abusalah","full_name":"Abusalah, Hamza M"},{"first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer"},{"full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"}],"title":"Offline witness encryption","citation":{"chicago":"Abusalah, Hamza M, Georg Fuchsbauer, and Krzysztof Z Pietrzak. “Offline Witness Encryption,” 9696:285–303. Springer, 2016. https://doi.org/10.1007/978-3-319-39555-5_16.","ista":"Abusalah HM, Fuchsbauer G, Pietrzak KZ. 2016. Offline witness encryption. ACNS: Applied Cryptography and Network Security, LNCS, vol. 9696, 285–303.","mla":"Abusalah, Hamza M., et al. Offline Witness Encryption. Vol. 9696, Springer, 2016, pp. 285–303, doi:10.1007/978-3-319-39555-5_16.","apa":"Abusalah, H. M., Fuchsbauer, G., & Pietrzak, K. Z. (2016). Offline witness encryption (Vol. 9696, pp. 285–303). Presented at the ACNS: Applied Cryptography and Network Security, Guildford, UK: Springer. https://doi.org/10.1007/978-3-319-39555-5_16","ama":"Abusalah HM, Fuchsbauer G, Pietrzak KZ. Offline witness encryption. In: Vol 9696. Springer; 2016:285-303. doi:10.1007/978-3-319-39555-5_16","ieee":"H. M. Abusalah, G. Fuchsbauer, and K. Z. Pietrzak, “Offline witness encryption,” presented at the ACNS: Applied Cryptography and Network Security, Guildford, UK, 2016, vol. 9696, pp. 285–303.","short":"H.M. Abusalah, G. Fuchsbauer, K.Z. Pietrzak, in:, Springer, 2016, pp. 285–303."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425"},{"grant_number":"682815","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"page":"285 - 303","date_created":"2018-12-11T11:50:50Z","date_published":"2016-06-09T00:00:00Z","doi":"10.1007/978-3-319-39555-5_16","year":"2016","has_accepted_license":"1","day":"09","oa":1,"publisher":"Springer","quality_controlled":"1","acknowledgement":"Research supported by the European Research Council, ERC starting grant (259668-PSPC) and ERC consolidator grant (682815 - TOCNeT).","file_date_updated":"2020-07-14T12:44:39Z","department":[{"_id":"KrPi"}],"date_updated":"2023-09-07T12:30:22Z","ddc":["005","600"],"conference":{"name":"ACNS: Applied Cryptography and Network Security","start_date":"2016-06-19","end_date":"2016-06-22","location":"Guildford, UK"},"type":"conference","pubrep_id":"765","status":"public","_id":"1229","ec_funded":1,"volume":9696,"related_material":{"record":[{"relation":"dissertation_contains","status":"public","id":"83"}]},"publication_status":"published","language":[{"iso":"eng"}],"file":[{"relation":"main_file","access_level":"open_access","content_type":"application/pdf","checksum":"34fa9ce681da845a1ba945ba3dc57867","file_id":"5273","creator":"system","file_size":515000,"date_updated":"2020-07-14T12:44:39Z","file_name":"IST-2017-765-v1+1_838.pdf","date_created":"2018-12-12T10:17:20Z"}],"alternative_title":["LNCS"],"scopus_import":1,"intvolume":" 9696","month":"06","abstract":[{"text":"Witness encryption (WE) was introduced by Garg et al. [GGSW13]. A WE scheme is defined for some NP language L and lets a sender encrypt messages relative to instances x. A ciphertext for x can be decrypted using w witnessing x ∈ L, but hides the message if x ∈ L. Garg et al. construct WE from multilinear maps and give another construction [GGH+13b] using indistinguishability obfuscation (iO) for circuits. Due to the reliance on such heavy tools, WE can cur- rently hardly be implemented on powerful hardware and will unlikely be realizable on constrained devices like smart cards any time soon. We construct a WE scheme where encryption is done by simply computing a Naor-Yung ciphertext (two CPA encryptions and a NIZK proof). To achieve this, our scheme has a setup phase, which outputs public parameters containing an obfuscated circuit (only required for decryption), two encryption keys and a common reference string (used for encryption). This setup need only be run once, and the parame- ters can be used for arbitrary many encryptions. Our scheme can also be turned into a functional WE scheme, where a message is encrypted w.r.t. a statement and a function f, and decryption with a witness w yields f (m, w). Our construction is inspired by the functional encryption scheme by Garg et al. and we prove (selective) security assuming iO and statistically simulation-sound NIZK. We give a construction of the latter in bilinear groups and combining it with ElGamal encryption, our ciphertexts are of size 1.3 kB at a 128-bit security level and can be computed on a smart card.","lang":"eng"}],"oa_version":"Submitted Version"},{"abstract":[{"lang":"eng","text":"A constrained pseudorandom function F: K × X → Y for a family T ⊆ 2X of subsets of X is a function where for any key k ∈ K and set S ∈ T one can efficiently compute a constrained key kS which allows to evaluate F (k, ·) on all inputs x ∈ S, while even given this key, the outputs on all inputs x ∉ S look random. At Asiacrypt’13 Boneh and Waters gave a construction which supports the most general set family so far. Its keys kc are defined for sets decided by boolean circuits C and enable evaluation of the PRF on any x ∈ X where C(x) = 1. In their construction the PRF input length and the size of the circuits C for which constrained keys can be computed must be fixed beforehand during key generation. We construct a constrained PRF that has an unbounded input length and whose constrained keys can be defined for any set recognized by a Turing machine. The only a priori bound we make is on the description size of the machines. We prove our construction secure assuming publiccoin differing-input obfuscation. As applications of our constrained PRF we build a broadcast encryption scheme where the number of potential receivers need not be fixed at setup (in particular, the length of the keys is independent of the number of parties) and the first identity-based non-interactive key exchange protocol with no bound on the number of parties that can agree on a shared key."}],"oa_version":"Submitted Version","scopus_import":1,"alternative_title":["LNCS"],"intvolume":" 9610","month":"02","publication_status":"published","language":[{"iso":"eng"}],"file":[{"date_created":"2018-12-12T10:08:05Z","file_name":"IST-2017-764-v1+1_279.pdf","date_updated":"2020-07-14T12:44:41Z","file_size":495176,"creator":"system","checksum":"3851cee49933ae13b1272e516f213e13","file_id":"4664","content_type":"application/pdf","access_level":"open_access","relation":"main_file"}],"ec_funded":1,"volume":9610,"related_material":{"record":[{"id":"83","status":"public","relation":"dissertation_contains"}]},"_id":"1236","conference":{"start_date":"2016-02-29","location":"San Francisco, CA, USA","end_date":"2016-03-04","name":"CT-RSA: Topics in Cryptology"},"type":"conference","pubrep_id":"764","status":"public","date_updated":"2023-09-07T12:30:22Z","ddc":["005","600"],"department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:44:41Z","acknowledgement":"Supported by the European Research Council, ERC Starting Grant (259668-PSPC).","oa":1,"quality_controlled":"1","publisher":"Springer","year":"2016","has_accepted_license":"1","day":"02","page":"413 - 428","date_created":"2018-12-11T11:50:52Z","doi":"10.1007/978-3-319-29485-8_24","date_published":"2016-02-02T00:00:00Z","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"citation":{"mla":"Abusalah, Hamza M., et al. Constrained PRFs for Unbounded Inputs. Vol. 9610, Springer, 2016, pp. 413–28, doi:10.1007/978-3-319-29485-8_24.","ama":"Abusalah HM, Fuchsbauer G, Pietrzak KZ. Constrained PRFs for unbounded inputs. In: Vol 9610. Springer; 2016:413-428. doi:10.1007/978-3-319-29485-8_24","apa":"Abusalah, H. M., Fuchsbauer, G., & Pietrzak, K. Z. (2016). Constrained PRFs for unbounded inputs (Vol. 9610, pp. 413–428). Presented at the CT-RSA: Topics in Cryptology, San Francisco, CA, USA: Springer. https://doi.org/10.1007/978-3-319-29485-8_24","ieee":"H. M. Abusalah, G. Fuchsbauer, and K. Z. Pietrzak, “Constrained PRFs for unbounded inputs,” presented at the CT-RSA: Topics in Cryptology, San Francisco, CA, USA, 2016, vol. 9610, pp. 413–428.","short":"H.M. Abusalah, G. Fuchsbauer, K.Z. Pietrzak, in:, Springer, 2016, pp. 413–428.","chicago":"Abusalah, Hamza M, Georg Fuchsbauer, and Krzysztof Z Pietrzak. “Constrained PRFs for Unbounded Inputs,” 9610:413–28. Springer, 2016. https://doi.org/10.1007/978-3-319-29485-8_24.","ista":"Abusalah HM, Fuchsbauer G, Pietrzak KZ. 2016. Constrained PRFs for unbounded inputs. CT-RSA: Topics in Cryptology, LNCS, vol. 9610, 413–428."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","publist_id":"6097","author":[{"last_name":"Abusalah","full_name":"Abusalah, Hamza M","id":"40297222-F248-11E8-B48F-1D18A9856A87","first_name":"Hamza M"},{"last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg"},{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"}],"title":"Constrained PRFs for unbounded inputs"},{"date_updated":"2023-09-07T12:30:22Z","department":[{"_id":"KrPi"}],"_id":"1235","status":"public","conference":{"location":"Guildford, UK","end_date":"2016-06-22","start_date":"2016-06-19","name":"ACNS: Applied Cryptography and Network Security"},"type":"conference","language":[{"iso":"eng"}],"publication_status":"published","ec_funded":1,"related_material":{"record":[{"relation":"dissertation_contains","id":"83","status":"public"}]},"volume":9696,"oa_version":"Submitted Version","abstract":[{"text":"A constrained pseudorandom function (CPRF) F: K×X → Y for a family T of subsets of χ is a function where for any key k ∈ K and set S ∈ T one can efficiently compute a short constrained key kS, which allows to evaluate F(k, ·) on all inputs x ∈ S, while the outputs on all inputs x /∈ S look random even given kS. Abusalah et al. recently constructed the first constrained PRF for inputs of arbitrary length whose sets S are decided by Turing machines. They use their CPRF to build broadcast encryption and the first ID-based non-interactive key exchange for an unbounded number of users. Their constrained keys are obfuscated circuits and are therefore large. In this work we drastically reduce the key size and define a constrained key for a Turing machine M as a short signature on M. For this, we introduce a new signature primitive with constrained signing keys that let one only sign certain messages, while forging a signature on others is hard even when knowing the coins for key generation.","lang":"eng"}],"intvolume":" 9696","month":"01","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2016/279.pdf"}],"scopus_import":1,"alternative_title":["LNCS"],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","citation":{"ieee":"H. M. Abusalah and G. Fuchsbauer, “Constrained PRFs for unbounded inputs with short keys,” presented at the ACNS: Applied Cryptography and Network Security, Guildford, UK, 2016, vol. 9696, pp. 445–463.","short":"H.M. Abusalah, G. Fuchsbauer, in:, Springer, 2016, pp. 445–463.","apa":"Abusalah, H. M., & Fuchsbauer, G. (2016). Constrained PRFs for unbounded inputs with short keys (Vol. 9696, pp. 445–463). Presented at the ACNS: Applied Cryptography and Network Security, Guildford, UK: Springer. https://doi.org/10.1007/978-3-319-39555-5_24","ama":"Abusalah HM, Fuchsbauer G. Constrained PRFs for unbounded inputs with short keys. In: Vol 9696. Springer; 2016:445-463. doi:10.1007/978-3-319-39555-5_24","mla":"Abusalah, Hamza M., and Georg Fuchsbauer. Constrained PRFs for Unbounded Inputs with Short Keys. Vol. 9696, Springer, 2016, pp. 445–63, doi:10.1007/978-3-319-39555-5_24.","ista":"Abusalah HM, Fuchsbauer G. 2016. Constrained PRFs for unbounded inputs with short keys. ACNS: Applied Cryptography and Network Security, LNCS, vol. 9696, 445–463.","chicago":"Abusalah, Hamza M, and Georg Fuchsbauer. “Constrained PRFs for Unbounded Inputs with Short Keys,” 9696:445–63. Springer, 2016. https://doi.org/10.1007/978-3-319-39555-5_24."},"title":"Constrained PRFs for unbounded inputs with short keys","author":[{"first_name":"Hamza M","id":"40297222-F248-11E8-B48F-1D18A9856A87","last_name":"Abusalah","full_name":"Abusalah, Hamza M"},{"last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg"}],"publist_id":"6098","project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"},{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}],"day":"01","year":"2016","date_created":"2018-12-11T11:50:52Z","doi":"10.1007/978-3-319-39555-5_24","date_published":"2016-01-01T00:00:00Z","page":"445 - 463","acknowledgement":"H. Abusalah—Research supported by the European Research Council, ERC starting grant (259668-PSPC) and ERC consolidator grant (682815 - TOCNeT).","oa":1,"quality_controlled":"1","publisher":"Springer"},{"_id":"1474","type":"conference","conference":{"end_date":"2015-07-17","location":"Verona, Italy","start_date":"2015-07-13","name":"CSF: Computer Security Foundations"},"project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"status":"public","citation":{"mla":"Ferrara, Anna, et al. Policy Privacy in Cryptographic Access Control. IEEE, 2015, pp. 46–60, doi:10.1109/CSF.2015.11.","short":"A. Ferrara, G. Fuchsbauer, B. Liu, B. Warinschi, in:, IEEE, 2015, pp. 46–60.","ieee":"A. Ferrara, G. Fuchsbauer, B. Liu, and B. Warinschi, “Policy privacy in cryptographic access control,” presented at the CSF: Computer Security Foundations, Verona, Italy, 2015, pp. 46–60.","apa":"Ferrara, A., Fuchsbauer, G., Liu, B., & Warinschi, B. (2015). Policy privacy in cryptographic access control (pp. 46–60). Presented at the CSF: Computer Security Foundations, Verona, Italy: IEEE. https://doi.org/10.1109/CSF.2015.11","ama":"Ferrara A, Fuchsbauer G, Liu B, Warinschi B. Policy privacy in cryptographic access control. In: IEEE; 2015:46-60. doi:10.1109/CSF.2015.11","chicago":"Ferrara, Anna, Georg Fuchsbauer, Bin Liu, and Bogdan Warinschi. “Policy Privacy in Cryptographic Access Control,” 46–60. IEEE, 2015. https://doi.org/10.1109/CSF.2015.11.","ista":"Ferrara A, Fuchsbauer G, Liu B, Warinschi B. 2015. Policy privacy in cryptographic access control. CSF: Computer Security Foundations, 46–60."},"date_updated":"2021-01-12T06:50:59Z","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","author":[{"full_name":"Ferrara, Anna","last_name":"Ferrara","first_name":"Anna"},{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg","full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer"},{"full_name":"Liu, Bin","last_name":"Liu","first_name":"Bin"},{"first_name":"Bogdan","last_name":"Warinschi","full_name":"Warinschi, Bogdan"}],"publist_id":"5722","article_processing_charge":"No","department":[{"_id":"KrPi"}],"title":"Policy privacy in cryptographic access control","abstract":[{"lang":"eng","text":"Cryptographic access control offers selective access to encrypted data via a combination of key management and functionality-rich cryptographic schemes, such as attribute-based encryption. Using this approach, publicly available meta-data may inadvertently leak information on the access policy that is enforced by cryptography, which renders cryptographic access control unusable in settings where this information is highly sensitive. We begin to address this problem by presenting rigorous definitions for policy privacy in cryptographic access control. For concreteness we set our results in the model of Role-Based Access Control (RBAC), where we identify and formalize several different flavors of privacy, however, our framework should serve as inspiration for other models of access control. Based on our insights we propose a new system which significantly improves on the privacy properties of state-of-the-art constructions. Our design is based on a novel type of privacy-preserving attribute-based encryption, which we introduce and show how to instantiate. We present our results in the context of a cryptographic RBAC system by Ferrara et al. (CSF'13), which uses cryptography to control read access to files, while write access is still delegated to trusted monitors. We give an extension of the construction that permits cryptographic control over write access. Our construction assumes that key management uses out-of-band channels between the policy enforcer and the users but eliminates completely the need for monitoring read/write access to the data."}],"oa_version":"Submitted Version","publisher":"IEEE","quality_controlled":"1","main_file_link":[{"url":"http://epubs.surrey.ac.uk/808055/","open_access":"1"}],"oa":1,"month":"09","year":"2015","publication_status":"published","day":"04","language":[{"iso":"eng"}],"page":"46-60","doi":"10.1109/CSF.2015.11","date_published":"2015-09-04T00:00:00Z","date_created":"2018-12-11T11:52:14Z","ec_funded":1},{"file":[{"date_created":"2018-12-12T10:15:17Z","file_name":"IST-2016-679-v1+1_180.pdf","creator":"system","date_updated":"2020-07-14T12:45:08Z","file_size":450665,"file_id":"5136","checksum":"3c5093bda5783c89beaacabf1aa0e60e","access_level":"open_access","relation":"main_file","content_type":"application/pdf"}],"language":[{"iso":"eng"}],"publication_identifier":{"isbn":["978-3-662-46496-0"]},"publication_status":"published","volume":9015,"ec_funded":1,"oa_version":"Submitted Version","abstract":[{"text":"A pseudorandom function (PRF) is a keyed function F : K × X → Y where, for a random key k ∈ K, the function F(k, ·) is indistinguishable from a uniformly random function, given black-box access. A key-homomorphic PRF has the additional feature that for any keys k, k' and any input x, we have F(k+k', x) = F(k, x)⊕F(k', x) for some group operations +,⊕ on K and Y, respectively. A constrained PRF for a family of setsS ⊆ P(X) has the property that, given any key k and set S ∈ S, one can efficiently compute a “constrained” key kS that enables evaluation of F(k, x) on all inputs x ∈ S, while the values F(k, x) for x /∈ S remain pseudorandom even given kS. In this paper we construct PRFs that are simultaneously constrained and key homomorphic, where the homomorphic property holds even for constrained keys. We first show that the multilinear map-based bit-fixing and circuit-constrained PRFs of Boneh and Waters (Asiacrypt 2013) can be modified to also be keyhomomorphic. We then show that the LWE-based key-homomorphic PRFs of Banerjee and Peikert (Crypto 2014) are essentially already prefix-constrained PRFs, using a (non-obvious) definition of constrained keys and associated group operation. Moreover, the constrained keys themselves are pseudorandom, and the constraining and evaluation functions can all be computed in low depth. As an application of key-homomorphic constrained PRFs,we construct a proxy re-encryption schemewith fine-grained access control. This scheme allows storing encrypted data on an untrusted server, where each file can be encrypted relative to some attributes, so that only parties whose constrained keys match the attributes can decrypt. Moreover, the server can re-key (arbitrary subsets of) the ciphertexts without learning anything about the plaintexts, thus permitting efficient and finegrained revocation.","lang":"eng"}],"month":"03","intvolume":" 9015","scopus_import":"1","alternative_title":["LNCS"],"main_file_link":[{"url":"https://eprint.iacr.org/2015/180","open_access":"1"}],"ddc":["000","004"],"date_updated":"2022-02-03T08:41:46Z","department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:45:08Z","_id":"1646","status":"public","pubrep_id":"679","type":"conference","conference":{"name":"TCC: Theory of Cryptography Conference","start_date":"2015-03-23","end_date":"2015-03-25","location":"Warsaw, Poland"},"day":"01","publication":"12th Theory of Cryptography Conference","has_accepted_license":"1","year":"2015","doi":"10.1007/978-3-662-46497-7_2","date_published":"2015-03-01T00:00:00Z","date_created":"2018-12-11T11:53:14Z","page":"31 - 60","quality_controlled":"1","publisher":"Springer Nature","oa":1,"user_id":"8b945eb4-e2f2-11eb-945a-df72226e66a9","citation":{"ista":"Banerjee A, Fuchsbauer G, Peikert C, Pietrzak KZ, Stevens S. 2015. Key-homomorphic constrained pseudorandom functions. 12th Theory of Cryptography Conference. TCC: Theory of Cryptography Conference, LNCS, vol. 9015, 31–60.","chicago":"Banerjee, Abishek, Georg Fuchsbauer, Chris Peikert, Krzysztof Z Pietrzak, and Sophie Stevens. “Key-Homomorphic Constrained Pseudorandom Functions.” In 12th Theory of Cryptography Conference, 9015:31–60. Springer Nature, 2015. https://doi.org/10.1007/978-3-662-46497-7_2.","ieee":"A. Banerjee, G. Fuchsbauer, C. Peikert, K. Z. Pietrzak, and S. Stevens, “Key-homomorphic constrained pseudorandom functions,” in 12th Theory of Cryptography Conference, Warsaw, Poland, 2015, vol. 9015, pp. 31–60.","short":"A. Banerjee, G. Fuchsbauer, C. Peikert, K.Z. Pietrzak, S. Stevens, in:, 12th Theory of Cryptography Conference, Springer Nature, 2015, pp. 31–60.","ama":"Banerjee A, Fuchsbauer G, Peikert C, Pietrzak KZ, Stevens S. Key-homomorphic constrained pseudorandom functions. In: 12th Theory of Cryptography Conference. Vol 9015. Springer Nature; 2015:31-60. doi:10.1007/978-3-662-46497-7_2","apa":"Banerjee, A., Fuchsbauer, G., Peikert, C., Pietrzak, K. Z., & Stevens, S. (2015). Key-homomorphic constrained pseudorandom functions. In 12th Theory of Cryptography Conference (Vol. 9015, pp. 31–60). Warsaw, Poland: Springer Nature. https://doi.org/10.1007/978-3-662-46497-7_2","mla":"Banerjee, Abishek, et al. “Key-Homomorphic Constrained Pseudorandom Functions.” 12th Theory of Cryptography Conference, vol. 9015, Springer Nature, 2015, pp. 31–60, doi:10.1007/978-3-662-46497-7_2."},"title":"Key-homomorphic constrained pseudorandom functions","author":[{"first_name":"Abishek","full_name":"Banerjee, Abishek","last_name":"Banerjee"},{"last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg"},{"first_name":"Chris","last_name":"Peikert","full_name":"Peikert, Chris"},{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Stevens, Sophie","last_name":"Stevens","first_name":"Sophie"}],"publist_id":"5505","article_processing_charge":"No","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography"}]},{"page":"601 - 620","doi":"10.1007/978-3-662-47989-6_29","date_published":"2015-08-01T00:00:00Z","date_created":"2018-12-11T11:53:14Z","has_accepted_license":"1","year":"2015","day":"01","publisher":"Springer","quality_controlled":"1","oa":1,"publist_id":"5502","author":[{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg","full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer"},{"full_name":"Jafargholi, Zahra","last_name":"Jafargholi","first_name":"Zahra"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654"}],"title":"A quasipolynomial reduction for generalized selective decryption on trees","citation":{"ista":"Fuchsbauer G, Jafargholi Z, Pietrzak KZ. 2015. A quasipolynomial reduction for generalized selective decryption on trees. CRYPTO: International Cryptology Conference, LNCS, vol. 9215, 601–620.","chicago":"Fuchsbauer, Georg, Zahra Jafargholi, and Krzysztof Z Pietrzak. “A Quasipolynomial Reduction for Generalized Selective Decryption on Trees,” 9215:601–20. Springer, 2015. https://doi.org/10.1007/978-3-662-47989-6_29.","short":"G. Fuchsbauer, Z. Jafargholi, K.Z. Pietrzak, in:, Springer, 2015, pp. 601–620.","ieee":"G. Fuchsbauer, Z. Jafargholi, and K. Z. Pietrzak, “A quasipolynomial reduction for generalized selective decryption on trees,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, USA, 2015, vol. 9215, pp. 601–620.","ama":"Fuchsbauer G, Jafargholi Z, Pietrzak KZ. A quasipolynomial reduction for generalized selective decryption on trees. In: Vol 9215. Springer; 2015:601-620. doi:10.1007/978-3-662-47989-6_29","apa":"Fuchsbauer, G., Jafargholi, Z., & Pietrzak, K. Z. (2015). A quasipolynomial reduction for generalized selective decryption on trees (Vol. 9215, pp. 601–620). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, USA: Springer. https://doi.org/10.1007/978-3-662-47989-6_29","mla":"Fuchsbauer, Georg, et al. A Quasipolynomial Reduction for Generalized Selective Decryption on Trees. Vol. 9215, Springer, 2015, pp. 601–20, doi:10.1007/978-3-662-47989-6_29."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"volume":9215,"ec_funded":1,"publication_status":"published","file":[{"content_type":"application/pdf","access_level":"open_access","relation":"main_file","file_id":"5015","checksum":"99b76b3263d5082554d0a9cbdeca3a22","date_updated":"2020-07-14T12:45:08Z","file_size":505618,"creator":"system","date_created":"2018-12-12T10:13:31Z","file_name":"IST-2016-674-v1+1_389.pdf"}],"language":[{"iso":"eng"}],"alternative_title":["LNCS"],"scopus_import":1,"month":"08","intvolume":" 9215","abstract":[{"text":"Generalized Selective Decryption (GSD), introduced by Panjwani [TCC’07], is a game for a symmetric encryption scheme Enc that captures the difficulty of proving adaptive security of certain protocols, most notably the Logical Key Hierarchy (LKH) multicast encryption protocol. In the GSD game there are n keys k1,..., kn, which the adversary may adaptively corrupt (learn); moreover, it can ask for encryptions Encki (kj) of keys under other keys. The adversary’s task is to distinguish keys (which it cannot trivially compute) from random. Proving the hardness of GSD assuming only IND-CPA security of Enc is surprisingly hard. Using “complexity leveraging” loses a factor exponential in n, which makes the proof practically meaningless. We can think of the GSD game as building a graph on n vertices, where we add an edge i → j when the adversary asks for an encryption of kj under ki. If restricted to graphs of depth ℓ, Panjwani gave a reduction that loses only a factor exponential in ℓ (not n). To date, this is the only non-trivial result known for GSD. In this paper we give almost-polynomial reductions for large classes of graphs. Most importantly, we prove the security of the GSD game restricted to trees losing only a quasi-polynomial factor n3 log n+5. Trees are an important special case capturing real-world protocols like the LKH protocol. Our new bound improves upon Panjwani’s on some LKH variants proposed in the literature where the underlying tree is not balanced. Our proof builds on ideas from the “nested hybrids” technique recently introduced by Fuchsbauer et al. [Asiacrypt’14] for proving the adaptive security of constrained PRFs.","lang":"eng"}],"oa_version":"Submitted Version","department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:45:08Z","date_updated":"2021-01-12T06:52:14Z","ddc":["004"],"type":"conference","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"conference":{"location":"Santa Barbara, CA, USA","end_date":"2015-08-20","start_date":"2015-08-16","name":"CRYPTO: International Cryptology Conference"},"status":"public","pubrep_id":"674","_id":"1648"},{"project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Benhamouda, Fabrice, Stephan Krenn, Vadim Lyubashevsky, and Krzysztof Z Pietrzak. “Efficient Zero-Knowledge Proofs for Commitments from Learning with Errors over Rings.” Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-319-24174-6_16.","ista":"Benhamouda F, Krenn S, Lyubashevsky V, Pietrzak KZ. 2015. Efficient zero-knowledge proofs for commitments from learning with errors over rings. 9326, 305–325.","mla":"Benhamouda, Fabrice, et al. Efficient Zero-Knowledge Proofs for Commitments from Learning with Errors over Rings. Vol. 9326, Springer, 2015, pp. 305–25, doi:10.1007/978-3-319-24174-6_16.","ama":"Benhamouda F, Krenn S, Lyubashevsky V, Pietrzak KZ. Efficient zero-knowledge proofs for commitments from learning with errors over rings. 2015;9326:305-325. doi:10.1007/978-3-319-24174-6_16","apa":"Benhamouda, F., Krenn, S., Lyubashevsky, V., & Pietrzak, K. Z. (2015). Efficient zero-knowledge proofs for commitments from learning with errors over rings. Presented at the ESORICS: European Symposium on Research in Computer Security, Vienna, Austria: Springer. https://doi.org/10.1007/978-3-319-24174-6_16","short":"F. Benhamouda, S. Krenn, V. Lyubashevsky, K.Z. Pietrzak, 9326 (2015) 305–325.","ieee":"F. Benhamouda, S. Krenn, V. Lyubashevsky, and K. Z. Pietrzak, “Efficient zero-knowledge proofs for commitments from learning with errors over rings,” vol. 9326. Springer, pp. 305–325, 2015."},"title":"Efficient zero-knowledge proofs for commitments from learning with errors over rings","author":[{"first_name":"Fabrice","full_name":"Benhamouda, Fabrice","last_name":"Benhamouda"},{"first_name":"Stephan","last_name":"Krenn","full_name":"Krenn, Stephan"},{"full_name":"Lyubashevsky, Vadim","last_name":"Lyubashevsky","first_name":"Vadim"},{"full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"}],"publist_id":"5501","quality_controlled":"1","publisher":"Springer","oa":1,"day":"01","has_accepted_license":"1","year":"2015","doi":"10.1007/978-3-319-24174-6_16","date_published":"2015-01-01T00:00:00Z","date_created":"2018-12-11T11:53:15Z","page":"305 - 325","series_title":"Lecture Notes in Computer Science","_id":"1649","status":"public","pubrep_id":"678","type":"conference","conference":{"name":"ESORICS: European Symposium on Research in Computer Security","location":"Vienna, Austria","end_date":"2015-09-25","start_date":"2015-09-21"},"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by-nc/4.0/legalcode","image":"/images/cc_by_nc.png","name":"Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)","short":"CC BY-NC (4.0)"},"ddc":["000","004"],"date_updated":"2021-01-12T06:52:14Z","department":[{"_id":"KrPi"}],"file_date_updated":"2020-07-14T12:45:08Z","oa_version":"Published Version","abstract":[{"text":"We extend a commitment scheme based on the learning with errors over rings (RLWE) problem, and present efficient companion zeroknowledge proofs of knowledge. Our scheme maps elements from the ring (or equivalently, n elements from ","lang":"eng"}],"month":"01","intvolume":" 9326","alternative_title":["LNCS"],"scopus_import":1,"file":[{"relation":"main_file","access_level":"open_access","content_type":"application/pdf","checksum":"6eac4a485b2aa644b2d3f753ed0b280b","file_id":"4883","creator":"system","file_size":494239,"date_updated":"2020-07-14T12:45:08Z","file_name":"IST-2016-678-v1+1_889.pdf","date_created":"2018-12-12T10:11:28Z"}],"language":[{"iso":"eng"}],"publication_status":"published","volume":9326,"license":"https://creativecommons.org/licenses/by-nc/4.0/","ec_funded":1},{"alternative_title":["LNCS"],"scopus_import":1,"main_file_link":[{"url":"http://eprint.iacr.org/2015/315","open_access":"1"}],"month":"01","intvolume":" 9063","abstract":[{"lang":"eng","text":"Increasing the computational complexity of evaluating a hash function, both for the honest users as well as for an adversary, is a useful technique employed for example in password-based cryptographic schemes to impede brute-force attacks, and also in so-called proofs of work (used in protocols like Bitcoin) to show that a certain amount of computation was performed by a legitimate user. A natural approach to adjust the complexity of a hash function is to iterate it c times, for some parameter c, in the hope that any query to the scheme requires c evaluations of the underlying hash function. However, results by Dodis et al. (Crypto 2012) imply that plain iteration falls short of achieving this goal, and designing schemes which provably have such a desirable property remained an open problem. This paper formalizes explicitly what it means for a given scheme to amplify the query complexity of a hash function. In the random oracle model, the goal of a secure query-complexity amplifier (QCA) scheme is captured as transforming, in the sense of indifferentiability, a random oracle allowing R queries (for the adversary) into one provably allowing only r < R queries. Turned around, this means that making r queries to the scheme requires at least R queries to the actual random oracle. Second, a new scheme, called collision-free iteration, is proposed and proven to achieve c-fold QCA for both the honest parties and the adversary, for any fixed parameter c."}],"oa_version":"Submitted Version","volume":9063,"ec_funded":1,"publication_status":"published","language":[{"iso":"eng"}],"type":"conference","conference":{"end_date":"2015-05-05","location":"Lugano, Switzerland","start_date":"2015-05-02","name":"ICITS: International Conference on Information Theoretic Security"},"status":"public","_id":"1644","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T06:52:13Z","quality_controlled":"1","publisher":"Springer","oa":1,"page":"159 - 180","doi":"10.1007/978-3-319-17470-9_10","date_published":"2015-01-01T00:00:00Z","date_created":"2018-12-11T11:53:13Z","year":"2015","day":"01","project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"author":[{"full_name":"Demay, Grégory","last_name":"Demay","first_name":"Grégory"},{"full_name":"Gazi, Peter","last_name":"Gazi","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","first_name":"Peter"},{"first_name":"Ueli","last_name":"Maurer","full_name":"Maurer, Ueli"},{"last_name":"Tackmann","full_name":"Tackmann, Björn","first_name":"Björn"}],"publist_id":"5507","title":"Query-complexity amplification for random oracles","citation":{"ista":"Demay G, Gazi P, Maurer U, Tackmann B. 2015. Query-complexity amplification for random oracles. ICITS: International Conference on Information Theoretic Security, LNCS, vol. 9063, 159–180.","chicago":"Demay, Grégory, Peter Gazi, Ueli Maurer, and Björn Tackmann. “Query-Complexity Amplification for Random Oracles,” 9063:159–80. Springer, 2015. https://doi.org/10.1007/978-3-319-17470-9_10.","ieee":"G. Demay, P. Gazi, U. Maurer, and B. Tackmann, “Query-complexity amplification for random oracles,” presented at the ICITS: International Conference on Information Theoretic Security, Lugano, Switzerland, 2015, vol. 9063, pp. 159–180.","short":"G. Demay, P. Gazi, U. Maurer, B. Tackmann, in:, Springer, 2015, pp. 159–180.","ama":"Demay G, Gazi P, Maurer U, Tackmann B. Query-complexity amplification for random oracles. In: Vol 9063. Springer; 2015:159-180. doi:10.1007/978-3-319-17470-9_10","apa":"Demay, G., Gazi, P., Maurer, U., & Tackmann, B. (2015). Query-complexity amplification for random oracles (Vol. 9063, pp. 159–180). Presented at the ICITS: International Conference on Information Theoretic Security, Lugano, Switzerland: Springer. https://doi.org/10.1007/978-3-319-17470-9_10","mla":"Demay, Grégory, et al. Query-Complexity Amplification for Random Oracles. Vol. 9063, Springer, 2015, pp. 159–80, doi:10.1007/978-3-319-17470-9_10."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87"},{"language":[{"iso":"eng"}],"publication_status":"published","volume":9216,"related_material":{"record":[{"id":"1225","status":"public","relation":"later_version"}]},"ec_funded":1,"oa_version":"Submitted Version","abstract":[{"text":"Round-optimal blind signatures are notoriously hard to construct in the standard model, especially in the malicious-signer model, where blindness must hold under adversarially chosen keys. This is substantiated by several impossibility results. The only construction that can be termed theoretically efficient, by Garg and Gupta (Eurocrypt’14), requires complexity leveraging, inducing an exponential security loss. We present a construction of practically efficient round-optimal blind signatures in the standard model. It is conceptually simple and builds on the recent structure-preserving signatures on equivalence classes (SPSEQ) from Asiacrypt’14. While the traditional notion of blindness follows from standard assumptions, we prove blindness under adversarially chosen keys under an interactive variant of DDH. However, we neither require non-uniform assumptions nor complexity leveraging. We then show how to extend our construction to partially blind signatures and to blind signatures on message vectors, which yield a construction of one-show anonymous credentials à la “anonymous credentials light” (CCS’13) in the standard model. Furthermore, we give the first SPS-EQ construction under noninteractive assumptions and show how SPS-EQ schemes imply conventional structure-preserving signatures, which allows us to apply optimality results for the latter to SPS-EQ.","lang":"eng"}],"month":"08","intvolume":" 9216","alternative_title":["LNCS"],"scopus_import":1,"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2015/626.pdf"}],"date_updated":"2023-02-21T16:44:51Z","department":[{"_id":"KrPi"}],"_id":"1647","status":"public","type":"conference","conference":{"name":"CRYPTO: International Cryptology Conference","end_date":"2015-08-20","location":"Santa Barbara, CA, United States","start_date":"2015-08-16"},"day":"01","year":"2015","doi":"10.1007/978-3-662-48000-7_12","date_published":"2015-08-01T00:00:00Z","date_created":"2018-12-11T11:53:14Z","page":"233 - 253","publisher":"Springer","quality_controlled":"1","oa":1,"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"chicago":"Fuchsbauer, Georg, Christian Hanser, and Daniel Slamanig. “Practical Round-Optimal Blind Signatures in the Standard Model,” 9216:233–53. Springer, 2015. https://doi.org/10.1007/978-3-662-48000-7_12.","ista":"Fuchsbauer G, Hanser C, Slamanig D. 2015. Practical round-optimal blind signatures in the standard model. CRYPTO: International Cryptology Conference, LNCS, vol. 9216, 233–253.","mla":"Fuchsbauer, Georg, et al. Practical Round-Optimal Blind Signatures in the Standard Model. Vol. 9216, Springer, 2015, pp. 233–53, doi:10.1007/978-3-662-48000-7_12.","ama":"Fuchsbauer G, Hanser C, Slamanig D. Practical round-optimal blind signatures in the standard model. In: Vol 9216. Springer; 2015:233-253. doi:10.1007/978-3-662-48000-7_12","apa":"Fuchsbauer, G., Hanser, C., & Slamanig, D. (2015). Practical round-optimal blind signatures in the standard model (Vol. 9216, pp. 233–253). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-662-48000-7_12","short":"G. Fuchsbauer, C. Hanser, D. Slamanig, in:, Springer, 2015, pp. 233–253.","ieee":"G. Fuchsbauer, C. Hanser, and D. Slamanig, “Practical round-optimal blind signatures in the standard model,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States, 2015, vol. 9216, pp. 233–253."},"title":"Practical round-optimal blind signatures in the standard model","publist_id":"5503","author":[{"full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer","first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Christian","last_name":"Hanser","full_name":"Hanser, Christian"},{"last_name":"Slamanig","full_name":"Slamanig, Daniel","first_name":"Daniel"}],"article_processing_charge":"No","project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}]},{"department":[{"_id":"KrPi"}],"title":"Secret-key cryptography from ideal primitives: A systematic verview","publist_id":"5506","author":[{"last_name":"Gazi","full_name":"Gazi, Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","first_name":"Peter"},{"full_name":"Tessaro, Stefano","last_name":"Tessaro","first_name":"Stefano"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"ama":"Gazi P, Tessaro S. Secret-key cryptography from ideal primitives: A systematic verview. In: 2015 IEEE Information Theory Workshop. IEEE; 2015. doi:10.1109/ITW.2015.7133163","apa":"Gazi, P., & Tessaro, S. (2015). Secret-key cryptography from ideal primitives: A systematic verview. In 2015 IEEE Information Theory Workshop. Jerusalem, Israel: IEEE. https://doi.org/10.1109/ITW.2015.7133163","short":"P. Gazi, S. Tessaro, in:, 2015 IEEE Information Theory Workshop, IEEE, 2015.","ieee":"P. Gazi and S. Tessaro, “Secret-key cryptography from ideal primitives: A systematic verview,” in 2015 IEEE Information Theory Workshop, Jerusalem, Israel, 2015.","mla":"Gazi, Peter, and Stefano Tessaro. “Secret-Key Cryptography from Ideal Primitives: A Systematic Verview.” 2015 IEEE Information Theory Workshop, 7133163, IEEE, 2015, doi:10.1109/ITW.2015.7133163.","ista":"Gazi P, Tessaro S. 2015. Secret-key cryptography from ideal primitives: A systematic verview. 2015 IEEE Information Theory Workshop. ITW 2015: IEEE Information Theory Workshop, 7133163.","chicago":"Gazi, Peter, and Stefano Tessaro. “Secret-Key Cryptography from Ideal Primitives: A Systematic Verview.” In 2015 IEEE Information Theory Workshop. IEEE, 2015. https://doi.org/10.1109/ITW.2015.7133163."},"date_updated":"2021-01-12T06:52:13Z","status":"public","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"type":"conference","conference":{"name":"ITW 2015: IEEE Information Theory Workshop","start_date":"2015-04-26","location":"Jerusalem, Israel","end_date":"2015-05-01"},"article_number":"7133163","_id":"1645","doi":"10.1109/ITW.2015.7133163","date_published":"2015-06-24T00:00:00Z","date_created":"2018-12-11T11:53:13Z","ec_funded":1,"day":"24","publication":"2015 IEEE Information Theory Workshop","language":[{"iso":"eng"}],"year":"2015","publication_status":"published","month":"06","publisher":"IEEE","scopus_import":1,"quality_controlled":"1","oa_version":"None","abstract":[{"text":"Secret-key constructions are often proved secure in a model where one or more underlying components are replaced by an idealized oracle accessible to the attacker. This model gives rise to information-theoretic security analyses, and several advances have been made in this area over the last few years. This paper provides a systematic overview of what is achievable in this model, and how existing works fit into this view.","lang":"eng"}]},{"type":"conference","conference":{"location":"Auckland, New Zealand","end_date":"2015-12-03","start_date":"2015-11-29","name":"ASIACRYPT: Theory and Application of Cryptology and Information Security"},"status":"public","pubrep_id":"676","series_title":"Lecture Notes in Computer Science","_id":"1654","file_date_updated":"2020-07-14T12:45:08Z","department":[{"_id":"KrPi"}],"date_updated":"2021-01-12T06:52:16Z","ddc":["004","005"],"scopus_import":1,"alternative_title":["LNCS"],"month":"12","intvolume":" 9453","abstract":[{"text":"HMAC and its variant NMAC are the most popular approaches to deriving a MAC (and more generally, a PRF) from a cryptographic hash function. Despite nearly two decades of research, their exact security still remains far from understood in many different contexts. Indeed, recent works have re-surfaced interest for {\\em generic} attacks, i.e., attacks that treat the compression function of the underlying hash function as a black box.\r\n\r\nGeneric security can be proved in a model where the underlying compression function is modeled as a random function -- yet, to date, the question of proving tight, non-trivial bounds on the generic security of HMAC/NMAC even as a PRF remains a challenging open question.\r\n\r\nIn this paper, we ask the question of whether a small modification to HMAC and NMAC can allow us to exactly characterize the security of the resulting constructions, while only incurring little penalty with respect to efficiency. To this end, we present simple variants of NMAC and HMAC, for which we prove tight bounds on the generic PRF security, expressed in terms of numbers of construction and compression function queries necessary to break the construction. All of our constructions are obtained via a (near) {\\em black-box} modification of NMAC and HMAC, which can be interpreted as an initial step of key-dependent message pre-processing.\r\n\r\nWhile our focus is on PRF security, a further attractive feature of our new constructions is that they clearly defeat all recent generic attacks against properties such as state recovery and universal forgery. These exploit properties of the so-called ``functional graph'' which are not directly accessible in our new constructions. ","lang":"eng"}],"oa_version":"Submitted Version","volume":9453,"ec_funded":1,"publication_status":"published","file":[{"content_type":"application/pdf","access_level":"open_access","relation":"main_file","checksum":"d1e53203db2d8573a560995ccdffac62","file_id":"4732","date_updated":"2020-07-14T12:45:08Z","file_size":512071,"creator":"system","date_created":"2018-12-12T10:09:09Z","file_name":"IST-2016-676-v1+1_881.pdf"}],"language":[{"iso":"eng"}],"project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"author":[{"full_name":"Gazi, Peter","last_name":"Gazi","first_name":"Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"},{"first_name":"Stefano","last_name":"Tessaro","full_name":"Tessaro, Stefano"}],"publist_id":"5496","title":"Generic security of NMAC and HMAC with input whitening","citation":{"mla":"Gazi, Peter, et al. Generic Security of NMAC and HMAC with Input Whitening. Vol. 9453, Springer, 2015, pp. 85–109, doi:10.1007/978-3-662-48800-3_4.","apa":"Gazi, P., Pietrzak, K. Z., & Tessaro, S. (2015). Generic security of NMAC and HMAC with input whitening. Presented at the ASIACRYPT: Theory and Application of Cryptology and Information Security, Auckland, New Zealand: Springer. https://doi.org/10.1007/978-3-662-48800-3_4","ama":"Gazi P, Pietrzak KZ, Tessaro S. Generic security of NMAC and HMAC with input whitening. 2015;9453:85-109. doi:10.1007/978-3-662-48800-3_4","short":"P. Gazi, K.Z. Pietrzak, S. Tessaro, 9453 (2015) 85–109.","ieee":"P. Gazi, K. Z. Pietrzak, and S. Tessaro, “Generic security of NMAC and HMAC with input whitening,” vol. 9453. Springer, pp. 85–109, 2015.","chicago":"Gazi, Peter, Krzysztof Z Pietrzak, and Stefano Tessaro. “Generic Security of NMAC and HMAC with Input Whitening.” Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-662-48800-3_4.","ista":"Gazi P, Pietrzak KZ, Tessaro S. 2015. Generic security of NMAC and HMAC with input whitening. 9453, 85–109."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","publisher":"Springer","quality_controlled":"1","oa":1,"page":"85 - 109","doi":"10.1007/978-3-662-48800-3_4","date_published":"2015-12-30T00:00:00Z","date_created":"2018-12-11T11:53:17Z","has_accepted_license":"1","year":"2015","day":"30"},{"publication_status":"published","file":[{"date_created":"2018-12-12T10:08:32Z","file_name":"IST-2016-675-v1+1_384.pdf","creator":"system","date_updated":"2020-07-14T12:45:08Z","file_size":525503,"file_id":"4693","checksum":"e808c7eecb631336fc9f9bf2e8d4ecae","access_level":"open_access","relation":"main_file","content_type":"application/pdf"}],"language":[{"iso":"eng"}],"volume":9134,"ec_funded":1,"abstract":[{"text":"We consider the task of deriving a key with high HILL entropy (i.e., being computationally indistinguishable from a key with high min-entropy) from an unpredictable source.\r\n\r\nPrevious to this work, the only known way to transform unpredictability into a key that was ϵ indistinguishable from having min-entropy was via pseudorandomness, for example by Goldreich-Levin (GL) hardcore bits. This approach has the inherent limitation that from a source with k bits of unpredictability entropy one can derive a key of length (and thus HILL entropy) at most k−2log(1/ϵ) bits. In many settings, e.g. when dealing with biometric data, such a 2log(1/ϵ) bit entropy loss in not an option. Our main technical contribution is a theorem that states that in the high entropy regime, unpredictability implies HILL entropy. Concretely, any variable K with |K|−d bits of unpredictability entropy has the same amount of so called metric entropy (against real-valued, deterministic distinguishers), which is known to imply the same amount of HILL entropy. The loss in circuit size in this argument is exponential in the entropy gap d, and thus this result only applies for small d (i.e., where the size of distinguishers considered is exponential in d).\r\n\r\nTo overcome the above restriction, we investigate if it’s possible to first “condense” unpredictability entropy and make the entropy gap small. We show that any source with k bits of unpredictability can be condensed into a source of length k with k−3 bits of unpredictability entropy. Our condenser simply “abuses" the GL construction and derives a k bit key from a source with k bits of unpredicatibily. The original GL theorem implies nothing when extracting that many bits, but we show that in this regime, GL still behaves like a “condenser" for unpredictability. This result comes with two caveats (1) the loss in circuit size is exponential in k and (2) we require that the source we start with has no HILL entropy (equivalently, one can efficiently check if a guess is correct). We leave it as an intriguing open problem to overcome these restrictions or to prove they’re inherent.","lang":"eng"}],"oa_version":"Published Version","alternative_title":["LNCS"],"scopus_import":1,"month":"06","intvolume":" 9134","date_updated":"2021-01-12T06:52:15Z","ddc":["000","005"],"file_date_updated":"2020-07-14T12:45:08Z","department":[{"_id":"KrPi"}],"_id":"1650","type":"conference","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"conference":{"name":"ICALP: Automata, Languages and Programming","start_date":"2015-07-06","location":"Kyoto, Japan","end_date":"2015-07-10"},"status":"public","pubrep_id":"675","has_accepted_license":"1","year":"2015","day":"20","page":"1046 - 1057","doi":"10.1007/978-3-662-47672-7_85","date_published":"2015-06-20T00:00:00Z","date_created":"2018-12-11T11:53:15Z","quality_controlled":"1","publisher":"Springer","oa":1,"citation":{"ista":"Skórski M, Golovnev A, Pietrzak KZ. 2015. Condensed unpredictability . ICALP: Automata, Languages and Programming, LNCS, vol. 9134, 1046–1057.","chicago":"Skórski, Maciej, Alexander Golovnev, and Krzysztof Z Pietrzak. “Condensed Unpredictability ,” 9134:1046–57. Springer, 2015. https://doi.org/10.1007/978-3-662-47672-7_85.","apa":"Skórski, M., Golovnev, A., & Pietrzak, K. Z. (2015). Condensed unpredictability (Vol. 9134, pp. 1046–1057). Presented at the ICALP: Automata, Languages and Programming, Kyoto, Japan: Springer. https://doi.org/10.1007/978-3-662-47672-7_85","ama":"Skórski M, Golovnev A, Pietrzak KZ. Condensed unpredictability . In: Vol 9134. Springer; 2015:1046-1057. doi:10.1007/978-3-662-47672-7_85","ieee":"M. Skórski, A. Golovnev, and K. Z. Pietrzak, “Condensed unpredictability ,” presented at the ICALP: Automata, Languages and Programming, Kyoto, Japan, 2015, vol. 9134, pp. 1046–1057.","short":"M. Skórski, A. Golovnev, K.Z. Pietrzak, in:, Springer, 2015, pp. 1046–1057.","mla":"Skórski, Maciej, et al. Condensed Unpredictability . Vol. 9134, Springer, 2015, pp. 1046–57, doi:10.1007/978-3-662-47672-7_85."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","author":[{"first_name":"Maciej","last_name":"Skórski","full_name":"Skórski, Maciej"},{"full_name":"Golovnev, Alexander","last_name":"Golovnev","first_name":"Alexander"},{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z"}],"publist_id":"5500","title":"Condensed unpredictability ","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","name":"Provable Security for Physical Cryptography","grant_number":"259668"}]},{"year":"2015","day":"17","publication":"Public-Key Cryptography - PKC 2015","page":"101 - 124","doi":"10.1007/978-3-662-46447-2_5","date_published":"2015-03-17T00:00:00Z","date_created":"2018-12-11T11:53:15Z","acknowledgement":"Work done as an intern in Microsoft Research Redmond and as a student at Brown University, where supported by NSF grant 0964379. Supported by the European Research Council, ERC Starting Grant (259668-PSPC).","publisher":"Springer","quality_controlled":"1","oa":1,"citation":{"mla":"Baldimtsi, Foteini, et al. “Anonymous Transferable E-Cash.” Public-Key Cryptography - PKC 2015, vol. 9020, Springer, 2015, pp. 101–24, doi:10.1007/978-3-662-46447-2_5.","ieee":"F. Baldimtsi, M. Chase, G. Fuchsbauer, and M. Kohlweiss, “Anonymous transferable e-cash,” in Public-Key Cryptography - PKC 2015, Gaithersburg, MD, United States, 2015, vol. 9020, pp. 101–124.","short":"F. Baldimtsi, M. Chase, G. Fuchsbauer, M. Kohlweiss, in:, Public-Key Cryptography - PKC 2015, Springer, 2015, pp. 101–124.","apa":"Baldimtsi, F., Chase, M., Fuchsbauer, G., & Kohlweiss, M. (2015). Anonymous transferable e-cash. In Public-Key Cryptography - PKC 2015 (Vol. 9020, pp. 101–124). Gaithersburg, MD, United States: Springer. https://doi.org/10.1007/978-3-662-46447-2_5","ama":"Baldimtsi F, Chase M, Fuchsbauer G, Kohlweiss M. Anonymous transferable e-cash. In: Public-Key Cryptography - PKC 2015. Vol 9020. Springer; 2015:101-124. doi:10.1007/978-3-662-46447-2_5","chicago":"Baldimtsi, Foteini, Melissa Chase, Georg Fuchsbauer, and Markulf Kohlweiss. “Anonymous Transferable E-Cash.” In Public-Key Cryptography - PKC 2015, 9020:101–24. Springer, 2015. https://doi.org/10.1007/978-3-662-46447-2_5.","ista":"Baldimtsi F, Chase M, Fuchsbauer G, Kohlweiss M. 2015. Anonymous transferable e-cash. Public-Key Cryptography - PKC 2015. PKC: Public Key Crypography, LNCS, vol. 9020, 101–124."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","publist_id":"5499","author":[{"full_name":"Baldimtsi, Foteini","last_name":"Baldimtsi","first_name":"Foteini"},{"first_name":"Melissa","last_name":"Chase","full_name":"Chase, Melissa"},{"last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg"},{"full_name":"Kohlweiss, Markulf","last_name":"Kohlweiss","first_name":"Markulf"}],"article_processing_charge":"No","title":"Anonymous transferable e-cash","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"publication_identifier":{"isbn":["978-3-662-46446-5"]},"publication_status":"published","language":[{"iso":"eng"}],"volume":9020,"ec_funded":1,"abstract":[{"lang":"eng","text":"Cryptographic e-cash allows off-line electronic transactions between a bank, users and merchants in a secure and anonymous fashion. A plethora of e-cash constructions has been proposed in the literature; however, these traditional e-cash schemes only allow coins to be transferred once between users and merchants. Ideally, we would like users to be able to transfer coins between each other multiple times before deposit, as happens with physical cash. “Transferable” e-cash schemes are the solution to this problem. Unfortunately, the currently proposed schemes are either completely impractical or do not achieve the desirable anonymity properties without compromises, such as assuming the existence of a trusted “judge” who can trace all coins and users in the system. This paper presents the first efficient and fully anonymous transferable e-cash scheme without any trusted third parties. We start by revising the security and anonymity properties of transferable e-cash to capture issues that were previously overlooked. For our construction we use the recently proposed malleable signatures by Chase et al. to allow the secure and anonymous transfer of coins, combined with a new efficient double-spending detection mechanism. Finally, we discuss an instantiation of our construction."}],"oa_version":"Published Version","scopus_import":"1","alternative_title":["LNCS"],"main_file_link":[{"open_access":"1","url":"https://doi.org/10.1007/978-3-662-46447-2_5"}],"month":"03","intvolume":" 9020","date_updated":"2022-05-23T10:08:37Z","department":[{"_id":"KrPi"}],"_id":"1651","type":"conference","conference":{"start_date":"2015-03-30","location":"Gaithersburg, MD, United States","end_date":"2015-04-01","name":"PKC: Public Key Crypography"},"status":"public"},{"_id":"1652","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"status":"public","conference":{"name":"STOC: Symposium on the Theory of Computing","location":"Portland, OR, United States","end_date":"2015-06-17","start_date":"2015-06-14"},"type":"conference","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"ieee":"J. F. Alwen and V. Serbinenko, “High parallel complexity graphs and memory-hard functions,” in Proceedings of the 47th annual ACM symposium on Theory of computing, Portland, OR, United States, 2015, pp. 595–603.","short":"J.F. Alwen, V. Serbinenko, in:, Proceedings of the 47th Annual ACM Symposium on Theory of Computing, ACM, 2015, pp. 595–603.","ama":"Alwen JF, Serbinenko V. High parallel complexity graphs and memory-hard functions. In: Proceedings of the 47th Annual ACM Symposium on Theory of Computing. ACM; 2015:595-603. doi:10.1145/2746539.2746622","apa":"Alwen, J. F., & Serbinenko, V. (2015). High parallel complexity graphs and memory-hard functions. In Proceedings of the 47th annual ACM symposium on Theory of computing (pp. 595–603). Portland, OR, United States: ACM. https://doi.org/10.1145/2746539.2746622","mla":"Alwen, Joel F., and Vladimir Serbinenko. “High Parallel Complexity Graphs and Memory-Hard Functions.” Proceedings of the 47th Annual ACM Symposium on Theory of Computing, ACM, 2015, pp. 595–603, doi:10.1145/2746539.2746622.","ista":"Alwen JF, Serbinenko V. 2015. High parallel complexity graphs and memory-hard functions. Proceedings of the 47th annual ACM symposium on Theory of computing. STOC: Symposium on the Theory of Computing, 595–603.","chicago":"Alwen, Joel F, and Vladimir Serbinenko. “High Parallel Complexity Graphs and Memory-Hard Functions.” In Proceedings of the 47th Annual ACM Symposium on Theory of Computing, 595–603. ACM, 2015. https://doi.org/10.1145/2746539.2746622."},"date_updated":"2021-01-12T06:52:16Z","title":"High parallel complexity graphs and memory-hard functions","department":[{"_id":"KrPi"}],"author":[{"last_name":"Alwen","full_name":"Alwen, Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F"},{"full_name":"Serbinenko, Vladimir","last_name":"Serbinenko","first_name":"Vladimir"}],"publist_id":"5498","oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"We develop new theoretical tools for proving lower-bounds on the (amortized) complexity of certain functions in models of parallel computation. We apply the tools to construct a class of functions with high amortized memory complexity in the parallel Random Oracle Model (pROM); a variant of the standard ROM allowing for batches of simultaneous queries. In particular we obtain a new, more robust, type of Memory-Hard Functions (MHF); a security primitive which has recently been gaining acceptance in practice as an effective means of countering brute-force attacks on security relevant functions. Along the way we also demonstrate an important shortcoming of previous definitions of MHFs and give a new definition addressing the problem. The tools we develop represent an adaptation of the powerful pebbling paradigm (initially introduced by Hewitt and Paterson [HP70] and Cook [Coo73]) to a simple and intuitive parallel setting. We define a simple pebbling game Gp over graphs which aims to abstract parallel computation in an intuitive way. As a conceptual contribution we define a measure of pebbling complexity for graphs called cumulative complexity (CC) and show how it overcomes a crucial shortcoming (in the parallel setting) exhibited by more traditional complexity measures used in the past. As a main technical contribution we give an explicit construction of a constant in-degree family of graphs whose CC in Gp approaches maximality to within a polylogarithmic factor for any graph of equal size (analogous to the graphs of Tarjan et. al. [PTC76, LT82] for sequential pebbling games). Finally, for a given graph G and related function fG, we derive a lower-bound on the amortized memory complexity of fG in the pROM in terms of the CC of G in the game Gp."}],"month":"06","main_file_link":[{"open_access":"1","url":"http://eprint.iacr.org/2014/238"}],"oa":1,"scopus_import":1,"publisher":"ACM","quality_controlled":"1","publication":"Proceedings of the 47th annual ACM symposium on Theory of computing","language":[{"iso":"eng"}],"day":"01","year":"2015","publication_status":"published","ec_funded":1,"date_created":"2018-12-11T11:53:16Z","date_published":"2015-06-01T00:00:00Z","doi":"10.1145/2746539.2746622","page":"595 - 603"},{"project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"publist_id":"5476","author":[{"first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","full_name":"Alwen, Joel F","last_name":"Alwen"},{"full_name":"Ostrovsky, Rafail","last_name":"Ostrovsky","first_name":"Rafail"},{"first_name":"Hongsheng","last_name":"Zhou","full_name":"Zhou, Hongsheng"},{"full_name":"Zikas, Vassilis","last_name":"Zikas","first_name":"Vassilis"}],"article_processing_charge":"No","title":"Incoercible multi-party computation and universally composable receipt-free voting","citation":{"mla":"Alwen, Joel F., et al. “Incoercible Multi-Party Computation and Universally Composable Receipt-Free Voting.” Advances in Cryptology - CRYPTO 2015, vol. 9216, Springer, 2015, pp. 763–80, doi:10.1007/978-3-662-48000-7_37.","apa":"Alwen, J. F., Ostrovsky, R., Zhou, H., & Zikas, V. (2015). Incoercible multi-party computation and universally composable receipt-free voting. In Advances in Cryptology - CRYPTO 2015 (Vol. 9216, pp. 763–780). Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-662-48000-7_37","ama":"Alwen JF, Ostrovsky R, Zhou H, Zikas V. Incoercible multi-party computation and universally composable receipt-free voting. In: Advances in Cryptology - CRYPTO 2015. Vol 9216. Lecture Notes in Computer Science. Springer; 2015:763-780. doi:10.1007/978-3-662-48000-7_37","ieee":"J. F. Alwen, R. Ostrovsky, H. Zhou, and V. Zikas, “Incoercible multi-party computation and universally composable receipt-free voting,” in Advances in Cryptology - CRYPTO 2015, Santa Barbara, CA, United States, 2015, vol. 9216, pp. 763–780.","short":"J.F. Alwen, R. Ostrovsky, H. Zhou, V. Zikas, in:, Advances in Cryptology - CRYPTO 2015, Springer, 2015, pp. 763–780.","chicago":"Alwen, Joel F, Rafail Ostrovsky, Hongsheng Zhou, and Vassilis Zikas. “Incoercible Multi-Party Computation and Universally Composable Receipt-Free Voting.” In Advances in Cryptology - CRYPTO 2015, 9216:763–80. Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-662-48000-7_37.","ista":"Alwen JF, Ostrovsky R, Zhou H, Zikas V. 2015. Incoercible multi-party computation and universally composable receipt-free voting. Advances in Cryptology - CRYPTO 2015. CRYPTO: International Cryptology ConferenceLecture Notes in Computer Science, LNCS, vol. 9216, 763–780."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","quality_controlled":"1","publisher":"Springer","oa":1,"acknowledgement":"Joël Alwen was supported by the ERC starting grant (259668-PSPC). Rafail Ostrovsky was supported in part by NSF grants 09165174, 1065276, 1118126 and 1136174, US-Israel BSF grant 2008411, OKAWA Foundation Research Award, IBM Faculty Research Award, Xerox Faculty Research Award, B. John Garrick Foundation Award, Teradata Research Award, Lockheed-Martin Corporation Research Award, and the Defense Advanced Research Projects Agency through the U.S. Office of Naval Research under Contract N00014 -11 -1-0392. The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government. Vassilis Zikas was supported in part by the Swiss National Science Foundation (SNF) via the Ambizione grant PZ00P-2142549.","page":"763 - 780","doi":"10.1007/978-3-662-48000-7_37","date_published":"2015-08-01T00:00:00Z","date_created":"2018-12-11T11:53:23Z","has_accepted_license":"1","year":"2015","day":"01","publication":"Advances in Cryptology - CRYPTO 2015","type":"conference","conference":{"location":"Santa Barbara, CA, United States","end_date":"2015-08-20","start_date":"2015-08-16","name":"CRYPTO: International Cryptology Conference"},"status":"public","_id":"1672","series_title":"Lecture Notes in Computer Science","file_date_updated":"2020-07-14T12:45:11Z","department":[{"_id":"KrPi"}],"date_updated":"2022-06-07T09:51:55Z","ddc":["000"],"alternative_title":["LNCS"],"scopus_import":"1","month":"08","intvolume":" 9216","abstract":[{"lang":"eng","text":"Composable notions of incoercibility aim to forbid a coercer from using anything beyond the coerced parties’ inputs and outputs to catch them when they try to deceive him. Existing definitions are restricted to weak coercion types, and/or are not universally composable. Furthermore, they often make too strong assumptions on the knowledge of coerced parties—e.g., they assume they known the identities and/or the strategies of other coerced parties, or those of corrupted parties— which makes them unsuitable for applications of incoercibility such as e-voting, where colluding adversarial parties may attempt to coerce honest voters, e.g., by offering them money for a promised vote, and use their own view to check that the voter keeps his end of the bargain. In this work we put forward the first universally composable notion of incoercible multi-party computation, which satisfies the above intuition and does not assume collusions among coerced parties or knowledge of the corrupted set. We define natural notions of UC incoercibility corresponding to standard coercion-types, i.e., receipt-freeness and resistance to full-active coercion. Importantly, our suggested notion has the unique property that it builds on top of the well studied UC framework by Canetti instead of modifying it. This guarantees backwards compatibility, and allows us to inherit results from the rich UC literature. We then present MPC protocols which realize our notions of UC incoercibility given access to an arguably minimal setup—namely honestly generate tamper-proof hardware performing a very simple cryptographic operation—e.g., a smart card. This is, to our knowledge, the first proposed construction of an MPC protocol (for more than two parties) that is incoercibly secure and universally composable, and therefore the first construction of a universally composable receipt-free e-voting protocol."}],"oa_version":"Submitted Version","volume":9216,"ec_funded":1,"publication_identifier":{"eisbn":["978-3-662-48000-7"],"isbn":["978-3-662-47999-5"]},"publication_status":"published","file":[{"content_type":"application/pdf","relation":"main_file","access_level":"open_access","file_id":"7853","checksum":"5b6649e80d1f781a8910f7cce6427f78","file_size":397363,"date_updated":"2020-07-14T12:45:11Z","creator":"dernst","file_name":"2015_CRYPTO_Alwen.pdf","date_created":"2020-05-15T08:55:29Z"}],"language":[{"iso":"eng"}]},{"quality_controlled":"1","publisher":"Springer","oa":1,"day":"15","has_accepted_license":"1","year":"2015","date_published":"2015-08-15T00:00:00Z","doi":"10.1007/978-3-319-22174-8_5","date_created":"2018-12-11T11:53:22Z","page":"81 - 98","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","citation":{"ista":"Pietrzak KZ, Skórski M. 2015. The chain rule for HILL pseudoentropy, revisited. 9230, 81–98.","chicago":"Pietrzak, Krzysztof Z, and Maciej Skórski. “The Chain Rule for HILL Pseudoentropy, Revisited.” Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-319-22174-8_5.","ieee":"K. Z. Pietrzak and M. Skórski, “The chain rule for HILL pseudoentropy, revisited,” vol. 9230. Springer, pp. 81–98, 2015.","short":"K.Z. Pietrzak, M. Skórski, 9230 (2015) 81–98.","ama":"Pietrzak KZ, Skórski M. The chain rule for HILL pseudoentropy, revisited. 2015;9230:81-98. doi:10.1007/978-3-319-22174-8_5","apa":"Pietrzak, K. Z., & Skórski, M. (2015). The chain rule for HILL pseudoentropy, revisited. Presented at the LATINCRYPT: Cryptology and Information Security in Latin America, Guadalajara, Mexico: Springer. https://doi.org/10.1007/978-3-319-22174-8_5","mla":"Pietrzak, Krzysztof Z., and Maciej Skórski. The Chain Rule for HILL Pseudoentropy, Revisited. Vol. 9230, Springer, 2015, pp. 81–98, doi:10.1007/978-3-319-22174-8_5."},"title":"The chain rule for HILL pseudoentropy, revisited","author":[{"first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654"},{"first_name":"Maciej","last_name":"Skórski","full_name":"Skórski, Maciej"}],"publist_id":"5480","oa_version":"Submitted Version","abstract":[{"lang":"eng","text":"Computational notions of entropy (a.k.a. pseudoentropy) have found many applications, including leakage-resilient cryptography, deterministic encryption or memory delegation. The most important tools to argue about pseudoentropy are chain rules, which quantify by how much (in terms of quantity and quality) the pseudoentropy of a given random variable X decreases when conditioned on some other variable Z (think for example of X as a secret key and Z as information leaked by a side-channel). In this paper we give a very simple and modular proof of the chain rule for HILL pseudoentropy, improving best known parameters. Our version allows for increasing the acceptable length of leakage in applications up to a constant factor compared to the best previous bounds. As a contribution of independent interest, we provide a comprehensive study of all known versions of the chain rule, comparing their worst-case strength and limitations."}],"month":"08","intvolume":" 9230","scopus_import":1,"alternative_title":["LNCS"],"file":[{"access_level":"open_access","relation":"main_file","content_type":"application/pdf","checksum":"8cd4215b83efba720e8cf27c23ff4781","file_id":"5351","creator":"system","date_updated":"2020-07-14T12:45:11Z","file_size":443340,"date_created":"2018-12-12T10:18:29Z","file_name":"IST-2016-669-v1+1_599.pdf"}],"language":[{"iso":"eng"}],"publication_status":"published","volume":9230,"ec_funded":1,"series_title":"Lecture Notes in Computer Science","_id":"1669","status":"public","pubrep_id":"669","type":"conference","conference":{"end_date":"2015-08-26","location":"Guadalajara, Mexico","start_date":"2015-08-23","name":"LATINCRYPT: Cryptology and Information Security in Latin America"},"ddc":["005"],"date_updated":"2021-01-12T06:52:24Z","file_date_updated":"2020-07-14T12:45:11Z","department":[{"_id":"KrPi"}]},{"abstract":[{"lang":"eng","text":"This paper studies the concrete security of PRFs and MACs obtained by keying hash functions based on the sponge paradigm. One such hash function is KECCAK, selected as NIST’s new SHA-3 standard. In contrast to other approaches like HMAC, the exact security of keyed sponges is not well understood. Indeed, recent security analyses delivered concrete security bounds which are far from existing attacks. This paper aims to close this gap. We prove (nearly) exact bounds on the concrete PRF security of keyed sponges using a random permutation. These bounds are tight for the most relevant ranges of parameters, i.e., for messages of length (roughly) l ≤ min{2n/4, 2r} blocks, where n is the state size and r is the desired output length; and for l ≤ q queries (to the construction or the underlying permutation). Moreover, we also improve standard-model bounds. As an intermediate step of independent interest, we prove tight bounds on the PRF security of the truncated CBC-MAC construction, which operates as plain CBC-MAC, but only returns a prefix of the output."}],"oa_version":"Submitted Version","scopus_import":1,"alternative_title":["LNCS"],"intvolume":" 9215","month":"08","publication_status":"published","language":[{"iso":"eng"}],"file":[{"content_type":"application/pdf","relation":"main_file","access_level":"open_access","checksum":"17d854227b3b753fd34f5d29e5b5a32e","file_id":"4827","file_size":592296,"date_updated":"2020-07-14T12:45:11Z","creator":"system","file_name":"IST-2016-673-v1+1_053.pdf","date_created":"2018-12-12T10:10:38Z"}],"ec_funded":1,"volume":9215,"_id":"1671","conference":{"location":"Santa Barbara, CA, United States","end_date":"2015-08-20","start_date":"2015-08-16","name":"CRYPTO: International Cryptology Conference"},"type":"conference","pubrep_id":"673","status":"public","date_updated":"2021-01-12T06:52:25Z","ddc":["004","005"],"file_date_updated":"2020-07-14T12:45:11Z","department":[{"_id":"KrPi"}],"oa":1,"quality_controlled":"1","publisher":"Springer","year":"2015","has_accepted_license":"1","day":"01","page":"368 - 387","date_created":"2018-12-11T11:53:23Z","date_published":"2015-08-01T00:00:00Z","doi":"10.1007/978-3-662-47989-6_18","project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"citation":{"ista":"Gazi P, Pietrzak KZ, Tessaro S. 2015. The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC. CRYPTO: International Cryptology Conference, LNCS, vol. 9215, 368–387.","chicago":"Gazi, Peter, Krzysztof Z Pietrzak, and Stefano Tessaro. “The Exact PRF Security of Truncation: Tight Bounds for Keyed Sponges and Truncated CBC,” 9215:368–87. Springer, 2015. https://doi.org/10.1007/978-3-662-47989-6_18.","ieee":"P. Gazi, K. Z. Pietrzak, and S. Tessaro, “The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States, 2015, vol. 9215, pp. 368–387.","short":"P. Gazi, K.Z. Pietrzak, S. Tessaro, in:, Springer, 2015, pp. 368–387.","ama":"Gazi P, Pietrzak KZ, Tessaro S. The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC. In: Vol 9215. Springer; 2015:368-387. doi:10.1007/978-3-662-47989-6_18","apa":"Gazi, P., Pietrzak, K. Z., & Tessaro, S. (2015). The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC (Vol. 9215, pp. 368–387). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-662-47989-6_18","mla":"Gazi, Peter, et al. The Exact PRF Security of Truncation: Tight Bounds for Keyed Sponges and Truncated CBC. Vol. 9215, Springer, 2015, pp. 368–87, doi:10.1007/978-3-662-47989-6_18."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","publist_id":"5478","author":[{"full_name":"Gazi, Peter","last_name":"Gazi","first_name":"Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"},{"first_name":"Stefano","full_name":"Tessaro, Stefano","last_name":"Tessaro"}],"title":"The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC"},{"department":[{"_id":"KrPi"}],"date_updated":"2020-08-11T10:09:26Z","type":"conference","conference":{"start_date":"2015-03-08","end_date":"2015-03-11","location":"Istanbul, Turkey","name":"FSE: Fast Software Encryption"},"status":"public","_id":"1668","series_title":"Lecture Notes in Computer Science","volume":9054,"ec_funded":1,"publication_status":"published","language":[{"iso":"eng"}],"alternative_title":["LNCS"],"scopus_import":1,"main_file_link":[{"url":"http://eprint.iacr.org/2015/397","open_access":"1"}],"month":"08","intvolume":" 9054","abstract":[{"lang":"eng","text":"We revisit the security (as a pseudorandom permutation) of cascading-based constructions for block-cipher key-length extension. Previous works typically considered the extreme case where the adversary is given the entire codebook of the construction, the only complexity measure being the number qe of queries to the underlying ideal block cipher, representing adversary’s secret-key-independent computation. Here, we initiate a systematic study of the more natural case of an adversary restricted to adaptively learning a number qc of plaintext/ciphertext pairs that is less than the entire codebook. For any such qc, we aim to determine the highest number of block-cipher queries qe the adversary can issue without being able to successfully distinguish the construction (under a secret key) from a random permutation.\r\nMore concretely, we show the following results for key-length extension schemes using a block cipher with n-bit blocks and κ-bit keys:\r\nPlain cascades of length ℓ=2r+1 are secure whenever qcqre≪2r(κ+n), qc≪2κ and qe≪22κ. The bound for r=1 also applies to two-key triple encryption (as used within Triple DES).\r\nThe r-round XOR-cascade is secure as long as qcqre≪2r(κ+n), matching an attack by Gaži (CRYPTO 2013).\r\nWe fully characterize the security of Gaži and Tessaro’s two-call "}],"oa_version":"Submitted Version","publist_id":"5481","author":[{"full_name":"Gazi, Peter","last_name":"Gazi","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","first_name":"Peter"},{"first_name":"Jooyoung","last_name":"Lee","full_name":"Lee, Jooyoung"},{"first_name":"Yannick","full_name":"Seurin, Yannick","last_name":"Seurin"},{"first_name":"John","last_name":"Steinberger","full_name":"Steinberger, John"},{"full_name":"Tessaro, Stefano","last_name":"Tessaro","first_name":"Stefano"}],"title":"Relaxing full-codebook security: A refined analysis of key-length extension schemes","citation":{"chicago":"Gazi, Peter, Jooyoung Lee, Yannick Seurin, John Steinberger, and Stefano Tessaro. “Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes.” Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-662-48116-5_16.","ista":"Gazi P, Lee J, Seurin Y, Steinberger J, Tessaro S. 2015. Relaxing full-codebook security: A refined analysis of key-length extension schemes. 9054, 319–341.","mla":"Gazi, Peter, et al. Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes. Vol. 9054, Springer, 2015, pp. 319–41, doi:10.1007/978-3-662-48116-5_16.","ieee":"P. Gazi, J. Lee, Y. Seurin, J. Steinberger, and S. Tessaro, “Relaxing full-codebook security: A refined analysis of key-length extension schemes,” vol. 9054. Springer, pp. 319–341, 2015.","short":"P. Gazi, J. Lee, Y. Seurin, J. Steinberger, S. Tessaro, 9054 (2015) 319–341.","apa":"Gazi, P., Lee, J., Seurin, Y., Steinberger, J., & Tessaro, S. (2015). Relaxing full-codebook security: A refined analysis of key-length extension schemes. Presented at the FSE: Fast Software Encryption, Istanbul, Turkey: Springer. https://doi.org/10.1007/978-3-662-48116-5_16","ama":"Gazi P, Lee J, Seurin Y, Steinberger J, Tessaro S. Relaxing full-codebook security: A refined analysis of key-length extension schemes. 2015;9054:319-341. doi:10.1007/978-3-662-48116-5_16"},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"page":"319 - 341","doi":"10.1007/978-3-662-48116-5_16","date_published":"2015-08-12T00:00:00Z","date_created":"2018-12-11T11:53:22Z","year":"2015","day":"12","publisher":"Springer","quality_controlled":"1","oa":1}]