---
_id: '10407'
abstract:
- lang: eng
text: Digital hardware Trojans are integrated circuits whose implementation differ
from the specification in an arbitrary and malicious way. For example, the circuit
can differ from its specified input/output behavior after some fixed number of
queries (known as “time bombs”) or on some particular input (known as “cheat codes”).
To detect such Trojans, countermeasures using multiparty computation (MPC) or
verifiable computation (VC) have been proposed. On a high level, to realize a
circuit with specification F one has more sophisticated circuits F⋄ manufactured
(where F⋄ specifies a MPC or VC of F ), and then embeds these F⋄ ’s into
a master circuit which must be trusted but is relatively simple compared to F
. Those solutions impose a significant overhead as F⋄ is much more complex
than F , also the master circuits are not exactly trivial. In this work, we
show that in restricted settings, where F has no evolving state and is queried
on independent inputs, we can achieve a relaxed security notion using very simple
constructions. In particular, we do not change the specification of the circuit
at all (i.e., F=F⋄ ). Moreover the master circuit basically just queries a subset
of its manufactured circuits and checks if they’re all the same. The security
we achieve guarantees that, if the manufactured circuits are initially tested
on up to T inputs, the master circuit will catch Trojans that try to deviate on
significantly more than a 1/T fraction of the inputs. This bound is optimal for
the type of construction considered, and we provably achieve it using a construction
where 12 instantiations of F need to be embedded into the master. We also discuss
an extremely simple construction with just 2 instantiations for which we conjecture
that it already achieves the optimal bound.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Suvradip
full_name: Chakraborty, Suvradip
id: B9CD0494-D033-11E9-B219-A439E6697425
last_name: Chakraborty
- first_name: Stefan
full_name: Dziembowski, Stefan
last_name: Dziembowski
- first_name: Małgorzata
full_name: Gałązka, Małgorzata
last_name: Gałązka
- first_name: Tomasz
full_name: Lizurej, Tomasz
last_name: Lizurej
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Michelle X
full_name: Yeo, Michelle X
id: 2D82B818-F248-11E8-B48F-1D18A9856A87
last_name: Yeo
citation:
ama: 'Chakraborty S, Dziembowski S, Gałązka M, Lizurej T, Pietrzak KZ, Yeo MX. Trojan-resilience
without cryptography. In: Vol 13043. Springer Nature; 2021:397-428. doi:10.1007/978-3-030-90453-1_14'
apa: 'Chakraborty, S., Dziembowski, S., Gałązka, M., Lizurej, T., Pietrzak, K. Z.,
& Yeo, M. X. (2021). Trojan-resilience without cryptography (Vol. 13043, pp.
397–428). Presented at the TCC: Theory of Cryptography Conference, Raleigh, NC,
United States: Springer Nature. https://doi.org/10.1007/978-3-030-90453-1_14'
chicago: Chakraborty, Suvradip, Stefan Dziembowski, Małgorzata Gałązka, Tomasz Lizurej,
Krzysztof Z Pietrzak, and Michelle X Yeo. “Trojan-Resilience without Cryptography,”
13043:397–428. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-90453-1_14.
ieee: 'S. Chakraborty, S. Dziembowski, M. Gałązka, T. Lizurej, K. Z. Pietrzak, and
M. X. Yeo, “Trojan-resilience without cryptography,” presented at the TCC: Theory
of Cryptography Conference, Raleigh, NC, United States, 2021, vol. 13043, pp.
397–428.'
ista: 'Chakraborty S, Dziembowski S, Gałązka M, Lizurej T, Pietrzak KZ, Yeo MX.
2021. Trojan-resilience without cryptography. TCC: Theory of Cryptography Conference,
LNCS, vol. 13043, 397–428.'
mla: Chakraborty, Suvradip, et al. Trojan-Resilience without Cryptography.
Vol. 13043, Springer Nature, 2021, pp. 397–428, doi:10.1007/978-3-030-90453-1_14.
short: S. Chakraborty, S. Dziembowski, M. Gałązka, T. Lizurej, K.Z. Pietrzak, M.X.
Yeo, in:, Springer Nature, 2021, pp. 397–428.
conference:
end_date: 2021-11-11
location: Raleigh, NC, United States
name: 'TCC: Theory of Cryptography Conference'
start_date: 2021-11-08
date_created: 2021-12-05T23:01:42Z
date_published: 2021-11-04T00:00:00Z
date_updated: 2023-08-14T13:07:46Z
day: '04'
department:
- _id: KrPi
doi: 10.1007/978-3-030-90453-1_14
ec_funded: 1
external_id:
isi:
- '000728364000014'
intvolume: ' 13043'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2021/1224
month: '11'
oa: 1
oa_version: Preprint
page: 397-428
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
eissn:
- 1611-3349
isbn:
- 9-783-0309-0452-4
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Trojan-resilience without cryptography
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
volume: 13043
year: '2021'
...
---
_id: '10408'
abstract:
- lang: eng
text: 'Key trees are often the best solution in terms of transmission cost and storage
requirements for managing keys in a setting where a group needs to share a secret
key, while being able to efficiently rotate the key material of users (in order
to recover from a potential compromise, or to add or remove users). Applications
include multicast encryption protocols like LKH (Logical Key Hierarchies) or group
messaging like the current IETF proposal TreeKEM. A key tree is a (typically balanced)
binary tree, where each node is identified with a key: leaf nodes hold users’
secret keys while the root is the shared group key. For a group of size N, each
user just holds log(N) keys (the keys on the path from its leaf to the root)
and its entire key material can be rotated by broadcasting 2log(N) ciphertexts
(encrypting each fresh key on the path under the keys of its parents). In this
work we consider the natural setting where we have many groups with partially
overlapping sets of users, and ask if we can find solutions where the cost of
rotating a key is better than in the trivial one where we have a separate key
tree for each group. We show that in an asymptotic setting (where the number m
of groups is fixed while the number N of users grows) there exist more general
key graphs whose cost converges to the cost of a single group, thus saving a factor
linear in the number of groups over the trivial solution. As our asymptotic “solution”
converges very slowly and performs poorly on concrete examples, we propose an
algorithm that uses a natural heuristic to compute a key graph for any given group
structure. Our algorithm combines two greedy algorithms, and is thus very efficient:
it first converts the group structure into a “lattice graph”, which is then turned
into a key graph by repeatedly applying the algorithm for constructing a Huffman
code. To better understand how far our proposal is from an optimal solution, we
prove lower bounds on the update cost of continuous group-key agreement and multicast
encryption in a symbolic model admitting (asymmetric) encryption, pseudorandom
generators, and secret sharing as building blocks.'
acknowledgement: B. Auerbach, M.A. Baig and K. Pietrzak—received funding from the
European Research Council (ERC) under the European Union’s Horizon 2020 research
and innovation programme (682815 - TOCNeT); Karen Klein was supported in part by
ERC CoG grant 724307 and conducted part of this work at IST Austria, funded by the
ERC under the European Union’s Horizon 2020 research and innovation programme (682815
- TOCNeT); Guillermo Pascual-Perez was funded by the European Union’s Horizon 2020
research and innovation programme under the Marie Skłodowska-Curie Grant Agreement
No. 665385; Michael Walter conducted part of this work at IST Austria, funded by
the ERC under the European Union’s Horizon 2020 research and innovation programme
(682815 - TOCNeT).
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Benedikt
full_name: Auerbach, Benedikt
id: D33D2B18-E445-11E9-ABB7-15F4E5697425
last_name: Auerbach
orcid: 0000-0002-7553-6606
- first_name: Mirza Ahad
full_name: Baig, Mirza Ahad
id: 3EDE6DE4-AA5A-11E9-986D-341CE6697425
last_name: Baig
- first_name: Miguel
full_name: Cueto Noval, Miguel
id: ffc563a3-f6e0-11ea-865d-e3cce03d17cc
last_name: Cueto Noval
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Guillermo
full_name: Pascual Perez, Guillermo
id: 2D7ABD02-F248-11E8-B48F-1D18A9856A87
last_name: Pascual Perez
orcid: 0000-0001-8630-415X
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
citation:
ama: 'Alwen JF, Auerbach B, Baig MA, et al. Grafting key trees: Efficient key management
for overlapping groups. In: 19th International Conference. Vol 13044. Springer
Nature; 2021:222-253. doi:10.1007/978-3-030-90456-2_8'
apa: 'Alwen, J. F., Auerbach, B., Baig, M. A., Cueto Noval, M., Klein, K., Pascual
Perez, G., … Walter, M. (2021). Grafting key trees: Efficient key management for
overlapping groups. In 19th International Conference (Vol. 13044, pp. 222–253).
Raleigh, NC, United States: Springer Nature. https://doi.org/10.1007/978-3-030-90456-2_8'
chicago: 'Alwen, Joel F, Benedikt Auerbach, Mirza Ahad Baig, Miguel Cueto Noval,
Karen Klein, Guillermo Pascual Perez, Krzysztof Z Pietrzak, and Michael Walter.
“Grafting Key Trees: Efficient Key Management for Overlapping Groups.” In 19th
International Conference, 13044:222–53. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-90456-2_8.'
ieee: 'J. F. Alwen et al., “Grafting key trees: Efficient key management
for overlapping groups,” in 19th International Conference, Raleigh, NC,
United States, 2021, vol. 13044, pp. 222–253.'
ista: 'Alwen JF, Auerbach B, Baig MA, Cueto Noval M, Klein K, Pascual Perez G, Pietrzak
KZ, Walter M. 2021. Grafting key trees: Efficient key management for overlapping
groups. 19th International Conference. TCC: Theory of Cryptography, LNCS, vol.
13044, 222–253.'
mla: 'Alwen, Joel F., et al. “Grafting Key Trees: Efficient Key Management for Overlapping
Groups.” 19th International Conference, vol. 13044, Springer Nature, 2021,
pp. 222–53, doi:10.1007/978-3-030-90456-2_8.'
short: J.F. Alwen, B. Auerbach, M.A. Baig, M. Cueto Noval, K. Klein, G. Pascual
Perez, K.Z. Pietrzak, M. Walter, in:, 19th International Conference, Springer
Nature, 2021, pp. 222–253.
conference:
end_date: 2021-11-11
location: Raleigh, NC, United States
name: 'TCC: Theory of Cryptography'
start_date: 2021-11-08
date_created: 2021-12-05T23:01:42Z
date_published: 2021-11-04T00:00:00Z
date_updated: 2023-08-14T13:19:39Z
day: '04'
department:
- _id: KrPi
doi: 10.1007/978-3-030-90456-2_8
ec_funded: 1
external_id:
isi:
- '000728363700008'
intvolume: ' 13044'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2021/1158
month: '11'
oa: 1
oa_version: Preprint
page: 222-253
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
- _id: 2564DBCA-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '665385'
name: International IST Doctoral Program
publication: 19th International Conference
publication_identifier:
eisbn:
- 978-3-030-90456-2
eissn:
- 1611-3349
isbn:
- 9-783-0309-0455-5
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'Grafting key trees: Efficient key management for overlapping groups'
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
volume: 13044
year: '2021'
...
---
_id: '10409'
abstract:
- lang: eng
text: We show that Yao’s garbling scheme is adaptively indistinguishable for the
class of Boolean circuits of size S and treewidth w with only a SO(w) loss
in security. For instance, circuits with constant treewidth are as a result adaptively
indistinguishable with only a polynomial loss. This (partially) complements a
negative result of Applebaum et al. (Crypto 2013), which showed (assuming one-way
functions) that Yao’s garbling scheme cannot be adaptively simulatable. As main
technical contributions, we introduce a new pebble game that abstracts out our
security reduction and then present a pebbling strategy for this game where the
number of pebbles used is roughly O(δwlog(S)) , δ being the fan-out of the
circuit. The design of the strategy relies on separators, a graph-theoretic notion
with connections to circuit complexity. with only a SO(w) loss in security.
For instance, circuits with constant treewidth are as a result adaptively indistinguishable
with only a polynomial loss. This (partially) complements a negative result of
Applebaum et al. (Crypto 2013), which showed (assuming one-way functions) that
Yao’s garbling scheme cannot be adaptively simulatable. As main technical contributions,
we introduce a new pebble game that abstracts out our security reduction and then
present a pebbling strategy for this game where the number of pebbles used is
roughly O(δwlog(S)) , δ being the fan-out of the circuit. The design of the
strategy relies on separators, a graph-theoretic notion with connections to circuit
complexity.
acknowledgement: We are grateful to Daniel Wichs for helpful discussions on the landscape
of adaptive security of Yao’s garbling. We would also like to thank Crypto 2021
and TCC 2021 reviewers for their detailed review and suggestions, which helped improve
presentation considerably.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Kamath Hosdurg C, Klein K, Pietrzak KZ. On treewidth, separators and Yao’s
garbling. In: 19th International Conference. Vol 13043. Springer Nature;
2021:486-517. doi:10.1007/978-3-030-90453-1_17'
apa: 'Kamath Hosdurg, C., Klein, K., & Pietrzak, K. Z. (2021). On treewidth,
separators and Yao’s garbling. In 19th International Conference (Vol. 13043,
pp. 486–517). Raleigh, NC, United States: Springer Nature. https://doi.org/10.1007/978-3-030-90453-1_17'
chicago: Kamath Hosdurg, Chethan, Karen Klein, and Krzysztof Z Pietrzak. “On Treewidth,
Separators and Yao’s Garbling.” In 19th International Conference, 13043:486–517.
Springer Nature, 2021. https://doi.org/10.1007/978-3-030-90453-1_17.
ieee: C. Kamath Hosdurg, K. Klein, and K. Z. Pietrzak, “On treewidth, separators
and Yao’s garbling,” in 19th International Conference, Raleigh, NC, United
States, 2021, vol. 13043, pp. 486–517.
ista: 'Kamath Hosdurg C, Klein K, Pietrzak KZ. 2021. On treewidth, separators and
Yao’s garbling. 19th International Conference. TCC: Theory of Cryptography, LNCS,
vol. 13043, 486–517.'
mla: Kamath Hosdurg, Chethan, et al. “On Treewidth, Separators and Yao’s Garbling.”
19th International Conference, vol. 13043, Springer Nature, 2021, pp. 486–517,
doi:10.1007/978-3-030-90453-1_17.
short: C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, in:, 19th International Conference,
Springer Nature, 2021, pp. 486–517.
conference:
end_date: 2021-11-11
location: Raleigh, NC, United States
name: 'TCC: Theory of Cryptography'
start_date: 2021-11-08
date_created: 2021-12-05T23:01:43Z
date_published: 2021-11-04T00:00:00Z
date_updated: 2023-08-17T06:21:38Z
day: '04'
department:
- _id: KrPi
doi: 10.1007/978-3-030-90453-1_17
ec_funded: 1
external_id:
isi:
- '000728364000017'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2021/926
month: '11'
oa: 1
oa_version: Preprint
page: 486-517
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: 19th International Conference
publication_identifier:
eissn:
- 1611-3349
isbn:
- 9-783-0309-0452-4
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
related_material:
record:
- id: '10044'
relation: earlier_version
status: public
scopus_import: '1'
status: public
title: On treewidth, separators and Yao’s garbling
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
volume: '13043 '
year: '2021'
...
---
_id: '10609'
abstract:
- lang: eng
text: "We study Multi-party computation (MPC) in the setting of subversion, where
the adversary tampers with the machines of honest parties. Our goal is to construct
actively secure MPC protocols where parties are corrupted adaptively by an adversary
(as in the standard adaptive security setting), and in addition, honest parties’
machines are compromised.\r\nThe idea of reverse firewalls (RF) was introduced
at EUROCRYPT’15 by Mironov and Stephens-Davidowitz as an approach to protecting
protocols against corruption of honest parties’ devices. Intuitively, an RF for
a party P is an external entity that sits between P and the outside world
and whose scope is to sanitize P ’s incoming and outgoing messages in the face
of subversion of their computer. Mironov and Stephens-Davidowitz constructed a
protocol for passively-secure two-party computation. At CRYPTO’20, Chakraborty,
Dziembowski and Nielsen constructed a protocol for secure computation with firewalls
that improved on this result, both by extending it to multi-party computation
protocol, and considering active security in the presence of static corruptions.
In this paper, we initiate the study of RF for MPC in the adaptive setting. We
put forward a definition for adaptively secure MPC in the reverse firewall setting,
explore relationships among the security notions, and then construct reverse firewalls
for MPC in this stronger setting of adaptive security. We also resolve the open
question of Chakraborty, Dziembowski and Nielsen by removing the need for a trusted
setup in constructing RF for MPC. Towards this end, we construct reverse firewalls
for adaptively secure augmented coin tossing and adaptively secure zero-knowledge
protocols and obtain a constant round adaptively secure MPC protocol in the reverse
firewall setting without setup. Along the way, we propose a new multi-party adaptively
secure coin tossing protocol in the plain model, that is of independent interest."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Suvradip
full_name: Chakraborty, Suvradip
id: B9CD0494-D033-11E9-B219-A439E6697425
last_name: Chakraborty
- first_name: Chaya
full_name: Ganesh, Chaya
last_name: Ganesh
- first_name: Mahak
full_name: Pancholi, Mahak
last_name: Pancholi
- first_name: Pratik
full_name: Sarkar, Pratik
last_name: Sarkar
citation:
ama: 'Chakraborty S, Ganesh C, Pancholi M, Sarkar P. Reverse firewalls for adaptively
secure MPC without setup. In: 27th International Conference on the Theory and
Application of Cryptology and Information Security. Vol 13091. Springer Nature;
2021:335-364. doi:10.1007/978-3-030-92075-3_12'
apa: 'Chakraborty, S., Ganesh, C., Pancholi, M., & Sarkar, P. (2021). Reverse
firewalls for adaptively secure MPC without setup. In 27th International Conference
on the Theory and Application of Cryptology and Information Security (Vol.
13091, pp. 335–364). Virtual, Singapore: Springer Nature. https://doi.org/10.1007/978-3-030-92075-3_12'
chicago: Chakraborty, Suvradip, Chaya Ganesh, Mahak Pancholi, and Pratik Sarkar.
“Reverse Firewalls for Adaptively Secure MPC without Setup.” In 27th International
Conference on the Theory and Application of Cryptology and Information Security,
13091:335–64. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-92075-3_12.
ieee: S. Chakraborty, C. Ganesh, M. Pancholi, and P. Sarkar, “Reverse firewalls
for adaptively secure MPC without setup,” in 27th International Conference
on the Theory and Application of Cryptology and Information Security, Virtual,
Singapore, 2021, vol. 13091, pp. 335–364.
ista: 'Chakraborty S, Ganesh C, Pancholi M, Sarkar P. 2021. Reverse firewalls for
adaptively secure MPC without setup. 27th International Conference on the Theory
and Application of Cryptology and Information Security. ASIACRYPT: International
Conference on Cryptology in Asia, LNCS, vol. 13091, 335–364.'
mla: Chakraborty, Suvradip, et al. “Reverse Firewalls for Adaptively Secure MPC
without Setup.” 27th International Conference on the Theory and Application
of Cryptology and Information Security, vol. 13091, Springer Nature, 2021,
pp. 335–64, doi:10.1007/978-3-030-92075-3_12.
short: S. Chakraborty, C. Ganesh, M. Pancholi, P. Sarkar, in:, 27th International
Conference on the Theory and Application of Cryptology and Information Security,
Springer Nature, 2021, pp. 335–364.
conference:
end_date: 2021-12-10
location: Virtual, Singapore
name: 'ASIACRYPT: International Conference on Cryptology in Asia'
start_date: 2021-12-06
date_created: 2022-01-09T23:01:27Z
date_published: 2021-12-01T00:00:00Z
date_updated: 2023-08-17T06:34:41Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-030-92075-3_12
ec_funded: 1
external_id:
isi:
- '000927876200012'
intvolume: ' 13091'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2021/1262
month: '12'
oa: 1
oa_version: Preprint
page: 335-364
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: 27th International Conference on the Theory and Application of Cryptology
and Information Security
publication_identifier:
eisbn:
- 978-3-030-92075-3
eissn:
- 1611-3349
isbn:
- 978-3-030-92074-6
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Reverse firewalls for adaptively secure MPC without setup
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
volume: 13091
year: '2021'
...
---
_id: '10041'
abstract:
- lang: eng
text: Yao’s garbling scheme is one of the most fundamental cryptographic constructions.
Lindell and Pinkas (Journal of Cryptograhy 2009) gave a formal proof of security
in the selective setting where the adversary chooses the challenge inputs before
seeing the garbled circuit assuming secure symmetric-key encryption (and hence
one-way functions). This was followed by results, both positive and negative,
concerning its security in the, stronger, adaptive setting. Applebaum et al. (Crypto
2013) showed that it cannot satisfy adaptive security as is, due to a simple incompressibility
argument. Jafargholi and Wichs (TCC 2017) considered a natural adaptation of Yao’s
scheme (where the output mapping is sent in the online phase, together with the
garbled input) that circumvents this negative result, and proved that it is adaptively
secure, at least for shallow circuits. In particular, they showed that for the
class of circuits of depth δ , the loss in security is at most exponential in δ
. The above results all concern the simulation-based notion of security. In this
work, we show that the upper bound of Jafargholi and Wichs is basically optimal
in a strong sense. As our main result, we show that there exists a family of Boolean
circuits, one for each depth δ∈N , such that any black-box reduction proving
the adaptive indistinguishability of the natural adaptation of Yao’s scheme from
any symmetric-key encryption has to lose a factor that is exponential in δ√
. Since indistinguishability is a weaker notion than simulation, our bound also
applies to adaptive simulation. To establish our results, we build on the recent
approach of Kamath et al. (Eprint 2021), which uses pebbling lower bounds in conjunction
with oracle separations to prove fine-grained lower bounds on loss in cryptographic
security.
acknowledgement: We would like to thank the anonymous reviewers of Crypto’21 whose
detailed comments helped us considerably improve the presentation of the paper.
alternative_title:
- LCNS
article_processing_charge: No
author:
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Daniel
full_name: Wichs, Daniel
last_name: Wichs
citation:
ama: 'Kamath Hosdurg C, Klein K, Pietrzak KZ, Wichs D. Limits on the Adaptive Security
of Yao’s Garbling. In: 41st Annual International Cryptology Conference, Part
II . Vol 12826. Cham: Springer Nature; 2021:486-515. doi:10.1007/978-3-030-84245-1_17'
apa: 'Kamath Hosdurg, C., Klein, K., Pietrzak, K. Z., & Wichs, D. (2021). Limits
on the Adaptive Security of Yao’s Garbling. In 41st Annual International Cryptology
Conference, Part II (Vol. 12826, pp. 486–515). Cham: Springer Nature. https://doi.org/10.1007/978-3-030-84245-1_17'
chicago: 'Kamath Hosdurg, Chethan, Karen Klein, Krzysztof Z Pietrzak, and Daniel
Wichs. “Limits on the Adaptive Security of Yao’s Garbling.” In 41st Annual
International Cryptology Conference, Part II , 12826:486–515. Cham: Springer
Nature, 2021. https://doi.org/10.1007/978-3-030-84245-1_17.'
ieee: C. Kamath Hosdurg, K. Klein, K. Z. Pietrzak, and D. Wichs, “Limits on the
Adaptive Security of Yao’s Garbling,” in 41st Annual International Cryptology
Conference, Part II , Virtual, 2021, vol. 12826, pp. 486–515.
ista: 'Kamath Hosdurg C, Klein K, Pietrzak KZ, Wichs D. 2021. Limits on the Adaptive
Security of Yao’s Garbling. 41st Annual International Cryptology Conference, Part
II . CRYPTO: Annual International Cryptology Conference, LCNS, vol. 12826, 486–515.'
mla: Kamath Hosdurg, Chethan, et al. “Limits on the Adaptive Security of Yao’s Garbling.”
41st Annual International Cryptology Conference, Part II , vol. 12826,
Springer Nature, 2021, pp. 486–515, doi:10.1007/978-3-030-84245-1_17.
short: C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, D. Wichs, in:, 41st Annual International
Cryptology Conference, Part II , Springer Nature, Cham, 2021, pp. 486–515.
conference:
end_date: 2021-08-20
location: Virtual
name: 'CRYPTO: Annual International Cryptology Conference'
start_date: 2021-08-16
date_created: 2021-09-23T14:06:15Z
date_published: 2021-08-11T00:00:00Z
date_updated: 2023-09-07T13:32:11Z
day: '11'
department:
- _id: KrPi
doi: 10.1007/978-3-030-84245-1_17
ec_funded: 1
intvolume: ' 12826'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2021/945
month: '08'
oa: 1
oa_version: Preprint
page: 486-515
place: Cham
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: '41st Annual International Cryptology Conference, Part II '
publication_identifier:
eisbn:
- 978-3-030-84245-1
eissn:
- 1611-3349
isbn:
- 978-3-030-84244-4
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
related_material:
record:
- id: '10035'
relation: dissertation_contains
status: public
status: public
title: Limits on the Adaptive Security of Yao’s Garbling
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 12826
year: '2021'
...
---
_id: '10049'
abstract:
- lang: eng
text: While messaging systems with strong security guarantees are widely used in
practice, designing a protocol that scales efficiently to large groups and enjoys
similar security guarantees remains largely open. The two existing proposals to
date are ART (Cohn-Gordon et al., CCS18) and TreeKEM (IETF, The Messaging Layer
Security Protocol, draft). TreeKEM is the currently considered candidate by the
IETF MLS working group, but dynamic group operations (i.e. adding and removing
users) can cause efficiency issues. In this paper we formalize and analyze a variant
of TreeKEM which we term Tainted TreeKEM (TTKEM for short). The basic idea underlying
TTKEM was suggested by Millican (MLS mailing list, February 2018). This version
is more efficient than TreeKEM for some natural distributions of group operations,
we quantify this through simulations.Our second contribution is two security proofs
for TTKEM which establish post compromise and forward secrecy even against adaptive
attackers. The security loss (to the underlying PKE) in the Random Oracle Model
is a polynomial factor, and a quasipolynomial one in the Standard Model. Our proofs
can be adapted to TreeKEM as well. Before our work no security proof for any TreeKEM-like
protocol establishing tight security against an adversary who can adaptively choose
the sequence of operations was known. We also are the first to prove (or even
formalize) active security where the server can arbitrarily deviate from the protocol
specification. Proving fully active security – where also the users can arbitrarily
deviate – remains open.
acknowledgement: The first three authors contributed equally to this work. Funded
by the European Research Council (ERC) under the European Union’s Horizon2020 research
and innovation programme (682815-TOCNeT). Funded by the European Union’s Horizon
2020 research and innovation programme under the Marie Skłodowska-Curie Grant Agreement
No.665385.
article_processing_charge: No
author:
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Guillermo
full_name: Pascual Perez, Guillermo
id: 2D7ABD02-F248-11E8-B48F-1D18A9856A87
last_name: Pascual Perez
orcid: 0000-0001-8630-415X
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Margarita
full_name: Capretto, Margarita
last_name: Capretto
- first_name: Miguel
full_name: Cueto Noval, Miguel
id: ffc563a3-f6e0-11ea-865d-e3cce03d17cc
last_name: Cueto Noval
- first_name: Ilia
full_name: Markov, Ilia
id: D0CF4148-C985-11E9-8066-0BDEE5697425
last_name: Markov
- first_name: Michelle X
full_name: Yeo, Michelle X
id: 2D82B818-F248-11E8-B48F-1D18A9856A87
last_name: Yeo
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Klein K, Pascual Perez G, Walter M, et al. Keep the dirt: tainted TreeKEM,
adaptively and actively secure continuous group key agreement. In: 2021 IEEE
Symposium on Security and Privacy . IEEE; 2021:268-284. doi:10.1109/sp40001.2021.00035'
apa: 'Klein, K., Pascual Perez, G., Walter, M., Kamath Hosdurg, C., Capretto, M.,
Cueto Noval, M., … Pietrzak, K. Z. (2021). Keep the dirt: tainted TreeKEM, adaptively
and actively secure continuous group key agreement. In 2021 IEEE Symposium
on Security and Privacy (pp. 268–284). San Francisco, CA, United States:
IEEE. https://doi.org/10.1109/sp40001.2021.00035'
chicago: 'Klein, Karen, Guillermo Pascual Perez, Michael Walter, Chethan Kamath
Hosdurg, Margarita Capretto, Miguel Cueto Noval, Ilia Markov, Michelle X Yeo,
Joel F Alwen, and Krzysztof Z Pietrzak. “Keep the Dirt: Tainted TreeKEM, Adaptively
and Actively Secure Continuous Group Key Agreement.” In 2021 IEEE Symposium
on Security and Privacy , 268–84. IEEE, 2021. https://doi.org/10.1109/sp40001.2021.00035.'
ieee: 'K. Klein et al., “Keep the dirt: tainted TreeKEM, adaptively and actively
secure continuous group key agreement,” in 2021 IEEE Symposium on Security
and Privacy , San Francisco, CA, United States, 2021, pp. 268–284.'
ista: 'Klein K, Pascual Perez G, Walter M, Kamath Hosdurg C, Capretto M, Cueto Noval
M, Markov I, Yeo MX, Alwen JF, Pietrzak KZ. 2021. Keep the dirt: tainted TreeKEM,
adaptively and actively secure continuous group key agreement. 2021 IEEE Symposium
on Security and Privacy . SP: Symposium on Security and Privacy, 268–284.'
mla: 'Klein, Karen, et al. “Keep the Dirt: Tainted TreeKEM, Adaptively and Actively
Secure Continuous Group Key Agreement.” 2021 IEEE Symposium on Security and
Privacy , IEEE, 2021, pp. 268–84, doi:10.1109/sp40001.2021.00035.'
short: K. Klein, G. Pascual Perez, M. Walter, C. Kamath Hosdurg, M. Capretto, M.
Cueto Noval, I. Markov, M.X. Yeo, J.F. Alwen, K.Z. Pietrzak, in:, 2021 IEEE Symposium
on Security and Privacy , IEEE, 2021, pp. 268–284.
conference:
end_date: 2021-05-27
location: San Francisco, CA, United States
name: 'SP: Symposium on Security and Privacy'
start_date: 2021-05-24
date_created: 2021-09-27T13:46:27Z
date_published: 2021-08-26T00:00:00Z
date_updated: 2023-09-07T13:32:11Z
day: '26'
department:
- _id: KrPi
- _id: DaAl
doi: 10.1109/sp40001.2021.00035
ec_funded: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2019/1489
month: '08'
oa: 1
oa_version: Preprint
page: 268-284
project:
- _id: 2564DBCA-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '665385'
name: International IST Doctoral Program
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: '2021 IEEE Symposium on Security and Privacy '
publication_status: published
publisher: IEEE
quality_controlled: '1'
related_material:
record:
- id: '10035'
relation: dissertation_contains
status: public
status: public
title: 'Keep the dirt: tainted TreeKEM, adaptively and actively secure continuous
group key agreement'
type: conference
user_id: 8b945eb4-e2f2-11eb-945a-df72226e66a9
year: '2021'
...
---
_id: '10044'
abstract:
- lang: eng
text: We show that Yao’s garbling scheme is adaptively indistinguishable for the
class of Boolean circuits of size S and treewidth w with only a S^O(w) loss in
security. For instance, circuits with constant treewidth are as a result adaptively
indistinguishable with only a polynomial loss. This (partially) complements a
negative result of Applebaum et al. (Crypto 2013), which showed (assuming one-way
functions) that Yao’s garbling scheme cannot be adaptively simulatable. As main
technical contributions, we introduce a new pebble game that abstracts out our
security reduction and then present a pebbling strategy for this game where the
number of pebbles used is roughly O(d w log(S)), d being the fan-out of the circuit.
The design of the strategy relies on separators, a graph-theoretic notion with
connections to circuit complexity.
acknowledgement: 'We would like to thank Daniel Wichs for helpful discussions on the
landscape of adaptive security of Yao’s garbling. '
article_number: 2021/926
article_processing_charge: No
author:
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Kamath Hosdurg C, Klein K, Pietrzak KZ. On treewidth, separators and Yao’s
garbling. In: 19th Theory of Cryptography Conference 2021. International
Association for Cryptologic Research; 2021.'
apa: 'Kamath Hosdurg, C., Klein, K., & Pietrzak, K. Z. (2021). On treewidth,
separators and Yao’s garbling. In 19th Theory of Cryptography Conference 2021.
Raleigh, NC, United States: International Association for Cryptologic Research.'
chicago: Kamath Hosdurg, Chethan, Karen Klein, and Krzysztof Z Pietrzak. “On Treewidth,
Separators and Yao’s Garbling.” In 19th Theory of Cryptography Conference 2021.
International Association for Cryptologic Research, 2021.
ieee: C. Kamath Hosdurg, K. Klein, and K. Z. Pietrzak, “On treewidth, separators
and Yao’s garbling,” in 19th Theory of Cryptography Conference 2021, Raleigh,
NC, United States, 2021.
ista: 'Kamath Hosdurg C, Klein K, Pietrzak KZ. 2021. On treewidth, separators and
Yao’s garbling. 19th Theory of Cryptography Conference 2021. TCC: Theory of Cryptography
Conference, 2021/926.'
mla: Kamath Hosdurg, Chethan, et al. “On Treewidth, Separators and Yao’s Garbling.”
19th Theory of Cryptography Conference 2021, 2021/926, International Association
for Cryptologic Research, 2021.
short: C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, in:, 19th Theory of Cryptography
Conference 2021, International Association for Cryptologic Research, 2021.
conference:
end_date: 2021-11-11
location: Raleigh, NC, United States
name: 'TCC: Theory of Cryptography Conference'
start_date: 2021-11-08
date_created: 2021-09-24T12:01:34Z
date_published: 2021-07-08T00:00:00Z
date_updated: 2023-09-07T13:32:11Z
day: '08'
department:
- _id: KrPi
ec_funded: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2021/926
month: '07'
oa: 1
oa_version: Preprint
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: 19th Theory of Cryptography Conference 2021
publication_status: published
publisher: International Association for Cryptologic Research
quality_controlled: '1'
related_material:
record:
- id: '10409'
relation: later_version
status: public
- id: '10035'
relation: dissertation_contains
status: public
status: public
title: On treewidth, separators and Yao's garbling
type: conference
user_id: 8b945eb4-e2f2-11eb-945a-df72226e66a9
year: '2021'
...
---
_id: '10035'
abstract:
- lang: eng
text: 'Many security definitions come in two flavors: a stronger “adaptive” flavor,
where the adversary can arbitrarily make various choices during the course of
the attack, and a weaker “selective” flavor where the adversary must commit to
some or all of their choices a-priori. For example, in the context of identity-based
encryption, selective security requires the adversary to decide on the identity
of the attacked party at the very beginning of the game whereas adaptive security
allows the attacker to first see the master public key and some secret keys before
making this choice. Often, it appears to be much easier to achieve selective security
than it is to achieve adaptive security. A series of several recent works shows
how to cleverly achieve adaptive security in several such scenarios including
generalized selective decryption [Pan07][FJP15], constrained PRFs [FKPR14], and
Yao’s garbled circuits [JW16]. Although the above works expressed vague intuition
that they share a common technique, the connection was never made precise. In
this work we present a new framework (published at Crypto ’17 [JKK+17a]) that
connects all of these works and allows us to present them in a unified and simplified
fashion. Having the framework in place, we show how to achieve adaptive security
for proxy re-encryption schemes (published at PKC ’19 [FKKP19]) and provide the
first adaptive security proofs for continuous group key agreement protocols (published
at S&P ’21 [KPW+21]). Questioning optimality of our framework, we then show that
currently used proof techniques cannot lead to significantly better security guarantees
for "graph-building" games (published at TCC ’21 [KKPW21a]). These games cover
generalized selective decryption, as well as the security of prominent constructions
for constrained PRFs, continuous group key agreement, and proxy re-encryption.
Finally, we revisit the adaptive security of Yao’s garbled circuits and extend
the analysis of Jafargholi and Wichs in two directions: While they prove adaptive
security only for a modified construction with increased online complexity, we
provide the first positive results for the original construction by Yao (published
at TCC ’21 [KKP21a]). On the negative side, we prove that the results of Jafargholi
and Wichs are essentially optimal by showing that no black-box reduction can provide
a significantly better security bound (published at Crypto ’21 [KKPW21c]).'
acknowledgement: "I want to acknowledge the funding by the European Research Council
(ERC) under the European Union’s Horizon 2020 research and innovation programme
(682815 - TOCNeT).\r\n"
alternative_title:
- ISTA Thesis
article_processing_charge: No
author:
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
citation:
ama: Klein K. On the adaptive security of graph-based games. 2021. doi:10.15479/at:ista:10035
apa: Klein, K. (2021). On the adaptive security of graph-based games. Institute
of Science and Technology Austria. https://doi.org/10.15479/at:ista:10035
chicago: Klein, Karen. “On the Adaptive Security of Graph-Based Games.” Institute
of Science and Technology Austria, 2021. https://doi.org/10.15479/at:ista:10035.
ieee: K. Klein, “On the adaptive security of graph-based games,” Institute of Science
and Technology Austria, 2021.
ista: Klein K. 2021. On the adaptive security of graph-based games. Institute of
Science and Technology Austria.
mla: Klein, Karen. On the Adaptive Security of Graph-Based Games. Institute
of Science and Technology Austria, 2021, doi:10.15479/at:ista:10035.
short: K. Klein, On the Adaptive Security of Graph-Based Games, Institute of Science
and Technology Austria, 2021.
date_created: 2021-09-23T07:31:44Z
date_published: 2021-09-23T00:00:00Z
date_updated: 2023-10-17T09:24:07Z
day: '23'
ddc:
- '519'
degree_awarded: PhD
department:
- _id: GradSch
- _id: KrPi
doi: 10.15479/at:ista:10035
ec_funded: 1
file:
- access_level: open_access
checksum: 73a44345c683e81f3e765efbf86fdcc5
content_type: application/pdf
creator: cchlebak
date_created: 2021-10-04T12:22:33Z
date_updated: 2021-10-04T12:22:33Z
file_id: '10082'
file_name: thesis_pdfa.pdf
file_size: 2104726
relation: main_file
success: 1
- access_level: closed
checksum: 7b80df30a0e686c3ef6a56d4e1c59e29
content_type: application/x-zip-compressed
creator: cchlebak
date_created: 2021-10-05T07:04:37Z
date_updated: 2022-03-10T12:15:18Z
file_id: '10085'
file_name: thesis_final (1).zip
file_size: 9538359
relation: source_file
file_date_updated: 2022-03-10T12:15:18Z
has_accepted_license: '1'
language:
- iso: eng
license: https://creativecommons.org/licenses/by/4.0/
month: '09'
oa: 1
oa_version: Published Version
page: '276'
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
issn:
- 2663-337X
publication_status: published
publisher: Institute of Science and Technology Austria
related_material:
record:
- id: '10044'
relation: part_of_dissertation
status: public
- id: '10049'
relation: part_of_dissertation
status: public
- id: '637'
relation: part_of_dissertation
status: public
- id: '10041'
relation: part_of_dissertation
status: public
- id: '6430'
relation: part_of_dissertation
status: public
- id: '10048'
relation: part_of_dissertation
status: public
status: public
supervisor:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
title: On the adaptive security of graph-based games
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: dissertation
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
year: '2021'
...
---
_id: '10410'
abstract:
- lang: eng
text: The security of cryptographic primitives and protocols against adversaries
that are allowed to make adaptive choices (e.g., which parties to corrupt or which
queries to make) is notoriously difficult to establish. A broad theoretical framework
was introduced by Jafargholi et al. [Crypto’17] for this purpose. In this paper
we initiate the study of lower bounds on loss in adaptive security for certain
cryptographic protocols considered in the framework. We prove lower bounds that
almost match the upper bounds (proven using the framework) for proxy re-encryption,
prefix-constrained PRFs and generalized selective decryption, a security game
that captures the security of certain group messaging and broadcast encryption
schemes. Those primitives have in common that their security game involves an
underlying graph that can be adaptively built by the adversary. Some of our lower
bounds only apply to a restricted class of black-box reductions which we term
“oblivious” (the existing upper bounds are of this restricted type), some apply
to the broader but still restricted class of non-rewinding reductions, while our
lower bound for proxy re-encryption applies to all black-box reductions. The fact
that some of our lower bounds seem to crucially rely on obliviousness or at least
a non-rewinding reduction hints to the exciting possibility that the existing
upper bounds can be improved by using more sophisticated reductions. Our main
conceptual contribution is a two-player multi-stage game called the Builder-Pebbler
Game. We can translate bounds on the winning probabilities for various instantiations
of this game into cryptographic lower bounds for the above-mentioned primitives
using oracle separation techniques.
acknowledgement: C. Kamath—Supported by Azrieli International Postdoctoral Fellowship.
Most of the work was done while the author was at Northeastern University and Charles
University, funded by the IARPA grant IARPA/2019-19-020700009 and project PRIMUS/17/SCI/9,
respectively. K. Klein—Supported in part by ERC CoG grant 724307. Most of the work
was done while the author was at IST Austria funded by the European Research Council
(ERC) under the European Union’s Horizon 2020 research and innovation programme
(682815 - TOCNeT). K. Pietrzak—Funded by the European Research Council (ERC) under
the European Union’s Horizon 2020 research and innovation programme (682815 - TOCNeT).
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
citation:
ama: 'Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. The cost of adaptivity in
security games on graphs. In: 19th International Conference. Vol 13043.
Springer Nature; 2021:550-581. doi:10.1007/978-3-030-90453-1_19'
apa: 'Kamath Hosdurg, C., Klein, K., Pietrzak, K. Z., & Walter, M. (2021). The
cost of adaptivity in security games on graphs. In 19th International Conference
(Vol. 13043, pp. 550–581). Raleigh, NC, United States: Springer Nature. https://doi.org/10.1007/978-3-030-90453-1_19'
chicago: Kamath Hosdurg, Chethan, Karen Klein, Krzysztof Z Pietrzak, and Michael
Walter. “The Cost of Adaptivity in Security Games on Graphs.” In 19th International
Conference, 13043:550–81. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-90453-1_19.
ieee: C. Kamath Hosdurg, K. Klein, K. Z. Pietrzak, and M. Walter, “The cost of adaptivity
in security games on graphs,” in 19th International Conference, Raleigh,
NC, United States, 2021, vol. 13043, pp. 550–581.
ista: 'Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. 2021. The cost of adaptivity
in security games on graphs. 19th International Conference. TCC: Theory of Cryptography,
LNCS, vol. 13043, 550–581.'
mla: Kamath Hosdurg, Chethan, et al. “The Cost of Adaptivity in Security Games on
Graphs.” 19th International Conference, vol. 13043, Springer Nature, 2021,
pp. 550–81, doi:10.1007/978-3-030-90453-1_19.
short: C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, M. Walter, in:, 19th International
Conference, Springer Nature, 2021, pp. 550–581.
conference:
end_date: 2021-11-11
location: Raleigh, NC, United States
name: 'TCC: Theory of Cryptography'
start_date: 2021-11-08
date_created: 2021-12-05T23:01:43Z
date_published: 2021-11-04T00:00:00Z
date_updated: 2023-10-17T09:24:07Z
day: '04'
department:
- _id: KrPi
doi: 10.1007/978-3-030-90453-1_19
ec_funded: 1
external_id:
isi:
- '000728364000019'
intvolume: ' 13043'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://ia.cr/2021/059
month: '11'
oa: 1
oa_version: Preprint
page: 550-581
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: 19th International Conference
publication_identifier:
eissn:
- 1611-3349
isbn:
- 9-783-0309-0452-4
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
related_material:
record:
- id: '10048'
relation: earlier_version
status: public
scopus_import: '1'
status: public
title: The cost of adaptivity in security games on graphs
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
volume: 13043
year: '2021'
...
---
_id: '10048'
abstract:
- lang: eng
text: "The security of cryptographic primitives and protocols against adversaries
that are allowed to make adaptive choices (e.g., which parties to corrupt or which
queries to make) is notoriously difficult to establish. A broad theoretical\r\nframework
was introduced by Jafargholi et al. [Crypto’17] for this purpose. In this paper
we initiate the study of lower bounds on loss in adaptive security for certain
cryptographic protocols considered in the framework. We prove lower\r\nbounds
that almost match the upper bounds (proven using the framework) for proxy re-encryption,
prefix-constrained PRFs and generalized selective decryption, a security game
that captures the security of certain group messaging and\r\nbroadcast encryption
schemes. Those primitives have in common that their security game involves an
underlying graph that can be adaptively built by the adversary. Some of our lower
bounds only apply to a restricted class of black-box reductions which we term
“oblivious” (the existing upper bounds are of this restricted type), some apply
to the broader but still restricted class of non-rewinding reductions, while our
lower bound for proxy re-encryption applies to all black-box reductions. The fact
that some of our lower bounds seem to crucially rely on obliviousness or at least
a non-rewinding reduction hints to the exciting possibility that the existing
upper bounds can be improved by using more sophisticated reductions. Our main
conceptual contribution is a two-player multi-stage game called the Builder-Pebbler
Game. We can translate bounds on the winning probabilities for various instantiations
of this game into cryptographic lower bounds for the above-mentioned primitives
using oracle separation techniques.\r\n"
article_processing_charge: No
author:
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
citation:
ama: 'Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. The cost of adaptivity in
security games on graphs. In: 19th Theory of Cryptography Conference 2021.
International Association for Cryptologic Research; 2021.'
apa: 'Kamath Hosdurg, C., Klein, K., Pietrzak, K. Z., & Walter, M. (2021). The
cost of adaptivity in security games on graphs. In 19th Theory of Cryptography
Conference 2021. Raleigh, NC, United States: International Association for
Cryptologic Research.'
chicago: Kamath Hosdurg, Chethan, Karen Klein, Krzysztof Z Pietrzak, and Michael
Walter. “The Cost of Adaptivity in Security Games on Graphs.” In 19th Theory
of Cryptography Conference 2021. International Association for Cryptologic
Research, 2021.
ieee: C. Kamath Hosdurg, K. Klein, K. Z. Pietrzak, and M. Walter, “The cost of adaptivity
in security games on graphs,” in 19th Theory of Cryptography Conference 2021,
Raleigh, NC, United States, 2021.
ista: 'Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. 2021. The cost of adaptivity
in security games on graphs. 19th Theory of Cryptography Conference 2021. TCC:
Theory of Cryptography Conference.'
mla: Kamath Hosdurg, Chethan, et al. “The Cost of Adaptivity in Security Games on
Graphs.” 19th Theory of Cryptography Conference 2021, International Association
for Cryptologic Research, 2021.
short: C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, M. Walter, in:, 19th Theory of
Cryptography Conference 2021, International Association for Cryptologic Research,
2021.
conference:
end_date: 2021-11-11
location: Raleigh, NC, United States
name: 'TCC: Theory of Cryptography Conference'
start_date: 2021-11-08
date_created: 2021-09-27T12:52:05Z
date_published: 2021-07-08T00:00:00Z
date_updated: 2023-10-17T09:24:08Z
day: '08'
department:
- _id: KrPi
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://ia.cr/2021/059
month: '07'
oa: 1
oa_version: Preprint
publication: 19th Theory of Cryptography Conference 2021
publication_status: published
publisher: International Association for Cryptologic Research
quality_controlled: '1'
related_material:
record:
- id: '10410'
relation: later_version
status: public
- id: '10035'
relation: dissertation_contains
status: public
status: public
title: The cost of adaptivity in security games on graphs
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
year: '2021'
...
---
_id: '9969'
abstract:
- lang: eng
text: 'Payment channel networks are a promising approach to improve the scalability
of cryptocurrencies: they allow to perform transactions in a peer-to-peer fashion,
along multihop routes in the network, without requiring consensus on the blockchain.
However, during the discovery of cost-efficient routes for the transaction, critical
information may be revealed about the transacting entities. This paper initiates
the study of privacy-preserving route discovery mechanisms for payment channel
networks. In particular, we present LightPIR, an approach which allows a client
to learn the shortest (or cheapest in terms of fees) path between two nodes without
revealing any information about the endpoints of the transaction to the servers.
The two main observations which allow for an efficient solution in LightPIR are
that: (1) surprisingly, hub labelling algorithms – which were developed to preprocess
“street network like” graphs so one can later efficiently compute shortest paths
– also perform well for the graphs underlying payment channel networks, and that
(2) hub labelling algorithms can be conveniently combined with private information
retrieval. LightPIR relies on a simple hub labeling heuristic on top of existing
hub labeling algorithms which leverages the specific topological features of cryptocurrency
networks to further minimize storage and bandwidth overheads. In a case study
considering the Lightning network, we show that our approach is an order of magnitude
more efficient compared to a privacy-preserving baseline based on using private
information retrieval on a database that stores all pairs shortest paths.'
article_processing_charge: No
author:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Iosif
full_name: Salem, Iosif
last_name: Salem
- first_name: Stefan
full_name: Schmid, Stefan
last_name: Schmid
- first_name: Michelle X
full_name: Yeo, Michelle X
id: 2D82B818-F248-11E8-B48F-1D18A9856A87
last_name: Yeo
citation:
ama: 'Pietrzak KZ, Salem I, Schmid S, Yeo MX. LightPIR: Privacy-preserving route
discovery for payment channel networks. In: IEEE; 2021. doi:10.23919/IFIPNetworking52078.2021.9472205'
apa: 'Pietrzak, K. Z., Salem, I., Schmid, S., & Yeo, M. X. (2021). LightPIR:
Privacy-preserving route discovery for payment channel networks. Presented at
the 2021 IFIP Networking Conference (IFIP Networking), Espoo and Helsinki, Finland:
IEEE. https://doi.org/10.23919/IFIPNetworking52078.2021.9472205'
chicago: 'Pietrzak, Krzysztof Z, Iosif Salem, Stefan Schmid, and Michelle X Yeo.
“LightPIR: Privacy-Preserving Route Discovery for Payment Channel Networks.” IEEE,
2021. https://doi.org/10.23919/IFIPNetworking52078.2021.9472205.'
ieee: 'K. Z. Pietrzak, I. Salem, S. Schmid, and M. X. Yeo, “LightPIR: Privacy-preserving
route discovery for payment channel networks,” presented at the 2021 IFIP Networking
Conference (IFIP Networking), Espoo and Helsinki, Finland, 2021.'
ista: 'Pietrzak KZ, Salem I, Schmid S, Yeo MX. 2021. LightPIR: Privacy-preserving
route discovery for payment channel networks. 2021 IFIP Networking Conference
(IFIP Networking).'
mla: 'Pietrzak, Krzysztof Z., et al. LightPIR: Privacy-Preserving Route Discovery
for Payment Channel Networks. IEEE, 2021, doi:10.23919/IFIPNetworking52078.2021.9472205.'
short: K.Z. Pietrzak, I. Salem, S. Schmid, M.X. Yeo, in:, IEEE, 2021.
conference:
end_date: 2021-06-24
location: Espoo and Helsinki, Finland
name: 2021 IFIP Networking Conference (IFIP Networking)
start_date: 2021-06-21
date_created: 2021-08-29T22:01:16Z
date_published: 2021-06-21T00:00:00Z
date_updated: 2023-11-30T10:54:50Z
day: '21'
department:
- _id: KrPi
doi: 10.23919/IFIPNetworking52078.2021.9472205
ec_funded: 1
external_id:
arxiv:
- '2104.04293'
isi:
- '000853016800008'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://arxiv.org/abs/2104.04293
month: '06'
oa: 1
oa_version: Submitted Version
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
eisbn:
- 978-3-9031-7639-3
eissn:
- 1861-2288
isbn:
- 978-1-6654-4501-6
publication_status: published
publisher: IEEE
quality_controlled: '1'
related_material:
record:
- id: '14506'
relation: dissertation_contains
status: public
scopus_import: '1'
status: public
title: 'LightPIR: Privacy-preserving route discovery for payment channel networks'
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
year: '2021'
...
---
_id: '8322'
abstract:
- lang: eng
text: "Reverse firewalls were introduced at Eurocrypt 2015 by Miro-nov and Stephens-Davidowitz,
as a method for protecting cryptographic protocols against attacks on the devices
of the honest parties. In a nutshell: a reverse firewall is placed outside of
a device and its goal is to “sanitize” the messages sent by it, in such a way
that a malicious device cannot leak its secrets to the outside world. It is typically
assumed that the cryptographic devices are attacked in a “functionality-preserving
way” (i.e. informally speaking, the functionality of the protocol remains unchanged
under this attacks). In their paper, Mironov and Stephens-Davidowitz construct
a protocol for passively-secure two-party computations with firewalls, leaving
extension of this result to stronger models as an open question.\r\nIn this paper,
we address this problem by constructing a protocol for secure computation with
firewalls that has two main advantages over the original protocol from Eurocrypt
2015. Firstly, it is a multiparty computation protocol (i.e. it works for an arbitrary
number n of the parties, and not just for 2). Secondly, it is secure in much stronger
corruption settings, namely in the active corruption model. More precisely: we
consider an adversary that can fully corrupt up to \U0001D45B−1 parties, while
the remaining parties are corrupt in a functionality-preserving way.\r\nOur core
techniques are: malleable commitments and malleable non-interactive zero-knowledge,
which in particular allow us to create a novel protocol for multiparty augmented
coin-tossing into the well with reverse firewalls (that is based on a protocol
of Lindell from Crypto 2001)."
acknowledgement: We would like to thank the anonymous reviewers for their helpful
comments and suggestions. The work was initiated while the first author was in IIT
Madras, India. Part of this work was done while the author was visiting the University
of Warsaw. This project has received funding from the European Research Council
(ERC) under the European Union’s Horizon 2020 research and innovation programme
(682815 - TOCNeT) and from the Foundation for Polish Science under grant TEAM/2016-1/4
founded within the UE 2014–2020 Smart Growth Operational Program. The last author
was supported by the Independent Research Fund Denmark project BETHE and the Concordium
Blockchain Research Center, Aarhus University, Denmark.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Suvradip
full_name: Chakraborty, Suvradip
id: B9CD0494-D033-11E9-B219-A439E6697425
last_name: Chakraborty
- first_name: Stefan
full_name: Dziembowski, Stefan
last_name: Dziembowski
- first_name: Jesper Buus
full_name: Nielsen, Jesper Buus
last_name: Nielsen
citation:
ama: 'Chakraborty S, Dziembowski S, Nielsen JB. Reverse firewalls for actively secure MPCs.
In: Advances in Cryptology – CRYPTO 2020. Vol 12171. Springer Nature; 2020:732-762.
doi:10.1007/978-3-030-56880-1_26'
apa: 'Chakraborty, S., Dziembowski, S., & Nielsen, J. B. (2020). Reverse firewalls for actively secure MPCs.
In Advances in Cryptology – CRYPTO 2020 (Vol. 12171, pp. 732–762). Santa
Barbara, CA, United States: Springer Nature. https://doi.org/10.1007/978-3-030-56880-1_26'
chicago: Chakraborty, Suvradip, Stefan Dziembowski, and Jesper Buus Nielsen. “Reverse Firewalls for Actively Secure MPCs.”
In Advances in Cryptology – CRYPTO 2020, 12171:732–62. Springer Nature,
2020. https://doi.org/10.1007/978-3-030-56880-1_26.
ieee: S. Chakraborty, S. Dziembowski, and J. B. Nielsen, “Reverse firewalls for actively secure MPCs,”
in Advances in Cryptology – CRYPTO 2020, Santa Barbara, CA, United States,
2020, vol. 12171, pp. 732–762.
ista: 'Chakraborty S, Dziembowski S, Nielsen JB. 2020. Reverse firewalls for actively secure MPCs.
Advances in Cryptology – CRYPTO 2020. CRYPTO: Annual International Cryptology
Conference, LNCS, vol. 12171, 732–762.'
mla: Chakraborty, Suvradip, et al. “Reverse Firewalls for Actively Secure MPCs.”
Advances in Cryptology – CRYPTO 2020, vol. 12171, Springer Nature, 2020,
pp. 732–62, doi:10.1007/978-3-030-56880-1_26.
short: S. Chakraborty, S. Dziembowski, J.B. Nielsen, in:, Advances in Cryptology
– CRYPTO 2020, Springer Nature, 2020, pp. 732–762.
conference:
end_date: 2020-08-21
location: Santa Barbara, CA, United States
name: 'CRYPTO: Annual International Cryptology Conference'
start_date: 2020-08-17
date_created: 2020-08-30T22:01:12Z
date_published: 2020-08-10T00:00:00Z
date_updated: 2021-01-12T08:18:08Z
day: '10'
department:
- _id: KrPi
doi: 10.1007/978-3-030-56880-1_26
ec_funded: 1
intvolume: ' 12171'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2019/1317
month: '08'
oa: 1
oa_version: Preprint
page: 732-762
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Advances in Cryptology – CRYPTO 2020
publication_identifier:
eissn:
- '16113349'
isbn:
- '9783030568795'
issn:
- '03029743'
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Reverse firewalls for actively secure MPCs
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 12171
year: '2020'
...
---
_id: '8339'
abstract:
- lang: eng
text: "Discrete Gaussian distributions over lattices are central to lattice-based
cryptography, and to the computational and mathematical aspects of lattices more
broadly. The literature contains a wealth of useful theorems about the behavior
of discrete Gaussians under convolutions and related operations. Yet despite their
structural similarities, most of these theorems are formally incomparable, and
their proofs tend to be monolithic and written nearly “from scratch,” making them
unnecessarily hard to verify, understand, and extend.\r\nIn this work we present
a modular framework for analyzing linear operations on discrete Gaussian distributions.
The framework abstracts away the particulars of Gaussians, and usually reduces
proofs to the choice of appropriate linear transformations and elementary linear
algebra. To showcase the approach, we establish several general properties of
discrete Gaussians, and show how to obtain all prior convolution theorems (along
with some new ones) as straightforward corollaries. As another application, we
describe a self-reduction for Learning With Errors (LWE) that uses a fixed number
of samples to generate an unlimited number of additional ones (having somewhat
larger error). The distinguishing features of our reduction are its simple analysis
in our framework, and its exclusive use of discrete Gaussians without any loss
in parameters relative to a prior mixed discrete-and-continuous approach.\r\nAs
a contribution of independent interest, for subgaussian random matrices we prove
a singular value concentration bound with explicitly stated constants, and we
give tighter heuristics for specific distributions that are commonly used for
generating lattice trapdoors. These bounds yield improvements in the concrete
bit-security estimates for trapdoor lattice cryptosystems."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Nicholas
full_name: Genise, Nicholas
last_name: Genise
- first_name: Daniele
full_name: Micciancio, Daniele
last_name: Micciancio
- first_name: Chris
full_name: Peikert, Chris
last_name: Peikert
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
citation:
ama: 'Genise N, Micciancio D, Peikert C, Walter M. Improved discrete Gaussian and
subgaussian analysis for lattice cryptography. In: 23rd IACR International
Conference on the Practice and Theory of Public-Key Cryptography. Vol 12110.
Springer Nature; 2020:623-651. doi:10.1007/978-3-030-45374-9_21'
apa: 'Genise, N., Micciancio, D., Peikert, C., & Walter, M. (2020). Improved
discrete Gaussian and subgaussian analysis for lattice cryptography. In 23rd
IACR International Conference on the Practice and Theory of Public-Key Cryptography
(Vol. 12110, pp. 623–651). Edinburgh, United Kingdom: Springer Nature. https://doi.org/10.1007/978-3-030-45374-9_21'
chicago: Genise, Nicholas, Daniele Micciancio, Chris Peikert, and Michael Walter.
“Improved Discrete Gaussian and Subgaussian Analysis for Lattice Cryptography.”
In 23rd IACR International Conference on the Practice and Theory of Public-Key
Cryptography, 12110:623–51. Springer Nature, 2020. https://doi.org/10.1007/978-3-030-45374-9_21.
ieee: N. Genise, D. Micciancio, C. Peikert, and M. Walter, “Improved discrete Gaussian
and subgaussian analysis for lattice cryptography,” in 23rd IACR International
Conference on the Practice and Theory of Public-Key Cryptography, Edinburgh,
United Kingdom, 2020, vol. 12110, pp. 623–651.
ista: 'Genise N, Micciancio D, Peikert C, Walter M. 2020. Improved discrete Gaussian
and subgaussian analysis for lattice cryptography. 23rd IACR International Conference
on the Practice and Theory of Public-Key Cryptography. PKC: Public-Key Cryptography,
LNCS, vol. 12110, 623–651.'
mla: Genise, Nicholas, et al. “Improved Discrete Gaussian and Subgaussian Analysis
for Lattice Cryptography.” 23rd IACR International Conference on the Practice
and Theory of Public-Key Cryptography, vol. 12110, Springer Nature, 2020,
pp. 623–51, doi:10.1007/978-3-030-45374-9_21.
short: N. Genise, D. Micciancio, C. Peikert, M. Walter, in:, 23rd IACR International
Conference on the Practice and Theory of Public-Key Cryptography, Springer Nature,
2020, pp. 623–651.
conference:
end_date: 2020-05-07
location: Edinburgh, United Kingdom
name: 'PKC: Public-Key Cryptography'
start_date: 2020-05-04
date_created: 2020-09-06T22:01:13Z
date_published: 2020-05-15T00:00:00Z
date_updated: 2023-02-23T13:31:06Z
day: '15'
department:
- _id: KrPi
doi: 10.1007/978-3-030-45374-9_21
ec_funded: 1
intvolume: ' 12110'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2020/337
month: '05'
oa: 1
oa_version: Preprint
page: 623-651
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: 23rd IACR International Conference on the Practice and Theory of Public-Key
Cryptography
publication_identifier:
eissn:
- '16113349'
isbn:
- '9783030453732'
issn:
- '03029743'
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Improved discrete Gaussian and subgaussian analysis for lattice cryptography
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 12110
year: '2020'
...
---
_id: '8987'
abstract:
- lang: eng
text: "Currently several projects aim at designing and implementing protocols for
privacy preserving automated contact tracing to help fight the current pandemic.
Those proposal are quite similar, and in their most basic form basically propose
an app for mobile phones which broadcasts frequently changing pseudorandom identifiers
via (low energy) Bluetooth, and at the same time, the app stores IDs broadcast
by phones in its proximity. Only if a user is tested positive, they upload either
the beacons they did broadcast (which is the case in decentralized proposals as
DP-3T, east and west coast PACT or Covid watch) or received (as in Popp-PT or
ROBERT) during the last two weeks or so.\r\n\r\nVaudenay [eprint 2020/399] observes
that this basic scheme (he considers the DP-3T proposal) succumbs to relay and
even replay attacks, and proposes more complex interactive schemes which prevent
those attacks without giving up too many privacy aspects. Unfortunately interaction
is problematic for this application for efficiency and security reasons. The countermeasures
that have been suggested so far are either not practical or give up on key privacy
aspects. We propose a simple non-interactive variant of the basic protocol that\r\n(security)
Provably prevents replay and (if location data is available) relay attacks.\r\n(privacy)
The data of all parties (even jointly) reveals no information on the location
or time where encounters happened.\r\n(efficiency) The broadcasted message can
fit into 128 bits and uses only basic crypto (commitments and secret key authentication).\r\n\r\nTowards
this end we introduce the concept of “delayed authentication”, which basically
is a message authentication code where verification can be done in two steps,
where the first doesn’t require the key, and the second doesn’t require the message."
article_processing_charge: No
author:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Pietrzak KZ. Delayed authentication: Preventing replay and relay attacks in
private contact tracing. In: Progress in Cryptology. Vol 12578. LNCS. Springer
Nature; 2020:3-15. doi:10.1007/978-3-030-65277-7_1'
apa: 'Pietrzak, K. Z. (2020). Delayed authentication: Preventing replay and relay
attacks in private contact tracing. In Progress in Cryptology (Vol. 12578,
pp. 3–15). Bangalore, India: Springer Nature. https://doi.org/10.1007/978-3-030-65277-7_1'
chicago: 'Pietrzak, Krzysztof Z. “Delayed Authentication: Preventing Replay and
Relay Attacks in Private Contact Tracing.” In Progress in Cryptology, 12578:3–15.
LNCS. Springer Nature, 2020. https://doi.org/10.1007/978-3-030-65277-7_1.'
ieee: 'K. Z. Pietrzak, “Delayed authentication: Preventing replay and relay attacks
in private contact tracing,” in Progress in Cryptology, Bangalore, India,
2020, vol. 12578, pp. 3–15.'
ista: 'Pietrzak KZ. 2020. Delayed authentication: Preventing replay and relay attacks
in private contact tracing. Progress in Cryptology. INDOCRYPT: International Conference
on Cryptology in IndiaLNCS vol. 12578, 3–15.'
mla: 'Pietrzak, Krzysztof Z. “Delayed Authentication: Preventing Replay and Relay
Attacks in Private Contact Tracing.” Progress in Cryptology, vol. 12578,
Springer Nature, 2020, pp. 3–15, doi:10.1007/978-3-030-65277-7_1.'
short: K.Z. Pietrzak, in:, Progress in Cryptology, Springer Nature, 2020, pp. 3–15.
conference:
end_date: 2020-12-16
location: Bangalore, India
name: 'INDOCRYPT: International Conference on Cryptology in India'
start_date: 2020-12-13
date_created: 2021-01-03T23:01:23Z
date_published: 2020-12-08T00:00:00Z
date_updated: 2023-08-24T11:08:58Z
day: '08'
department:
- _id: KrPi
doi: 10.1007/978-3-030-65277-7_1
ec_funded: 1
external_id:
isi:
- '000927592800001'
intvolume: ' 12578'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2020/418
month: '12'
oa: 1
oa_version: Preprint
page: 3-15
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Progress in Cryptology
publication_identifier:
eissn:
- '16113349'
isbn:
- '9783030652760'
issn:
- '03029743'
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
series_title: LNCS
status: public
title: 'Delayed authentication: Preventing replay and relay attacks in private contact
tracing'
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
volume: 12578
year: '2020'
...
---
_id: '7966'
abstract:
- lang: eng
text: "For 1≤m≤n, we consider a natural m-out-of-n multi-instance scenario for a
public-key encryption (PKE) scheme. An adversary, given n independent instances
of PKE, wins if he breaks at least m out of the n instances. In this work, we
are interested in the scaling factor of PKE schemes, SF, which measures how well
the difficulty of breaking m out of the n instances scales in m. That is, a scaling
factor SF=ℓ indicates that breaking m out of n instances is at least ℓ times more
difficult than breaking one single instance. A PKE scheme with small scaling factor
hence provides an ideal target for mass surveillance. In fact, the Logjam attack
(CCS 2015) implicitly exploited, among other things, an almost constant scaling
factor of ElGamal over finite fields (with shared group parameters).\r\n\r\nFor
Hashed ElGamal over elliptic curves, we use the generic group model to argue that
the scaling factor depends on the scheme's granularity. In low granularity, meaning
each public key contains its independent group parameter, the scheme has optimal
scaling factor SF=m; In medium and high granularity, meaning all public keys share
the same group parameter, the scheme still has a reasonable scaling factor SF=√m.
Our findings underline that instantiating ElGamal over elliptic curves should
be preferred to finite fields in a multi-instance scenario.\r\n\r\nAs our main
technical contribution, we derive new generic-group lower bounds of Ω(√(mp)) on
the difficulty of solving both the m-out-of-n Gap Discrete Logarithm and the m-out-of-n
Gap Computational Diffie-Hellman problem over groups of prime order p, extending
a recent result by Yun (EUROCRYPT 2015). We establish the lower bound by studying
the hardness of a related computational problem which we call the search-by-hypersurface
problem."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Benedikt
full_name: Auerbach, Benedikt
id: D33D2B18-E445-11E9-ABB7-15F4E5697425
last_name: Auerbach
orcid: 0000-0002-7553-6606
- first_name: Federico
full_name: Giacon, Federico
last_name: Giacon
- first_name: Eike
full_name: Kiltz, Eike
last_name: Kiltz
citation:
ama: 'Auerbach B, Giacon F, Kiltz E. Everybody’s a target: Scalability in public-key
encryption. In: Advances in Cryptology – EUROCRYPT 2020. Vol 12107. Springer
Nature; 2020:475-506. doi:10.1007/978-3-030-45727-3_16'
apa: 'Auerbach, B., Giacon, F., & Kiltz, E. (2020). Everybody’s a target: Scalability
in public-key encryption. In Advances in Cryptology – EUROCRYPT 2020 (Vol.
12107, pp. 475–506). Springer Nature. https://doi.org/10.1007/978-3-030-45727-3_16'
chicago: 'Auerbach, Benedikt, Federico Giacon, and Eike Kiltz. “Everybody’s a Target:
Scalability in Public-Key Encryption.” In Advances in Cryptology – EUROCRYPT
2020, 12107:475–506. Springer Nature, 2020. https://doi.org/10.1007/978-3-030-45727-3_16.'
ieee: 'B. Auerbach, F. Giacon, and E. Kiltz, “Everybody’s a target: Scalability
in public-key encryption,” in Advances in Cryptology – EUROCRYPT 2020,
2020, vol. 12107, pp. 475–506.'
ista: 'Auerbach B, Giacon F, Kiltz E. 2020. Everybody’s a target: Scalability in
public-key encryption. Advances in Cryptology – EUROCRYPT 2020. EUROCRYPT: Theory
and Applications of Cryptographic Techniques, LNCS, vol. 12107, 475–506.'
mla: 'Auerbach, Benedikt, et al. “Everybody’s a Target: Scalability in Public-Key
Encryption.” Advances in Cryptology – EUROCRYPT 2020, vol. 12107, Springer
Nature, 2020, pp. 475–506, doi:10.1007/978-3-030-45727-3_16.'
short: B. Auerbach, F. Giacon, E. Kiltz, in:, Advances in Cryptology – EUROCRYPT
2020, Springer Nature, 2020, pp. 475–506.
conference:
end_date: 2020-05-15
name: 'EUROCRYPT: Theory and Applications of Cryptographic Techniques'
start_date: 2020-05-11
date_created: 2020-06-15T07:13:37Z
date_published: 2020-05-01T00:00:00Z
date_updated: 2023-09-05T15:06:40Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-030-45727-3_16
ec_funded: 1
external_id:
isi:
- '000828688000016'
intvolume: ' 12107'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2019/364
month: '05'
oa: 1
oa_version: Submitted Version
page: 475-506
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Advances in Cryptology – EUROCRYPT 2020
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783030457266'
- '9783030457273'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
status: public
title: 'Everybody’s a target: Scalability in public-key encryption'
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 12107
year: '2020'
...
---
_id: '7896'
abstract:
- lang: eng
text: "A search problem lies in the complexity class FNP if a solution to the given
instance of the problem can be verified efficiently. The complexity class TFNP
consists of all search problems in FNP that are total in the sense that a solution
is guaranteed to exist. TFNP contains a host of interesting problems from fields
such as algorithmic game theory, computational topology, number theory and combinatorics.
Since TFNP is a semantic class, it is unlikely to have a complete problem. Instead,
one studies its syntactic subclasses which are defined based on the combinatorial
principle used to argue totality. Of particular interest is the subclass PPAD,
which contains important problems\r\nlike computing Nash equilibrium for bimatrix
games and computational counterparts of several fixed-point theorems as complete.
In the thesis, we undertake the study of averagecase hardness of TFNP, and in
particular its subclass PPAD.\r\nAlmost nothing was known about average-case hardness
of PPAD before a series of recent results showed how to achieve it using a cryptographic
primitive called program obfuscation.\r\nHowever, it is currently not known how
to construct program obfuscation from standard cryptographic assumptions. Therefore,
it is desirable to relax the assumption under which average-case hardness of PPAD
can be shown. In the thesis we take a step in this direction. First, we show that
assuming the (average-case) hardness of a numbertheoretic\r\nproblem related to
factoring of integers, which we call Iterated-Squaring, PPAD is hard-on-average
in the random-oracle model. Then we strengthen this result to show that the average-case
hardness of PPAD reduces to the (adaptive) soundness of the Fiat-Shamir Transform,
a well-known technique used to compile a public-coin interactive protocol into
a non-interactive one. As a corollary, we obtain average-case hardness for PPAD
in the random-oracle model assuming the worst-case hardness of #SAT. Moreover,
the above results can all be strengthened to obtain average-case hardness for
the class CLS ⊆ PPAD.\r\nOur main technical contribution is constructing incrementally-verifiable
procedures for computing Iterated-Squaring and #SAT. By incrementally-verifiable,
we mean that every intermediate state of the computation includes a proof of its
correctness, and the proof can be updated and verified in polynomial time. Previous
constructions of such procedures relied on strong, non-standard assumptions. Instead,
we introduce a technique called recursive proof-merging to obtain the same from
weaker assumptions. "
alternative_title:
- ISTA Thesis
article_processing_charge: No
author:
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
citation:
ama: Kamath Hosdurg C. On the average-case hardness of total search problems. 2020.
doi:10.15479/AT:ISTA:7896
apa: Kamath Hosdurg, C. (2020). On the average-case hardness of total search
problems. Institute of Science and Technology Austria. https://doi.org/10.15479/AT:ISTA:7896
chicago: Kamath Hosdurg, Chethan. “On the Average-Case Hardness of Total Search
Problems.” Institute of Science and Technology Austria, 2020. https://doi.org/10.15479/AT:ISTA:7896.
ieee: C. Kamath Hosdurg, “On the average-case hardness of total search problems,”
Institute of Science and Technology Austria, 2020.
ista: Kamath Hosdurg C. 2020. On the average-case hardness of total search problems.
Institute of Science and Technology Austria.
mla: Kamath Hosdurg, Chethan. On the Average-Case Hardness of Total Search Problems.
Institute of Science and Technology Austria, 2020, doi:10.15479/AT:ISTA:7896.
short: C. Kamath Hosdurg, On the Average-Case Hardness of Total Search Problems,
Institute of Science and Technology Austria, 2020.
date_created: 2020-05-26T14:08:55Z
date_published: 2020-05-25T00:00:00Z
date_updated: 2023-09-07T13:15:55Z
day: '25'
ddc:
- '000'
degree_awarded: PhD
department:
- _id: KrPi
doi: 10.15479/AT:ISTA:7896
ec_funded: 1
file:
- access_level: open_access
checksum: b39e2e1c376f5819b823fb7077491c64
content_type: application/pdf
creator: dernst
date_created: 2020-05-26T14:08:13Z
date_updated: 2020-07-14T12:48:04Z
file_id: '7897'
file_name: 2020_Thesis_Kamath.pdf
file_size: 1622742
relation: main_file
- access_level: closed
checksum: 8b26ba729c1a85ac6bea775f5d73cdc7
content_type: application/x-zip-compressed
creator: dernst
date_created: 2020-05-26T14:08:23Z
date_updated: 2020-07-14T12:48:04Z
file_id: '7898'
file_name: Thesis_Kamath.zip
file_size: 15301529
relation: source_file
file_date_updated: 2020-07-14T12:48:04Z
has_accepted_license: '1'
language:
- iso: eng
month: '05'
oa: 1
oa_version: Published Version
page: '126'
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
issn:
- 2663-337X
publication_status: published
publisher: Institute of Science and Technology Austria
related_material:
record:
- id: '6677'
relation: part_of_dissertation
status: public
status: public
supervisor:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
title: On the average-case hardness of total search problems
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: dissertation
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
year: '2020'
...
---
_id: '5887'
abstract:
- lang: eng
text: 'Cryptographic security is usually defined as a guarantee that holds except
when a bad event with negligible probability occurs, and nothing is guaranteed
in that bad case. However, in settings where such failure can happen with substantial
probability, one needs to provide guarantees even for the bad case. A typical
example is where a (possibly weak) password is used instead of a secure cryptographic
key to protect a session, the bad event being that the adversary correctly guesses
the password. In a situation with multiple such sessions, a per-session guarantee
is desired: any session for which the password has not been guessed remains secure,
independently of whether other sessions have been compromised. A new formalism
for stating such gracefully degrading security guarantees is introduced and applied
to analyze the examples of password-based message authentication and password-based
encryption. While a natural per-message guarantee is achieved for authentication,
the situation of password-based encryption is more delicate: a per-session confidentiality
guarantee only holds against attackers for which the distribution of password-guessing
effort over the sessions is known in advance. In contrast, for more general attackers
without such a restriction, a strong, composable notion of security cannot be
achieved.'
article_processing_charge: No
article_type: original
author:
- first_name: Gregory
full_name: Demay, Gregory
last_name: Demay
- first_name: Peter
full_name: Gazi, Peter
id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
last_name: Gazi
- first_name: Ueli
full_name: Maurer, Ueli
last_name: Maurer
- first_name: Bjorn
full_name: Tackmann, Bjorn
last_name: Tackmann
citation:
ama: 'Demay G, Gazi P, Maurer U, Tackmann B. Per-session security: Password-based
cryptography revisited. Journal of Computer Security. 2019;27(1):75-111.
doi:10.3233/JCS-181131'
apa: 'Demay, G., Gazi, P., Maurer, U., & Tackmann, B. (2019). Per-session security:
Password-based cryptography revisited. Journal of Computer Security. IOS
Press. https://doi.org/10.3233/JCS-181131'
chicago: 'Demay, Gregory, Peter Gazi, Ueli Maurer, and Bjorn Tackmann. “Per-Session
Security: Password-Based Cryptography Revisited.” Journal of Computer Security.
IOS Press, 2019. https://doi.org/10.3233/JCS-181131.'
ieee: 'G. Demay, P. Gazi, U. Maurer, and B. Tackmann, “Per-session security: Password-based
cryptography revisited,” Journal of Computer Security, vol. 27, no. 1.
IOS Press, pp. 75–111, 2019.'
ista: 'Demay G, Gazi P, Maurer U, Tackmann B. 2019. Per-session security: Password-based
cryptography revisited. Journal of Computer Security. 27(1), 75–111.'
mla: 'Demay, Gregory, et al. “Per-Session Security: Password-Based Cryptography
Revisited.” Journal of Computer Security, vol. 27, no. 1, IOS Press, 2019,
pp. 75–111, doi:10.3233/JCS-181131.'
short: G. Demay, P. Gazi, U. Maurer, B. Tackmann, Journal of Computer Security 27
(2019) 75–111.
date_created: 2019-01-27T22:59:10Z
date_published: 2019-01-01T00:00:00Z
date_updated: 2021-01-12T08:05:08Z
day: '1'
department:
- _id: KrPi
doi: 10.3233/JCS-181131
ec_funded: 1
intvolume: ' 27'
issue: '1'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/166
month: '01'
oa: 1
oa_version: Preprint
page: 75-111
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Journal of Computer Security
publication_identifier:
issn:
- 0926227X
publication_status: published
publisher: IOS Press
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'Per-session security: Password-based cryptography revisited'
type: journal_article
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 27
year: '2019'
...
---
_id: '6528'
abstract:
- lang: eng
text: We construct a verifiable delay function (VDF) by showing how the Rivest-Shamir-Wagner
time-lock puzzle can be made publicly verifiable. Concretely, we give a statistically
sound public-coin protocol to prove that a tuple (N,x,T,y) satisfies y=x2T (mod
N) where the prover doesn’t know the factorization of N and its running time is
dominated by solving the puzzle, that is, compute x2T, which is conjectured to
require T sequential squarings. To get a VDF we make this protocol non-interactive
using the Fiat-Shamir heuristic.The motivation for this work comes from the Chia
blockchain design, which uses a VDF as akey ingredient. For typical parameters
(T≤2 40, N= 2048), our proofs are of size around 10K B, verification cost around
three RSA exponentiations and computing the proof is 8000 times faster than solving
the puzzle even without any parallelism.
alternative_title:
- LIPIcs
article_number: '60'
article_processing_charge: No
author:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Pietrzak KZ. Simple verifiable delay functions. In: 10th Innovations in
Theoretical Computer Science Conference. Vol 124. Schloss Dagstuhl - Leibniz-Zentrum
für Informatik; 2019. doi:10.4230/LIPICS.ITCS.2019.60'
apa: 'Pietrzak, K. Z. (2019). Simple verifiable delay functions. In 10th Innovations
in Theoretical Computer Science Conference (Vol. 124). San Diego, CA, United
States: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. https://doi.org/10.4230/LIPICS.ITCS.2019.60'
chicago: Pietrzak, Krzysztof Z. “Simple Verifiable Delay Functions.” In 10th
Innovations in Theoretical Computer Science Conference, Vol. 124. Schloss
Dagstuhl - Leibniz-Zentrum für Informatik, 2019. https://doi.org/10.4230/LIPICS.ITCS.2019.60.
ieee: K. Z. Pietrzak, “Simple verifiable delay functions,” in 10th Innovations
in Theoretical Computer Science Conference, San Diego, CA, United States,
2019, vol. 124.
ista: 'Pietrzak KZ. 2019. Simple verifiable delay functions. 10th Innovations in
Theoretical Computer Science Conference. ITCS 2019: Innovations in Theoretical
Computer Science, LIPIcs, vol. 124, 60.'
mla: Pietrzak, Krzysztof Z. “Simple Verifiable Delay Functions.” 10th Innovations
in Theoretical Computer Science Conference, vol. 124, 60, Schloss Dagstuhl
- Leibniz-Zentrum für Informatik, 2019, doi:10.4230/LIPICS.ITCS.2019.60.
short: K.Z. Pietrzak, in:, 10th Innovations in Theoretical Computer Science Conference,
Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2019.
conference:
end_date: 2019-01-12
location: San Diego, CA, United States
name: 'ITCS 2019: Innovations in Theoretical Computer Science'
start_date: 2019-01-10
date_created: 2019-06-06T14:12:36Z
date_published: 2019-01-10T00:00:00Z
date_updated: 2021-01-12T08:07:53Z
day: '10'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.4230/LIPICS.ITCS.2019.60
ec_funded: 1
file:
- access_level: open_access
checksum: f0ae1bb161431d9db3dea5ace082bfb5
content_type: application/pdf
creator: dernst
date_created: 2019-06-06T14:22:04Z
date_updated: 2020-07-14T12:47:33Z
file_id: '6529'
file_name: 2019_LIPIcs_Pietrzak.pdf
file_size: 558770
relation: main_file
file_date_updated: 2020-07-14T12:47:33Z
has_accepted_license: '1'
intvolume: ' 124'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2018/627
month: '01'
oa: 1
oa_version: Published Version
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: 10th Innovations in Theoretical Computer Science Conference
publication_identifier:
isbn:
- 978-3-95977-095-8
issn:
- 1868-8969
publication_status: published
publisher: Schloss Dagstuhl - Leibniz-Zentrum für Informatik
quality_controlled: '1'
scopus_import: 1
status: public
title: Simple verifiable delay functions
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 124
year: '2019'
...
---
_id: '6726'
abstract:
- lang: eng
text: Randomness is an essential part of any secure cryptosystem, but many constructions
rely on distributions that are not uniform. This is particularly true for lattice
based cryptosystems, which more often than not make use of discrete Gaussian distributions
over the integers. For practical purposes it is crucial to evaluate the impact
that approximation errors have on the security of a scheme to provide the best
possible trade-off between security and performance. Recent years have seen surprising
results allowing to use relatively low precision while maintaining high levels
of security. A key insight in these results is that sampling a distribution with
low relative error can provide very strong security guarantees. Since floating
point numbers provide guarantees on the relative approximation error, they seem
a suitable tool in this setting, but it is not obvious which sampling algorithms
can actually profit from them. While previous works have shown that inversion
sampling can be adapted to provide a low relative error (Pöppelmann et al., CHES
2014; Prest, ASIACRYPT 2017), other works have called into question if this is
possible for other sampling techniques (Zheng et al., Eprint report 2018/309).
In this work, we consider all sampling algorithms that are popular in the cryptographic
setting and analyze the relationship of floating point precision and the resulting
relative error. We show that all of the algorithms either natively achieve a low
relative error or can be adapted to do so.
article_processing_charge: No
author:
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
citation:
ama: 'Walter M. Sampling the integers with low relative error. In: Buchmann J, Nitaj
A, Rachidi T, eds. Progress in Cryptology – AFRICACRYPT 2019. Vol 11627.
LNCS. Cham: Springer Nature; 2019:157-180. doi:10.1007/978-3-030-23696-0_9'
apa: 'Walter, M. (2019). Sampling the integers with low relative error. In J. Buchmann,
A. Nitaj, & T. Rachidi (Eds.), Progress in Cryptology – AFRICACRYPT 2019
(Vol. 11627, pp. 157–180). Cham: Springer Nature. https://doi.org/10.1007/978-3-030-23696-0_9'
chicago: 'Walter, Michael. “Sampling the Integers with Low Relative Error.” In Progress
in Cryptology – AFRICACRYPT 2019, edited by J Buchmann, A Nitaj, and T Rachidi,
11627:157–80. LNCS. Cham: Springer Nature, 2019. https://doi.org/10.1007/978-3-030-23696-0_9.'
ieee: 'M. Walter, “Sampling the integers with low relative error,” in Progress
in Cryptology – AFRICACRYPT 2019, vol. 11627, J. Buchmann, A. Nitaj, and T.
Rachidi, Eds. Cham: Springer Nature, 2019, pp. 157–180.'
ista: 'Walter M. 2019.Sampling the integers with low relative error. In: Progress
in Cryptology – AFRICACRYPT 2019. vol. 11627, 157–180.'
mla: Walter, Michael. “Sampling the Integers with Low Relative Error.” Progress
in Cryptology – AFRICACRYPT 2019, edited by J Buchmann et al., vol. 11627,
Springer Nature, 2019, pp. 157–80, doi:10.1007/978-3-030-23696-0_9.
short: M. Walter, in:, J. Buchmann, A. Nitaj, T. Rachidi (Eds.), Progress in Cryptology
– AFRICACRYPT 2019, Springer Nature, Cham, 2019, pp. 157–180.
conference:
end_date: 2019-07-11
location: Rabat, Morocco
name: 'AFRICACRYPT: International Conference on Cryptology in Africa'
start_date: 2019-07-09
date_created: 2019-07-29T12:25:31Z
date_published: 2019-06-29T00:00:00Z
date_updated: 2023-02-23T12:50:15Z
day: '29'
department:
- _id: KrPi
doi: 10.1007/978-3-030-23696-0_9
ec_funded: 1
editor:
- first_name: J
full_name: Buchmann, J
last_name: Buchmann
- first_name: A
full_name: Nitaj, A
last_name: Nitaj
- first_name: T
full_name: Rachidi, T
last_name: Rachidi
intvolume: ' 11627'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2019/068
month: '06'
oa: 1
oa_version: Preprint
page: 157-180
place: Cham
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Progress in Cryptology – AFRICACRYPT 2019
publication_identifier:
eisbn:
- 978-3-0302-3696-0
isbn:
- 978-3-0302-3695-3
issn:
- 0302-9743
- 1611-3349
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
series_title: LNCS
status: public
title: Sampling the integers with low relative error
type: book_chapter
user_id: 8b945eb4-e2f2-11eb-945a-df72226e66a9
volume: 11627
year: '2019'
...
---
_id: '7136'
abstract:
- lang: eng
text: "It is well established that the notion of min-entropy fails to satisfy the
\\emph{chain rule} of the form H(X,Y)=H(X|Y)+H(Y), known for Shannon Entropy.
Such a property would help to analyze how min-entropy is split among smaller blocks.
Problems of this kind arise for example when constructing extractors and dispersers.\r\nWe
show that any sequence of variables exhibits a very strong strong block-source
structure (conditional distributions of blocks are nearly flat) when we \\emph{spoil
few correlated bits}. This implies, conditioned on the spoiled bits, that \\emph{splitting-recombination
properties} hold. In particular, we have many nice properties that min-entropy
doesn't obey in general, for example strong chain rules, \"information can't hurt\"
inequalities, equivalences of average and worst-case conditional entropy definitions
and others. Quantitatively, for any sequence X1,…,Xt of random variables over
an alphabet X we prove that, when conditioned on m=t⋅O(loglog|X|+loglog(1/ϵ)+logt)
bits of auxiliary information, all conditional distributions of the form Xi|X2019 IEEE International Symposium on Information Theory. IEEE; 2019. doi:10.1109/isit.2019.8849240'
apa: 'Skórski, M. (2019). Strong chain rules for min-entropy under few bits spoiled.
In 2019 IEEE International Symposium on Information Theory. Paris, France:
IEEE. https://doi.org/10.1109/isit.2019.8849240'
chicago: Skórski, Maciej. “Strong Chain Rules for Min-Entropy under Few Bits Spoiled.”
In 2019 IEEE International Symposium on Information Theory. IEEE, 2019.
https://doi.org/10.1109/isit.2019.8849240.
ieee: M. Skórski, “Strong chain rules for min-entropy under few bits spoiled,” in
2019 IEEE International Symposium on Information Theory, Paris, France,
2019.
ista: 'Skórski M. 2019. Strong chain rules for min-entropy under few bits spoiled.
2019 IEEE International Symposium on Information Theory. ISIT: International Symposium
on Information Theory, 8849240.'
mla: Skórski, Maciej. “Strong Chain Rules for Min-Entropy under Few Bits Spoiled.”
2019 IEEE International Symposium on Information Theory, 8849240, IEEE,
2019, doi:10.1109/isit.2019.8849240.
short: M. Skórski, in:, 2019 IEEE International Symposium on Information Theory,
IEEE, 2019.
conference:
end_date: 2019-07-12
location: Paris, France
name: 'ISIT: International Symposium on Information Theory'
start_date: 2019-07-07
date_created: 2019-11-28T10:19:21Z
date_published: 2019-07-01T00:00:00Z
date_updated: 2023-09-06T11:15:41Z
day: '01'
department:
- _id: KrPi
doi: 10.1109/isit.2019.8849240
external_id:
arxiv:
- '1702.08476'
isi:
- '000489100301043'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://arxiv.org/abs/1702.08476
month: '07'
oa: 1
oa_version: Preprint
publication: 2019 IEEE International Symposium on Information Theory
publication_identifier:
isbn:
- '9781538692912'
publication_status: published
publisher: IEEE
quality_controlled: '1'
scopus_import: '1'
status: public
title: Strong chain rules for min-entropy under few bits spoiled
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
year: '2019'
...
---
_id: '7411'
abstract:
- lang: eng
text: "Proofs of sequential work (PoSW) are proof systems where a prover, upon receiving
a statement χ and a time parameter T computes a proof ϕ(χ,T) which is efficiently
and publicly verifiable. The proof can be computed in T sequential steps, but
not much less, even by a malicious party having large parallelism. A PoSW thus
serves as a proof that T units of time have passed since χ\r\n\r\nwas received.\r\n\r\nPoSW
were introduced by Mahmoody, Moran and Vadhan [MMV11], a simple and practical
construction was only recently proposed by Cohen and Pietrzak [CP18].\r\n\r\nIn
this work we construct a new simple PoSW in the random permutation model which
is almost as simple and efficient as [CP18] but conceptually very different. Whereas
the structure underlying [CP18] is a hash tree, our construction is based on skip
lists and has the interesting property that computing the PoSW is a reversible
computation.\r\nThe fact that the construction is reversible can potentially be
used for new applications like constructing proofs of replication. We also show
how to “embed” the sloth function of Lenstra and Weselowski [LW17] into our PoSW
to get a PoSW where one additionally can verify correctness of the output much
more efficiently than recomputing it (though recent constructions of “verifiable
delay functions” subsume most of the applications this construction was aiming
at)."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Hamza M
full_name: Abusalah, Hamza M
id: 40297222-F248-11E8-B48F-1D18A9856A87
last_name: Abusalah
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
citation:
ama: 'Abusalah HM, Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. Reversible
proofs of sequential work. In: Advances in Cryptology – EUROCRYPT 2019.
Vol 11477. Springer International Publishing; 2019:277-291. doi:10.1007/978-3-030-17656-3_10'
apa: 'Abusalah, H. M., Kamath Hosdurg, C., Klein, K., Pietrzak, K. Z., & Walter,
M. (2019). Reversible proofs of sequential work. In Advances in Cryptology
– EUROCRYPT 2019 (Vol. 11477, pp. 277–291). Darmstadt, Germany: Springer International
Publishing. https://doi.org/10.1007/978-3-030-17656-3_10'
chicago: Abusalah, Hamza M, Chethan Kamath Hosdurg, Karen Klein, Krzysztof Z Pietrzak,
and Michael Walter. “Reversible Proofs of Sequential Work.” In Advances in
Cryptology – EUROCRYPT 2019, 11477:277–91. Springer International Publishing,
2019. https://doi.org/10.1007/978-3-030-17656-3_10.
ieee: H. M. Abusalah, C. Kamath Hosdurg, K. Klein, K. Z. Pietrzak, and M. Walter,
“Reversible proofs of sequential work,” in Advances in Cryptology – EUROCRYPT
2019, Darmstadt, Germany, 2019, vol. 11477, pp. 277–291.
ista: Abusalah HM, Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. 2019. Reversible
proofs of sequential work. Advances in Cryptology – EUROCRYPT 2019. International
Conference on the Theory and Applications of Cryptographic Techniques, LNCS, vol.
11477, 277–291.
mla: Abusalah, Hamza M., et al. “Reversible Proofs of Sequential Work.” Advances
in Cryptology – EUROCRYPT 2019, vol. 11477, Springer International Publishing,
2019, pp. 277–91, doi:10.1007/978-3-030-17656-3_10.
short: H.M. Abusalah, C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, M. Walter, in:,
Advances in Cryptology – EUROCRYPT 2019, Springer International Publishing, 2019,
pp. 277–291.
conference:
end_date: 2019-05-23
location: Darmstadt, Germany
name: International Conference on the Theory and Applications of Cryptographic Techniques
start_date: 2019-05-19
date_created: 2020-01-30T09:26:14Z
date_published: 2019-04-24T00:00:00Z
date_updated: 2023-09-06T15:26:06Z
day: '24'
department:
- _id: KrPi
doi: 10.1007/978-3-030-17656-3_10
ec_funded: 1
external_id:
isi:
- '000483516200010'
intvolume: ' 11477'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2019/252
month: '04'
oa: 1
oa_version: Submitted Version
page: 277-291
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Advances in Cryptology – EUROCRYPT 2019
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783030176556'
- '9783030176563'
issn:
- 0302-9743
publication_status: published
publisher: Springer International Publishing
quality_controlled: '1'
scopus_import: '1'
status: public
title: Reversible proofs of sequential work
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 11477
year: '2019'
...
---
_id: '6677'
abstract:
- lang: eng
text: "The Fiat-Shamir heuristic transforms a public-coin interactive proof into
a non-interactive argument, by replacing the verifier with a cryptographic hash
function that is applied to the protocol’s transcript. Constructing hash functions
for which this transformation is sound is a central and long-standing open question
in cryptography.\r\n\r\nWe show that solving the END−OF−METERED−LINE problem is
no easier than breaking the soundness of the Fiat-Shamir transformation when applied
to the sumcheck protocol. In particular, if the transformed protocol is sound,
then any hard problem in #P gives rise to a hard distribution in the class CLS,
which is contained in PPAD. Our result opens up the possibility of sampling moderately-sized
games for which it is hard to find a Nash equilibrium, by reducing the inversion
of appropriately chosen one-way functions to #SAT.\r\n\r\nOur main technical contribution
is a stateful incrementally verifiable procedure that, given a SAT instance over
n variables, counts the number of satisfying assignments. This is accomplished
via an exponential sequence of small steps, each computable in time poly(n). Incremental
verifiability means that each intermediate state includes a sumcheck-based proof
of its correctness, and the proof can be updated and verified in time poly(n)."
article_processing_charge: No
author:
- first_name: Arka Rai
full_name: Choudhuri, Arka Rai
last_name: Choudhuri
- first_name: Pavel
full_name: Hubáček, Pavel
last_name: Hubáček
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Alon
full_name: Rosen, Alon
last_name: Rosen
- first_name: Guy N.
full_name: Rothblum, Guy N.
last_name: Rothblum
citation:
ama: 'Choudhuri AR, Hubáček P, Kamath Hosdurg C, Pietrzak KZ, Rosen A, Rothblum
GN. Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. In: Proceedings
of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019.
ACM Press; 2019:1103-1114. doi:10.1145/3313276.3316400'
apa: 'Choudhuri, A. R., Hubáček, P., Kamath Hosdurg, C., Pietrzak, K. Z., Rosen,
A., & Rothblum, G. N. (2019). Finding a Nash equilibrium is no easier than
breaking Fiat-Shamir. In Proceedings of the 51st Annual ACM SIGACT Symposium
on Theory of Computing - STOC 2019 (pp. 1103–1114). Phoenix, AZ, United States:
ACM Press. https://doi.org/10.1145/3313276.3316400'
chicago: Choudhuri, Arka Rai, Pavel Hubáček, Chethan Kamath Hosdurg, Krzysztof Z
Pietrzak, Alon Rosen, and Guy N. Rothblum. “Finding a Nash Equilibrium Is No Easier
than Breaking Fiat-Shamir.” In Proceedings of the 51st Annual ACM SIGACT Symposium
on Theory of Computing - STOC 2019, 1103–14. ACM Press, 2019. https://doi.org/10.1145/3313276.3316400.
ieee: A. R. Choudhuri, P. Hubáček, C. Kamath Hosdurg, K. Z. Pietrzak, A. Rosen,
and G. N. Rothblum, “Finding a Nash equilibrium is no easier than breaking Fiat-Shamir,”
in Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing
- STOC 2019, Phoenix, AZ, United States, 2019, pp. 1103–1114.
ista: 'Choudhuri AR, Hubáček P, Kamath Hosdurg C, Pietrzak KZ, Rosen A, Rothblum
GN. 2019. Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. Proceedings
of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019. STOC:
Symposium on Theory of Computing, 1103–1114.'
mla: Choudhuri, Arka Rai, et al. “Finding a Nash Equilibrium Is No Easier than Breaking
Fiat-Shamir.” Proceedings of the 51st Annual ACM SIGACT Symposium on Theory
of Computing - STOC 2019, ACM Press, 2019, pp. 1103–14, doi:10.1145/3313276.3316400.
short: A.R. Choudhuri, P. Hubáček, C. Kamath Hosdurg, K.Z. Pietrzak, A. Rosen, G.N.
Rothblum, in:, Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of
Computing - STOC 2019, ACM Press, 2019, pp. 1103–1114.
conference:
end_date: 2019-06-26
location: Phoenix, AZ, United States
name: 'STOC: Symposium on Theory of Computing'
start_date: 2019-06-23
date_created: 2019-07-24T09:20:53Z
date_published: 2019-06-01T00:00:00Z
date_updated: 2023-09-07T13:15:55Z
day: '01'
department:
- _id: KrPi
doi: 10.1145/3313276.3316400
ec_funded: 1
external_id:
isi:
- '000523199100100'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2019/549
month: '06'
oa: 1
oa_version: Preprint
page: 1103-1114
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing -
STOC 2019
publication_identifier:
isbn:
- '9781450367059'
publication_status: published
publisher: ACM Press
quality_controlled: '1'
related_material:
record:
- id: '7896'
relation: dissertation_contains
status: public
scopus_import: '1'
status: public
title: Finding a Nash equilibrium is no easier than breaking Fiat-Shamir
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
year: '2019'
...
---
_id: '6430'
abstract:
- lang: eng
text: "A proxy re-encryption (PRE) scheme is a public-key encryption scheme that
allows the holder of a key pk to derive a re-encryption key for any other key
\U0001D45D\U0001D458′. This re-encryption key lets anyone transform ciphertexts
under pk into ciphertexts under \U0001D45D\U0001D458′ without having to know the
underlying message, while transformations from \U0001D45D\U0001D458′ to pk should
not be possible (unidirectional). Security is defined in a multi-user setting
against an adversary that gets the users’ public keys and can ask for re-encryption
keys and can corrupt users by requesting their secret keys. Any ciphertext that
the adversary cannot trivially decrypt given the obtained secret and re-encryption
keys should be secure.\r\n\r\nAll existing security proofs for PRE only show selective
security, where the adversary must first declare the users it wants to corrupt.
This can be lifted to more meaningful adaptive security by guessing the set of
corrupted users among the n users, which loses a factor exponential in Open image
in new window , rendering the result meaningless already for moderate Open image
in new window .\r\n\r\nJafargholi et al. (CRYPTO’17) proposed a framework that
in some cases allows to give adaptive security proofs for schemes which were previously
only known to be selectively secure, while avoiding the exponential loss that
results from guessing the adaptive choices made by an adversary. We apply their
framework to PREs that satisfy some natural additional properties. Concretely,
we give a more fine-grained reduction for several unidirectional PREs, proving
adaptive security at a much smaller loss. The loss depends on the graph of users
whose edges represent the re-encryption keys queried by the adversary. For trees
and chains the loss is quasi-polynomial in the size and for general graphs it
is exponential in their depth and indegree (instead of their size as for previous
reductions). Fortunately, trees and low-depth graphs cover many, if not most,
interesting applications.\r\n\r\nOur results apply e.g. to the bilinear-map based
PRE schemes by Ateniese et al. (NDSS’05 and CT-RSA’09), Gentry’s FHE-based scheme
(STOC’09) and the LWE-based scheme by Chandran et al. (PKC’14)."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Fuchsbauer G, Kamath Hosdurg C, Klein K, Pietrzak KZ. Adaptively secure proxy
re-encryption. In: Vol 11443. Springer Nature; 2019:317-346. doi:10.1007/978-3-030-17259-6_11'
apa: 'Fuchsbauer, G., Kamath Hosdurg, C., Klein, K., & Pietrzak, K. Z. (2019).
Adaptively secure proxy re-encryption (Vol. 11443, pp. 317–346). Presented at
the PKC: Public-Key Cryptograhy, Beijing, China: Springer Nature. https://doi.org/10.1007/978-3-030-17259-6_11'
chicago: Fuchsbauer, Georg, Chethan Kamath Hosdurg, Karen Klein, and Krzysztof Z
Pietrzak. “Adaptively Secure Proxy Re-Encryption,” 11443:317–46. Springer Nature,
2019. https://doi.org/10.1007/978-3-030-17259-6_11.
ieee: 'G. Fuchsbauer, C. Kamath Hosdurg, K. Klein, and K. Z. Pietrzak, “Adaptively
secure proxy re-encryption,” presented at the PKC: Public-Key Cryptograhy, Beijing,
China, 2019, vol. 11443, pp. 317–346.'
ista: 'Fuchsbauer G, Kamath Hosdurg C, Klein K, Pietrzak KZ. 2019. Adaptively secure
proxy re-encryption. PKC: Public-Key Cryptograhy, LNCS, vol. 11443, 317–346.'
mla: Fuchsbauer, Georg, et al. Adaptively Secure Proxy Re-Encryption. Vol.
11443, Springer Nature, 2019, pp. 317–46, doi:10.1007/978-3-030-17259-6_11.
short: G. Fuchsbauer, C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, in:, Springer
Nature, 2019, pp. 317–346.
conference:
end_date: 2019-04-17
location: Beijing, China
name: 'PKC: Public-Key Cryptograhy'
start_date: 2019-04-14
date_created: 2019-05-13T08:13:46Z
date_published: 2019-04-06T00:00:00Z
date_updated: 2023-09-08T11:33:20Z
day: '06'
department:
- _id: KrPi
doi: 10.1007/978-3-030-17259-6_11
ec_funded: 1
intvolume: ' 11443'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2018/426
month: '04'
oa: 1
oa_version: Preprint
page: 317-346
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
eissn:
- '16113349'
isbn:
- '9783030172589'
issn:
- '03029743'
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
related_material:
record:
- id: '10035'
relation: dissertation_contains
status: public
scopus_import: '1'
status: public
title: Adaptively secure proxy re-encryption
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 11443
year: '2019'
...
---
_id: '10286'
abstract:
- lang: eng
text: 'In this paper, we evaluate clock signals generated in ring oscillators and
self-timed rings and the way their jitter can be transformed into random numbers.
We show that counting the periods of the jittery clock signal produces random
numbers of significantly better quality than the methods in which the jittery
signal is simply sampled (the case in almost all current methods). Moreover, we
use the counter values to characterize and continuously monitor the source of
randomness. However, instead of using the widely used statistical variance, we
propose to use Allan variance to do so. There are two main advantages: Allan variance
is insensitive to low frequency noises such as flicker noise that are known to
be autocorrelated and significantly less circuitry is required for its computation
than that used to compute commonly used variance. We also show that it is essential
to use a differential principle of randomness extraction from the jitter based
on the use of two identical oscillators to avoid autocorrelations originating
from external and internal global jitter sources and that this fact is valid for
both kinds of rings. Last but not least, we propose a method of statistical testing
based on high order Markov model to show the reduced dependencies when the proposed
randomness extraction is applied.'
article_processing_charge: No
article_type: original
author:
- first_name: Elie Noumon
full_name: Allini, Elie Noumon
last_name: Allini
- first_name: Maciej
full_name: Skórski, Maciej
id: EC09FA6A-02D0-11E9-8223-86B7C91467DD
last_name: Skórski
- first_name: Oto
full_name: Petura, Oto
last_name: Petura
- first_name: Florent
full_name: Bernard, Florent
last_name: Bernard
- first_name: Marek
full_name: Laban, Marek
last_name: Laban
- first_name: Viktor
full_name: Fischer, Viktor
last_name: Fischer
citation:
ama: Allini EN, Skórski M, Petura O, Bernard F, Laban M, Fischer V. Evaluation and
monitoring of free running oscillators serving as source of randomness. IACR
Transactions on Cryptographic Hardware and Embedded Systems. 2018;2018(3):214-242.
doi:10.13154/tches.v2018.i3.214-242
apa: Allini, E. N., Skórski, M., Petura, O., Bernard, F., Laban, M., & Fischer,
V. (2018). Evaluation and monitoring of free running oscillators serving as source
of randomness. IACR Transactions on Cryptographic Hardware and Embedded Systems.
International Association for Cryptologic Research. https://doi.org/10.13154/tches.v2018.i3.214-242
chicago: Allini, Elie Noumon, Maciej Skórski, Oto Petura, Florent Bernard, Marek
Laban, and Viktor Fischer. “Evaluation and Monitoring of Free Running Oscillators
Serving as Source of Randomness.” IACR Transactions on Cryptographic Hardware
and Embedded Systems. International Association for Cryptologic Research,
2018. https://doi.org/10.13154/tches.v2018.i3.214-242.
ieee: E. N. Allini, M. Skórski, O. Petura, F. Bernard, M. Laban, and V. Fischer,
“Evaluation and monitoring of free running oscillators serving as source of randomness,”
IACR Transactions on Cryptographic Hardware and Embedded Systems, vol.
2018, no. 3. International Association for Cryptologic Research, pp. 214–242,
2018.
ista: Allini EN, Skórski M, Petura O, Bernard F, Laban M, Fischer V. 2018. Evaluation
and monitoring of free running oscillators serving as source of randomness. IACR
Transactions on Cryptographic Hardware and Embedded Systems. 2018(3), 214–242.
mla: Allini, Elie Noumon, et al. “Evaluation and Monitoring of Free Running Oscillators
Serving as Source of Randomness.” IACR Transactions on Cryptographic Hardware
and Embedded Systems, vol. 2018, no. 3, International Association for Cryptologic
Research, 2018, pp. 214–42, doi:10.13154/tches.v2018.i3.214-242.
short: E.N. Allini, M. Skórski, O. Petura, F. Bernard, M. Laban, V. Fischer, IACR
Transactions on Cryptographic Hardware and Embedded Systems 2018 (2018) 214–242.
date_created: 2021-11-14T23:01:25Z
date_published: 2018-01-01T00:00:00Z
date_updated: 2021-11-15T10:48:49Z
day: '01'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.13154/tches.v2018.i3.214-242
file:
- access_level: open_access
checksum: b816b848f046c48a8357700d9305dce5
content_type: application/pdf
creator: cchlebak
date_created: 2021-11-15T10:27:29Z
date_updated: 2021-11-15T10:27:29Z
file_id: '10289'
file_name: 2018_IACR_Allini.pdf
file_size: 955755
relation: main_file
success: 1
file_date_updated: 2021-11-15T10:27:29Z
has_accepted_license: '1'
intvolume: ' 2018'
issue: '3'
language:
- iso: eng
month: '01'
oa: 1
oa_version: Published Version
page: 214-242
publication: IACR Transactions on Cryptographic Hardware and Embedded Systems
publication_identifier:
eissn:
- 2569-2925
publication_status: published
publisher: International Association for Cryptologic Research
quality_controlled: '1'
scopus_import: '1'
status: public
title: Evaluation and monitoring of free running oscillators serving as source of
randomness
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: journal_article
user_id: 8b945eb4-e2f2-11eb-945a-df72226e66a9
volume: 2018
year: '2018'
...
---
_id: '7407'
abstract:
- lang: eng
text: 'Proofs of space (PoS) [Dziembowski et al., CRYPTO''15] are proof systems
where a prover can convince a verifier that he "wastes" disk space. PoS were introduced
as a more ecological and economical replacement for proofs of work which are currently
used to secure blockchains like Bitcoin. In this work we investigate extensions
of PoS which allow the prover to embed useful data into the dedicated space, which
later can be recovered. Our first contribution is a security proof for the original
PoS from CRYPTO''15 in the random oracle model (the original proof only applied
to a restricted class of adversaries which can store a subset of the data an honest
prover would store). When this PoS is instantiated with recent constructions of
maximally depth robust graphs, our proof implies basically optimal security. As
a second contribution we show three different extensions of this PoS where useful
data can be embedded into the space required by the prover. Our security proof
for the PoS extends (non-trivially) to these constructions. We discuss how some
of these variants can be used as proofs of catalytic space (PoCS), a notion we
put forward in this work, and which basically is a PoS where most of the space
required by the prover can be used to backup useful data. Finally we discuss how
one of the extensions is a candidate construction for a proof of replication (PoR),
a proof system recently suggested in the Filecoin whitepaper. '
alternative_title:
- LIPIcs
article_processing_charge: No
author:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Pietrzak KZ. Proofs of catalytic space. In: 10th Innovations in Theoretical
Computer Science Conference (ITCS 2019). Vol 124. Schloss Dagstuhl - Leibniz-Zentrum
für Informatik; 2018:59:1-59:25. doi:10.4230/LIPICS.ITCS.2019.59'
apa: 'Pietrzak, K. Z. (2018). Proofs of catalytic space. In 10th Innovations
in Theoretical Computer Science Conference (ITCS 2019) (Vol. 124, p. 59:1-59:25).
San Diego, CA, United States: Schloss Dagstuhl - Leibniz-Zentrum für Informatik.
https://doi.org/10.4230/LIPICS.ITCS.2019.59'
chicago: Pietrzak, Krzysztof Z. “Proofs of Catalytic Space.” In 10th Innovations
in Theoretical Computer Science Conference (ITCS 2019), 124:59:1-59:25. Schloss
Dagstuhl - Leibniz-Zentrum für Informatik, 2018. https://doi.org/10.4230/LIPICS.ITCS.2019.59.
ieee: K. Z. Pietrzak, “Proofs of catalytic space,” in 10th Innovations in Theoretical
Computer Science Conference (ITCS 2019), San Diego, CA, United States, 2018,
vol. 124, p. 59:1-59:25.
ista: 'Pietrzak KZ. 2018. Proofs of catalytic space. 10th Innovations in Theoretical
Computer Science Conference (ITCS 2019). ITCS: Innovations in theoretical Computer
Science Conference, LIPIcs, vol. 124, 59:1-59:25.'
mla: Pietrzak, Krzysztof Z. “Proofs of Catalytic Space.” 10th Innovations in
Theoretical Computer Science Conference (ITCS 2019), vol. 124, Schloss Dagstuhl
- Leibniz-Zentrum für Informatik, 2018, p. 59:1-59:25, doi:10.4230/LIPICS.ITCS.2019.59.
short: K.Z. Pietrzak, in:, 10th Innovations in Theoretical Computer Science Conference
(ITCS 2019), Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2018, p. 59:1-59:25.
conference:
end_date: 2019-01-12
location: San Diego, CA, United States
name: 'ITCS: Innovations in theoretical Computer Science Conference'
start_date: 2019-01-10
date_created: 2020-01-30T09:16:05Z
date_published: 2018-12-31T00:00:00Z
date_updated: 2021-01-12T08:13:26Z
day: '31'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.4230/LIPICS.ITCS.2019.59
ec_funded: 1
file:
- access_level: open_access
checksum: 5cebb7f7849a3beda898f697d755dd96
content_type: application/pdf
creator: dernst
date_created: 2020-02-04T08:17:52Z
date_updated: 2020-07-14T12:47:57Z
file_id: '7443'
file_name: 2018_LIPIcs_Pietrzak.pdf
file_size: 822884
relation: main_file
file_date_updated: 2020-07-14T12:47:57Z
has_accepted_license: '1'
intvolume: ' 124'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2018/194
month: '12'
oa: 1
oa_version: Published Version
page: 59:1-59:25
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: 10th Innovations in Theoretical Computer Science Conference (ITCS 2019)
publication_identifier:
isbn:
- 978-3-95977-095-8
issn:
- 1868-8969
publication_status: published
publisher: Schloss Dagstuhl - Leibniz-Zentrum für Informatik
quality_controlled: '1'
scopus_import: 1
status: public
title: Proofs of catalytic space
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 124
year: '2018'
...
---
_id: '83'
abstract:
- lang: eng
text: "A proof system is a protocol between a prover and a verifier over a common
input in which an honest prover convinces the verifier of the validity of true
statements. Motivated by the success of decentralized cryptocurrencies, exemplified
by Bitcoin, the focus of this thesis will be on proof systems which found applications
in some sustainable alternatives to Bitcoin, such as the Spacemint and Chia cryptocurrencies.
In particular, we focus on proofs of space and proofs of sequential work.\r\nProofs
of space (PoSpace) were suggested as more ecological, economical, and egalitarian
alternative to the energy-wasteful proof-of-work mining of Bitcoin. However, the
state-of-the-art constructions of PoSpace are based on sophisticated graph pebbling
lower bounds, and are therefore complex. Moreover, when these PoSpace are used
in cryptocurrencies like Spacemint, miners can only start mining after ensuring
that a commitment to their space is already added in a special transaction to
the blockchain. Proofs of sequential work (PoSW) are proof systems in which a
prover, upon receiving a statement x and a time parameter T, computes a proof
which convinces the verifier that T time units had passed since x was received.
Whereas Spacemint assumes synchrony to retain some interesting Bitcoin dynamics,
Chia requires PoSW with unique proofs, i.e., PoSW in which it is hard to come
up with more than one accepting proof for any true statement. In this thesis we
construct simple and practically-efficient PoSpace and PoSW. When using our PoSpace
in cryptocurrencies, miners can start mining on the fly, like in Bitcoin, and
unlike current constructions of PoSW, which either achieve efficient verification
of sequential work, or faster-than-recomputing verification of correctness of
proofs, but not both at the same time, ours achieve the best of these two worlds."
alternative_title:
- ISTA Thesis
article_processing_charge: No
author:
- first_name: Hamza M
full_name: Abusalah, Hamza M
id: 40297222-F248-11E8-B48F-1D18A9856A87
last_name: Abusalah
citation:
ama: Abusalah HM. Proof systems for sustainable decentralized cryptocurrencies.
2018. doi:10.15479/AT:ISTA:TH_1046
apa: Abusalah, H. M. (2018). Proof systems for sustainable decentralized cryptocurrencies.
Institute of Science and Technology Austria. https://doi.org/10.15479/AT:ISTA:TH_1046
chicago: Abusalah, Hamza M. “Proof Systems for Sustainable Decentralized Cryptocurrencies.”
Institute of Science and Technology Austria, 2018. https://doi.org/10.15479/AT:ISTA:TH_1046.
ieee: H. M. Abusalah, “Proof systems for sustainable decentralized cryptocurrencies,”
Institute of Science and Technology Austria, 2018.
ista: Abusalah HM. 2018. Proof systems for sustainable decentralized cryptocurrencies.
Institute of Science and Technology Austria.
mla: Abusalah, Hamza M. Proof Systems for Sustainable Decentralized Cryptocurrencies.
Institute of Science and Technology Austria, 2018, doi:10.15479/AT:ISTA:TH_1046.
short: H.M. Abusalah, Proof Systems for Sustainable Decentralized Cryptocurrencies,
Institute of Science and Technology Austria, 2018.
date_created: 2018-12-11T11:44:32Z
date_published: 2018-09-05T00:00:00Z
date_updated: 2023-09-07T12:30:23Z
day: '05'
ddc:
- '004'
degree_awarded: PhD
department:
- _id: KrPi
doi: 10.15479/AT:ISTA:TH_1046
ec_funded: 1
file:
- access_level: open_access
checksum: c4b5f7d111755d1396787f41886fc674
content_type: application/pdf
creator: dernst
date_created: 2019-04-09T06:43:41Z
date_updated: 2020-07-14T12:48:11Z
file_id: '6245'
file_name: 2018_Thesis_Abusalah.pdf
file_size: 876241
relation: main_file
- access_level: closed
checksum: 0f382ac56b471c48fd907d63eb87dafe
content_type: application/x-gzip
creator: dernst
date_created: 2019-04-09T06:43:41Z
date_updated: 2020-07-14T12:48:11Z
file_id: '6246'
file_name: 2018_Thesis_Abusalah_source.tar.gz
file_size: 2029190
relation: source_file
file_date_updated: 2020-07-14T12:48:11Z
has_accepted_license: '1'
language:
- iso: eng
month: '09'
oa: 1
oa_version: Published Version
page: '59'
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
issn:
- 2663-337X
publication_status: published
publisher: Institute of Science and Technology Austria
publist_id: '7971'
pubrep_id: '1046'
related_material:
record:
- id: '1229'
relation: part_of_dissertation
status: public
- id: '1235'
relation: part_of_dissertation
status: public
- id: '1236'
relation: part_of_dissertation
status: public
- id: '559'
relation: part_of_dissertation
status: public
status: public
supervisor:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
title: Proof systems for sustainable decentralized cryptocurrencies
type: dissertation
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
year: '2018'
...
---
_id: '108'
abstract:
- lang: eng
text: Universal hashing found a lot of applications in computer science. In cryptography
the most important fact about universal families is the so called Leftover Hash
Lemma, proved by Impagliazzo, Levin and Luby. In the language of modern cryptography
it states that almost universal families are good extractors. In this work we
provide a somewhat surprising characterization in the opposite direction. Namely,
every extractor with sufficiently good parameters yields a universal family on
a noticeable fraction of its inputs. Our proof technique is based on tools from
extremal graph theory applied to the \'collision graph\' induced by the extractor,
and may be of independent interest. We discuss possible applications to the theory
of randomness extractors and non-malleable codes.
alternative_title:
- ISIT Proceedings
article_processing_charge: No
author:
- first_name: Marciej
full_name: Obremski, Marciej
last_name: Obremski
- first_name: Maciej
full_name: Skorski, Maciej
id: EC09FA6A-02D0-11E9-8223-86B7C91467DD
last_name: Skorski
citation:
ama: 'Obremski M, Skórski M. Inverted leftover hash lemma. In: Vol 2018. IEEE; 2018.
doi:10.1109/ISIT.2018.8437654'
apa: 'Obremski, M., & Skórski, M. (2018). Inverted leftover hash lemma (Vol.
2018). Presented at the ISIT: International Symposium on Information Theory, Vail,
CO, USA: IEEE. https://doi.org/10.1109/ISIT.2018.8437654'
chicago: Obremski, Marciej, and Maciej Skórski. “Inverted Leftover Hash Lemma,”
Vol. 2018. IEEE, 2018. https://doi.org/10.1109/ISIT.2018.8437654.
ieee: 'M. Obremski and M. Skórski, “Inverted leftover hash lemma,” presented at
the ISIT: International Symposium on Information Theory, Vail, CO, USA, 2018,
vol. 2018.'
ista: 'Obremski M, Skórski M. 2018. Inverted leftover hash lemma. ISIT: International
Symposium on Information Theory, ISIT Proceedings, vol. 2018.'
mla: Obremski, Marciej, and Maciej Skórski. Inverted Leftover Hash Lemma.
Vol. 2018, IEEE, 2018, doi:10.1109/ISIT.2018.8437654.
short: M. Obremski, M. Skórski, in:, IEEE, 2018.
conference:
end_date: 2018-06-22
location: Vail, CO, USA
name: 'ISIT: International Symposium on Information Theory'
start_date: '2018-06-17 '
date_created: 2018-12-11T11:44:40Z
date_published: 2018-08-16T00:00:00Z
date_updated: 2023-09-13T08:23:18Z
day: '16'
department:
- _id: KrPi
doi: 10.1109/ISIT.2018.8437654
external_id:
isi:
- '000448139300368'
intvolume: ' 2018'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2017/507
month: '08'
oa: 1
oa_version: Submitted Version
publication_status: published
publisher: IEEE
publist_id: '7946'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Inverted leftover hash lemma
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 2018
year: '2018'
...
---
_id: '107'
abstract:
- lang: eng
text: 'We introduce the notion of “non-malleable codes” which relaxes the notion
of error correction and error detection. Informally, a code is non-malleable if
the message contained in a modified codeword is either the original message, or
a completely unrelated value. In contrast to error correction and error detection,
non-malleability can be achieved for very rich classes of modifications. We construct
an efficient code that is non-malleable with respect to modifications that affect
each bit of the codeword arbitrarily (i.e., leave it untouched, flip it, or set
it to either 0 or 1), but independently of the value of the other bits of the
codeword. Using the probabilistic method, we also show a very strong and general
statement: there exists a non-malleable code for every “small enough” family F
of functions via which codewords can be modified. Although this probabilistic
method argument does not directly yield efficient constructions, it gives us efficient
non-malleable codes in the random-oracle model for very general classes of tampering
functions—e.g., functions where every bit in the tampered codeword can depend
arbitrarily on any 99% of the bits in the original codeword. As an application
of non-malleable codes, we show that they provide an elegant algorithmic solution
to the task of protecting functionalities implemented in hardware (e.g., signature
cards) against “tampering attacks.” In such attacks, the secret state of a physical
system is tampered, in the hopes that future interaction with the modified system
will reveal some secret information. This problem was previously studied in the
work of Gennaro et al. in 2004 under the name “algorithmic tamper proof security”
(ATP). We show that non-malleable codes can be used to achieve important improvements
over the prior work. In particular, we show that any functionality can be made
secure against a large class of tampering attacks, simply by encoding the secret
state with a non-malleable code while it is stored in memory.'
article_number: '20'
article_processing_charge: No
article_type: original
author:
- first_name: Stefan
full_name: Dziembowski, Stefan
last_name: Dziembowski
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Daniel
full_name: Wichs, Daniel
last_name: Wichs
citation:
ama: Dziembowski S, Pietrzak KZ, Wichs D. Non-malleable codes. Journal of the
ACM. 2018;65(4). doi:10.1145/3178432
apa: Dziembowski, S., Pietrzak, K. Z., & Wichs, D. (2018). Non-malleable codes.
Journal of the ACM. ACM. https://doi.org/10.1145/3178432
chicago: Dziembowski, Stefan, Krzysztof Z Pietrzak, and Daniel Wichs. “Non-Malleable
Codes.” Journal of the ACM. ACM, 2018. https://doi.org/10.1145/3178432.
ieee: S. Dziembowski, K. Z. Pietrzak, and D. Wichs, “Non-malleable codes,” Journal
of the ACM, vol. 65, no. 4. ACM, 2018.
ista: Dziembowski S, Pietrzak KZ, Wichs D. 2018. Non-malleable codes. Journal of
the ACM. 65(4), 20.
mla: Dziembowski, Stefan, et al. “Non-Malleable Codes.” Journal of the ACM,
vol. 65, no. 4, 20, ACM, 2018, doi:10.1145/3178432.
short: S. Dziembowski, K.Z. Pietrzak, D. Wichs, Journal of the ACM 65 (2018).
date_created: 2018-12-11T11:44:40Z
date_published: 2018-08-01T00:00:00Z
date_updated: 2023-09-13T09:05:17Z
day: '01'
department:
- _id: KrPi
doi: 10.1145/3178432
ec_funded: 1
external_id:
isi:
- '000442938200004'
intvolume: ' 65'
isi: 1
issue: '4'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2009/608
month: '08'
oa: 1
oa_version: Preprint
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication: Journal of the ACM
publication_status: published
publisher: ACM
publist_id: '7947'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Non-malleable codes
type: journal_article
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 65
year: '2018'
...
---
_id: '193'
abstract:
- lang: eng
text: 'We show attacks on five data-independent memory-hard functions (iMHF) that
were submitted to the password hashing competition (PHC). Informally, an MHF is
a function which cannot be evaluated on dedicated hardware, like ASICs, at significantly
lower hardware and/or energy cost than evaluating a single instance on a standard
single-core architecture. Data-independent means the memory access pattern of
the function is independent of the input; this makes iMHFs harder to construct
than data-dependent ones, but the latter can be attacked by various side-channel
attacks. Following [Alwen-Blocki''16], we capture the evaluation of an iMHF as
a directed acyclic graph (DAG). The cumulative parallel pebbling complexity of
this DAG is a measure for the hardware cost of evaluating the iMHF on an ASIC.
Ideally, one would like the complexity of a DAG underlying an iMHF to be as close
to quadratic in the number of nodes of the graph as possible. Instead, we show
that (the DAGs underlying) the following iMHFs are far from this bound: Rig.v2,
TwoCats and Gambit each having an exponent no more than 1.75. Moreover, we show
that the complexity of the iMHF modes of the PHC finalists Pomelo and Lyra2 have
exponents at most 1.83 and 1.67 respectively. To show this we investigate a combinatorial
property of each underlying DAG (called its depth-robustness. By establishing
upper bounds on this property we are then able to apply the general technique
of [Alwen-Block''16] for analyzing the hardware costs of an iMHF.'
acknowledgement: Leonid Reyzin was supported in part by IST Austria and by US NSF
grants 1012910, 1012798, and 1422965; this research was performed while he was visiting
IST Austria.
article_processing_charge: No
author:
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Peter
full_name: Gazi, Peter
last_name: Gazi
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Georg F
full_name: Osang, Georg F
id: 464B40D6-F248-11E8-B48F-1D18A9856A87
last_name: Osang
orcid: 0000-0002-8882-5116
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Lenoid
full_name: Reyzin, Lenoid
last_name: Reyzin
- first_name: Michal
full_name: Rolinek, Michal
id: 3CB3BC06-F248-11E8-B48F-1D18A9856A87
last_name: Rolinek
- first_name: Michal
full_name: Rybar, Michal
id: 2B3E3DE8-F248-11E8-B48F-1D18A9856A87
last_name: Rybar
citation:
ama: 'Alwen JF, Gazi P, Kamath Hosdurg C, et al. On the memory hardness of data
independent password hashing functions. In: Proceedings of the 2018 on Asia
Conference on Computer and Communication Security. ACM; 2018:51-65. doi:10.1145/3196494.3196534'
apa: 'Alwen, J. F., Gazi, P., Kamath Hosdurg, C., Klein, K., Osang, G. F., Pietrzak,
K. Z., … Rybar, M. (2018). On the memory hardness of data independent password
hashing functions. In Proceedings of the 2018 on Asia Conference on Computer
and Communication Security (pp. 51–65). Incheon, Republic of Korea: ACM. https://doi.org/10.1145/3196494.3196534'
chicago: Alwen, Joel F, Peter Gazi, Chethan Kamath Hosdurg, Karen Klein, Georg F
Osang, Krzysztof Z Pietrzak, Lenoid Reyzin, Michal Rolinek, and Michal Rybar.
“On the Memory Hardness of Data Independent Password Hashing Functions.” In Proceedings
of the 2018 on Asia Conference on Computer and Communication Security, 51–65.
ACM, 2018. https://doi.org/10.1145/3196494.3196534.
ieee: J. F. Alwen et al., “On the memory hardness of data independent password
hashing functions,” in Proceedings of the 2018 on Asia Conference on Computer
and Communication Security, Incheon, Republic of Korea, 2018, pp. 51–65.
ista: 'Alwen JF, Gazi P, Kamath Hosdurg C, Klein K, Osang GF, Pietrzak KZ, Reyzin
L, Rolinek M, Rybar M. 2018. On the memory hardness of data independent password
hashing functions. Proceedings of the 2018 on Asia Conference on Computer and
Communication Security. ASIACCS: Asia Conference on Computer and Communications
Security , 51–65.'
mla: Alwen, Joel F., et al. “On the Memory Hardness of Data Independent Password
Hashing Functions.” Proceedings of the 2018 on Asia Conference on Computer
and Communication Security, ACM, 2018, pp. 51–65, doi:10.1145/3196494.3196534.
short: J.F. Alwen, P. Gazi, C. Kamath Hosdurg, K. Klein, G.F. Osang, K.Z. Pietrzak,
L. Reyzin, M. Rolinek, M. Rybar, in:, Proceedings of the 2018 on Asia Conference
on Computer and Communication Security, ACM, 2018, pp. 51–65.
conference:
end_date: 2018-06-08
location: Incheon, Republic of Korea
name: 'ASIACCS: Asia Conference on Computer and Communications Security '
start_date: 2018-06-04
date_created: 2018-12-11T11:45:07Z
date_published: 2018-06-01T00:00:00Z
date_updated: 2023-09-13T09:13:12Z
day: '01'
department:
- _id: KrPi
- _id: HeEd
- _id: VlKo
doi: 10.1145/3196494.3196534
ec_funded: 1
external_id:
isi:
- '000516620100005'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/783
month: '06'
oa: 1
oa_version: Submitted Version
page: 51 - 65
project:
- _id: 25FBA906-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '616160'
name: 'Discrete Optimization in Computer Vision: Theory and Practice'
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Proceedings of the 2018 on Asia Conference on Computer and Communication
Security
publication_status: published
publisher: ACM
publist_id: '7723'
quality_controlled: '1'
scopus_import: '1'
status: public
title: On the memory hardness of data independent password hashing functions
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
year: '2018'
...
---
_id: '300'
abstract:
- lang: eng
text: We introduce a formal quantitative notion of “bit security” for a general
type of cryptographic games (capturing both decision and search problems), aimed
at capturing the intuition that a cryptographic primitive with k-bit security
is as hard to break as an ideal cryptographic function requiring a brute force
attack on a k-bit key space. Our new definition matches the notion of bit security
commonly used by cryptographers and cryptanalysts when studying search (e.g.,
key recovery) problems, where the use of the traditional definition is well established.
However, it produces a quantitatively different metric in the case of decision
(indistinguishability) problems, where the use of (a straightforward generalization
of) the traditional definition is more problematic and leads to a number of paradoxical
situations or mismatches between theoretical/provable security and practical/common
sense intuition. Key to our new definition is to consider adversaries that may
explicitly declare failure of the attack. We support and justify the new definition
by proving a number of technical results, including tight reductions between several
standard cryptographic problems, a new hybrid theorem that preserves bit security,
and an application to the security analysis of indistinguishability primitives
making use of (approximate) floating point numbers. This is the first result showing
that (standard precision) 53-bit floating point numbers can be used to achieve
100-bit security in the context of cryptographic primitives with general indistinguishability-based
security definitions. Previous results of this type applied only to search problems,
or special types of decision problems.
acknowledgement: Research supported in part by the Defense Advanced Research Projects
Agency (DARPA) and the U.S. Army Research Office under the SafeWare program. Opinions,
findings and conclusions or recommendations expressed in this material are those
of the author(s) and do not necessarily reflect the views, position or policy of
the Government. The second author was also supported by the European Research Council,
ERC consolidator grant (682815 - TOCNeT).
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Daniele
full_name: Micciancio, Daniele
last_name: Micciancio
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
citation:
ama: 'Micciancio D, Walter M. On the bit security of cryptographic primitives. In:
Vol 10820. Springer; 2018:3-28. doi:10.1007/978-3-319-78381-9_1'
apa: 'Micciancio, D., & Walter, M. (2018). On the bit security of cryptographic
primitives (Vol. 10820, pp. 3–28). Presented at the Eurocrypt: Advances in Cryptology,
Tel Aviv, Israel: Springer. https://doi.org/10.1007/978-3-319-78381-9_1'
chicago: Micciancio, Daniele, and Michael Walter. “On the Bit Security of Cryptographic
Primitives,” 10820:3–28. Springer, 2018. https://doi.org/10.1007/978-3-319-78381-9_1.
ieee: 'D. Micciancio and M. Walter, “On the bit security of cryptographic primitives,”
presented at the Eurocrypt: Advances in Cryptology, Tel Aviv, Israel, 2018, vol.
10820, pp. 3–28.'
ista: 'Micciancio D, Walter M. 2018. On the bit security of cryptographic primitives.
Eurocrypt: Advances in Cryptology, LNCS, vol. 10820, 3–28.'
mla: Micciancio, Daniele, and Michael Walter. On the Bit Security of Cryptographic
Primitives. Vol. 10820, Springer, 2018, pp. 3–28, doi:10.1007/978-3-319-78381-9_1.
short: D. Micciancio, M. Walter, in:, Springer, 2018, pp. 3–28.
conference:
end_date: 2018-05-03
location: Tel Aviv, Israel
name: 'Eurocrypt: Advances in Cryptology'
start_date: 2018-04-29
date_created: 2018-12-11T11:45:42Z
date_published: 2018-03-31T00:00:00Z
date_updated: 2023-09-13T09:12:04Z
day: '31'
department:
- _id: KrPi
doi: 10.1007/978-3-319-78381-9_1
ec_funded: 1
external_id:
isi:
- '000517097500001'
intvolume: ' 10820'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2018/077
month: '03'
oa: 1
oa_version: Submitted Version
page: 3 - 28
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_status: published
publisher: Springer
publist_id: '7581'
quality_controlled: '1'
scopus_import: '1'
status: public
title: On the bit security of cryptographic primitives
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 10820
year: '2018'
...
---
_id: '302'
abstract:
- lang: eng
text: At ITCS 2013, Mahmoody, Moran and Vadhan [MMV13] introduce and construct publicly
verifiable proofs of sequential work, which is a protocol for proving that one
spent sequential computational work related to some statement. The original motivation
for such proofs included non-interactive time-stamping and universally verifiable
CPU benchmarks. A more recent application, and our main motivation, are blockchain
designs, where proofs of sequential work can be used – in combination with proofs
of space – as a more ecological and economical substitute for proofs of work which
are currently used to secure Bitcoin and other cryptocurrencies. The construction
proposed by [MMV13] is based on a hash function and can be proven secure in the
random oracle model, or assuming inherently sequential hash-functions, which is
a new standard model assumption introduced in their work. In a proof of sequential
work, a prover gets a “statement” χ, a time parameter N and access to a hash-function
H, which for the security proof is modelled as a random oracle. Correctness requires
that an honest prover can make a verifier accept making only N queries to H, while
soundness requires that any prover who makes the verifier accept must have made
(almost) N sequential queries to H. Thus a solution constitutes a proof that N
time passed since χ was received. Solutions must be publicly verifiable in time
at most polylogarithmic in N. The construction of [MMV13] is based on “depth-robust”
graphs, and as a consequence has rather poor concrete parameters. But the major
drawback is that the prover needs not just N time, but also N space to compute
a proof. In this work we propose a proof of sequential work which is much simpler,
more efficient and achieves much better concrete bounds. Most importantly, the
space required can be as small as log (N) (but we get better soundness using slightly
more memory than that). An open problem stated by [MMV13] that our construction
does not solve either is achieving a “unique” proof, where even a cheating prover
can only generate a single accepting proof. This property would be extremely useful
for applications to blockchains.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Bram
full_name: Cohen, Bram
last_name: Cohen
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Cohen B, Pietrzak KZ. Simple proofs of sequential work. In: Vol 10821. Springer;
2018:451-467. doi:10.1007/978-3-319-78375-8_15'
apa: 'Cohen, B., & Pietrzak, K. Z. (2018). Simple proofs of sequential work
(Vol. 10821, pp. 451–467). Presented at the Eurocrypt: Advances in Cryptology,
Tel Aviv, Israel: Springer. https://doi.org/10.1007/978-3-319-78375-8_15'
chicago: Cohen, Bram, and Krzysztof Z Pietrzak. “Simple Proofs of Sequential Work,”
10821:451–67. Springer, 2018. https://doi.org/10.1007/978-3-319-78375-8_15.
ieee: 'B. Cohen and K. Z. Pietrzak, “Simple proofs of sequential work,” presented
at the Eurocrypt: Advances in Cryptology, Tel Aviv, Israel, 2018, vol. 10821,
pp. 451–467.'
ista: 'Cohen B, Pietrzak KZ. 2018. Simple proofs of sequential work. Eurocrypt:
Advances in Cryptology, LNCS, vol. 10821, 451–467.'
mla: Cohen, Bram, and Krzysztof Z. Pietrzak. Simple Proofs of Sequential Work.
Vol. 10821, Springer, 2018, pp. 451–67, doi:10.1007/978-3-319-78375-8_15.
short: B. Cohen, K.Z. Pietrzak, in:, Springer, 2018, pp. 451–467.
conference:
end_date: 2018-05-03
location: Tel Aviv, Israel
name: 'Eurocrypt: Advances in Cryptology'
start_date: 2018-04-29
date_created: 2018-12-11T11:45:42Z
date_published: 2018-05-29T00:00:00Z
date_updated: 2023-09-18T09:29:33Z
day: '29'
department:
- _id: KrPi
doi: 10.1007/978-3-319-78375-8_15
ec_funded: 1
external_id:
isi:
- '000517098700015'
intvolume: ' 10821'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2018/183.pdf
month: '05'
oa: 1
oa_version: Submitted Version
page: 451 - 467
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_status: published
publisher: Springer
publist_id: '7579'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Simple proofs of sequential work
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 10821
year: '2018'
...
---
_id: '298'
abstract:
- lang: eng
text: "Memory-hard functions (MHF) are functions whose evaluation cost is dominated
by memory cost. MHFs are egalitarian, in the sense that evaluating them on dedicated
hardware (like FPGAs or ASICs) is not much cheaper than on off-the-shelf hardware
(like x86 CPUs). MHFs have interesting cryptographic applications, most notably
to password hashing and securing blockchains.\r\n\r\nAlwen and Serbinenko [STOC’15]
define the cumulative memory complexity (cmc) of a function as the sum (over all
time-steps) of the amount of memory required to compute the function. They advocate
that a good MHF must have high cmc. Unlike previous notions, cmc takes into account
that dedicated hardware might exploit amortization and parallelism. Still, cmc
has been critizised as insufficient, as it fails to capture possible time-memory
trade-offs; as memory cost doesn’t scale linearly, functions with the same cmc
could still have very different actual hardware cost.\r\n\r\nIn this work we address
this problem, and introduce the notion of sustained-memory complexity, which requires
that any algorithm evaluating the function must use a large amount of memory for
many steps. We construct functions (in the parallel random oracle model) whose
sustained-memory complexity is almost optimal: our function can be evaluated using
n steps and O(n/log(n)) memory, in each step making one query to the (fixed-input
length) random oracle, while any algorithm that can make arbitrary many parallel
queries to the random oracle, still needs Ω(n/log(n)) memory for Ω(n) steps.\r\n\r\nAs
has been done for various notions (including cmc) before, we reduce the task of
constructing an MHFs with high sustained-memory complexity to proving pebbling
lower bounds on DAGs. Our main technical contribution is the construction is a
family of DAGs on n nodes with constant indegree with high “sustained-space complexity”,
meaning that any parallel black-pebbling strategy requires Ω(n/log(n)) pebbles
for at least Ω(n) steps.\r\n\r\nAlong the way we construct a family of maximally
“depth-robust” DAGs with maximum indegree O(logn) , improving upon the construction
of Mahmoody et al. [ITCS’13] which had maximum indegree O(log2n⋅"
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Jeremiah
full_name: Blocki, Jeremiah
last_name: Blocki
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Alwen JF, Blocki J, Pietrzak KZ. Sustained space complexity. In: Vol 10821.
Springer; 2018:99-130. doi:10.1007/978-3-319-78375-8_4'
apa: 'Alwen, J. F., Blocki, J., & Pietrzak, K. Z. (2018). Sustained space complexity
(Vol. 10821, pp. 99–130). Presented at the Eurocrypt 2018: Advances in Cryptology,
Tel Aviv, Israel: Springer. https://doi.org/10.1007/978-3-319-78375-8_4'
chicago: Alwen, Joel F, Jeremiah Blocki, and Krzysztof Z Pietrzak. “Sustained Space
Complexity,” 10821:99–130. Springer, 2018. https://doi.org/10.1007/978-3-319-78375-8_4.
ieee: 'J. F. Alwen, J. Blocki, and K. Z. Pietrzak, “Sustained space complexity,”
presented at the Eurocrypt 2018: Advances in Cryptology, Tel Aviv, Israel, 2018,
vol. 10821, pp. 99–130.'
ista: 'Alwen JF, Blocki J, Pietrzak KZ. 2018. Sustained space complexity. Eurocrypt
2018: Advances in Cryptology, LNCS, vol. 10821, 99–130.'
mla: Alwen, Joel F., et al. Sustained Space Complexity. Vol. 10821, Springer,
2018, pp. 99–130, doi:10.1007/978-3-319-78375-8_4.
short: J.F. Alwen, J. Blocki, K.Z. Pietrzak, in:, Springer, 2018, pp. 99–130.
conference:
end_date: 2018-05-03
location: Tel Aviv, Israel
name: 'Eurocrypt 2018: Advances in Cryptology'
start_date: 2018-04-29
date_created: 2018-12-11T11:45:41Z
date_published: 2018-03-31T00:00:00Z
date_updated: 2023-09-19T09:59:30Z
day: '31'
department:
- _id: KrPi
doi: 10.1007/978-3-319-78375-8_4
ec_funded: 1
external_id:
arxiv:
- '1705.05313'
isi:
- '000517098700004'
intvolume: ' 10821'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://arxiv.org/abs/1705.05313
month: '03'
oa: 1
oa_version: Preprint
page: 99 - 130
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_status: published
publisher: Springer
publist_id: '7583'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Sustained space complexity
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 10821
year: '2018'
...
---
_id: '5980'
abstract:
- lang: eng
text: The problem of private set-intersection (PSI) has been traditionally treated
as an instance of the more general problem of multi-party computation (MPC). Consequently,
in order to argue security, or compose these protocols one has to rely on the
general theory that was developed for the purpose of MPC. The pursuit of efficient
protocols, however, has resulted in designs that exploit properties pertaining
to PSI. In almost all practical applications where a PSI protocol is deployed,
it is expected to be executed multiple times, possibly on related inputs. In this
work we initiate a dedicated study of PSI in the multi-interaction (MI) setting.
In this model a server sets up the common system parameters and executes set-intersection
multiple times with potentially different clients. We discuss a few attacks that
arise when protocols are naïvely composed in this manner and, accordingly, craft
security definitions for the MI setting and study their inter-relation. Finally,
we suggest a set of protocols that are MI-secure, at the same time almost as efficient
as their parent, stand-alone, protocols.
article_processing_charge: No
author:
- first_name: Sanjit
full_name: Chatterjee, Sanjit
last_name: Chatterjee
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Vikas
full_name: Kumar, Vikas
last_name: Kumar
citation:
ama: Chatterjee S, Kamath Hosdurg C, Kumar V. Private set-intersection with common
set-up. American Institute of Mathematical Sciences. 2018;12(1):17-47.
doi:10.3934/amc.2018002
apa: Chatterjee, S., Kamath Hosdurg, C., & Kumar, V. (2018). Private set-intersection
with common set-up. American Institute of Mathematical Sciences. AIMS.
https://doi.org/10.3934/amc.2018002
chicago: Chatterjee, Sanjit, Chethan Kamath Hosdurg, and Vikas Kumar. “Private Set-Intersection
with Common Set-Up.” American Institute of Mathematical Sciences. AIMS,
2018. https://doi.org/10.3934/amc.2018002.
ieee: S. Chatterjee, C. Kamath Hosdurg, and V. Kumar, “Private set-intersection
with common set-up,” American Institute of Mathematical Sciences, vol.
12, no. 1. AIMS, pp. 17–47, 2018.
ista: Chatterjee S, Kamath Hosdurg C, Kumar V. 2018. Private set-intersection with
common set-up. American Institute of Mathematical Sciences. 12(1), 17–47.
mla: Chatterjee, Sanjit, et al. “Private Set-Intersection with Common Set-Up.” American
Institute of Mathematical Sciences, vol. 12, no. 1, AIMS, 2018, pp. 17–47,
doi:10.3934/amc.2018002.
short: S. Chatterjee, C. Kamath Hosdurg, V. Kumar, American Institute of Mathematical
Sciences 12 (2018) 17–47.
date_created: 2019-02-13T13:49:41Z
date_published: 2018-02-01T00:00:00Z
date_updated: 2023-09-19T14:27:59Z
day: '01'
department:
- _id: KrPi
doi: 10.3934/amc.2018002
external_id:
isi:
- '000430950400002'
intvolume: ' 12'
isi: 1
issue: '1'
language:
- iso: eng
month: '02'
oa_version: None
page: 17-47
publication: American Institute of Mathematical Sciences
publication_status: published
publisher: AIMS
quality_controlled: '1'
scopus_import: '1'
status: public
title: Private set-intersection with common set-up
type: journal_article
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 12
year: '2018'
...
---
_id: '6941'
abstract:
- lang: eng
text: "Bitcoin has become the most successful cryptocurrency ever deployed, and
its most distinctive feature is that it is decentralized. Its underlying protocol
(Nakamoto consensus) achieves this by using proof of work, which has the drawback
that it causes the consumption of vast amounts of energy to maintain the ledger.
Moreover, Bitcoin mining dynamics have become less distributed over time.\r\n\r\nTowards
addressing these issues, we propose SpaceMint, a cryptocurrency based on proofs
of space instead of proofs of work. Miners in SpaceMint dedicate disk space rather
than computation. We argue that SpaceMint’s design solves or alleviates several
of Bitcoin’s issues: most notably, its large energy consumption. SpaceMint also
rewards smaller miners fairly according to their contribution to the network,
thus incentivizing more distributed participation.\r\n\r\nThis paper adapts proof
of space to enable its use in cryptocurrency, studies the attacks that can arise
against a Bitcoin-like blockchain that uses proof of space, and proposes a new
blockchain format and transaction types to address these attacks. Our prototype
shows that initializing 1 TB for mining takes about a day (a one-off setup cost),
and miners spend on average just a fraction of a second per block mined. Finally,
we provide a game-theoretic analysis modeling SpaceMint as an extensive game (the
canonical game-theoretic notion for games that take place over time) and show
that this stylized game satisfies a strong equilibrium notion, thereby arguing
for SpaceMint ’s stability and consensus."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Sunoo
full_name: Park, Sunoo
last_name: Park
- first_name: Albert
full_name: Kwon, Albert
last_name: Kwon
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: Peter
full_name: Gazi, Peter
id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
last_name: Gazi
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Park S, Kwon A, Fuchsbauer G, Gazi P, Alwen JF, Pietrzak KZ. SpaceMint: A
cryptocurrency based on proofs of space. In: 22nd International Conference
on Financial Cryptography and Data Security. Vol 10957. Springer Nature; 2018:480-499.
doi:10.1007/978-3-662-58387-6_26'
apa: 'Park, S., Kwon, A., Fuchsbauer, G., Gazi, P., Alwen, J. F., & Pietrzak,
K. Z. (2018). SpaceMint: A cryptocurrency based on proofs of space. In 22nd
International Conference on Financial Cryptography and Data Security (Vol.
10957, pp. 480–499). Nieuwpoort, Curacao: Springer Nature. https://doi.org/10.1007/978-3-662-58387-6_26'
chicago: 'Park, Sunoo, Albert Kwon, Georg Fuchsbauer, Peter Gazi, Joel F Alwen,
and Krzysztof Z Pietrzak. “SpaceMint: A Cryptocurrency Based on Proofs of Space.”
In 22nd International Conference on Financial Cryptography and Data Security,
10957:480–99. Springer Nature, 2018. https://doi.org/10.1007/978-3-662-58387-6_26.'
ieee: 'S. Park, A. Kwon, G. Fuchsbauer, P. Gazi, J. F. Alwen, and K. Z. Pietrzak,
“SpaceMint: A cryptocurrency based on proofs of space,” in 22nd International
Conference on Financial Cryptography and Data Security, Nieuwpoort, Curacao,
2018, vol. 10957, pp. 480–499.'
ista: 'Park S, Kwon A, Fuchsbauer G, Gazi P, Alwen JF, Pietrzak KZ. 2018. SpaceMint:
A cryptocurrency based on proofs of space. 22nd International Conference on Financial
Cryptography and Data Security. FC: Financial Cryptography and Data Security,
LNCS, vol. 10957, 480–499.'
mla: 'Park, Sunoo, et al. “SpaceMint: A Cryptocurrency Based on Proofs of Space.”
22nd International Conference on Financial Cryptography and Data Security,
vol. 10957, Springer Nature, 2018, pp. 480–99, doi:10.1007/978-3-662-58387-6_26.'
short: S. Park, A. Kwon, G. Fuchsbauer, P. Gazi, J.F. Alwen, K.Z. Pietrzak, in:,
22nd International Conference on Financial Cryptography and Data Security, Springer
Nature, 2018, pp. 480–499.
conference:
end_date: 2018-03-02
location: Nieuwpoort, Curacao
name: 'FC: Financial Cryptography and Data Security'
start_date: 2018-02-26
date_created: 2019-10-14T06:35:38Z
date_published: 2018-12-07T00:00:00Z
date_updated: 2023-09-19T15:02:13Z
day: '07'
department:
- _id: KrPi
doi: 10.1007/978-3-662-58387-6_26
ec_funded: 1
external_id:
isi:
- '000540656400026'
intvolume: ' 10957'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2015/528
month: '12'
oa: 1
oa_version: Submitted Version
page: 480-499
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: 22nd International Conference on Financial Cryptography and Data Security
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783662583869'
- '9783662583876'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'SpaceMint: A cryptocurrency based on proofs of space'
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 10957
year: '2018'
...
---
_id: '1175'
abstract:
- lang: eng
text: We study space complexity and time-space trade-offs with a focus not on peak
memory usage but on overall memory consumption throughout the computation. Such
a cumulative space measure was introduced for the computational model of parallel
black pebbling by [Alwen and Serbinenko ’15] as a tool for obtaining results in
cryptography. We consider instead the non- deterministic black-white pebble game
and prove optimal cumulative space lower bounds and trade-offs, where in order
to minimize pebbling time the space has to remain large during a significant fraction
of the pebbling. We also initiate the study of cumulative space in proof complexity,
an area where other space complexity measures have been extensively studied during
the last 10–15 years. Using and extending the connection between proof complexity
and pebble games in [Ben-Sasson and Nordström ’08, ’11] we obtain several strong
cumulative space results for (even parallel versions of) the resolution proof
system, and outline some possible future directions of study of this, in our opinion,
natural and interesting space measure.
alternative_title:
- LIPIcs
author:
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Susanna
full_name: De Rezende, Susanna
last_name: De Rezende
- first_name: Jakob
full_name: Nordstrom, Jakob
last_name: Nordstrom
- first_name: Marc
full_name: Vinyals, Marc
last_name: Vinyals
citation:
ama: 'Alwen JF, De Rezende S, Nordstrom J, Vinyals M. Cumulative space in black-white
pebbling and resolution. In: Papadimitriou C, ed. Vol 67. Schloss Dagstuhl - Leibniz-Zentrum
für Informatik; 2017:38:1-38-21. doi:10.4230/LIPIcs.ITCS.2017.38'
apa: 'Alwen, J. F., De Rezende, S., Nordstrom, J., & Vinyals, M. (2017). Cumulative
space in black-white pebbling and resolution. In C. Papadimitriou (Ed.) (Vol.
67, p. 38:1-38-21). Presented at the ITCS: Innovations in Theoretical Computer
Science, Berkeley, CA, United States: Schloss Dagstuhl - Leibniz-Zentrum für Informatik.
https://doi.org/10.4230/LIPIcs.ITCS.2017.38'
chicago: Alwen, Joel F, Susanna De Rezende, Jakob Nordstrom, and Marc Vinyals. “Cumulative
Space in Black-White Pebbling and Resolution.” edited by Christos Papadimitriou,
67:38:1-38-21. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017. https://doi.org/10.4230/LIPIcs.ITCS.2017.38.
ieee: 'J. F. Alwen, S. De Rezende, J. Nordstrom, and M. Vinyals, “Cumulative space
in black-white pebbling and resolution,” presented at the ITCS: Innovations in
Theoretical Computer Science, Berkeley, CA, United States, 2017, vol. 67, p. 38:1-38-21.'
ista: 'Alwen JF, De Rezende S, Nordstrom J, Vinyals M. 2017. Cumulative space in
black-white pebbling and resolution. ITCS: Innovations in Theoretical Computer
Science, LIPIcs, vol. 67, 38:1-38-21.'
mla: Alwen, Joel F., et al. Cumulative Space in Black-White Pebbling and Resolution.
Edited by Christos Papadimitriou, vol. 67, Schloss Dagstuhl - Leibniz-Zentrum
für Informatik, 2017, p. 38:1-38-21, doi:10.4230/LIPIcs.ITCS.2017.38.
short: J.F. Alwen, S. De Rezende, J. Nordstrom, M. Vinyals, in:, C. Papadimitriou
(Ed.), Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, p. 38:1-38-21.
conference:
end_date: 2017-01-11
location: Berkeley, CA, United States
name: 'ITCS: Innovations in Theoretical Computer Science'
start_date: 2017-01-09
date_created: 2018-12-11T11:50:33Z
date_published: 2017-01-01T00:00:00Z
date_updated: 2021-01-12T06:48:51Z
day: '01'
ddc:
- '005'
- '600'
department:
- _id: KrPi
doi: 10.4230/LIPIcs.ITCS.2017.38
editor:
- first_name: Christos
full_name: Papadimitriou, Christos
last_name: Papadimitriou
file:
- access_level: open_access
checksum: dbc94810be07c2fb1945d5c2a6130e6c
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:17:11Z
date_updated: 2020-07-14T12:44:37Z
file_id: '5263'
file_name: IST-2018-927-v1+1_LIPIcs-ITCS-2017-38.pdf
file_size: 557769
relation: main_file
file_date_updated: 2020-07-14T12:44:37Z
has_accepted_license: '1'
intvolume: ' 67'
language:
- iso: eng
month: '01'
oa: 1
oa_version: Published Version
page: 38:1-38-21
publication_identifier:
issn:
- '18688969'
publication_status: published
publisher: Schloss Dagstuhl - Leibniz-Zentrum für Informatik
publist_id: '6179'
pubrep_id: '927'
quality_controlled: '1'
scopus_import: 1
status: public
title: Cumulative space in black-white pebbling and resolution
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 67
year: '2017'
...
---
_id: '605'
abstract:
- lang: eng
text: 'Position based cryptography (PBC), proposed in the seminal work of Chandran,
Goyal, Moriarty, and Ostrovsky (SIAM J. Computing, 2014), aims at constructing
cryptographic schemes in which the identity of the user is his geographic position.
Chandran et al. construct PBC schemes for secure positioning and position-based
key agreement in the bounded-storage model (Maurer, J. Cryptology, 1992). Apart
from bounded memory, their security proofs need a strong additional restriction
on the power of the adversary: he cannot compute joint functions of his inputs.
Removing this assumption is left as an open problem. We show that an answer to
this question would resolve a long standing open problem in multiparty communication
complexity: finding a function that is hard to compute with low communication
complexity in the simultaneous message model, but easy to compute in the fully
adaptive model. On a more positive side: we also show some implications in the
other direction, i.e.: we prove that lower bounds on the communication complexity
of certain multiparty problems imply existence of PBC primitives. Using this result
we then show two attractive ways to “bypass” our hardness result: the first uses
the random oracle model, the second weakens the locality requirement in the bounded-storage
model to online computability. The random oracle construction is arguably one
of the simplest proposed so far in this area. Our results indicate that constructing
improved provably secure protocols for PBC requires a better understanding of
multiparty communication complexity. This is yet another example where negative
results in one area (in our case: lower bounds in multiparty communication complexity)
can be used to construct secure cryptographic schemes.'
alternative_title:
- LNCS
author:
- first_name: Joshua
full_name: Brody, Joshua
last_name: Brody
- first_name: Stefan
full_name: Dziembowski, Stefan
last_name: Dziembowski
- first_name: Sebastian
full_name: Faust, Sebastian
last_name: Faust
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Brody J, Dziembowski S, Faust S, Pietrzak KZ. Position based cryptography
and multiparty communication complexity. In: Kalai Y, Reyzin L, eds. Vol 10677.
Springer; 2017:56-81. doi:10.1007/978-3-319-70500-2_3'
apa: 'Brody, J., Dziembowski, S., Faust, S., & Pietrzak, K. Z. (2017). Position
based cryptography and multiparty communication complexity. In Y. Kalai &
L. Reyzin (Eds.) (Vol. 10677, pp. 56–81). Presented at the TCC: Theory of Cryptography
Conference, Baltimore, MD, United States: Springer. https://doi.org/10.1007/978-3-319-70500-2_3'
chicago: Brody, Joshua, Stefan Dziembowski, Sebastian Faust, and Krzysztof Z Pietrzak.
“Position Based Cryptography and Multiparty Communication Complexity.” edited
by Yael Kalai and Leonid Reyzin, 10677:56–81. Springer, 2017. https://doi.org/10.1007/978-3-319-70500-2_3.
ieee: 'J. Brody, S. Dziembowski, S. Faust, and K. Z. Pietrzak, “Position based cryptography
and multiparty communication complexity,” presented at the TCC: Theory of Cryptography
Conference, Baltimore, MD, United States, 2017, vol. 10677, pp. 56–81.'
ista: 'Brody J, Dziembowski S, Faust S, Pietrzak KZ. 2017. Position based cryptography
and multiparty communication complexity. TCC: Theory of Cryptography Conference,
LNCS, vol. 10677, 56–81.'
mla: Brody, Joshua, et al. Position Based Cryptography and Multiparty Communication
Complexity. Edited by Yael Kalai and Leonid Reyzin, vol. 10677, Springer,
2017, pp. 56–81, doi:10.1007/978-3-319-70500-2_3.
short: J. Brody, S. Dziembowski, S. Faust, K.Z. Pietrzak, in:, Y. Kalai, L. Reyzin
(Eds.), Springer, 2017, pp. 56–81.
conference:
end_date: 2017-11-15
location: Baltimore, MD, United States
name: 'TCC: Theory of Cryptography Conference'
start_date: 2017-11-12
date_created: 2018-12-11T11:47:27Z
date_published: 2017-11-05T00:00:00Z
date_updated: 2021-01-12T08:05:53Z
day: '05'
department:
- _id: KrPi
doi: 10.1007/978-3-319-70500-2_3
ec_funded: 1
editor:
- first_name: Yael
full_name: Kalai, Yael
last_name: Kalai
- first_name: Leonid
full_name: Reyzin, Leonid
last_name: Reyzin
intvolume: ' 10677'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/536
month: '11'
oa: 1
oa_version: Submitted Version
page: 56 - 81
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
isbn:
- 978-331970499-9
publication_status: published
publisher: Springer
publist_id: '7200'
quality_controlled: '1'
scopus_import: 1
status: public
title: Position based cryptography and multiparty communication complexity
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 10677
year: '2017'
...
---
_id: '609'
abstract:
- lang: eng
text: Several cryptographic schemes and applications are based on functions that
are both reasonably efficient to compute and moderately hard to invert, including
client puzzles for Denial-of-Service protection, password protection via salted
hashes, or recent proof-of-work blockchain systems. Despite their wide use, a
definition of this concept has not yet been distilled and formalized explicitly.
Instead, either the applications are proven directly based on the assumptions
underlying the function, or some property of the function is proven, but the security
of the application is argued only informally. The goal of this work is to provide
a (universal) definition that decouples the efforts of designing new moderately
hard functions and of building protocols based on them, serving as an interface
between the two. On a technical level, beyond the mentioned definitions, we instantiate
the model for four different notions of hardness. We extend the work of Alwen
and Serbinenko (STOC 2015) by providing a general tool for proving security for
the first notion of memory-hard functions that allows for provably secure applications.
The tool allows us to recover all of the graph-theoretic techniques developed
for proving security under the older, non-composable, notion of security used
by Alwen and Serbinenko. As an application of our definition of moderately hard
functions, we prove the security of two different schemes for proofs of effort
(PoE). We also formalize and instantiate the concept of a non-interactive proof
of effort (niPoE), in which the proof is not bound to a particular communication
context but rather any bit-string chosen by the prover.
alternative_title:
- LNCS
author:
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Björn
full_name: Tackmann, Björn
last_name: Tackmann
citation:
ama: 'Alwen JF, Tackmann B. Moderately hard functions: Definition, instantiations,
and applications. In: Kalai Y, Reyzin L, eds. Vol 10677. Springer; 2017:493-526.
doi:10.1007/978-3-319-70500-2_17'
apa: 'Alwen, J. F., & Tackmann, B. (2017). Moderately hard functions: Definition,
instantiations, and applications. In Y. Kalai & L. Reyzin (Eds.) (Vol. 10677,
pp. 493–526). Presented at the TCC: Theory of Cryptography, Baltimore, MD, United
States: Springer. https://doi.org/10.1007/978-3-319-70500-2_17'
chicago: 'Alwen, Joel F, and Björn Tackmann. “Moderately Hard Functions: Definition,
Instantiations, and Applications.” edited by Yael Kalai and Leonid Reyzin, 10677:493–526.
Springer, 2017. https://doi.org/10.1007/978-3-319-70500-2_17.'
ieee: 'J. F. Alwen and B. Tackmann, “Moderately hard functions: Definition, instantiations,
and applications,” presented at the TCC: Theory of Cryptography, Baltimore, MD,
United States, 2017, vol. 10677, pp. 493–526.'
ista: 'Alwen JF, Tackmann B. 2017. Moderately hard functions: Definition, instantiations,
and applications. TCC: Theory of Cryptography, LNCS, vol. 10677, 493–526.'
mla: 'Alwen, Joel F., and Björn Tackmann. Moderately Hard Functions: Definition,
Instantiations, and Applications. Edited by Yael Kalai and Leonid Reyzin,
vol. 10677, Springer, 2017, pp. 493–526, doi:10.1007/978-3-319-70500-2_17.'
short: J.F. Alwen, B. Tackmann, in:, Y. Kalai, L. Reyzin (Eds.), Springer, 2017,
pp. 493–526.
conference:
end_date: 2017-11-15
location: Baltimore, MD, United States
name: 'TCC: Theory of Cryptography'
start_date: 2017-11-12
date_created: 2018-12-11T11:47:28Z
date_published: 2017-11-05T00:00:00Z
date_updated: 2021-01-12T08:06:04Z
day: '05'
department:
- _id: KrPi
doi: 10.1007/978-3-319-70500-2_17
editor:
- first_name: Yael
full_name: Kalai, Yael
last_name: Kalai
- first_name: Leonid
full_name: Reyzin, Leonid
last_name: Reyzin
intvolume: ' 10677'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2017/945
month: '11'
oa: 1
oa_version: Submitted Version
page: 493 - 526
publication_identifier:
isbn:
- 978-331970499-9
publication_status: published
publisher: Springer
publist_id: '7196'
quality_controlled: '1'
scopus_import: 1
status: public
title: 'Moderately hard functions: Definition, instantiations, and applications'
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 10677
year: '2017'
...
---
_id: '635'
abstract:
- lang: eng
text: Memory-hard functions (MHFs) are hash algorithms whose evaluation cost is
dominated by memory cost. As memory, unlike computation, costs about the same
across different platforms, MHFs cannot be evaluated at significantly lower cost
on dedicated hardware like ASICs. MHFs have found widespread applications including
password hashing, key derivation, and proofs-of-work. This paper focuses on scrypt,
a simple candidate MHF designed by Percival, and described in RFC 7914. It has
been used within a number of cryptocurrencies (e.g., Litecoin and Dogecoin) and
has been an inspiration for Argon2d, one of the winners of the recent password-hashing
competition. Despite its popularity, no rigorous lower bounds on its memory complexity
are known. We prove that scrypt is optimally memory-hard, i.e., its cumulative
memory complexity (cmc) in the parallel random oracle model is Ω(n2w), where w
and n are the output length and number of invocations of the underlying hash function,
respectively. High cmc is a strong security target for MHFs introduced by Alwen
and Serbinenko (STOC’15) which implies high memory cost even for adversaries who
can amortize the cost over many evaluations and evaluate the underlying hash functions
many times in parallel. Our proof is the first showing optimal memory-hardness
for any MHF. Our result improves both quantitatively and qualitatively upon the
recent work by Alwen et al. (EUROCRYPT’16) who proved a weaker lower bound of
Ω(n2w/ log2 n) for a restricted class of adversaries.
alternative_title:
- LNCS
author:
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Binchi
full_name: Chen, Binchi
last_name: Chen
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Leonid
full_name: Reyzin, Leonid
last_name: Reyzin
- first_name: Stefano
full_name: Tessaro, Stefano
last_name: Tessaro
citation:
ama: 'Alwen JF, Chen B, Pietrzak KZ, Reyzin L, Tessaro S. Scrypt is maximally memory
hard. In: Coron J-S, Buus Nielsen J, eds. Vol 10212. Springer; 2017:33-62. doi:10.1007/978-3-319-56617-7_2'
apa: 'Alwen, J. F., Chen, B., Pietrzak, K. Z., Reyzin, L., & Tessaro, S. (2017).
Scrypt is maximally memory hard. In J.-S. Coron & J. Buus Nielsen (Eds.) (Vol.
10212, pp. 33–62). Presented at the EUROCRYPT: Theory and Applications of Cryptographic
Techniques, Paris, France: Springer. https://doi.org/10.1007/978-3-319-56617-7_2'
chicago: Alwen, Joel F, Binchi Chen, Krzysztof Z Pietrzak, Leonid Reyzin, and Stefano
Tessaro. “Scrypt Is Maximally Memory Hard.” edited by Jean-Sébastien Coron and
Jesper Buus Nielsen, 10212:33–62. Springer, 2017. https://doi.org/10.1007/978-3-319-56617-7_2.
ieee: 'J. F. Alwen, B. Chen, K. Z. Pietrzak, L. Reyzin, and S. Tessaro, “Scrypt
is maximally memory hard,” presented at the EUROCRYPT: Theory and Applications
of Cryptographic Techniques, Paris, France, 2017, vol. 10212, pp. 33–62.'
ista: 'Alwen JF, Chen B, Pietrzak KZ, Reyzin L, Tessaro S. 2017. Scrypt is maximally
memory hard. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS,
vol. 10212, 33–62.'
mla: Alwen, Joel F., et al. Scrypt Is Maximally Memory Hard. Edited by Jean-Sébastien
Coron and Jesper Buus Nielsen, vol. 10212, Springer, 2017, pp. 33–62, doi:10.1007/978-3-319-56617-7_2.
short: J.F. Alwen, B. Chen, K.Z. Pietrzak, L. Reyzin, S. Tessaro, in:, J.-S. Coron,
J. Buus Nielsen (Eds.), Springer, 2017, pp. 33–62.
conference:
end_date: 2017-05-04
location: Paris, France
name: 'EUROCRYPT: Theory and Applications of Cryptographic Techniques'
start_date: 2017-04-30
date_created: 2018-12-11T11:47:37Z
date_published: 2017-01-01T00:00:00Z
date_updated: 2021-01-12T08:07:10Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-56617-7_2
ec_funded: 1
editor:
- first_name: Jean-Sébastien
full_name: Coron, Jean-Sébastien
last_name: Coron
- first_name: Jesper
full_name: Buus Nielsen, Jesper
last_name: Buus Nielsen
intvolume: ' 10212'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/989
month: '01'
oa: 1
oa_version: Submitted Version
page: 33 - 62
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
isbn:
- 978-331956616-0
publication_status: published
publisher: Springer
publist_id: '7154'
quality_controlled: '1'
scopus_import: 1
status: public
title: Scrypt is maximally memory hard
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 10212
year: '2017'
...
---
_id: '640'
abstract:
- lang: eng
text: 'Data-independent Memory Hard Functions (iMHFS) are finding a growing number
of applications in security; especially in the domain of password hashing. An
important property of a concrete iMHF is specified by fixing a directed acyclic
graph (DAG) Gn on n nodes. The quality of that iMHF is then captured by the following
two pebbling complexities of Gn: – The parallel cumulative pebbling complexity
Π∥cc(Gn) must be as high as possible (to ensure that the amortized cost of computing
the function on dedicated hardware is dominated by the cost of memory). – The
sequential space-time pebbling complexity Πst(Gn) should be as close as possible
to Π∥cc(Gn) (to ensure that using many cores in parallel and amortizing over many
instances does not give much of an advantage). In this paper we construct a family
of DAGs with best possible parameters in an asymptotic sense, i.e., where Π∥cc(Gn)
= Ω(n2/ log(n)) (which matches a known upper bound) and Πst(Gn) is within a constant
factor of Π∥cc(Gn). Our analysis relies on a new connection between the pebbling
complexity of a DAG and its depth-robustness (DR) – a well studied combinatorial
property. We show that high DR is sufficient for high Π∥cc. Alwen and Blocki (CRYPTO’16)
showed that high DR is necessary and so, together, these results fully characterize
DAGs with high Π∥cc in terms of DR. Complementing these results, we provide new
upper and lower bounds on the Π∥cc of several important candidate iMHFs from the
literature. We give the first lower bounds on the memory hardness of the Catena
and Balloon Hashing functions in a parallel model of computation and we give the
first lower bounds of any kind for (a version) of Argon2i. Finally we describe
a new class of pebbling attacks improving on those of Alwen and Blocki (CRYPTO’16).
By instantiating these attacks we upperbound the Π∥cc of the Password Hashing
Competition winner Argon2i and one of the Balloon Hashing functions by O (n1.71).
We also show an upper bound of O(n1.625) for the Catena functions and the two
remaining Balloon Hashing functions.'
alternative_title:
- LNCS
author:
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Jeremiah
full_name: Blocki, Jeremiah
last_name: Blocki
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Alwen JF, Blocki J, Pietrzak KZ. Depth-robust graphs and their cumulative
memory complexity. In: Coron J-S, Buus Nielsen J, eds. Vol 10212. Springer; 2017:3-32.
doi:10.1007/978-3-319-56617-7_1'
apa: 'Alwen, J. F., Blocki, J., & Pietrzak, K. Z. (2017). Depth-robust graphs
and their cumulative memory complexity. In J.-S. Coron & J. Buus Nielsen (Eds.)
(Vol. 10212, pp. 3–32). Presented at the EUROCRYPT: Theory and Applications of
Cryptographic Techniques, Paris, France: Springer. https://doi.org/10.1007/978-3-319-56617-7_1'
chicago: Alwen, Joel F, Jeremiah Blocki, and Krzysztof Z Pietrzak. “Depth-Robust
Graphs and Their Cumulative Memory Complexity.” edited by Jean-Sébastien Coron
and Jesper Buus Nielsen, 10212:3–32. Springer, 2017. https://doi.org/10.1007/978-3-319-56617-7_1.
ieee: 'J. F. Alwen, J. Blocki, and K. Z. Pietrzak, “Depth-robust graphs and their
cumulative memory complexity,” presented at the EUROCRYPT: Theory and Applications
of Cryptographic Techniques, Paris, France, 2017, vol. 10212, pp. 3–32.'
ista: 'Alwen JF, Blocki J, Pietrzak KZ. 2017. Depth-robust graphs and their cumulative
memory complexity. EUROCRYPT: Theory and Applications of Cryptographic Techniques,
LNCS, vol. 10212, 3–32.'
mla: Alwen, Joel F., et al. Depth-Robust Graphs and Their Cumulative Memory Complexity.
Edited by Jean-Sébastien Coron and Jesper Buus Nielsen, vol. 10212, Springer,
2017, pp. 3–32, doi:10.1007/978-3-319-56617-7_1.
short: J.F. Alwen, J. Blocki, K.Z. Pietrzak, in:, J.-S. Coron, J. Buus Nielsen (Eds.),
Springer, 2017, pp. 3–32.
conference:
end_date: 2017-05-04
location: Paris, France
name: 'EUROCRYPT: Theory and Applications of Cryptographic Techniques'
start_date: 2017-04-30
date_created: 2018-12-11T11:47:39Z
date_published: 2017-04-01T00:00:00Z
date_updated: 2021-01-12T08:07:22Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-56617-7_1
ec_funded: 1
editor:
- first_name: Jean-Sébastien
full_name: Coron, Jean-Sébastien
last_name: Coron
- first_name: Jesper
full_name: Buus Nielsen, Jesper
last_name: Buus Nielsen
intvolume: ' 10212'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/875
month: '04'
oa: 1
oa_version: Submitted Version
page: 3 - 32
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
isbn:
- 978-331956616-0
publication_status: published
publisher: Springer
publist_id: '7148'
quality_controlled: '1'
scopus_import: 1
status: public
title: Depth-robust graphs and their cumulative memory complexity
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 10212
year: '2017'
...
---
_id: '648'
abstract:
- lang: eng
text: 'Pseudoentropy has found a lot of important applications to cryptography and
complexity theory. In this paper we focus on the foundational problem that has
not been investigated so far, namely by how much pseudoentropy (the amount seen
by computationally bounded attackers) differs from its information-theoretic counterpart
(seen by unbounded observers), given certain limits on attacker’s computational
power? We provide the following answer for HILL pseudoentropy, which exhibits
a threshold behavior around the size exponential in the entropy amount:– If the
attacker size (s) and advantage () satisfy s (formula presented) where k is the
claimed amount of pseudoentropy, then the pseudoentropy boils down to the information-theoretic
smooth entropy. – If s (formula presented) then pseudoentropy could be arbitrarily
bigger than the information-theoretic smooth entropy. Besides answering the posted
question, we show an elegant application of our result to the complexity theory,
namely that it implies the clas-sical result on the existence of functions hard
to approximate (due to Pippenger). In our approach we utilize non-constructive
techniques: the duality of linear programming and the probabilistic method.'
alternative_title:
- LNCS
author:
- first_name: Maciej
full_name: Skórski, Maciej
id: EC09FA6A-02D0-11E9-8223-86B7C91467DD
last_name: Skórski
citation:
ama: 'Skórski M. On the complexity of breaking pseudoentropy. In: Jäger G, Steila
S, eds. Vol 10185. Springer; 2017:600-613. doi:10.1007/978-3-319-55911-7_43'
apa: 'Skórski, M. (2017). On the complexity of breaking pseudoentropy. In G. Jäger
& S. Steila (Eds.) (Vol. 10185, pp. 600–613). Presented at the TAMC: Theory
and Applications of Models of Computation, Bern, Switzerland: Springer. https://doi.org/10.1007/978-3-319-55911-7_43'
chicago: Skórski, Maciej. “On the Complexity of Breaking Pseudoentropy.” edited
by Gerhard Jäger and Silvia Steila, 10185:600–613. Springer, 2017. https://doi.org/10.1007/978-3-319-55911-7_43.
ieee: 'M. Skórski, “On the complexity of breaking pseudoentropy,” presented at the
TAMC: Theory and Applications of Models of Computation, Bern, Switzerland, 2017,
vol. 10185, pp. 600–613.'
ista: 'Skórski M. 2017. On the complexity of breaking pseudoentropy. TAMC: Theory
and Applications of Models of Computation, LNCS, vol. 10185, 600–613.'
mla: Skórski, Maciej. On the Complexity of Breaking Pseudoentropy. Edited
by Gerhard Jäger and Silvia Steila, vol. 10185, Springer, 2017, pp. 600–13, doi:10.1007/978-3-319-55911-7_43.
short: M. Skórski, in:, G. Jäger, S. Steila (Eds.), Springer, 2017, pp. 600–613.
conference:
end_date: 2017-04-22
location: Bern, Switzerland
name: 'TAMC: Theory and Applications of Models of Computation'
start_date: 2017-04-20
date_created: 2018-12-11T11:47:42Z
date_published: 2017-04-01T00:00:00Z
date_updated: 2021-01-12T08:07:39Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-55911-7_43
editor:
- first_name: Gerhard
full_name: Jäger, Gerhard
last_name: Jäger
- first_name: Silvia
full_name: Steila, Silvia
last_name: Steila
intvolume: ' 10185'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/1186.pdf
month: '04'
oa: 1
oa_version: Submitted Version
page: 600 - 613
publication_identifier:
isbn:
- 978-331955910-0
publication_status: published
publisher: Springer
publist_id: '7125'
quality_controlled: '1'
scopus_import: 1
status: public
title: On the complexity of breaking pseudoentropy
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 10185
year: '2017'
...
---
_id: '650'
abstract:
- lang: eng
text: 'In this work we present a short and unified proof for the Strong and Weak
Regularity Lemma, based on the cryptographic tech-nique called low-complexity
approximations. In short, both problems reduce to a task of finding constructively
an approximation for a certain target function under a class of distinguishers
(test functions), where dis-tinguishers are combinations of simple rectangle-indicators.
In our case these approximations can be learned by a simple iterative procedure,
which yields a unified and simple proof, achieving for any graph with density
d and any approximation parameter the partition size. The novelty in our proof
is: (a) a simple approach which yields both strong and weaker variant, and (b)
improvements when d = o(1). At an abstract level, our proof can be seen a refinement
and simplification of the “analytic” proof given by Lovasz and Szegedy.'
alternative_title:
- LNCS
author:
- first_name: Maciej
full_name: Skórski, Maciej
id: EC09FA6A-02D0-11E9-8223-86B7C91467DD
last_name: Skórski
citation:
ama: 'Skórski M. A cryptographic view of regularity lemmas: Simpler unified proofs
and refined bounds. In: Jäger G, Steila S, eds. Vol 10185. Springer; 2017:586-599.
doi:10.1007/978-3-319-55911-7_42'
apa: 'Skórski, M. (2017). A cryptographic view of regularity lemmas: Simpler unified
proofs and refined bounds. In G. Jäger & S. Steila (Eds.) (Vol. 10185, pp.
586–599). Presented at the TAMC: Theory and Applications of Models of Computation,
Bern, Switzerland: Springer. https://doi.org/10.1007/978-3-319-55911-7_42'
chicago: 'Skórski, Maciej. “A Cryptographic View of Regularity Lemmas: Simpler Unified
Proofs and Refined Bounds.” edited by Gerhard Jäger and Silvia Steila, 10185:586–99.
Springer, 2017. https://doi.org/10.1007/978-3-319-55911-7_42.'
ieee: 'M. Skórski, “A cryptographic view of regularity lemmas: Simpler unified proofs
and refined bounds,” presented at the TAMC: Theory and Applications of Models
of Computation, Bern, Switzerland, 2017, vol. 10185, pp. 586–599.'
ista: 'Skórski M. 2017. A cryptographic view of regularity lemmas: Simpler unified
proofs and refined bounds. TAMC: Theory and Applications of Models of Computation,
LNCS, vol. 10185, 586–599.'
mla: 'Skórski, Maciej. A Cryptographic View of Regularity Lemmas: Simpler Unified
Proofs and Refined Bounds. Edited by Gerhard Jäger and Silvia Steila, vol.
10185, Springer, 2017, pp. 586–99, doi:10.1007/978-3-319-55911-7_42.'
short: M. Skórski, in:, G. Jäger, S. Steila (Eds.), Springer, 2017, pp. 586–599.
conference:
end_date: 2017-04-22
location: Bern, Switzerland
name: 'TAMC: Theory and Applications of Models of Computation'
start_date: 2017-04-20
date_created: 2018-12-11T11:47:42Z
date_published: 2017-01-01T00:00:00Z
date_updated: 2021-01-12T08:07:46Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-55911-7_42
editor:
- first_name: Gerhard
full_name: Jäger, Gerhard
last_name: Jäger
- first_name: Silvia
full_name: Steila, Silvia
last_name: Steila
intvolume: ' 10185'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/965.pdf
month: '01'
oa: 1
oa_version: Submitted Version
page: 586 - 599
publication_identifier:
issn:
- '03029743'
publication_status: published
publisher: Springer
publist_id: '7119'
quality_controlled: '1'
scopus_import: 1
status: public
title: 'A cryptographic view of regularity lemmas: Simpler unified proofs and refined
bounds'
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 10185
year: '2017'
...
---
_id: '6527'
abstract:
- lang: eng
text: "A memory-hard function (MHF) ƒn with parameter n can be computed in sequential
time and space n. Simultaneously, a high amortized parallel area-time complexity
(aAT) is incurred per evaluation. In practice, MHFs are used to limit the rate
at which an adversary (using a custom computational device) can evaluate a security
sensitive function that still occasionally needs to be evaluated by honest users
(using an off-the-shelf general purpose device). The most prevalent examples of
such sensitive functions are Key Derivation Functions (KDFs) and password hashing
algorithms where rate limits help mitigate off-line dictionary attacks. As the
honest users' inputs to these functions are often (low-entropy) passwords special
attention is given to a class of side-channel resistant MHFs called iMHFs.\r\n\r\nEssentially
all iMHFs can be viewed as some mode of operation (making n calls to some round
function) given by a directed acyclic graph (DAG) with very low indegree. Recently,
a combinatorial property of a DAG has been identified (called \"depth-robustness\")
which results in good provable security for an iMHF based on that DAG. Depth-robust
DAGs have also proven useful in other cryptographic applications. Unfortunately,
up till now, all known very depth-robust DAGs are impractically complicated and
little is known about their exact (i.e. non-asymptotic) depth-robustness both
in theory and in practice.\r\n\r\nIn this work we build and analyze (both formally
and empirically) several exceedingly simple and efficient to navigate practical
DAGs for use in iMHFs and other applications. For each DAG we:\r\n*Prove that
their depth-robustness is asymptotically maximal.\r\n*Prove bounds of at least
3 orders of magnitude better on their exact depth-robustness compared to known
bounds for other practical iMHF.\r\n*Implement and empirically evaluate their
depth-robustness and aAT against a variety of state-of-the art (and several new)
depth-reduction and low aAT attacks. \r\nWe find that, against all attacks, the
new DAGs perform significantly better in practice than Argon2i, the most widely
deployed iMHF in practice.\r\n\r\nAlong the way we also improve the best known
empirical attacks on the aAT of Argon2i by implementing and testing several heuristic
versions of a (hitherto purely theoretical) depth-reduction attack. Finally, we
demonstrate practicality of our constructions by modifying the Argon2i code base
to use one of the new high aAT DAGs. Experimental benchmarks on a standard off-the-shelf
CPU show that the new modifications do not adversely affect the impressive throughput
of Argon2i (despite seemingly enjoying significantly higher aAT).\r\n"
author:
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Jeremiah
full_name: Blocki, Jeremiah
last_name: Blocki
- first_name: Ben
full_name: Harsha, Ben
last_name: Harsha
citation:
ama: 'Alwen JF, Blocki J, Harsha B. Practical graphs for optimal side-channel resistant
memory-hard functions. In: Proceedings of the 2017 ACM SIGSAC Conference on
Computer and Communications Security. ACM Press; 2017:1001-1017. doi:10.1145/3133956.3134031'
apa: 'Alwen, J. F., Blocki, J., & Harsha, B. (2017). Practical graphs for optimal
side-channel resistant memory-hard functions. In Proceedings of the 2017 ACM
SIGSAC Conference on Computer and Communications Security (pp. 1001–1017).
Dallas, TX, USA: ACM Press. https://doi.org/10.1145/3133956.3134031'
chicago: Alwen, Joel F, Jeremiah Blocki, and Ben Harsha. “Practical Graphs for Optimal
Side-Channel Resistant Memory-Hard Functions.” In Proceedings of the 2017 ACM
SIGSAC Conference on Computer and Communications Security, 1001–17. ACM Press,
2017. https://doi.org/10.1145/3133956.3134031.
ieee: J. F. Alwen, J. Blocki, and B. Harsha, “Practical graphs for optimal side-channel
resistant memory-hard functions,” in Proceedings of the 2017 ACM SIGSAC Conference
on Computer and Communications Security, Dallas, TX, USA, 2017, pp. 1001–1017.
ista: 'Alwen JF, Blocki J, Harsha B. 2017. Practical graphs for optimal side-channel
resistant memory-hard functions. Proceedings of the 2017 ACM SIGSAC Conference
on Computer and Communications Security. CCS: Conference on Computer and Communications
Security, 1001–1017.'
mla: Alwen, Joel F., et al. “Practical Graphs for Optimal Side-Channel Resistant
Memory-Hard Functions.” Proceedings of the 2017 ACM SIGSAC Conference on Computer
and Communications Security, ACM Press, 2017, pp. 1001–17, doi:10.1145/3133956.3134031.
short: J.F. Alwen, J. Blocki, B. Harsha, in:, Proceedings of the 2017 ACM SIGSAC
Conference on Computer and Communications Security, ACM Press, 2017, pp. 1001–1017.
conference:
end_date: 2017-11-03
location: Dallas, TX, USA
name: 'CCS: Conference on Computer and Communications Security'
start_date: 2017-10-30
date_created: 2019-06-06T13:21:29Z
date_published: 2017-10-30T00:00:00Z
date_updated: 2021-01-12T08:07:53Z
day: '30'
department:
- _id: KrPi
doi: 10.1145/3133956.3134031
ec_funded: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2017/443
month: '10'
oa: 1
oa_version: Submitted Version
page: 1001-1017
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications
Security
publication_identifier:
isbn:
- '9781450349468'
publication_status: published
publisher: ACM Press
quality_controlled: '1'
scopus_import: 1
status: public
title: Practical graphs for optimal side-channel resistant memory-hard functions
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
year: '2017'
...
---
_id: '6526'
abstract:
- lang: eng
text: 'This paper studies the complexity of estimating Rényi divergences of discrete
distributions: p observed from samples and the baseline distribution q known a
priori. Extending the results of Acharya et al. (SODA''15) on estimating Rényi
entropy, we present improved estimation techniques together with upper and lower
bounds on the sample complexity. We show that, contrarily to estimating Rényi
entropy where a sublinear (in the alphabet size) number of samples suffices, the
sample complexity is heavily dependent on events occurring unlikely in q, and
is unbounded in general (no matter what an estimation technique is used). For
any divergence of integer order bigger than 1, we provide upper and lower bounds
on the number of samples dependent on probabilities of p and q (the lower bounds
hold for non-integer orders as well). We conclude that the worst-case sample complexity
is polynomial in the alphabet size if and only if the probabilities of q are non-negligible.
This gives theoretical insights into heuristics used in the applied literature
to handle numerical instability, which occurs for small probabilities of q. Our
result shows that they should be handled with care not only because of numerical
issues, but also because of a blow up in the sample complexity.'
article_number: '8006529'
author:
- first_name: Maciej
full_name: Skórski, Maciej
id: EC09FA6A-02D0-11E9-8223-86B7C91467DD
last_name: Skórski
citation:
ama: 'Skórski M. On the complexity of estimating Rènyi divergences. In: 2017
IEEE International Symposium on Information Theory (ISIT). IEEE; 2017. doi:10.1109/isit.2017.8006529'
apa: 'Skórski, M. (2017). On the complexity of estimating Rènyi divergences. In
2017 IEEE International Symposium on Information Theory (ISIT). Aachen,
Germany: IEEE. https://doi.org/10.1109/isit.2017.8006529'
chicago: Skórski, Maciej. “On the Complexity of Estimating Rènyi Divergences.” In
2017 IEEE International Symposium on Information Theory (ISIT). IEEE, 2017.
https://doi.org/10.1109/isit.2017.8006529.
ieee: M. Skórski, “On the complexity of estimating Rènyi divergences,” in 2017
IEEE International Symposium on Information Theory (ISIT), Aachen, Germany,
2017.
ista: 'Skórski M. 2017. On the complexity of estimating Rènyi divergences. 2017
IEEE International Symposium on Information Theory (ISIT). ISIT: International
Symposium on Information Theory, 8006529.'
mla: Skórski, Maciej. “On the Complexity of Estimating Rènyi Divergences.” 2017
IEEE International Symposium on Information Theory (ISIT), 8006529, IEEE,
2017, doi:10.1109/isit.2017.8006529.
short: M. Skórski, in:, 2017 IEEE International Symposium on Information Theory
(ISIT), IEEE, 2017.
conference:
end_date: 2017-06-30
location: Aachen, Germany
name: 'ISIT: International Symposium on Information Theory'
start_date: 2017-06-25
date_created: 2019-06-06T12:53:09Z
date_published: 2017-08-09T00:00:00Z
date_updated: 2021-01-12T08:07:53Z
day: '09'
department:
- _id: KrPi
doi: 10.1109/isit.2017.8006529
ec_funded: 1
external_id:
arxiv:
- '1702.01666'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://arxiv.org/abs/1702.01666
month: '08'
oa: 1
oa_version: Preprint
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: 2017 IEEE International Symposium on Information Theory (ISIT)
publication_identifier:
isbn:
- '9781509040964'
publication_status: published
publisher: IEEE
quality_controlled: '1'
scopus_import: 1
status: public
title: On the complexity of estimating Rènyi divergences
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
year: '2017'
...
---
_id: '697'
abstract:
- lang: eng
text: 'De, Trevisan and Tulsiani [CRYPTO 2010] show that every distribution over
n-bit strings which has constant statistical distance to uniform (e.g., the output
of a pseudorandom generator mapping n-1 to n bit strings), can be distinguished
from the uniform distribution with advantage epsilon by a circuit of size O( 2^n
epsilon^2). We generalize this result, showing that a distribution which has less
than k bits of min-entropy, can be distinguished from any distribution with k
bits of delta-smooth min-entropy with advantage epsilon by a circuit of size O(2^k
epsilon^2/delta^2). As a special case, this implies that any distribution with
support at most 2^k (e.g., the output of a pseudoentropy generator mapping k to
n bit strings) can be distinguished from any given distribution with min-entropy
k+1 with advantage epsilon by a circuit of size O(2^k epsilon^2). Our result thus
shows that pseudoentropy distributions face basically the same non-uniform attacks
as pseudorandom distributions. '
alternative_title:
- LIPIcs
article_number: '39'
author:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Maciej
full_name: Skórski, Maciej
id: EC09FA6A-02D0-11E9-8223-86B7C91467DD
last_name: Skórski
citation:
ama: 'Pietrzak KZ, Skórski M. Non uniform attacks against pseudoentropy. In: Vol
80. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2017. doi:10.4230/LIPIcs.ICALP.2017.39'
apa: 'Pietrzak, K. Z., & Skórski, M. (2017). Non uniform attacks against pseudoentropy
(Vol. 80). Presented at the ICALP: International Colloquium on Automata, Languages,
and Programming, Warsaw, Poland: Schloss Dagstuhl - Leibniz-Zentrum für Informatik.
https://doi.org/10.4230/LIPIcs.ICALP.2017.39'
chicago: Pietrzak, Krzysztof Z, and Maciej Skórski. “Non Uniform Attacks against
Pseudoentropy,” Vol. 80. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017.
https://doi.org/10.4230/LIPIcs.ICALP.2017.39.
ieee: 'K. Z. Pietrzak and M. Skórski, “Non uniform attacks against pseudoentropy,”
presented at the ICALP: International Colloquium on Automata, Languages, and Programming,
Warsaw, Poland, 2017, vol. 80.'
ista: 'Pietrzak KZ, Skórski M. 2017. Non uniform attacks against pseudoentropy.
ICALP: International Colloquium on Automata, Languages, and Programming, LIPIcs,
vol. 80, 39.'
mla: Pietrzak, Krzysztof Z., and Maciej Skórski. Non Uniform Attacks against
Pseudoentropy. Vol. 80, 39, Schloss Dagstuhl - Leibniz-Zentrum für Informatik,
2017, doi:10.4230/LIPIcs.ICALP.2017.39.
short: K.Z. Pietrzak, M. Skórski, in:, Schloss Dagstuhl - Leibniz-Zentrum für Informatik,
2017.
conference:
end_date: 2017-07-14
location: Warsaw, Poland
name: 'ICALP: International Colloquium on Automata, Languages, and Programming'
start_date: 2017-07-10
date_created: 2018-12-11T11:47:59Z
date_published: 2017-07-01T00:00:00Z
date_updated: 2021-01-12T08:11:15Z
day: '01'
ddc:
- '005'
department:
- _id: KrPi
doi: 10.4230/LIPIcs.ICALP.2017.39
ec_funded: 1
file:
- access_level: open_access
checksum: e95618a001692f1af2d68f5fde43bc1f
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:08:40Z
date_updated: 2020-07-14T12:47:46Z
file_id: '4701'
file_name: IST-2017-893-v1+1_LIPIcs-ICALP-2017-39.pdf
file_size: 601004
relation: main_file
file_date_updated: 2020-07-14T12:47:46Z
has_accepted_license: '1'
intvolume: ' 80'
language:
- iso: eng
month: '07'
oa: 1
oa_version: Published Version
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
issn:
- '18688969'
publication_status: published
publisher: Schloss Dagstuhl - Leibniz-Zentrum für Informatik
publist_id: '7003'
pubrep_id: '893'
quality_controlled: '1'
scopus_import: 1
status: public
title: Non uniform attacks against pseudoentropy
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 80
year: '2017'
...
---
_id: '710'
abstract:
- lang: eng
text: 'We revisit the problem of estimating entropy of discrete distributions from
independent samples, studied recently by Acharya, Orlitsky, Suresh and Tyagi (SODA
2015), improving their upper and lower bounds on the necessary sample size n.
For estimating Renyi entropy of order alpha, up to constant accuracy and error
probability, we show the following * Upper bounds n = O(1) 2^{(1-1/alpha)H_alpha}
for integer alpha>1, as the worst case over distributions with Renyi entropy
equal to H_alpha. * Lower bounds n = Omega(1) K^{1-1/alpha} for any real alpha>1,
with the constant being an inverse polynomial of the accuracy, as the worst case
over all distributions on K elements. Our upper bounds essentially replace the
alphabet size by a factor exponential in the entropy, which offers improvements
especially in low or medium entropy regimes (interesting for example in anomaly
detection). As for the lower bounds, our proof explicitly shows how the complexity
depends on both alphabet and accuracy, partially solving the open problem posted
in previous works. The argument for upper bounds derives a clean identity for
the variance of falling-power sum of a multinomial distribution. Our approach
for lower bounds utilizes convex optimization to find a distribution with possibly
worse estimation performance, and may be of independent interest as a tool to
work with Le Cam’s two point method. '
alternative_title:
- LIPIcs
article_number: '20'
author:
- first_name: Maciej
full_name: Obremski, Maciej
last_name: Obremski
- first_name: Maciej
full_name: Skórski, Maciej
id: EC09FA6A-02D0-11E9-8223-86B7C91467DD
last_name: Skórski
citation:
ama: 'Obremski M, Skórski M. Renyi entropy estimation revisited. In: Vol 81. Schloss
Dagstuhl - Leibniz-Zentrum für Informatik; 2017. doi:10.4230/LIPIcs.APPROX-RANDOM.2017.20'
apa: 'Obremski, M., & Skórski, M. (2017). Renyi entropy estimation revisited
(Vol. 81). Presented at the 20th International Workshop on Approximation Algorithms
for Combinatorial Optimization Problems, APPROX, Berkeley, USA: Schloss Dagstuhl
- Leibniz-Zentrum für Informatik. https://doi.org/10.4230/LIPIcs.APPROX-RANDOM.2017.20'
chicago: Obremski, Maciej, and Maciej Skórski. “Renyi Entropy Estimation Revisited,”
Vol. 81. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017. https://doi.org/10.4230/LIPIcs.APPROX-RANDOM.2017.20.
ieee: M. Obremski and M. Skórski, “Renyi entropy estimation revisited,” presented
at the 20th International Workshop on Approximation Algorithms for Combinatorial
Optimization Problems, APPROX, Berkeley, USA, 2017, vol. 81.
ista: Obremski M, Skórski M. 2017. Renyi entropy estimation revisited. 20th International
Workshop on Approximation Algorithms for Combinatorial Optimization Problems,
APPROX, LIPIcs, vol. 81, 20.
mla: Obremski, Maciej, and Maciej Skórski. Renyi Entropy Estimation Revisited.
Vol. 81, 20, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, doi:10.4230/LIPIcs.APPROX-RANDOM.2017.20.
short: M. Obremski, M. Skórski, in:, Schloss Dagstuhl - Leibniz-Zentrum für Informatik,
2017.
conference:
end_date: 2017-08-18
location: Berkeley, USA
name: 20th International Workshop on Approximation Algorithms for Combinatorial
Optimization Problems, APPROX
start_date: 2017-08-18
date_created: 2018-12-11T11:48:04Z
date_published: 2017-08-01T00:00:00Z
date_updated: 2021-01-12T08:11:50Z
day: '01'
ddc:
- '005'
- '600'
department:
- _id: KrPi
doi: 10.4230/LIPIcs.APPROX-RANDOM.2017.20
ec_funded: 1
file:
- access_level: open_access
checksum: 89225c7dcec2c93838458c9102858985
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:13:10Z
date_updated: 2020-07-14T12:47:49Z
file_id: '4991'
file_name: IST-2017-888-v1+1_LIPIcs-APPROX-RANDOM-2017-20.pdf
file_size: 604813
relation: main_file
file_date_updated: 2020-07-14T12:47:49Z
has_accepted_license: '1'
intvolume: ' 81'
language:
- iso: eng
month: '08'
oa: 1
oa_version: Published Version
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
issn:
- '18688969'
publication_status: published
publisher: Schloss Dagstuhl - Leibniz-Zentrum für Informatik
publist_id: '6979'
pubrep_id: '888'
quality_controlled: '1'
scopus_import: 1
status: public
title: Renyi entropy estimation revisited
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 81
year: '2017'
...
---
_id: '838'
abstract:
- lang: eng
text: 'In this thesis we discuss the exact security of message authentications codes
HMAC , NMAC , and PMAC . NMAC is a mode of operation which turns a fixed input-length
keyed hash function f into a variable input-length function. A practical single-key
variant of NMAC called HMAC is a very popular and widely deployed message authentication
code (MAC). PMAC is a block-cipher based mode of operation, which also happens
to be the most famous fully parallel MAC. NMAC was introduced by Bellare, Canetti
and Krawczyk Crypto’96, who proved it to be a secure pseudorandom function (PRF),
and thus also a MAC, under two assumptions. Unfortunately, for many instantiations
of HMAC one of them has been found to be wrong. To restore the provable guarantees
for NMAC , Bellare [Crypto’06] showed its security without this assumption. PMAC
was introduced by Black and Rogaway at Eurocrypt 2002. If instantiated with a
pseudorandom permutation over n -bit strings, PMAC constitutes a provably secure
variable input-length PRF. For adversaries making q queries, each of length at
most ` (in n -bit blocks), and of total length σ ≤ q` , the original paper proves
an upper bound on the distinguishing advantage of O ( σ 2 / 2 n ), while the currently
best bound is O ( qσ/ 2 n ). In this work we show that this bound is tight by
giving an attack with advantage Ω( q 2 `/ 2 n ). In the PMAC construction one
initially XORs a mask to every message block, where the mask for the i th block
is computed as τ i := γ i · L , where L is a (secret) random value, and γ i is
the i -th codeword of the Gray code. Our attack applies more generally to any
sequence of γ i ’s which contains a large coset of a subgroup of GF (2 n ). As
for NMAC , our first contribution is a simpler and uniform proof: If f is an ε
-secure PRF (against q queries) and a δ - non-adaptively secure PRF (against q
queries), then NMAC f is an ( ε + `qδ )-secure PRF against q queries of length
at most ` blocks each. We also show that this ε + `qδ bound is basically tight
by constructing an f for which an attack with advantage `qδ exists. Moreover,
we analyze the PRF-security of a modification of NMAC called NI by An and Bellare
that avoids the constant rekeying on multi-block messages in NMAC and allows for
an information-theoretic analysis. We carry out such an analysis, obtaining a
tight `q 2 / 2 c bound for this step, improving over the trivial bound of ` 2
q 2 / 2 c . Finally, we investigate, if the security of PMAC can be further improved
by using τ i ’s that are k -wise independent, for k > 1 (the original has k
= 1). We observe that the security of PMAC will not increase in general if k =
2, and then prove that the security increases to O ( q 2 / 2 n ), if the k = 4.
Due to simple extension attacks, this is the best bound one can hope for, using
any distribution on the masks. Whether k = 3 is already sufficient to get this
level of security is left as an open problem. Keywords: Message authentication
codes, Pseudorandom functions, HMAC, PMAC. '
alternative_title:
- ISTA Thesis
article_processing_charge: No
author:
- first_name: Michal
full_name: Rybar, Michal
id: 2B3E3DE8-F248-11E8-B48F-1D18A9856A87
last_name: Rybar
citation:
ama: Rybar M. (The exact security of) Message authentication codes. 2017. doi:10.15479/AT:ISTA:th_828
apa: Rybar, M. (2017). (The exact security of) Message authentication codes.
Institute of Science and Technology Austria. https://doi.org/10.15479/AT:ISTA:th_828
chicago: Rybar, Michal. “(The Exact Security of) Message Authentication Codes.”
Institute of Science and Technology Austria, 2017. https://doi.org/10.15479/AT:ISTA:th_828.
ieee: M. Rybar, “(The exact security of) Message authentication codes,” Institute
of Science and Technology Austria, 2017.
ista: Rybar M. 2017. (The exact security of) Message authentication codes. Institute
of Science and Technology Austria.
mla: Rybar, Michal. (The Exact Security of) Message Authentication Codes.
Institute of Science and Technology Austria, 2017, doi:10.15479/AT:ISTA:th_828.
short: M. Rybar, (The Exact Security of) Message Authentication Codes, Institute
of Science and Technology Austria, 2017.
date_created: 2018-12-11T11:48:46Z
date_published: 2017-06-26T00:00:00Z
date_updated: 2023-09-07T12:02:28Z
day: '26'
ddc:
- '000'
degree_awarded: PhD
department:
- _id: KrPi
doi: 10.15479/AT:ISTA:th_828
file:
- access_level: open_access
checksum: ff8639ec4bded6186f44c7bd3ee26804
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:10:13Z
date_updated: 2020-07-14T12:48:12Z
file_id: '4799'
file_name: IST-2017-828-v1+3_2017_Rybar_thesis.pdf
file_size: 847400
relation: main_file
- access_level: closed
checksum: 3462101745ce8ad199c2d0f75dae4a7e
content_type: application/zip
creator: dernst
date_created: 2019-04-05T08:24:11Z
date_updated: 2020-07-14T12:48:12Z
file_id: '6202'
file_name: 2017_Thesis_Rybar_source.zip
file_size: 26054879
relation: source_file
file_date_updated: 2020-07-14T12:48:12Z
has_accepted_license: '1'
language:
- iso: eng
month: '06'
oa: 1
oa_version: Published Version
page: '86'
publication_identifier:
issn:
- 2663-337X
publication_status: published
publisher: Institute of Science and Technology Austria
publist_id: '6810'
pubrep_id: '828'
related_material:
record:
- id: '2082'
relation: part_of_dissertation
status: public
- id: '6196'
relation: part_of_dissertation
status: public
status: public
title: (The exact security of) Message authentication codes
type: dissertation
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
year: '2017'
...
---
_id: '6196'
abstract:
- lang: eng
text: PMAC is a simple and parallel block-cipher mode of operation, which was introduced
by Black and Rogaway at Eurocrypt 2002. If instantiated with a (pseudo)random
permutation over n-bit strings, PMAC constitutes a provably secure variable input-length
(pseudo)random function. For adversaries making q queries, each of length at most
l (in n-bit blocks), and of total length σ ≤ ql, the original paper proves an
upper bound on the distinguishing advantage of Ο(σ2/2n), while the currently
best bound is Ο (qσ/2n).In this work we show that this bound is tight by giving
an attack with advantage Ω (q2l/2n). In the PMAC construction one initially XORs
a mask to every message block, where the mask for the ith block is computed as
τi := γi·L, where L is a (secret) random value, and γi is the i-th codeword of
the Gray code. Our attack applies more generally to any sequence of γi’s which
contains a large coset of a subgroup of GF(2n). We then investigate if the security
of PMAC can be further improved by using τi’s that are k-wise independent, for
k > 1 (the original distribution is only 1-wise independent). We observe that
the security of PMAC will not increase in general, even if the masks are chosen
from a 2-wise independent distribution, and then prove that the security increases
to O(q<2/2n), if the τi are 4-wise independent. Due to simple extension attacks,
this is the best bound one can hope for, using any distribution on the masks.
Whether 3-wise independence is already sufficient to get this level of security
is left as an open problem.
author:
- first_name: Peter
full_name: Gazi, Peter
id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
last_name: Gazi
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Michal
full_name: Rybar, Michal
id: 2B3E3DE8-F248-11E8-B48F-1D18A9856A87
last_name: Rybar
citation:
ama: Gazi P, Pietrzak KZ, Rybar M. The exact security of PMAC. IACR Transactions
on Symmetric Cryptology. 2017;2016(2):145-161. doi:10.13154/TOSC.V2016.I2.145-161
apa: Gazi, P., Pietrzak, K. Z., & Rybar, M. (2017). The exact security of PMAC.
IACR Transactions on Symmetric Cryptology. Ruhr University Bochum. https://doi.org/10.13154/TOSC.V2016.I2.145-161
chicago: Gazi, Peter, Krzysztof Z Pietrzak, and Michal Rybar. “The Exact Security
of PMAC.” IACR Transactions on Symmetric Cryptology. Ruhr University Bochum,
2017. https://doi.org/10.13154/TOSC.V2016.I2.145-161.
ieee: P. Gazi, K. Z. Pietrzak, and M. Rybar, “The exact security of PMAC,” IACR
Transactions on Symmetric Cryptology, vol. 2016, no. 2. Ruhr University Bochum,
pp. 145–161, 2017.
ista: Gazi P, Pietrzak KZ, Rybar M. 2017. The exact security of PMAC. IACR Transactions
on Symmetric Cryptology. 2016(2), 145–161.
mla: Gazi, Peter, et al. “The Exact Security of PMAC.” IACR Transactions on Symmetric
Cryptology, vol. 2016, no. 2, Ruhr University Bochum, 2017, pp. 145–61, doi:10.13154/TOSC.V2016.I2.145-161.
short: P. Gazi, K.Z. Pietrzak, M. Rybar, IACR Transactions on Symmetric Cryptology
2016 (2017) 145–161.
date_created: 2019-04-04T13:48:23Z
date_published: 2017-02-03T00:00:00Z
date_updated: 2023-09-07T12:02:27Z
day: '03'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.13154/TOSC.V2016.I2.145-161
ec_funded: 1
file:
- access_level: open_access
checksum: f23161d685dd957ae8d7274132999684
content_type: application/pdf
creator: dernst
date_created: 2019-04-04T13:53:58Z
date_updated: 2020-07-14T12:47:24Z
file_id: '6197'
file_name: 2017_IACR_Gazi.pdf
file_size: 597335
relation: main_file
file_date_updated: 2020-07-14T12:47:24Z
has_accepted_license: '1'
intvolume: ' 2016'
issue: '2'
language:
- iso: eng
month: '02'
oa: 1
oa_version: Published Version
page: 145-161
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: IACR Transactions on Symmetric Cryptology
publication_identifier:
eissn:
- 2519-173X
publication_status: published
publisher: Ruhr University Bochum
quality_controlled: '1'
related_material:
record:
- id: '838'
relation: dissertation_contains
status: public
status: public
title: The exact security of PMAC
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: journal_article
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 2016
year: '2017'
...
---
_id: '559'
abstract:
- lang: eng
text: 'Proofs of space (PoS) were suggested as more ecological and economical alternative
to proofs of work, which are currently used in blockchain designs like Bitcoin.
The existing PoS are based on rather sophisticated graph pebbling lower bounds.
Much simpler and in several aspects more efficient schemes based on inverting
random functions have been suggested, but they don’t give meaningful security
guarantees due to existing time-memory trade-offs. In particular, Hellman showed
that any permutation over a domain of size N can be inverted in time T by an algorithm
that is given S bits of auxiliary information whenever (Formula presented). For
functions Hellman gives a weaker attack with S2· T≈ N2 (e.g., S= T≈ N2/3). To
prove lower bounds, one considers an adversary who has access to an oracle f:
[ N] → [N] and can make T oracle queries. The best known lower bound is S· T∈
Ω(N) and holds for random functions and permutations. We construct functions that
provably require more time and/or space to invert. Specifically, for any constant
k we construct a function [N] → [N] that cannot be inverted unless Sk· T∈ Ω(Nk)
(in particular, S= T≈ (Formula presented). Our construction does not contradict
Hellman’s time-memory trade-off, because it cannot be efficiently evaluated in
forward direction. However, its entire function table can be computed in time
quasilinear in N, which is sufficient for the PoS application. Our simplest construction
is built from a random function oracle g: [N] × [N] → [ N] and a random permutation
oracle f: [N] → N] and is defined as h(x) = g(x, x′) where f(x) = π(f(x′)) with
π being any involution without a fixed point, e.g. flipping all the bits. For
this function we prove that any adversary who gets S bits of auxiliary information,
makes at most T oracle queries, and inverts h on an ϵ fraction of outputs must
satisfy S2· T∈ Ω(ϵ2N2).'
alternative_title:
- LNCS
author:
- first_name: Hamza M
full_name: Abusalah, Hamza M
id: 40297222-F248-11E8-B48F-1D18A9856A87
last_name: Abusalah
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Bram
full_name: Cohen, Bram
last_name: Cohen
- first_name: Danylo
full_name: Khilko, Danylo
last_name: Khilko
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Leonid
full_name: Reyzin, Leonid
last_name: Reyzin
citation:
ama: 'Abusalah HM, Alwen JF, Cohen B, Khilko D, Pietrzak KZ, Reyzin L. Beyond Hellman’s
time-memory trade-offs with applications to proofs of space. In: Vol 10625. Springer;
2017:357-379. doi:10.1007/978-3-319-70697-9_13'
apa: 'Abusalah, H. M., Alwen, J. F., Cohen, B., Khilko, D., Pietrzak, K. Z., &
Reyzin, L. (2017). Beyond Hellman’s time-memory trade-offs with applications to
proofs of space (Vol. 10625, pp. 357–379). Presented at the ASIACRYPT: Theory
and Applications of Cryptology and Information Security, Hong Kong, China: Springer.
https://doi.org/10.1007/978-3-319-70697-9_13'
chicago: Abusalah, Hamza M, Joel F Alwen, Bram Cohen, Danylo Khilko, Krzysztof Z
Pietrzak, and Leonid Reyzin. “Beyond Hellman’s Time-Memory Trade-Offs with Applications
to Proofs of Space,” 10625:357–79. Springer, 2017. https://doi.org/10.1007/978-3-319-70697-9_13.
ieee: 'H. M. Abusalah, J. F. Alwen, B. Cohen, D. Khilko, K. Z. Pietrzak, and L.
Reyzin, “Beyond Hellman’s time-memory trade-offs with applications to proofs of
space,” presented at the ASIACRYPT: Theory and Applications of Cryptology and
Information Security, Hong Kong, China, 2017, vol. 10625, pp. 357–379.'
ista: 'Abusalah HM, Alwen JF, Cohen B, Khilko D, Pietrzak KZ, Reyzin L. 2017. Beyond
Hellman’s time-memory trade-offs with applications to proofs of space. ASIACRYPT:
Theory and Applications of Cryptology and Information Security, LNCS, vol. 10625,
357–379.'
mla: Abusalah, Hamza M., et al. Beyond Hellman’s Time-Memory Trade-Offs with
Applications to Proofs of Space. Vol. 10625, Springer, 2017, pp. 357–79, doi:10.1007/978-3-319-70697-9_13.
short: H.M. Abusalah, J.F. Alwen, B. Cohen, D. Khilko, K.Z. Pietrzak, L. Reyzin,
in:, Springer, 2017, pp. 357–379.
conference:
end_date: 2017-12-07
location: Hong Kong, China
name: 'ASIACRYPT: Theory and Applications of Cryptology and Information Security'
start_date: 2017-12-03
date_created: 2018-12-11T11:47:10Z
date_published: 2017-11-18T00:00:00Z
date_updated: 2023-09-07T12:30:22Z
day: '18'
department:
- _id: KrPi
doi: 10.1007/978-3-319-70697-9_13
ec_funded: 1
intvolume: ' 10625'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2017/893.pdf
month: '11'
oa: 1
oa_version: Submitted Version
page: 357 - 379
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
isbn:
- 978-331970696-2
publication_status: published
publisher: Springer
publist_id: '7257'
quality_controlled: '1'
related_material:
record:
- id: '83'
relation: dissertation_contains
status: public
scopus_import: 1
status: public
title: Beyond Hellman’s time-memory trade-offs with applications to proofs of space
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 10625
year: '2017'
...
---
_id: '637'
abstract:
- lang: eng
text: For many cryptographic primitives, it is relatively easy to achieve selective
security (where the adversary commits a-priori to some of the choices to be made
later in the attack) but appears difficult to achieve the more natural notion
of adaptive security (where the adversary can make all choices on the go as the
attack progresses). A series of several recent works shows how to cleverly achieve
adaptive security in several such scenarios including generalized selective decryption
(Panjwani, TCC ’07 and Fuchsbauer et al., CRYPTO ’15), constrained PRFs (Fuchsbauer
et al., ASIACRYPT ’14), and Yao garbled circuits (Jafargholi and Wichs, TCC ’16b).
Although the above works expressed vague intuition that they share a common technique,
the connection was never made precise. In this work we present a new framework
that connects all of these works and allows us to present them in a unified and
simplified fashion. Moreover, we use the framework to derive a new result for
adaptively secure secret sharing over access structures defined via monotone circuits.
We envision that further applications will follow in the future. Underlying our
framework is the following simple idea. It is well known that selective security,
where the adversary commits to n-bits of information about his future choices,
automatically implies adaptive security at the cost of amplifying the adversary’s
advantage by a factor of up to 2n. However, in some cases the proof of selective
security proceeds via a sequence of hybrids, where each pair of adjacent hybrids
locally only requires some smaller partial information consisting of m ≪ n bits.
The partial information needed might be completely different between different
pairs of hybrids, and if we look across all the hybrids we might rely on the entire
n-bit commitment. Nevertheless, the above is sufficient to prove adaptive security,
at the cost of amplifying the adversary’s advantage by a factor of only 2m ≪ 2n.
In all of our examples using the above framework, the different hybrids are captured
by some sort of a graph pebbling game and the amount of information that the adversary
needs to commit to in each pair of hybrids is bounded by the maximum number of
pebbles in play at any point in time. Therefore, coming up with better strategies
for proving adaptive security translates to various pebbling strategies for different
types of graphs.
alternative_title:
- LNCS
author:
- first_name: Zahra
full_name: Jafargholi, Zahra
last_name: Jafargholi
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Ilan
full_name: Komargodski, Ilan
last_name: Komargodski
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Daniel
full_name: Wichs, Daniel
last_name: Wichs
citation:
ama: 'Jafargholi Z, Kamath Hosdurg C, Klein K, Komargodski I, Pietrzak KZ, Wichs
D. Be adaptive avoid overcommitting. In: Katz J, Shacham H, eds. Vol 10401. Springer;
2017:133-163. doi:10.1007/978-3-319-63688-7_5'
apa: 'Jafargholi, Z., Kamath Hosdurg, C., Klein, K., Komargodski, I., Pietrzak,
K. Z., & Wichs, D. (2017). Be adaptive avoid overcommitting. In J. Katz &
H. Shacham (Eds.) (Vol. 10401, pp. 133–163). Presented at the CRYPTO: Cryptology,
Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-319-63688-7_5'
chicago: Jafargholi, Zahra, Chethan Kamath Hosdurg, Karen Klein, Ilan Komargodski,
Krzysztof Z Pietrzak, and Daniel Wichs. “Be Adaptive Avoid Overcommitting.” edited
by Jonathan Katz and Hovav Shacham, 10401:133–63. Springer, 2017. https://doi.org/10.1007/978-3-319-63688-7_5.
ieee: 'Z. Jafargholi, C. Kamath Hosdurg, K. Klein, I. Komargodski, K. Z. Pietrzak,
and D. Wichs, “Be adaptive avoid overcommitting,” presented at the CRYPTO: Cryptology,
Santa Barbara, CA, United States, 2017, vol. 10401, pp. 133–163.'
ista: 'Jafargholi Z, Kamath Hosdurg C, Klein K, Komargodski I, Pietrzak KZ, Wichs
D. 2017. Be adaptive avoid overcommitting. CRYPTO: Cryptology, LNCS, vol. 10401,
133–163.'
mla: Jafargholi, Zahra, et al. Be Adaptive Avoid Overcommitting. Edited by
Jonathan Katz and Hovav Shacham, vol. 10401, Springer, 2017, pp. 133–63, doi:10.1007/978-3-319-63688-7_5.
short: Z. Jafargholi, C. Kamath Hosdurg, K. Klein, I. Komargodski, K.Z. Pietrzak,
D. Wichs, in:, J. Katz, H. Shacham (Eds.), Springer, 2017, pp. 133–163.
conference:
end_date: 2017-07-24
location: Santa Barbara, CA, United States
name: 'CRYPTO: Cryptology'
start_date: 2017-07-20
date_created: 2018-12-11T11:47:38Z
date_published: 2017-01-01T00:00:00Z
date_updated: 2023-09-07T13:32:11Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-63688-7_5
ec_funded: 1
editor:
- first_name: Jonathan
full_name: Katz, Jonathan
last_name: Katz
- first_name: Hovav
full_name: Shacham, Hovav
last_name: Shacham
intvolume: ' 10401'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2017/515
month: '01'
oa: 1
oa_version: Submitted Version
page: 133 - 163
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
isbn:
- 978-331963687-0
publication_status: published
publisher: Springer
publist_id: '7151'
quality_controlled: '1'
related_material:
record:
- id: '10035'
relation: dissertation_contains
status: public
scopus_import: 1
status: public
title: Be adaptive avoid overcommitting
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 10401
year: '2017'
...
---
_id: '1174'
abstract:
- lang: eng
text: Security of cryptographic applications is typically defined by security games.
The adversary, within certain resources, cannot win with probability much better
than 0 (for unpredictability applications, like one-way functions) or much better
than 1/2 (indistinguishability applications for instance encryption schemes).
In so called squared-friendly applications the winning probability of the adversary,
for different values of the application secret randomness, is not only close to
0 or 1/2 on average, but also concentrated in the sense that its second central
moment is small. The class of squared-friendly applications, which contains all
unpredictability applications and many indistinguishability applications, is particularly
important for key derivation. Barak et al. observed that for square-friendly applications
one can beat the "RT-bound", extracting secure keys with significantly
smaller entropy loss. In turn Dodis and Yu showed that in squared-friendly applications
one can directly use a "weak" key, which has only high entropy, as a
secure key. In this paper we give sharp lower bounds on square security assuming
security for "weak" keys. We show that any application which is either
(a) secure with weak keys or (b) allows for entropy savings for keys derived by
universal hashing, must be square-friendly. Quantitatively, our lower bounds match
the positive results of Dodis and Yu and Barak et al. (TCC\'13, CRYPTO\'11) Hence,
they can be understood as a general characterization of squared-friendly applications.
While the positive results on squared-friendly applications where derived by one
clever application of the Cauchy-Schwarz Inequality, for tight lower bounds we
need more machinery. In our approach we use convex optimization techniques and
some theory of circular matrices.
alternative_title:
- LIPIcs
article_number: '57'
article_processing_charge: No
author:
- first_name: Maciej
full_name: Skórski, Maciej
id: EC09FA6A-02D0-11E9-8223-86B7C91467DD
last_name: Skórski
citation:
ama: 'Skórski M. Lower bounds on key derivation for square-friendly applications.
In: Vol 66. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2017. doi:10.4230/LIPIcs.STACS.2017.57'
apa: 'Skórski, M. (2017). Lower bounds on key derivation for square-friendly applications
(Vol. 66). Presented at the STACS: Symposium on Theoretical Aspects of Computer
Science, Hannover, Germany: Schloss Dagstuhl - Leibniz-Zentrum für Informatik.
https://doi.org/10.4230/LIPIcs.STACS.2017.57'
chicago: Skórski, Maciej. “Lower Bounds on Key Derivation for Square-Friendly Applications,”
Vol. 66. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017. https://doi.org/10.4230/LIPIcs.STACS.2017.57.
ieee: 'M. Skórski, “Lower bounds on key derivation for square-friendly applications,”
presented at the STACS: Symposium on Theoretical Aspects of Computer Science,
Hannover, Germany, 2017, vol. 66.'
ista: 'Skórski M. 2017. Lower bounds on key derivation for square-friendly applications.
STACS: Symposium on Theoretical Aspects of Computer Science, LIPIcs, vol. 66,
57.'
mla: Skórski, Maciej. Lower Bounds on Key Derivation for Square-Friendly Applications.
Vol. 66, 57, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, doi:10.4230/LIPIcs.STACS.2017.57.
short: M. Skórski, in:, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017.
conference:
end_date: 2017-03-11
location: Hannover, Germany
name: 'STACS: Symposium on Theoretical Aspects of Computer Science'
start_date: 2017-03-08
date_created: 2018-12-11T11:50:32Z
date_published: 2017-03-01T00:00:00Z
date_updated: 2023-09-20T11:23:15Z
day: '01'
department:
- _id: KrPi
doi: 10.4230/LIPIcs.STACS.2017.57
ec_funded: 1
external_id:
isi:
- '000521077300057'
intvolume: ' 66'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: http://drops.dagstuhl.de/opus/volltexte/2017/6976
month: '03'
oa: 1
oa_version: Submitted Version
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
issn:
- '18688969'
publication_status: published
publisher: Schloss Dagstuhl - Leibniz-Zentrum für Informatik
publist_id: '6180'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Lower bounds on key derivation for square-friendly applications
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 66
year: '2017'
...
---
_id: '1176'
abstract:
- lang: eng
text: The algorithm Argon2i-B of Biryukov, Dinu and Khovratovich is currently being
considered by the IRTF (Internet Research Task Force) as a new de-facto standard
for password hashing. An older version (Argon2i-A) of the same algorithm was chosen
as the winner of the recent Password Hashing Competition. An important competitor
to Argon2i-B is the recently introduced Balloon Hashing (BH) algorithm of Corrigan-Gibs,
Boneh and Schechter. A key security desiderata for any such algorithm is that
evaluating it (even using a custom device) requires a large amount of memory amortized
across multiple instances. Alwen and Blocki (CRYPTO 2016) introduced a class of
theoretical attacks against Argon2i-A and BH. While these attacks yield large
asymptotic reductions in the amount of memory, it was not, a priori, clear if
(1) they can be extended to the newer Argon2i-B, (2) the attacks are effective
on any algorithm for practical parameter ranges (e.g., 1GB of memory) and (3)
if they can be effectively instantiated against any algorithm under realistic
hardware constrains. In this work we answer all three of these questions in the
affirmative for all three algorithms. This is also the first work to analyze the
security of Argon2i-B. In more detail, we extend the theoretical attacks of Alwen
and Blocki (CRYPTO 2016) to the recent Argon2i-B proposal demonstrating severe
asymptotic deficiencies in its security. Next we introduce several novel heuristics
for improving the attack's concrete memory efficiency even when on-chip memory
bandwidth is bounded. We then simulate our attacks on randomly sampled Argon2i-A,
Argon2i-B and BH instances and measure the resulting memory consumption for various
practical parameter ranges and for a variety of upperbounds on the amount of parallelism
available to the attacker. Finally we describe, implement, and test a new heuristic
for applying the Alwen-Blocki attack to functions employing a technique developed
by Corrigan-Gibs et al. for improving concrete security of memory-hard functions.
We analyze the collected data and show the effects various parameters have on
the memory consumption of the attack. In particular, we can draw several interesting
conclusions about the level of security provided by these functions. · For the
Alwen-Blocki attack to fail against practical memory parameters, Argon2i-B must
be instantiated with more than 10 passes on memory - beyond the "paranoid" parameter
setting in the current IRTF proposal. · The technique of Corrigan-Gibs for improving
security can also be overcome by the Alwen-Blocki attack under realistic hardware
constraints. · On a positive note, both the asymptotic and concrete security of
Argon2i-B seem to improve on that of Argon2i-A.
article_number: '7961977'
article_processing_charge: No
author:
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Jeremiah
full_name: Blocki, Jeremiah
last_name: Blocki
citation:
ama: 'Alwen JF, Blocki J. Towards practical attacks on Argon2i and balloon hashing.
In: IEEE; 2017. doi:10.1109/EuroSP.2017.47'
apa: 'Alwen, J. F., & Blocki, J. (2017). Towards practical attacks on Argon2i
and balloon hashing. Presented at the EuroS&P: European Symposium on Security
and Privacy, Paris, France: IEEE. https://doi.org/10.1109/EuroSP.2017.47'
chicago: Alwen, Joel F, and Jeremiah Blocki. “Towards Practical Attacks on Argon2i
and Balloon Hashing.” IEEE, 2017. https://doi.org/10.1109/EuroSP.2017.47.
ieee: 'J. F. Alwen and J. Blocki, “Towards practical attacks on Argon2i and balloon
hashing,” presented at the EuroS&P: European Symposium on Security and Privacy,
Paris, France, 2017.'
ista: 'Alwen JF, Blocki J. 2017. Towards practical attacks on Argon2i and balloon
hashing. EuroS&P: European Symposium on Security and Privacy, 7961977.'
mla: Alwen, Joel F., and Jeremiah Blocki. Towards Practical Attacks on Argon2i
and Balloon Hashing. 7961977, IEEE, 2017, doi:10.1109/EuroSP.2017.47.
short: J.F. Alwen, J. Blocki, in:, IEEE, 2017.
conference:
end_date: 2017-04-28
location: Paris, France
name: 'EuroS&P: European Symposium on Security and Privacy'
start_date: 2017-04-26
date_created: 2018-12-11T11:50:33Z
date_published: 2017-07-03T00:00:00Z
date_updated: 2023-09-20T11:22:25Z
day: '03'
department:
- _id: KrPi
doi: 10.1109/EuroSP.2017.47
external_id:
isi:
- '000424197300011'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/759
month: '07'
oa: 1
oa_version: Submitted Version
publication_identifier:
isbn:
- 978-150905761-0
publication_status: published
publisher: IEEE
publist_id: '6178'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Towards practical attacks on Argon2i and balloon hashing
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
year: '2017'
...
---
_id: '1187'
abstract:
- lang: eng
text: We construct efficient authentication protocols and message authentication
codes (MACs) whose security can be reduced to the learning parity with noise (LPN)
problem. Despite a large body of work—starting with the (Formula presented.) protocol
of Hopper and Blum in 2001—until now it was not even known how to construct an
efficient authentication protocol from LPN which is secure against man-in-the-middle
attacks. A MAC implies such a (two-round) protocol.
article_processing_charge: No
article_type: original
author:
- first_name: Eike
full_name: Kiltz, Eike
last_name: Kiltz
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Daniele
full_name: Venturi, Daniele
last_name: Venturi
- first_name: David
full_name: Cash, David
last_name: Cash
- first_name: Abhishek
full_name: Jain, Abhishek
last_name: Jain
citation:
ama: Kiltz E, Pietrzak KZ, Venturi D, Cash D, Jain A. Efficient authentication from
hard learning problems. Journal of Cryptology. 2017;30(4):1238-1275. doi:10.1007/s00145-016-9247-3
apa: Kiltz, E., Pietrzak, K. Z., Venturi, D., Cash, D., & Jain, A. (2017). Efficient
authentication from hard learning problems. Journal of Cryptology. Springer.
https://doi.org/10.1007/s00145-016-9247-3
chicago: Kiltz, Eike, Krzysztof Z Pietrzak, Daniele Venturi, David Cash, and Abhishek
Jain. “Efficient Authentication from Hard Learning Problems.” Journal of Cryptology.
Springer, 2017. https://doi.org/10.1007/s00145-016-9247-3.
ieee: E. Kiltz, K. Z. Pietrzak, D. Venturi, D. Cash, and A. Jain, “Efficient authentication
from hard learning problems,” Journal of Cryptology, vol. 30, no. 4. Springer,
pp. 1238–1275, 2017.
ista: Kiltz E, Pietrzak KZ, Venturi D, Cash D, Jain A. 2017. Efficient authentication
from hard learning problems. Journal of Cryptology. 30(4), 1238–1275.
mla: Kiltz, Eike, et al. “Efficient Authentication from Hard Learning Problems.”
Journal of Cryptology, vol. 30, no. 4, Springer, 2017, pp. 1238–75, doi:10.1007/s00145-016-9247-3.
short: E. Kiltz, K.Z. Pietrzak, D. Venturi, D. Cash, A. Jain, Journal of Cryptology
30 (2017) 1238–1275.
date_created: 2018-12-11T11:50:37Z
date_published: 2017-10-01T00:00:00Z
date_updated: 2023-09-20T11:20:58Z
day: '01'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.1007/s00145-016-9247-3
ec_funded: 1
external_id:
isi:
- '000410788600007'
file:
- access_level: open_access
checksum: c647520d115b772a1682fc06fa273eb1
content_type: application/pdf
creator: dernst
date_created: 2020-05-14T16:30:17Z
date_updated: 2020-07-14T12:44:37Z
file_id: '7843'
file_name: 2017_JournalCrypto_Kiltz.pdf
file_size: 516959
relation: main_file
file_date_updated: 2020-07-14T12:44:37Z
has_accepted_license: '1'
intvolume: ' 30'
isi: 1
issue: '4'
language:
- iso: eng
month: '10'
oa: 1
oa_version: Submitted Version
page: 1238 - 1275
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication: Journal of Cryptology
publication_status: published
publisher: Springer
publist_id: '6166'
quality_controlled: '1'
related_material:
record:
- id: '3238'
relation: earlier_version
status: public
scopus_import: '1'
status: public
title: Efficient authentication from hard learning problems
type: journal_article
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 30
year: '2017'
...
---
_id: '1177'
abstract:
- lang: eng
text: Boldyreva, Palacio and Warinschi introduced a multiple forking game as an
extension of general forking. The notion of (multiple) forking is a useful abstraction
from the actual simulation of cryptographic scheme to the adversary in a security
reduction, and is achieved through the intermediary of a so-called wrapper algorithm.
Multiple forking has turned out to be a useful tool in the security argument of
several cryptographic protocols. However, a reduction employing multiple forking
incurs a significant degradation of (Formula presented.) , where (Formula presented.)
denotes the upper bound on the underlying random oracle calls and (Formula presented.)
, the number of forkings. In this work we take a closer look at the reasons for
the degradation with a tighter security bound in mind. We nail down the exact
set of conditions for success in the multiple forking game. A careful analysis
of the cryptographic schemes and corresponding security reduction employing multiple
forking leads to the formulation of ‘dependence’ and ‘independence’ conditions
pertaining to the output of the wrapper in different rounds. Based on the (in)dependence
conditions we propose a general framework of multiple forking and a General Multiple
Forking Lemma. Leveraging (in)dependence to the full allows us to improve the
degradation factor in the multiple forking game by a factor of (Formula presented.).
By implication, the cost of a single forking involving two random oracles (augmented
forking) matches that involving a single random oracle (elementary forking). Finally,
we study the effect of these observations on the concrete security of existing
schemes employing multiple forking. We conclude that by careful design of the
protocol (and the wrapper in the security reduction) it is possible to harness
our observations to the full extent.
acknowledgement: "We are grateful to the anonymous reviewers for their insightful
comments. The\r\ndetailed reports helped us a lot to address the technical mistakes
as well as to improve the overall presentation of the paper."
author:
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Sanjit
full_name: Chatterjee, Sanjit
last_name: Chatterjee
citation:
ama: 'Kamath Hosdurg C, Chatterjee S. A closer look at multiple-forking: Leveraging
(in)dependence for a tighter bound. Algorithmica. 2016;74(4):1321-1362.
doi:10.1007/s00453-015-9997-6'
apa: 'Kamath Hosdurg, C., & Chatterjee, S. (2016). A closer look at multiple-forking:
Leveraging (in)dependence for a tighter bound. Algorithmica. Springer.
https://doi.org/10.1007/s00453-015-9997-6'
chicago: 'Kamath Hosdurg, Chethan, and Sanjit Chatterjee. “A Closer Look at Multiple-Forking:
Leveraging (in)Dependence for a Tighter Bound.” Algorithmica. Springer,
2016. https://doi.org/10.1007/s00453-015-9997-6.'
ieee: 'C. Kamath Hosdurg and S. Chatterjee, “A closer look at multiple-forking:
Leveraging (in)dependence for a tighter bound,” Algorithmica, vol. 74,
no. 4. Springer, pp. 1321–1362, 2016.'
ista: 'Kamath Hosdurg C, Chatterjee S. 2016. A closer look at multiple-forking:
Leveraging (in)dependence for a tighter bound. Algorithmica. 74(4), 1321–1362.'
mla: 'Kamath Hosdurg, Chethan, and Sanjit Chatterjee. “A Closer Look at Multiple-Forking:
Leveraging (in)Dependence for a Tighter Bound.” Algorithmica, vol. 74,
no. 4, Springer, 2016, pp. 1321–62, doi:10.1007/s00453-015-9997-6.'
short: C. Kamath Hosdurg, S. Chatterjee, Algorithmica 74 (2016) 1321–1362.
date_created: 2018-12-11T11:50:33Z
date_published: 2016-04-01T00:00:00Z
date_updated: 2021-01-12T06:48:52Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/s00453-015-9997-6
intvolume: ' 74'
issue: '4'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: http://eprint.iacr.org/2013/651
month: '04'
oa: 1
oa_version: Submitted Version
page: 1321 - 1362
publication: Algorithmica
publication_status: published
publisher: Springer
publist_id: '6177'
quality_controlled: '1'
status: public
title: 'A closer look at multiple-forking: Leveraging (in)dependence for a tighter
bound'
type: journal_article
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 74
year: '2016'
...
---
_id: '1179'
abstract:
- lang: eng
text: "Computational notions of entropy have recently found many applications, including
leakage-resilient cryptography, deterministic encryption or memory delegation.
The two main types of results which make computational notions so useful are (1)
Chain rules, which quantify by how much the computational entropy of a variable
decreases if conditioned on some other variable (2) Transformations, which quantify
to which extend one type of entropy implies another.\r\n\r\nSuch chain rules and
transformations typically lose a significant amount in quality of the entropy,
and are the reason why applying these results one gets rather weak quantitative
security bounds. In this paper we for the first time prove lower bounds in this
context, showing that existing results for transformations are, unfortunately,
basically optimal for non-adaptive black-box reductions (and it’s hard to imagine
how non black-box reductions or adaptivity could be useful here.)\r\n\r\nA variable
X has k bits of HILL entropy of quality (ϵ,s)\r\nif there exists a variable Y
with k bits min-entropy which cannot be distinguished from X with advantage ϵ\r\n\r\nby
distinguishing circuits of size s. A weaker notion is Metric entropy, where we
switch quantifiers, and only require that for every distinguisher of size s, such
a Y exists.\r\n\r\nWe first describe our result concerning transformations. By
definition, HILL implies Metric without any loss in quality. Metric entropy often
comes up in applications, but must be transformed to HILL for meaningful security
guarantees. The best known result states that if a variable X has k bits of Metric
entropy of quality (ϵ,s)\r\n, then it has k bits of HILL with quality (2ϵ,s⋅ϵ2).
We show that this loss of a factor Ω(ϵ−2)\r\n\r\nin circuit size is necessary.
In fact, we show the stronger result that this loss is already necessary when
transforming so called deterministic real valued Metric entropy to randomised
boolean Metric (both these variants of Metric entropy are implied by HILL without
loss in quality).\r\n\r\nThe chain rule for HILL entropy states that if X has
k bits of HILL entropy of quality (ϵ,s)\r\n, then for any variable Z of length
m, X conditioned on Z has k−m bits of HILL entropy with quality (ϵ,s⋅ϵ2/2m). We
show that a loss of Ω(2m/ϵ) in circuit size necessary here. Note that this still
leaves a gap of ϵ between the known bound and our lower bound."
acknowledgement: "K. Pietrzak—Supported by the European Research Council consolidator
grant (682815-TOCNeT).\r\nM. Skórski—Supported by the National Science Center, Poland
(2015/17/N/ST6/03564)."
alternative_title:
- LNCS
author:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Skorski
full_name: Maciej, Skorski
last_name: Maciej
citation:
ama: 'Pietrzak KZ, Maciej S. Pseudoentropy: Lower-bounds for chain rules and transformations.
In: Vol 9985. Springer; 2016:183-203. doi:10.1007/978-3-662-53641-4_8'
apa: 'Pietrzak, K. Z., & Maciej, S. (2016). Pseudoentropy: Lower-bounds for
chain rules and transformations (Vol. 9985, pp. 183–203). Presented at the TCC:
Theory of Cryptography Conference, Beijing, China: Springer. https://doi.org/10.1007/978-3-662-53641-4_8'
chicago: 'Pietrzak, Krzysztof Z, and Skorski Maciej. “Pseudoentropy: Lower-Bounds
for Chain Rules and Transformations,” 9985:183–203. Springer, 2016. https://doi.org/10.1007/978-3-662-53641-4_8.'
ieee: 'K. Z. Pietrzak and S. Maciej, “Pseudoentropy: Lower-bounds for chain rules
and transformations,” presented at the TCC: Theory of Cryptography Conference,
Beijing, China, 2016, vol. 9985, pp. 183–203.'
ista: 'Pietrzak KZ, Maciej S. 2016. Pseudoentropy: Lower-bounds for chain rules
and transformations. TCC: Theory of Cryptography Conference, LNCS, vol. 9985,
183–203.'
mla: 'Pietrzak, Krzysztof Z., and Skorski Maciej. Pseudoentropy: Lower-Bounds
for Chain Rules and Transformations. Vol. 9985, Springer, 2016, pp. 183–203,
doi:10.1007/978-3-662-53641-4_8.'
short: K.Z. Pietrzak, S. Maciej, in:, Springer, 2016, pp. 183–203.
conference:
end_date: 2016-11-03
location: Beijing, China
name: 'TCC: Theory of Cryptography Conference'
start_date: 2016-10-31
date_created: 2018-12-11T11:50:34Z
date_published: 2016-10-22T00:00:00Z
date_updated: 2021-01-12T06:48:53Z
day: '22'
department:
- _id: KrPi
doi: 10.1007/978-3-662-53641-4_8
ec_funded: 1
intvolume: ' 9985'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/159
month: '10'
oa: 1
oa_version: Preprint
page: 183 - 203
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_status: published
publisher: Springer
publist_id: '6175'
quality_controlled: '1'
scopus_import: 1
status: public
title: 'Pseudoentropy: Lower-bounds for chain rules and transformations'
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 9985
year: '2016'
...
---
_id: '1231'
abstract:
- lang: eng
text: 'We study the time-and memory-complexities of the problem of computing labels
of (multiple) randomly selected challenge-nodes in a directed acyclic graph. The
w-bit label of a node is the hash of the labels of its parents, and the hash function
is modeled as a random oracle. Specific instances of this problem underlie both
proofs of space [Dziembowski et al. CRYPTO’15] as well as popular memory-hard
functions like scrypt. As our main tool, we introduce the new notion of a probabilistic
parallel entangled pebbling game, a new type of combinatorial pebbling game on
a graph, which is closely related to the labeling game on the same graph. As a
first application of our framework, we prove that for scrypt, when the underlying
hash function is invoked n times, the cumulative memory complexity (CMC) (a notion
recently introduced by Alwen and Serbinenko (STOC’15) to capture amortized memory-hardness
for parallel adversaries) is at least Ω(w · (n/ log(n))2). This bound holds for
adversaries that can store many natural functions of the labels (e.g., linear
combinations), but still not arbitrary functions thereof. We then introduce and
study a combinatorial quantity, and show how a sufficiently small upper bound
on it (which we conjecture) extends our CMC bound for scrypt to hold against arbitrary
adversaries. We also show that such an upper bound solves the main open problem
for proofs-of-space protocols: namely, establishing that the time complexity of
computing the label of a random node in a graph on n nodes (given an initial kw-bit
state) reduces tightly to the time complexity for black pebbling on the same graph
(given an initial k-node pebbling).'
acknowledgement: "Joël Alwen, Chethan Kamath, and Krzysztof Pietrzak’s research is
partially supported by an ERC starting grant (259668-PSPC). Vladimir Kolmogorov
is partially supported by an ERC consolidator grant (616160-DOICV). Binyi Chen was
partially supported by NSF grants CNS-1423566 and CNS-1514526, and a gift from the
Gareatis Foundation. Stefano Tessaro was partially supported by NSF grants CNS-1423566,
CNS-1528178, a Hellman Fellowship, and the Glen and Susanne Culler Chair.\r\n\r\nThis
work was done in part while the authors were visiting the Simons Institute for the
Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons
Collaboration in Cryptography through NSF grant CNS-1523467."
alternative_title:
- LNCS
author:
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Binyi
full_name: Chen, Binyi
last_name: Chen
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Vladimir
full_name: Kolmogorov, Vladimir
id: 3D50B0BA-F248-11E8-B48F-1D18A9856A87
last_name: Kolmogorov
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Stefano
full_name: Tessaro, Stefano
last_name: Tessaro
citation:
ama: 'Alwen JF, Chen B, Kamath Hosdurg C, Kolmogorov V, Pietrzak KZ, Tessaro S.
On the complexity of scrypt and proofs of space in the parallel random oracle
model. In: Vol 9666. Springer; 2016:358-387. doi:10.1007/978-3-662-49896-5_13'
apa: 'Alwen, J. F., Chen, B., Kamath Hosdurg, C., Kolmogorov, V., Pietrzak, K. Z.,
& Tessaro, S. (2016). On the complexity of scrypt and proofs of space in the
parallel random oracle model (Vol. 9666, pp. 358–387). Presented at the EUROCRYPT:
Theory and Applications of Cryptographic Techniques, Vienna, Austria: Springer.
https://doi.org/10.1007/978-3-662-49896-5_13'
chicago: Alwen, Joel F, Binyi Chen, Chethan Kamath Hosdurg, Vladimir Kolmogorov,
Krzysztof Z Pietrzak, and Stefano Tessaro. “On the Complexity of Scrypt and Proofs
of Space in the Parallel Random Oracle Model,” 9666:358–87. Springer, 2016. https://doi.org/10.1007/978-3-662-49896-5_13.
ieee: 'J. F. Alwen, B. Chen, C. Kamath Hosdurg, V. Kolmogorov, K. Z. Pietrzak, and
S. Tessaro, “On the complexity of scrypt and proofs of space in the parallel random
oracle model,” presented at the EUROCRYPT: Theory and Applications of Cryptographic
Techniques, Vienna, Austria, 2016, vol. 9666, pp. 358–387.'
ista: 'Alwen JF, Chen B, Kamath Hosdurg C, Kolmogorov V, Pietrzak KZ, Tessaro S.
2016. On the complexity of scrypt and proofs of space in the parallel random oracle
model. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol.
9666, 358–387.'
mla: Alwen, Joel F., et al. On the Complexity of Scrypt and Proofs of Space in
the Parallel Random Oracle Model. Vol. 9666, Springer, 2016, pp. 358–87, doi:10.1007/978-3-662-49896-5_13.
short: J.F. Alwen, B. Chen, C. Kamath Hosdurg, V. Kolmogorov, K.Z. Pietrzak, S.
Tessaro, in:, Springer, 2016, pp. 358–387.
conference:
end_date: 2016-05-12
location: Vienna, Austria
name: 'EUROCRYPT: Theory and Applications of Cryptographic Techniques'
start_date: 2016-05-08
date_created: 2018-12-11T11:50:51Z
date_published: 2016-04-28T00:00:00Z
date_updated: 2021-01-12T06:49:15Z
day: '28'
department:
- _id: KrPi
- _id: VlKo
doi: 10.1007/978-3-662-49896-5_13
ec_funded: 1
intvolume: ' 9666'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/100
month: '04'
oa: 1
oa_version: Submitted Version
page: 358 - 387
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
- _id: 25FBA906-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '616160'
name: 'Discrete Optimization in Computer Vision: Theory and Practice'
publication_status: published
publisher: Springer
publist_id: '6103'
quality_controlled: '1'
scopus_import: 1
status: public
title: On the complexity of scrypt and proofs of space in the parallel random oracle
model
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 9666
year: '2016'
...
---
_id: '1233'
abstract:
- lang: eng
text: About three decades ago it was realized that implementing private channels
between parties which can be adaptively corrupted requires an encryption scheme
that is secure against selective opening attacks. Whether standard (IND-CPA) security
implies security against selective opening attacks has been a major open question
since. The only known reduction from selective opening to IND-CPA security loses
an exponential factor. A polynomial reduction is only known for the very special
case where the distribution considered in the selective opening security experiment
is a product distribution, i.e., the messages are sampled independently from each
other. In this paper we give a reduction whose loss is quantified via the dependence
graph (where message dependencies correspond to edges) of the underlying message
distribution. In particular, for some concrete distributions including Markov
distributions, our reduction is polynomial.
acknowledgement: G. Fuchsbauer and K. Pietrzak are supported by the European Research
Council, ERC Starting Grant (259668-PSPC). F. Heuer is funded by a Sofja Kovalevskaja
Award of the Alexander von Humboldt Foundation and DFG SPP 1736, Algorithms for
BIG DATA. E. Kiltz is supported by a Sofja Kovalevskaja Award of the Alexander von
Humboldt Foundation, the German Israel Foundation, and ERC Project ERCC (FP7/615074).
alternative_title:
- LNCS
author:
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: Felix
full_name: Heuer, Felix
last_name: Heuer
- first_name: Eike
full_name: Kiltz, Eike
last_name: Kiltz
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Fuchsbauer G, Heuer F, Kiltz E, Pietrzak KZ. Standard security does imply
security against selective opening for markov distributions. In: Vol 9562. Springer;
2016:282-305. doi:10.1007/978-3-662-49096-9_12'
apa: 'Fuchsbauer, G., Heuer, F., Kiltz, E., & Pietrzak, K. Z. (2016). Standard
security does imply security against selective opening for markov distributions
(Vol. 9562, pp. 282–305). Presented at the TCC: Theory of Cryptography Conference,
Tel Aviv, Israel: Springer. https://doi.org/10.1007/978-3-662-49096-9_12'
chicago: Fuchsbauer, Georg, Felix Heuer, Eike Kiltz, and Krzysztof Z Pietrzak. “Standard
Security Does Imply Security against Selective Opening for Markov Distributions,”
9562:282–305. Springer, 2016. https://doi.org/10.1007/978-3-662-49096-9_12.
ieee: 'G. Fuchsbauer, F. Heuer, E. Kiltz, and K. Z. Pietrzak, “Standard security
does imply security against selective opening for markov distributions,” presented
at the TCC: Theory of Cryptography Conference, Tel Aviv, Israel, 2016, vol. 9562,
pp. 282–305.'
ista: 'Fuchsbauer G, Heuer F, Kiltz E, Pietrzak KZ. 2016. Standard security does
imply security against selective opening for markov distributions. TCC: Theory
of Cryptography Conference, LNCS, vol. 9562, 282–305.'
mla: Fuchsbauer, Georg, et al. Standard Security Does Imply Security against
Selective Opening for Markov Distributions. Vol. 9562, Springer, 2016, pp.
282–305, doi:10.1007/978-3-662-49096-9_12.
short: G. Fuchsbauer, F. Heuer, E. Kiltz, K.Z. Pietrzak, in:, Springer, 2016, pp.
282–305.
conference:
end_date: 2016-01-13
location: Tel Aviv, Israel
name: 'TCC: Theory of Cryptography Conference'
start_date: 2016-01-10
date_created: 2018-12-11T11:50:51Z
date_published: 2016-01-01T00:00:00Z
date_updated: 2021-01-12T06:49:16Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-662-49096-9_12
ec_funded: 1
intvolume: ' 9562'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2015/853
month: '01'
oa: 1
oa_version: Submitted Version
page: 282 - 305
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '6100'
quality_controlled: '1'
scopus_import: 1
status: public
title: Standard security does imply security against selective opening for markov
distributions
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 9562
year: '2016'
...
---
_id: '1365'
abstract:
- lang: eng
text: A memory-hard function (MHF) f is equipped with a space cost σ and time cost
τ parameter such that repeatedly computing fσ,τ on an application specific integrated
circuit (ASIC) is not economically advantageous relative to a general purpose
computer. Technically we would like that any (generalized) circuit for evaluating
an iMHF fσ,τ has area × time (AT) complexity at Θ(σ2 ∗ τ). A data-independent
MHF (iMHF) has the added property that it can be computed with almost optimal
memory and time complexity by an algorithm which accesses memory in a pattern
independent of the input value. Such functions can be specified by fixing a directed
acyclic graph (DAG) G on n = Θ(σ ∗ τ) nodes representing its computation graph.
In this work we develop new tools for analyzing iMHFs. First we define and motivate
a new complexity measure capturing the amount of energy (i.e. electricity) required
to compute a function. We argue that, in practice, this measure is at least as
important as the more traditional AT-complexity. Next we describe an algorithm
A for repeatedly evaluating an iMHF based on an arbitrary DAG G. We upperbound
both its energy and AT complexities per instance evaluated in terms of a certain
combinatorial property of G. Next we instantiate our attack for several general
classes of DAGs which include those underlying many of the most important iMHF
candidates in the literature. In particular, we obtain the following results which
hold for all choices of parameters σ and τ (and thread-count) such that n = σ
∗ τ. -The Catena-Dragonfly function of [FLW13] has AT and energy complexities
O(n1.67). -The Catena-Butterfly function of [FLW13] has complexities is O(n1.67).
-The Double-Buffer and the Linear functions of [CGBS16] both have complexities
in O(n1.67). -The Argon2i function of [BDK15] (winner of the Password Hashing
Competition [PHC]) has complexities O(n7/4 log(n)). -The Single-Buffer function
of [CGBS16] has complexities O(n7/4 log(n)). -Any iMHF can be computed by an algorithm
with complexities O(n2/ log1 −ε(n)) for all ε > 0. In particular when τ = 1
this shows that the goal of constructing an iMHF with AT-complexity Θ(σ2 ∗ τ )
is unachievable. Along the way we prove a lemma upper-bounding the depth-robustness
of any DAG which may prove to be of independent interest.
alternative_title:
- LNCS
author:
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Jeremiah
full_name: Blocki, Jeremiah
last_name: Blocki
citation:
ama: 'Alwen JF, Blocki J. Efficiently computing data-independent memory-hard functions.
In: Vol 9815. Springer; 2016:241-271. doi:10.1007/978-3-662-53008-5_9'
apa: 'Alwen, J. F., & Blocki, J. (2016). Efficiently computing data-independent
memory-hard functions (Vol. 9815, pp. 241–271). Presented at the CRYPTO: International
Cryptology Conference, Santa Barbara, CA, USA: Springer. https://doi.org/10.1007/978-3-662-53008-5_9'
chicago: Alwen, Joel F, and Jeremiah Blocki. “Efficiently Computing Data-Independent
Memory-Hard Functions,” 9815:241–71. Springer, 2016. https://doi.org/10.1007/978-3-662-53008-5_9.
ieee: 'J. F. Alwen and J. Blocki, “Efficiently computing data-independent memory-hard
functions,” presented at the CRYPTO: International Cryptology Conference, Santa
Barbara, CA, USA, 2016, vol. 9815, pp. 241–271.'
ista: 'Alwen JF, Blocki J. 2016. Efficiently computing data-independent memory-hard
functions. CRYPTO: International Cryptology Conference, LNCS, vol. 9815, 241–271.'
mla: Alwen, Joel F., and Jeremiah Blocki. Efficiently Computing Data-Independent
Memory-Hard Functions. Vol. 9815, Springer, 2016, pp. 241–71, doi:10.1007/978-3-662-53008-5_9.
short: J.F. Alwen, J. Blocki, in:, Springer, 2016, pp. 241–271.
conference:
end_date: 2016-08-18
location: Santa Barbara, CA, USA
name: 'CRYPTO: International Cryptology Conference'
start_date: 2016-08-14
date_created: 2018-12-11T11:51:36Z
date_published: 2016-08-01T00:00:00Z
date_updated: 2021-01-12T06:50:11Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-662-53008-5_9
intvolume: ' 9815'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: http://eprint.iacr.org/2016/115
month: '08'
oa: 1
oa_version: Preprint
page: 241 - 271
publication_status: published
publisher: Springer
publist_id: '5876'
quality_controlled: '1'
scopus_import: 1
status: public
title: Efficiently computing data-independent memory-hard functions
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 9815
year: '2016'
...
---
_id: '1366'
abstract:
- lang: eng
text: 'We study the problem of devising provably secure PRNGs with input based on
the sponge paradigm. Such constructions are very appealing, as efficient software/hardware
implementations of SHA-3 can easily be translated into a PRNG in a nearly black-box
way. The only existing sponge-based construction, proposed by Bertoni et al. (CHES
2010), fails to achieve the security notion of robustness recently considered
by Dodis et al. (CCS 2013), for two reasons: (1) The construction is deterministic,
and thus there are high-entropy input distributions on which the construction
fails to extract random bits, and (2) The construction is not forward secure,
and presented solutions aiming at restoring forward security have not been rigorously
analyzed. We propose a seeded variant of Bertoni et al.’s PRNG with input which
we prove secure in the sense of robustness, delivering in particular concrete
security bounds. On the way, we make what we believe to be an important conceptual
contribution, developing a variant of the security framework of Dodis et al. tailored
at the ideal permutation model that captures PRNG security in settings where the
weakly random inputs are provided from a large class of possible adversarial samplers
which are also allowed to query the random permutation. As a further application
of our techniques, we also present an efficient sponge-based key-derivation function
(which can be instantiated from SHA-3 in a black-box fashion), which we also prove
secure when fed with samples from permutation-dependent distributions.'
alternative_title:
- LNCS
author:
- first_name: Peter
full_name: Gazi, Peter
id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
last_name: Gazi
- first_name: Stefano
full_name: Tessaro, Stefano
last_name: Tessaro
citation:
ama: 'Gazi P, Tessaro S. Provably robust sponge-based PRNGs and KDFs. In: Vol 9665.
Springer; 2016:87-116. doi:10.1007/978-3-662-49890-3_4'
apa: 'Gazi, P., & Tessaro, S. (2016). Provably robust sponge-based PRNGs and
KDFs (Vol. 9665, pp. 87–116). Presented at the EUROCRYPT: Theory and Applications
of Cryptographic Techniques, Vienna, Austria: Springer. https://doi.org/10.1007/978-3-662-49890-3_4'
chicago: Gazi, Peter, and Stefano Tessaro. “Provably Robust Sponge-Based PRNGs and
KDFs,” 9665:87–116. Springer, 2016. https://doi.org/10.1007/978-3-662-49890-3_4.
ieee: 'P. Gazi and S. Tessaro, “Provably robust sponge-based PRNGs and KDFs,” presented
at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Vienna,
Austria, 2016, vol. 9665, pp. 87–116.'
ista: 'Gazi P, Tessaro S. 2016. Provably robust sponge-based PRNGs and KDFs. EUROCRYPT:
Theory and Applications of Cryptographic Techniques, LNCS, vol. 9665, 87–116.'
mla: Gazi, Peter, and Stefano Tessaro. Provably Robust Sponge-Based PRNGs and
KDFs. Vol. 9665, Springer, 2016, pp. 87–116, doi:10.1007/978-3-662-49890-3_4.
short: P. Gazi, S. Tessaro, in:, Springer, 2016, pp. 87–116.
conference:
end_date: 2016-05-12
location: Vienna, Austria
name: 'EUROCRYPT: Theory and Applications of Cryptographic Techniques'
start_date: 2016-05-08
date_created: 2018-12-11T11:51:36Z
date_published: 2016-05-01T00:00:00Z
date_updated: 2021-01-12T06:50:11Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-662-49890-3_4
ec_funded: 1
intvolume: ' 9665'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/169/20160219:201940
month: '05'
oa: 1
oa_version: Preprint
page: 87 - 116
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5872'
quality_controlled: '1'
scopus_import: 1
status: public
title: Provably robust sponge-based PRNGs and KDFs
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 9665
year: '2016'
...
---
_id: '1592'
abstract:
- lang: eng
text: A modular approach to constructing cryptographic protocols leads to simple
designs but often inefficient instantiations. On the other hand, ad hoc constructions
may yield efficient protocols at the cost of losing conceptual simplicity. We
suggest a new design paradigm, structure-preserving cryptography, that provides
a way to construct modular protocols with reasonable efficiency while retaining
conceptual simplicity. A cryptographic scheme over a bilinear group is called
structure-preserving if its public inputs and outputs consist of elements from
the bilinear groups and their consistency can be verified by evaluating pairing-product
equations. As structure-preserving schemes smoothly interoperate with each other,
they are useful as building blocks in modular design of cryptographic applications.
This paper introduces structure-preserving commitment and signature schemes over
bilinear groups with several desirable properties. The commitment schemes include
homomorphic, trapdoor and length-reducing commitments to group elements, and the
structure-preserving signature schemes are the first ones that yield constant-size
signatures on multiple group elements. A structure-preserving signature scheme
is called automorphic if the public keys lie in the message space, which cannot
be achieved by compressing inputs via a cryptographic hash function, as this would
destroy the mathematical structure we are trying to preserve. Automorphic signatures
can be used for building certification chains underlying privacy-preserving protocols.
Among a vast number of applications of structure-preserving protocols, we present
an efficient round-optimal blind-signature scheme and a group signature scheme
with an efficient and concurrently secure protocol for enrolling new members.
acknowledgement: The authors would like to thank the anonymous reviewers of this paper.
We also would like to express our appreciation to the program committee and the
anonymous reviewers for CRYPTO 2010. The first author thanks Sherman S. M. Chow
for his comment on group signatures in Sect. 7.1.
author:
- first_name: Masayuki
full_name: Abe, Masayuki
last_name: Abe
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: Jens
full_name: Groth, Jens
last_name: Groth
- first_name: Kristiyan
full_name: Haralambiev, Kristiyan
last_name: Haralambiev
- first_name: Miyako
full_name: Ohkubo, Miyako
last_name: Ohkubo
citation:
ama: Abe M, Fuchsbauer G, Groth J, Haralambiev K, Ohkubo M. Structure preserving
signatures and commitments to group elements. Journal of Cryptology. 2016;29(2):363-421.
doi:10.1007/s00145-014-9196-7
apa: Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., & Ohkubo, M. (2016).
Structure preserving signatures and commitments to group elements. Journal
of Cryptology. Springer. https://doi.org/10.1007/s00145-014-9196-7
chicago: Abe, Masayuki, Georg Fuchsbauer, Jens Groth, Kristiyan Haralambiev, and
Miyako Ohkubo. “Structure Preserving Signatures and Commitments to Group Elements.”
Journal of Cryptology. Springer, 2016. https://doi.org/10.1007/s00145-014-9196-7.
ieee: M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, and M. Ohkubo, “Structure
preserving signatures and commitments to group elements,” Journal of Cryptology,
vol. 29, no. 2. Springer, pp. 363–421, 2016.
ista: Abe M, Fuchsbauer G, Groth J, Haralambiev K, Ohkubo M. 2016. Structure preserving
signatures and commitments to group elements. Journal of Cryptology. 29(2), 363–421.
mla: Abe, Masayuki, et al. “Structure Preserving Signatures and Commitments to Group
Elements.” Journal of Cryptology, vol. 29, no. 2, Springer, 2016, pp. 363–421,
doi:10.1007/s00145-014-9196-7.
short: M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo, Journal of Cryptology
29 (2016) 363–421.
date_created: 2018-12-11T11:52:54Z
date_published: 2016-04-01T00:00:00Z
date_updated: 2021-01-12T06:51:49Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/s00145-014-9196-7
intvolume: ' 29'
issue: '2'
language:
- iso: eng
month: '04'
oa_version: None
page: 363 - 421
publication: Journal of Cryptology
publication_status: published
publisher: Springer
publist_id: '5579'
quality_controlled: '1'
scopus_import: 1
status: public
title: Structure preserving signatures and commitments to group elements
type: journal_article
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 29
year: '2016'
...
---
_id: '1225'
abstract:
- lang: eng
text: At Crypto 2015 Fuchsbauer, Hanser and Slamanig (FHS) presented the first standard-model
construction of efficient roundoptimal blind signatures that does not require
complexity leveraging. It is conceptually simple and builds on the primitive of
structure-preserving signatures on equivalence classes (SPS-EQ). FHS prove the
unforgeability of their scheme assuming EUF-CMA security of the SPS-EQ scheme
and hardness of a version of the DH inversion problem. Blindness under adversarially
chosen keys is proven under an interactive variant of the DDH assumption. We propose
a variant of their scheme whose blindness can be proven under a non-interactive
assumption, namely a variant of the bilinear DDH assumption. We moreover prove
its unforgeability assuming only unforgeability of the underlying SPS-EQ but no
additional assumptions as needed for the FHS scheme.
alternative_title:
- LNCS
author:
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: Christian
full_name: Hanser, Christian
last_name: Hanser
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Daniel
full_name: Slamanig, Daniel
last_name: Slamanig
citation:
ama: 'Fuchsbauer G, Hanser C, Kamath Hosdurg C, Slamanig D. Practical round-optimal
blind signatures in the standard model from weaker assumptions. In: Vol 9841.
Springer; 2016:391-408. doi:10.1007/978-3-319-44618-9_21'
apa: 'Fuchsbauer, G., Hanser, C., Kamath Hosdurg, C., & Slamanig, D. (2016).
Practical round-optimal blind signatures in the standard model from weaker assumptions
(Vol. 9841, pp. 391–408). Presented at the SCN: Security and Cryptography for
Networks, Amalfi, Italy: Springer. https://doi.org/10.1007/978-3-319-44618-9_21'
chicago: Fuchsbauer, Georg, Christian Hanser, Chethan Kamath Hosdurg, and Daniel
Slamanig. “Practical Round-Optimal Blind Signatures in the Standard Model from
Weaker Assumptions,” 9841:391–408. Springer, 2016. https://doi.org/10.1007/978-3-319-44618-9_21.
ieee: 'G. Fuchsbauer, C. Hanser, C. Kamath Hosdurg, and D. Slamanig, “Practical
round-optimal blind signatures in the standard model from weaker assumptions,”
presented at the SCN: Security and Cryptography for Networks, Amalfi, Italy, 2016,
vol. 9841, pp. 391–408.'
ista: 'Fuchsbauer G, Hanser C, Kamath Hosdurg C, Slamanig D. 2016. Practical round-optimal
blind signatures in the standard model from weaker assumptions. SCN: Security
and Cryptography for Networks, LNCS, vol. 9841, 391–408.'
mla: Fuchsbauer, Georg, et al. Practical Round-Optimal Blind Signatures in the
Standard Model from Weaker Assumptions. Vol. 9841, Springer, 2016, pp. 391–408,
doi:10.1007/978-3-319-44618-9_21.
short: G. Fuchsbauer, C. Hanser, C. Kamath Hosdurg, D. Slamanig, in:, Springer,
2016, pp. 391–408.
conference:
end_date: 2016-09-02
location: Amalfi, Italy
name: 'SCN: Security and Cryptography for Networks'
start_date: 2016-08-31
date_created: 2018-12-11T11:50:49Z
date_published: 2016-08-11T00:00:00Z
date_updated: 2023-02-23T10:08:16Z
day: '11'
department:
- _id: KrPi
doi: 10.1007/978-3-319-44618-9_21
ec_funded: 1
intvolume: ' 9841'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/662
month: '08'
oa: 1
oa_version: Submitted Version
page: 391 - 408
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_status: published
publisher: Springer
publist_id: '6109'
quality_controlled: '1'
related_material:
record:
- id: '1647'
relation: earlier_version
status: public
scopus_import: 1
status: public
title: Practical round-optimal blind signatures in the standard model from weaker
assumptions
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9841
year: '2016'
...
---
_id: '1653'
abstract:
- lang: eng
text: "A somewhere statistically binding (SSB) hash, introduced by Hubáček and Wichs
(ITCS ’15), can be used to hash a long string x to a short digest y = H hk (x)
using a public hashing-key hk. Furthermore, there is a way to set up the hash
key hk to make it statistically binding on some arbitrary hidden position i, meaning
that: (1) the digest y completely determines the i’th bit (or symbol) of x so
that all pre-images of y have the same value in the i’th position, (2) it is computationally
infeasible to distinguish the position i on which hk is statistically binding
from any other position i’. Lastly, the hash should have a local opening property
analogous to Merkle-Tree hashing, meaning that given x and y = H hk (x) it should
be possible to create a short proof π that certifies the value of the i’th bit
(or symbol) of x without having to provide the entire input x. A similar primitive
called a positional accumulator, introduced by Koppula, Lewko and Waters (STOC
’15) further supports dynamic updates of the hashed value. These tools, which
are interesting in their own right, also serve as one of the main technical components
in several recent works building advanced applications from indistinguishability
obfuscation (iO).\r\n\r\nThe prior constructions of SSB hashing and positional
accumulators required fully homomorphic encryption (FHE) and iO respectively.
In this work, we give new constructions of these tools based on well studied number-theoretic
assumptions such as DDH, Phi-Hiding and DCR, as well as a general construction
from lossy/injective functions."
alternative_title:
- LNCS
author:
- first_name: Tatsuaki
full_name: Okamoto, Tatsuaki
last_name: Okamoto
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Brent
full_name: Waters, Brent
last_name: Waters
- first_name: Daniel
full_name: Wichs, Daniel
last_name: Wichs
citation:
ama: 'Okamoto T, Pietrzak KZ, Waters B, Wichs D. New realizations of somewhere statistically
binding hashing and positional accumulators. In: Vol 9452. Springer; 2016:121-145.
doi:10.1007/978-3-662-48797-6_6'
apa: 'Okamoto, T., Pietrzak, K. Z., Waters, B., & Wichs, D. (2016). New realizations
of somewhere statistically binding hashing and positional accumulators (Vol. 9452,
pp. 121–145). Presented at the ASIACRYPT: Theory and Application of Cryptology
and Information Security, Auckland, New Zealand: Springer. https://doi.org/10.1007/978-3-662-48797-6_6'
chicago: Okamoto, Tatsuaki, Krzysztof Z Pietrzak, Brent Waters, and Daniel Wichs.
“New Realizations of Somewhere Statistically Binding Hashing and Positional Accumulators,”
9452:121–45. Springer, 2016. https://doi.org/10.1007/978-3-662-48797-6_6.
ieee: 'T. Okamoto, K. Z. Pietrzak, B. Waters, and D. Wichs, “New realizations of
somewhere statistically binding hashing and positional accumulators,” presented
at the ASIACRYPT: Theory and Application of Cryptology and Information Security,
Auckland, New Zealand, 2016, vol. 9452, pp. 121–145.'
ista: 'Okamoto T, Pietrzak KZ, Waters B, Wichs D. 2016. New realizations of somewhere
statistically binding hashing and positional accumulators. ASIACRYPT: Theory and
Application of Cryptology and Information Security, LNCS, vol. 9452, 121–145.'
mla: Okamoto, Tatsuaki, et al. New Realizations of Somewhere Statistically Binding
Hashing and Positional Accumulators. Vol. 9452, Springer, 2016, pp. 121–45,
doi:10.1007/978-3-662-48797-6_6.
short: T. Okamoto, K.Z. Pietrzak, B. Waters, D. Wichs, in:, Springer, 2016, pp.
121–145.
conference:
end_date: 2015-12-03
location: Auckland, New Zealand
name: 'ASIACRYPT: Theory and Application of Cryptology and Information Security'
start_date: 2015-11-29
date_created: 2018-12-11T11:53:16Z
date_published: 2016-01-08T00:00:00Z
date_updated: 2021-01-12T06:52:16Z
day: '08'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.1007/978-3-662-48797-6_6
ec_funded: 1
file:
- access_level: open_access
checksum: a57711cb660c5b17b42bb47275a00180
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:12:05Z
date_updated: 2020-07-14T12:45:08Z
file_id: '4923'
file_name: IST-2016-677-v1+1_869.pdf
file_size: 580088
relation: main_file
file_date_updated: 2020-07-14T12:45:08Z
has_accepted_license: '1'
intvolume: ' 9452'
language:
- iso: eng
month: '01'
oa: 1
oa_version: Submitted Version
page: 121 - 145
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5497'
pubrep_id: '677'
quality_controlled: '1'
scopus_import: 1
status: public
title: New realizations of somewhere statistically binding hashing and positional
accumulators
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9452
year: '2016'
...
---
_id: '1479'
abstract:
- lang: eng
text: "Most entropy notions H(.) like Shannon or min-entropy satisfy a chain rule
stating that for random variables X,Z, and A we have H(X|Z,A)≥H(X|Z)−|A|. That
is, by conditioning on A the entropy of X can decrease by at most the bitlength
|A| of A. Such chain rules are known to hold for some computational entropy notions
like Yao’s and unpredictability-entropy. For HILL entropy, the computational analogue
of min-entropy, the chain rule is of special interest and has found many applications,
including leakage-resilient cryptography, deterministic encryption, and memory
delegation. These applications rely on restricted special cases of the chain rule.
Whether the chain rule for conditional HILL entropy holds in general was an open
problem for which we give a strong negative answer: we construct joint distributions
(X,Z,A), where A is a distribution over a single bit, such that the HILL entropy
H HILL (X|Z) is large but H HILL (X|Z,A) is basically zero.\r\n\r\nOur counterexample
just makes the minimal assumption that NP⊈P/poly. Under the stronger assumption
that injective one-way function exist, we can make all the distributions efficiently
samplable.\r\n\r\nFinally, we show that some more sophisticated cryptographic
objects like lossy functions can be used to sample a distribution constituting
a counterexample to the chain rule making only a single invocation to the underlying
object."
acknowledgement: "This work was partly funded by the European Research Council under
ERC Starting Grant 259668-PSPC and ERC Advanced Grant 321310-PERCY.\r\n"
author:
- first_name: Stephan
full_name: Krenn, Stephan
id: 329FCCF0-F248-11E8-B48F-1D18A9856A87
last_name: Krenn
orcid: 0000-0003-2835-9093
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Akshay
full_name: Wadia, Akshay
last_name: Wadia
- first_name: Daniel
full_name: Wichs, Daniel
last_name: Wichs
citation:
ama: Krenn S, Pietrzak KZ, Wadia A, Wichs D. A counterexample to the chain rule
for conditional HILL entropy. Computational Complexity. 2016;25(3):567-605.
doi:10.1007/s00037-015-0120-9
apa: Krenn, S., Pietrzak, K. Z., Wadia, A., & Wichs, D. (2016). A counterexample
to the chain rule for conditional HILL entropy. Computational Complexity.
Springer. https://doi.org/10.1007/s00037-015-0120-9
chicago: Krenn, Stephan, Krzysztof Z Pietrzak, Akshay Wadia, and Daniel Wichs. “A
Counterexample to the Chain Rule for Conditional HILL Entropy.” Computational
Complexity. Springer, 2016. https://doi.org/10.1007/s00037-015-0120-9.
ieee: S. Krenn, K. Z. Pietrzak, A. Wadia, and D. Wichs, “A counterexample to the
chain rule for conditional HILL entropy,” Computational Complexity, vol.
25, no. 3. Springer, pp. 567–605, 2016.
ista: Krenn S, Pietrzak KZ, Wadia A, Wichs D. 2016. A counterexample to the chain
rule for conditional HILL entropy. Computational Complexity. 25(3), 567–605.
mla: Krenn, Stephan, et al. “A Counterexample to the Chain Rule for Conditional
HILL Entropy.” Computational Complexity, vol. 25, no. 3, Springer, 2016,
pp. 567–605, doi:10.1007/s00037-015-0120-9.
short: S. Krenn, K.Z. Pietrzak, A. Wadia, D. Wichs, Computational Complexity 25
(2016) 567–605.
date_created: 2018-12-11T11:52:16Z
date_published: 2016-09-01T00:00:00Z
date_updated: 2023-02-23T11:05:09Z
day: '01'
ddc:
- '004'
department:
- _id: KrPi
doi: 10.1007/s00037-015-0120-9
ec_funded: 1
file:
- access_level: open_access
checksum: 7659296174fa75f5f0364f31f46f4bcf
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:13:29Z
date_updated: 2020-07-14T12:44:56Z
file_id: '5012'
file_name: IST-2017-766-v1+1_678.pdf
file_size: 483258
relation: main_file
file_date_updated: 2020-07-14T12:44:56Z
has_accepted_license: '1'
intvolume: ' 25'
issue: '3'
language:
- iso: eng
month: '09'
oa: 1
oa_version: Submitted Version
page: 567 - 605
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication: Computational Complexity
publication_status: published
publisher: Springer
publist_id: '5715'
pubrep_id: '766'
quality_controlled: '1'
related_material:
record:
- id: '2940'
relation: earlier_version
status: public
scopus_import: 1
status: public
title: A counterexample to the chain rule for conditional HILL entropy
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: journal_article
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 25
year: '2016'
...
---
_id: '1229'
abstract:
- lang: eng
text: Witness encryption (WE) was introduced by Garg et al. [GGSW13]. A WE scheme
is defined for some NP language L and lets a sender encrypt messages relative
to instances x. A ciphertext for x can be decrypted using w witnessing x ∈ L,
but hides the message if x ∈ L. Garg et al. construct WE from multilinear maps
and give another construction [GGH+13b] using indistinguishability obfuscation
(iO) for circuits. Due to the reliance on such heavy tools, WE can cur- rently
hardly be implemented on powerful hardware and will unlikely be realizable on
constrained devices like smart cards any time soon. We construct a WE scheme where
encryption is done by simply computing a Naor-Yung ciphertext (two CPA encryptions
and a NIZK proof). To achieve this, our scheme has a setup phase, which outputs
public parameters containing an obfuscated circuit (only required for decryption),
two encryption keys and a common reference string (used for encryption). This
setup need only be run once, and the parame- ters can be used for arbitrary many
encryptions. Our scheme can also be turned into a functional WE scheme, where
a message is encrypted w.r.t. a statement and a function f, and decryption with
a witness w yields f (m, w). Our construction is inspired by the functional encryption
scheme by Garg et al. and we prove (selective) security assuming iO and statistically
simulation-sound NIZK. We give a construction of the latter in bilinear groups
and combining it with ElGamal encryption, our ciphertexts are of size 1.3 kB at
a 128-bit security level and can be computed on a smart card.
acknowledgement: Research supported by the European Research Council, ERC starting grant
(259668-PSPC) and ERC consolidator grant (682815 - TOCNeT).
alternative_title:
- LNCS
author:
- first_name: Hamza M
full_name: Abusalah, Hamza M
id: 40297222-F248-11E8-B48F-1D18A9856A87
last_name: Abusalah
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Abusalah HM, Fuchsbauer G, Pietrzak KZ. Offline witness encryption. In: Vol
9696. Springer; 2016:285-303. doi:10.1007/978-3-319-39555-5_16'
apa: 'Abusalah, H. M., Fuchsbauer, G., & Pietrzak, K. Z. (2016). Offline witness
encryption (Vol. 9696, pp. 285–303). Presented at the ACNS: Applied Cryptography
and Network Security, Guildford, UK: Springer. https://doi.org/10.1007/978-3-319-39555-5_16'
chicago: Abusalah, Hamza M, Georg Fuchsbauer, and Krzysztof Z Pietrzak. “Offline
Witness Encryption,” 9696:285–303. Springer, 2016. https://doi.org/10.1007/978-3-319-39555-5_16.
ieee: 'H. M. Abusalah, G. Fuchsbauer, and K. Z. Pietrzak, “Offline witness encryption,”
presented at the ACNS: Applied Cryptography and Network Security, Guildford, UK,
2016, vol. 9696, pp. 285–303.'
ista: 'Abusalah HM, Fuchsbauer G, Pietrzak KZ. 2016. Offline witness encryption.
ACNS: Applied Cryptography and Network Security, LNCS, vol. 9696, 285–303.'
mla: Abusalah, Hamza M., et al. Offline Witness Encryption. Vol. 9696, Springer,
2016, pp. 285–303, doi:10.1007/978-3-319-39555-5_16.
short: H.M. Abusalah, G. Fuchsbauer, K.Z. Pietrzak, in:, Springer, 2016, pp. 285–303.
conference:
end_date: 2016-06-22
location: Guildford, UK
name: 'ACNS: Applied Cryptography and Network Security'
start_date: 2016-06-19
date_created: 2018-12-11T11:50:50Z
date_published: 2016-06-09T00:00:00Z
date_updated: 2023-09-07T12:30:22Z
day: '09'
ddc:
- '005'
- '600'
department:
- _id: KrPi
doi: 10.1007/978-3-319-39555-5_16
ec_funded: 1
file:
- access_level: open_access
checksum: 34fa9ce681da845a1ba945ba3dc57867
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:17:20Z
date_updated: 2020-07-14T12:44:39Z
file_id: '5273'
file_name: IST-2017-765-v1+1_838.pdf
file_size: 515000
relation: main_file
file_date_updated: 2020-07-14T12:44:39Z
has_accepted_license: '1'
intvolume: ' 9696'
language:
- iso: eng
month: '06'
oa: 1
oa_version: Submitted Version
page: 285 - 303
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_status: published
publisher: Springer
publist_id: '6105'
pubrep_id: '765'
quality_controlled: '1'
related_material:
record:
- id: '83'
relation: dissertation_contains
status: public
scopus_import: 1
status: public
title: Offline witness encryption
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9696
year: '2016'
...
---
_id: '1236'
abstract:
- lang: eng
text: 'A constrained pseudorandom function F: K × X → Y for a family T ⊆ 2X of subsets
of X is a function where for any key k ∈ K and set S ∈ T one can efficiently compute
a constrained key kS which allows to evaluate F (k, ·) on all inputs x ∈ S, while
even given this key, the outputs on all inputs x ∉ S look random. At Asiacrypt’13
Boneh and Waters gave a construction which supports the most general set family
so far. Its keys kc are defined for sets decided by boolean circuits C and enable
evaluation of the PRF on any x ∈ X where C(x) = 1. In their construction the PRF
input length and the size of the circuits C for which constrained keys can be
computed must be fixed beforehand during key generation. We construct a constrained
PRF that has an unbounded input length and whose constrained keys can be defined
for any set recognized by a Turing machine. The only a priori bound we make is
on the description size of the machines. We prove our construction secure assuming
publiccoin differing-input obfuscation. As applications of our constrained PRF
we build a broadcast encryption scheme where the number of potential receivers
need not be fixed at setup (in particular, the length of the keys is independent
of the number of parties) and the first identity-based non-interactive key exchange
protocol with no bound on the number of parties that can agree on a shared key.'
acknowledgement: Supported by the European Research Council, ERC Starting Grant (259668-PSPC).
alternative_title:
- LNCS
author:
- first_name: Hamza M
full_name: Abusalah, Hamza M
id: 40297222-F248-11E8-B48F-1D18A9856A87
last_name: Abusalah
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Abusalah HM, Fuchsbauer G, Pietrzak KZ. Constrained PRFs for unbounded inputs.
In: Vol 9610. Springer; 2016:413-428. doi:10.1007/978-3-319-29485-8_24'
apa: 'Abusalah, H. M., Fuchsbauer, G., & Pietrzak, K. Z. (2016). Constrained
PRFs for unbounded inputs (Vol. 9610, pp. 413–428). Presented at the CT-RSA: Topics
in Cryptology, San Francisco, CA, USA: Springer. https://doi.org/10.1007/978-3-319-29485-8_24'
chicago: Abusalah, Hamza M, Georg Fuchsbauer, and Krzysztof Z Pietrzak. “Constrained
PRFs for Unbounded Inputs,” 9610:413–28. Springer, 2016. https://doi.org/10.1007/978-3-319-29485-8_24.
ieee: 'H. M. Abusalah, G. Fuchsbauer, and K. Z. Pietrzak, “Constrained PRFs for
unbounded inputs,” presented at the CT-RSA: Topics in Cryptology, San Francisco,
CA, USA, 2016, vol. 9610, pp. 413–428.'
ista: 'Abusalah HM, Fuchsbauer G, Pietrzak KZ. 2016. Constrained PRFs for unbounded
inputs. CT-RSA: Topics in Cryptology, LNCS, vol. 9610, 413–428.'
mla: Abusalah, Hamza M., et al. Constrained PRFs for Unbounded Inputs. Vol.
9610, Springer, 2016, pp. 413–28, doi:10.1007/978-3-319-29485-8_24.
short: H.M. Abusalah, G. Fuchsbauer, K.Z. Pietrzak, in:, Springer, 2016, pp. 413–428.
conference:
end_date: 2016-03-04
location: San Francisco, CA, USA
name: 'CT-RSA: Topics in Cryptology'
start_date: 2016-02-29
date_created: 2018-12-11T11:50:52Z
date_published: 2016-02-02T00:00:00Z
date_updated: 2023-09-07T12:30:22Z
day: '02'
ddc:
- '005'
- '600'
department:
- _id: KrPi
doi: 10.1007/978-3-319-29485-8_24
ec_funded: 1
file:
- access_level: open_access
checksum: 3851cee49933ae13b1272e516f213e13
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:08:05Z
date_updated: 2020-07-14T12:44:41Z
file_id: '4664'
file_name: IST-2017-764-v1+1_279.pdf
file_size: 495176
relation: main_file
file_date_updated: 2020-07-14T12:44:41Z
has_accepted_license: '1'
intvolume: ' 9610'
language:
- iso: eng
month: '02'
oa: 1
oa_version: Submitted Version
page: 413 - 428
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '6097'
pubrep_id: '764'
quality_controlled: '1'
related_material:
record:
- id: '83'
relation: dissertation_contains
status: public
scopus_import: 1
status: public
title: Constrained PRFs for unbounded inputs
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9610
year: '2016'
...
---
_id: '1235'
abstract:
- lang: eng
text: 'A constrained pseudorandom function (CPRF) F: K×X → Y for a family T of subsets
of χ is a function where for any key k ∈ K and set S ∈ T one can efficiently compute
a short constrained key kS, which allows to evaluate F(k, ·) on all inputs x ∈
S, while the outputs on all inputs x /∈ S look random even given kS. Abusalah
et al. recently constructed the first constrained PRF for inputs of arbitrary
length whose sets S are decided by Turing machines. They use their CPRF to build
broadcast encryption and the first ID-based non-interactive key exchange for an
unbounded number of users. Their constrained keys are obfuscated circuits and
are therefore large. In this work we drastically reduce the key size and define
a constrained key for a Turing machine M as a short signature on M. For this,
we introduce a new signature primitive with constrained signing keys that let
one only sign certain messages, while forging a signature on others is hard even
when knowing the coins for key generation.'
acknowledgement: H. Abusalah—Research supported by the European Research Council,
ERC starting grant (259668-PSPC) and ERC consolidator grant (682815 - TOCNeT).
alternative_title:
- LNCS
author:
- first_name: Hamza M
full_name: Abusalah, Hamza M
id: 40297222-F248-11E8-B48F-1D18A9856A87
last_name: Abusalah
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
citation:
ama: 'Abusalah HM, Fuchsbauer G. Constrained PRFs for unbounded inputs with short
keys. In: Vol 9696. Springer; 2016:445-463. doi:10.1007/978-3-319-39555-5_24'
apa: 'Abusalah, H. M., & Fuchsbauer, G. (2016). Constrained PRFs for unbounded
inputs with short keys (Vol. 9696, pp. 445–463). Presented at the ACNS: Applied
Cryptography and Network Security, Guildford, UK: Springer. https://doi.org/10.1007/978-3-319-39555-5_24'
chicago: Abusalah, Hamza M, and Georg Fuchsbauer. “Constrained PRFs for Unbounded
Inputs with Short Keys,” 9696:445–63. Springer, 2016. https://doi.org/10.1007/978-3-319-39555-5_24.
ieee: 'H. M. Abusalah and G. Fuchsbauer, “Constrained PRFs for unbounded inputs
with short keys,” presented at the ACNS: Applied Cryptography and Network Security,
Guildford, UK, 2016, vol. 9696, pp. 445–463.'
ista: 'Abusalah HM, Fuchsbauer G. 2016. Constrained PRFs for unbounded inputs with
short keys. ACNS: Applied Cryptography and Network Security, LNCS, vol. 9696,
445–463.'
mla: Abusalah, Hamza M., and Georg Fuchsbauer. Constrained PRFs for Unbounded
Inputs with Short Keys. Vol. 9696, Springer, 2016, pp. 445–63, doi:10.1007/978-3-319-39555-5_24.
short: H.M. Abusalah, G. Fuchsbauer, in:, Springer, 2016, pp. 445–463.
conference:
end_date: 2016-06-22
location: Guildford, UK
name: 'ACNS: Applied Cryptography and Network Security'
start_date: 2016-06-19
date_created: 2018-12-11T11:50:52Z
date_published: 2016-01-01T00:00:00Z
date_updated: 2023-09-07T12:30:22Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-39555-5_24
ec_funded: 1
intvolume: ' 9696'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/279.pdf
month: '01'
oa: 1
oa_version: Submitted Version
page: 445 - 463
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_status: published
publisher: Springer
publist_id: '6098'
quality_controlled: '1'
related_material:
record:
- id: '83'
relation: dissertation_contains
status: public
scopus_import: 1
status: public
title: Constrained PRFs for unbounded inputs with short keys
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 9696
year: '2016'
...
---
_id: '1474'
abstract:
- lang: eng
text: Cryptographic access control offers selective access to encrypted data via
a combination of key management and functionality-rich cryptographic schemes,
such as attribute-based encryption. Using this approach, publicly available meta-data
may inadvertently leak information on the access policy that is enforced by cryptography,
which renders cryptographic access control unusable in settings where this information
is highly sensitive. We begin to address this problem by presenting rigorous definitions
for policy privacy in cryptographic access control. For concreteness we set our
results in the model of Role-Based Access Control (RBAC), where we identify and
formalize several different flavors of privacy, however, our framework should
serve as inspiration for other models of access control. Based on our insights
we propose a new system which significantly improves on the privacy properties
of state-of-the-art constructions. Our design is based on a novel type of privacy-preserving
attribute-based encryption, which we introduce and show how to instantiate. We
present our results in the context of a cryptographic RBAC system by Ferrara et
al. (CSF'13), which uses cryptography to control read access to files, while write
access is still delegated to trusted monitors. We give an extension of the construction
that permits cryptographic control over write access. Our construction assumes
that key management uses out-of-band channels between the policy enforcer and
the users but eliminates completely the need for monitoring read/write access
to the data.
article_processing_charge: No
author:
- first_name: Anna
full_name: Ferrara, Anna
last_name: Ferrara
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: Bin
full_name: Liu, Bin
last_name: Liu
- first_name: Bogdan
full_name: Warinschi, Bogdan
last_name: Warinschi
citation:
ama: 'Ferrara A, Fuchsbauer G, Liu B, Warinschi B. Policy privacy in cryptographic
access control. In: IEEE; 2015:46-60. doi:10.1109/CSF.2015.11'
apa: 'Ferrara, A., Fuchsbauer, G., Liu, B., & Warinschi, B. (2015). Policy privacy
in cryptographic access control (pp. 46–60). Presented at the CSF: Computer Security
Foundations, Verona, Italy: IEEE. https://doi.org/10.1109/CSF.2015.11'
chicago: Ferrara, Anna, Georg Fuchsbauer, Bin Liu, and Bogdan Warinschi. “Policy
Privacy in Cryptographic Access Control,” 46–60. IEEE, 2015. https://doi.org/10.1109/CSF.2015.11.
ieee: 'A. Ferrara, G. Fuchsbauer, B. Liu, and B. Warinschi, “Policy privacy in cryptographic
access control,” presented at the CSF: Computer Security Foundations, Verona,
Italy, 2015, pp. 46–60.'
ista: 'Ferrara A, Fuchsbauer G, Liu B, Warinschi B. 2015. Policy privacy in cryptographic
access control. CSF: Computer Security Foundations, 46–60.'
mla: Ferrara, Anna, et al. Policy Privacy in Cryptographic Access Control.
IEEE, 2015, pp. 46–60, doi:10.1109/CSF.2015.11.
short: A. Ferrara, G. Fuchsbauer, B. Liu, B. Warinschi, in:, IEEE, 2015, pp. 46–60.
conference:
end_date: 2015-07-17
location: Verona, Italy
name: 'CSF: Computer Security Foundations'
start_date: 2015-07-13
date_created: 2018-12-11T11:52:14Z
date_published: 2015-09-04T00:00:00Z
date_updated: 2021-01-12T06:50:59Z
day: '04'
department:
- _id: KrPi
doi: 10.1109/CSF.2015.11
ec_funded: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: http://epubs.surrey.ac.uk/808055/
month: '09'
oa: 1
oa_version: Submitted Version
page: 46-60
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: IEEE
publist_id: '5722'
quality_controlled: '1'
status: public
title: Policy privacy in cryptographic access control
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
year: '2015'
...
---
_id: '1646'
abstract:
- lang: eng
text: 'A pseudorandom function (PRF) is a keyed function F : K × X → Y where, for
a random key k ∈ K, the function F(k, ·) is indistinguishable from a uniformly
random function, given black-box access. A key-homomorphic PRF has the additional
feature that for any keys k, k'' and any input x, we have F(k+k'', x) = F(k, x)⊕F(k'',
x) for some group operations +,⊕ on K and Y, respectively. A constrained PRF for
a family of setsS ⊆ P(X) has the property that, given any key k and set S ∈ S,
one can efficiently compute a “constrained” key kS that enables evaluation of
F(k, x) on all inputs x ∈ S, while the values F(k, x) for x /∈ S remain pseudorandom
even given kS. In this paper we construct PRFs that are simultaneously constrained
and key homomorphic, where the homomorphic property holds even for constrained
keys. We first show that the multilinear map-based bit-fixing and circuit-constrained
PRFs of Boneh and Waters (Asiacrypt 2013) can be modified to also be keyhomomorphic.
We then show that the LWE-based key-homomorphic PRFs of Banerjee and Peikert (Crypto
2014) are essentially already prefix-constrained PRFs, using a (non-obvious) definition
of constrained keys and associated group operation. Moreover, the constrained
keys themselves are pseudorandom, and the constraining and evaluation functions
can all be computed in low depth. As an application of key-homomorphic constrained
PRFs,we construct a proxy re-encryption schemewith fine-grained access control.
This scheme allows storing encrypted data on an untrusted server, where each file
can be encrypted relative to some attributes, so that only parties whose constrained
keys match the attributes can decrypt. Moreover, the server can re-key (arbitrary
subsets of) the ciphertexts without learning anything about the plaintexts, thus
permitting efficient and finegrained revocation.'
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Abishek
full_name: Banerjee, Abishek
last_name: Banerjee
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: Chris
full_name: Peikert, Chris
last_name: Peikert
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Sophie
full_name: Stevens, Sophie
last_name: Stevens
citation:
ama: 'Banerjee A, Fuchsbauer G, Peikert C, Pietrzak KZ, Stevens S. Key-homomorphic
constrained pseudorandom functions. In: 12th Theory of Cryptography Conference.
Vol 9015. Springer Nature; 2015:31-60. doi:10.1007/978-3-662-46497-7_2'
apa: 'Banerjee, A., Fuchsbauer, G., Peikert, C., Pietrzak, K. Z., & Stevens,
S. (2015). Key-homomorphic constrained pseudorandom functions. In 12th Theory
of Cryptography Conference (Vol. 9015, pp. 31–60). Warsaw, Poland: Springer
Nature. https://doi.org/10.1007/978-3-662-46497-7_2'
chicago: Banerjee, Abishek, Georg Fuchsbauer, Chris Peikert, Krzysztof Z Pietrzak,
and Sophie Stevens. “Key-Homomorphic Constrained Pseudorandom Functions.” In 12th
Theory of Cryptography Conference, 9015:31–60. Springer Nature, 2015. https://doi.org/10.1007/978-3-662-46497-7_2.
ieee: A. Banerjee, G. Fuchsbauer, C. Peikert, K. Z. Pietrzak, and S. Stevens, “Key-homomorphic
constrained pseudorandom functions,” in 12th Theory of Cryptography Conference,
Warsaw, Poland, 2015, vol. 9015, pp. 31–60.
ista: 'Banerjee A, Fuchsbauer G, Peikert C, Pietrzak KZ, Stevens S. 2015. Key-homomorphic
constrained pseudorandom functions. 12th Theory of Cryptography Conference. TCC:
Theory of Cryptography Conference, LNCS, vol. 9015, 31–60.'
mla: Banerjee, Abishek, et al. “Key-Homomorphic Constrained Pseudorandom Functions.”
12th Theory of Cryptography Conference, vol. 9015, Springer Nature, 2015,
pp. 31–60, doi:10.1007/978-3-662-46497-7_2.
short: A. Banerjee, G. Fuchsbauer, C. Peikert, K.Z. Pietrzak, S. Stevens, in:, 12th
Theory of Cryptography Conference, Springer Nature, 2015, pp. 31–60.
conference:
end_date: 2015-03-25
location: Warsaw, Poland
name: 'TCC: Theory of Cryptography Conference'
start_date: 2015-03-23
date_created: 2018-12-11T11:53:14Z
date_published: 2015-03-01T00:00:00Z
date_updated: 2022-02-03T08:41:46Z
day: '01'
ddc:
- '000'
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-662-46497-7_2
ec_funded: 1
file:
- access_level: open_access
checksum: 3c5093bda5783c89beaacabf1aa0e60e
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:15:17Z
date_updated: 2020-07-14T12:45:08Z
file_id: '5136'
file_name: IST-2016-679-v1+1_180.pdf
file_size: 450665
relation: main_file
file_date_updated: 2020-07-14T12:45:08Z
has_accepted_license: '1'
intvolume: ' 9015'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2015/180
month: '03'
oa: 1
oa_version: Submitted Version
page: 31 - 60
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication: 12th Theory of Cryptography Conference
publication_identifier:
isbn:
- 978-3-662-46496-0
publication_status: published
publisher: Springer Nature
publist_id: '5505'
pubrep_id: '679'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Key-homomorphic constrained pseudorandom functions
type: conference
user_id: 8b945eb4-e2f2-11eb-945a-df72226e66a9
volume: 9015
year: '2015'
...
---
_id: '1648'
abstract:
- lang: eng
text: Generalized Selective Decryption (GSD), introduced by Panjwani [TCC’07], is
a game for a symmetric encryption scheme Enc that captures the difficulty of proving
adaptive security of certain protocols, most notably the Logical Key Hierarchy
(LKH) multicast encryption protocol. In the GSD game there are n keys k1,...,
kn, which the adversary may adaptively corrupt (learn); moreover, it can ask for
encryptions Encki (kj) of keys under other keys. The adversary’s task is to distinguish
keys (which it cannot trivially compute) from random. Proving the hardness of
GSD assuming only IND-CPA security of Enc is surprisingly hard. Using “complexity
leveraging” loses a factor exponential in n, which makes the proof practically
meaningless. We can think of the GSD game as building a graph on n vertices, where
we add an edge i → j when the adversary asks for an encryption of kj under ki.
If restricted to graphs of depth ℓ, Panjwani gave a reduction that loses only
a factor exponential in ℓ (not n). To date, this is the only non-trivial result
known for GSD. In this paper we give almost-polynomial reductions for large classes
of graphs. Most importantly, we prove the security of the GSD game restricted
to trees losing only a quasi-polynomial factor n3 log n+5. Trees are an important
special case capturing real-world protocols like the LKH protocol. Our new bound
improves upon Panjwani’s on some LKH variants proposed in the literature where
the underlying tree is not balanced. Our proof builds on ideas from the “nested
hybrids” technique recently introduced by Fuchsbauer et al. [Asiacrypt’14] for
proving the adaptive security of constrained PRFs.
alternative_title:
- LNCS
author:
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: Zahra
full_name: Jafargholi, Zahra
last_name: Jafargholi
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Fuchsbauer G, Jafargholi Z, Pietrzak KZ. A quasipolynomial reduction for generalized
selective decryption on trees. In: Vol 9215. Springer; 2015:601-620. doi:10.1007/978-3-662-47989-6_29'
apa: 'Fuchsbauer, G., Jafargholi, Z., & Pietrzak, K. Z. (2015). A quasipolynomial
reduction for generalized selective decryption on trees (Vol. 9215, pp. 601–620).
Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA,
USA: Springer. https://doi.org/10.1007/978-3-662-47989-6_29'
chicago: Fuchsbauer, Georg, Zahra Jafargholi, and Krzysztof Z Pietrzak. “A Quasipolynomial
Reduction for Generalized Selective Decryption on Trees,” 9215:601–20. Springer,
2015. https://doi.org/10.1007/978-3-662-47989-6_29.
ieee: 'G. Fuchsbauer, Z. Jafargholi, and K. Z. Pietrzak, “A quasipolynomial reduction
for generalized selective decryption on trees,” presented at the CRYPTO: International
Cryptology Conference, Santa Barbara, CA, USA, 2015, vol. 9215, pp. 601–620.'
ista: 'Fuchsbauer G, Jafargholi Z, Pietrzak KZ. 2015. A quasipolynomial reduction
for generalized selective decryption on trees. CRYPTO: International Cryptology
Conference, LNCS, vol. 9215, 601–620.'
mla: Fuchsbauer, Georg, et al. A Quasipolynomial Reduction for Generalized Selective
Decryption on Trees. Vol. 9215, Springer, 2015, pp. 601–20, doi:10.1007/978-3-662-47989-6_29.
short: G. Fuchsbauer, Z. Jafargholi, K.Z. Pietrzak, in:, Springer, 2015, pp. 601–620.
conference:
end_date: 2015-08-20
location: Santa Barbara, CA, USA
name: 'CRYPTO: International Cryptology Conference'
start_date: 2015-08-16
date_created: 2018-12-11T11:53:14Z
date_published: 2015-08-01T00:00:00Z
date_updated: 2021-01-12T06:52:14Z
day: '01'
ddc:
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-662-47989-6_29
ec_funded: 1
file:
- access_level: open_access
checksum: 99b76b3263d5082554d0a9cbdeca3a22
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:13:31Z
date_updated: 2020-07-14T12:45:08Z
file_id: '5015'
file_name: IST-2016-674-v1+1_389.pdf
file_size: 505618
relation: main_file
file_date_updated: 2020-07-14T12:45:08Z
has_accepted_license: '1'
intvolume: ' 9215'
language:
- iso: eng
month: '08'
oa: 1
oa_version: Submitted Version
page: 601 - 620
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5502'
pubrep_id: '674'
quality_controlled: '1'
scopus_import: 1
status: public
title: A quasipolynomial reduction for generalized selective decryption on trees
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9215
year: '2015'
...
---
_id: '1649'
abstract:
- lang: eng
text: 'We extend a commitment scheme based on the learning with errors over rings
(RLWE) problem, and present efficient companion zeroknowledge proofs of knowledge.
Our scheme maps elements from the ring (or equivalently, n elements from '
alternative_title:
- LNCS
author:
- first_name: Fabrice
full_name: Benhamouda, Fabrice
last_name: Benhamouda
- first_name: Stephan
full_name: Krenn, Stephan
last_name: Krenn
- first_name: Vadim
full_name: Lyubashevsky, Vadim
last_name: Lyubashevsky
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: Benhamouda F, Krenn S, Lyubashevsky V, Pietrzak KZ. Efficient zero-knowledge
proofs for commitments from learning with errors over rings. 2015;9326:305-325.
doi:10.1007/978-3-319-24174-6_16
apa: 'Benhamouda, F., Krenn, S., Lyubashevsky, V., & Pietrzak, K. Z. (2015).
Efficient zero-knowledge proofs for commitments from learning with errors over
rings. Presented at the ESORICS: European Symposium on Research in Computer Security,
Vienna, Austria: Springer. https://doi.org/10.1007/978-3-319-24174-6_16'
chicago: Benhamouda, Fabrice, Stephan Krenn, Vadim Lyubashevsky, and Krzysztof Z
Pietrzak. “Efficient Zero-Knowledge Proofs for Commitments from Learning with
Errors over Rings.” Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-319-24174-6_16.
ieee: F. Benhamouda, S. Krenn, V. Lyubashevsky, and K. Z. Pietrzak, “Efficient zero-knowledge
proofs for commitments from learning with errors over rings,” vol. 9326. Springer,
pp. 305–325, 2015.
ista: Benhamouda F, Krenn S, Lyubashevsky V, Pietrzak KZ. 2015. Efficient zero-knowledge
proofs for commitments from learning with errors over rings. 9326, 305–325.
mla: Benhamouda, Fabrice, et al. Efficient Zero-Knowledge Proofs for Commitments
from Learning with Errors over Rings. Vol. 9326, Springer, 2015, pp. 305–25,
doi:10.1007/978-3-319-24174-6_16.
short: F. Benhamouda, S. Krenn, V. Lyubashevsky, K.Z. Pietrzak, 9326 (2015) 305–325.
conference:
end_date: 2015-09-25
location: Vienna, Austria
name: 'ESORICS: European Symposium on Research in Computer Security'
start_date: 2015-09-21
date_created: 2018-12-11T11:53:15Z
date_published: 2015-01-01T00:00:00Z
date_updated: 2021-01-12T06:52:14Z
day: '01'
ddc:
- '000'
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-319-24174-6_16
ec_funded: 1
file:
- access_level: open_access
checksum: 6eac4a485b2aa644b2d3f753ed0b280b
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:11:28Z
date_updated: 2020-07-14T12:45:08Z
file_id: '4883'
file_name: IST-2016-678-v1+1_889.pdf
file_size: 494239
relation: main_file
file_date_updated: 2020-07-14T12:45:08Z
has_accepted_license: '1'
intvolume: ' 9326'
language:
- iso: eng
license: https://creativecommons.org/licenses/by-nc/4.0/
month: '01'
oa: 1
oa_version: Published Version
page: 305 - 325
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5501'
pubrep_id: '678'
quality_controlled: '1'
scopus_import: 1
series_title: Lecture Notes in Computer Science
status: public
title: Efficient zero-knowledge proofs for commitments from learning with errors over
rings
tmp:
image: /images/cc_by_nc.png
legal_code_url: https://creativecommons.org/licenses/by-nc/4.0/legalcode
name: Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
short: CC BY-NC (4.0)
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9326
year: '2015'
...
---
_id: '1644'
abstract:
- lang: eng
text: Increasing the computational complexity of evaluating a hash function, both
for the honest users as well as for an adversary, is a useful technique employed
for example in password-based cryptographic schemes to impede brute-force attacks,
and also in so-called proofs of work (used in protocols like Bitcoin) to show
that a certain amount of computation was performed by a legitimate user. A natural
approach to adjust the complexity of a hash function is to iterate it c times,
for some parameter c, in the hope that any query to the scheme requires c evaluations
of the underlying hash function. However, results by Dodis et al. (Crypto 2012)
imply that plain iteration falls short of achieving this goal, and designing schemes
which provably have such a desirable property remained an open problem. This paper
formalizes explicitly what it means for a given scheme to amplify the query complexity
of a hash function. In the random oracle model, the goal of a secure query-complexity
amplifier (QCA) scheme is captured as transforming, in the sense of indifferentiability,
a random oracle allowing R queries (for the adversary) into one provably allowing
only r < R queries. Turned around, this means that making r queries to the
scheme requires at least R queries to the actual random oracle. Second, a new
scheme, called collision-free iteration, is proposed and proven to achieve c-fold
QCA for both the honest parties and the adversary, for any fixed parameter c.
alternative_title:
- LNCS
author:
- first_name: Grégory
full_name: Demay, Grégory
last_name: Demay
- first_name: Peter
full_name: Gazi, Peter
id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
last_name: Gazi
- first_name: Ueli
full_name: Maurer, Ueli
last_name: Maurer
- first_name: Björn
full_name: Tackmann, Björn
last_name: Tackmann
citation:
ama: 'Demay G, Gazi P, Maurer U, Tackmann B. Query-complexity amplification for
random oracles. In: Vol 9063. Springer; 2015:159-180. doi:10.1007/978-3-319-17470-9_10'
apa: 'Demay, G., Gazi, P., Maurer, U., & Tackmann, B. (2015). Query-complexity
amplification for random oracles (Vol. 9063, pp. 159–180). Presented at the ICITS:
International Conference on Information Theoretic Security, Lugano, Switzerland:
Springer. https://doi.org/10.1007/978-3-319-17470-9_10'
chicago: Demay, Grégory, Peter Gazi, Ueli Maurer, and Björn Tackmann. “Query-Complexity
Amplification for Random Oracles,” 9063:159–80. Springer, 2015. https://doi.org/10.1007/978-3-319-17470-9_10.
ieee: 'G. Demay, P. Gazi, U. Maurer, and B. Tackmann, “Query-complexity amplification
for random oracles,” presented at the ICITS: International Conference on Information
Theoretic Security, Lugano, Switzerland, 2015, vol. 9063, pp. 159–180.'
ista: 'Demay G, Gazi P, Maurer U, Tackmann B. 2015. Query-complexity amplification
for random oracles. ICITS: International Conference on Information Theoretic Security,
LNCS, vol. 9063, 159–180.'
mla: Demay, Grégory, et al. Query-Complexity Amplification for Random Oracles.
Vol. 9063, Springer, 2015, pp. 159–80, doi:10.1007/978-3-319-17470-9_10.
short: G. Demay, P. Gazi, U. Maurer, B. Tackmann, in:, Springer, 2015, pp. 159–180.
conference:
end_date: 2015-05-05
location: Lugano, Switzerland
name: 'ICITS: International Conference on Information Theoretic Security'
start_date: 2015-05-02
date_created: 2018-12-11T11:53:13Z
date_published: 2015-01-01T00:00:00Z
date_updated: 2021-01-12T06:52:13Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-17470-9_10
ec_funded: 1
intvolume: ' 9063'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: http://eprint.iacr.org/2015/315
month: '01'
oa: 1
oa_version: Submitted Version
page: 159 - 180
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5507'
quality_controlled: '1'
scopus_import: 1
status: public
title: Query-complexity amplification for random oracles
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9063
year: '2015'
...
---
_id: '1647'
abstract:
- lang: eng
text: Round-optimal blind signatures are notoriously hard to construct in the standard
model, especially in the malicious-signer model, where blindness must hold under
adversarially chosen keys. This is substantiated by several impossibility results.
The only construction that can be termed theoretically efficient, by Garg and
Gupta (Eurocrypt’14), requires complexity leveraging, inducing an exponential
security loss. We present a construction of practically efficient round-optimal
blind signatures in the standard model. It is conceptually simple and builds on
the recent structure-preserving signatures on equivalence classes (SPSEQ) from
Asiacrypt’14. While the traditional notion of blindness follows from standard
assumptions, we prove blindness under adversarially chosen keys under an interactive
variant of DDH. However, we neither require non-uniform assumptions nor complexity
leveraging. We then show how to extend our construction to partially blind signatures
and to blind signatures on message vectors, which yield a construction of one-show
anonymous credentials à la “anonymous credentials light” (CCS’13) in the standard
model. Furthermore, we give the first SPS-EQ construction under noninteractive
assumptions and show how SPS-EQ schemes imply conventional structure-preserving
signatures, which allows us to apply optimality results for the latter to SPS-EQ.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: Christian
full_name: Hanser, Christian
last_name: Hanser
- first_name: Daniel
full_name: Slamanig, Daniel
last_name: Slamanig
citation:
ama: 'Fuchsbauer G, Hanser C, Slamanig D. Practical round-optimal blind signatures
in the standard model. In: Vol 9216. Springer; 2015:233-253. doi:10.1007/978-3-662-48000-7_12'
apa: 'Fuchsbauer, G., Hanser, C., & Slamanig, D. (2015). Practical round-optimal
blind signatures in the standard model (Vol. 9216, pp. 233–253). Presented at
the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States:
Springer. https://doi.org/10.1007/978-3-662-48000-7_12'
chicago: Fuchsbauer, Georg, Christian Hanser, and Daniel Slamanig. “Practical Round-Optimal
Blind Signatures in the Standard Model,” 9216:233–53. Springer, 2015. https://doi.org/10.1007/978-3-662-48000-7_12.
ieee: 'G. Fuchsbauer, C. Hanser, and D. Slamanig, “Practical round-optimal blind
signatures in the standard model,” presented at the CRYPTO: International Cryptology
Conference, Santa Barbara, CA, United States, 2015, vol. 9216, pp. 233–253.'
ista: 'Fuchsbauer G, Hanser C, Slamanig D. 2015. Practical round-optimal blind signatures
in the standard model. CRYPTO: International Cryptology Conference, LNCS, vol.
9216, 233–253.'
mla: Fuchsbauer, Georg, et al. Practical Round-Optimal Blind Signatures in the
Standard Model. Vol. 9216, Springer, 2015, pp. 233–53, doi:10.1007/978-3-662-48000-7_12.
short: G. Fuchsbauer, C. Hanser, D. Slamanig, in:, Springer, 2015, pp. 233–253.
conference:
end_date: 2015-08-20
location: Santa Barbara, CA, United States
name: 'CRYPTO: International Cryptology Conference'
start_date: 2015-08-16
date_created: 2018-12-11T11:53:14Z
date_published: 2015-08-01T00:00:00Z
date_updated: 2023-02-21T16:44:51Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-662-48000-7_12
ec_funded: 1
intvolume: ' 9216'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2015/626.pdf
month: '08'
oa: 1
oa_version: Submitted Version
page: 233 - 253
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5503'
quality_controlled: '1'
related_material:
record:
- id: '1225'
relation: later_version
status: public
scopus_import: 1
status: public
title: Practical round-optimal blind signatures in the standard model
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9216
year: '2015'
...
---
_id: '1645'
abstract:
- lang: eng
text: Secret-key constructions are often proved secure in a model where one or more
underlying components are replaced by an idealized oracle accessible to the attacker.
This model gives rise to information-theoretic security analyses, and several
advances have been made in this area over the last few years. This paper provides
a systematic overview of what is achievable in this model, and how existing works
fit into this view.
article_number: '7133163'
author:
- first_name: Peter
full_name: Gazi, Peter
id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
last_name: Gazi
- first_name: Stefano
full_name: Tessaro, Stefano
last_name: Tessaro
citation:
ama: 'Gazi P, Tessaro S. Secret-key cryptography from ideal primitives: A systematic
verview. In: 2015 IEEE Information Theory Workshop. IEEE; 2015. doi:10.1109/ITW.2015.7133163'
apa: 'Gazi, P., & Tessaro, S. (2015). Secret-key cryptography from ideal primitives:
A systematic verview. In 2015 IEEE Information Theory Workshop. Jerusalem,
Israel: IEEE. https://doi.org/10.1109/ITW.2015.7133163'
chicago: 'Gazi, Peter, and Stefano Tessaro. “Secret-Key Cryptography from Ideal
Primitives: A Systematic Verview.” In 2015 IEEE Information Theory Workshop.
IEEE, 2015. https://doi.org/10.1109/ITW.2015.7133163.'
ieee: 'P. Gazi and S. Tessaro, “Secret-key cryptography from ideal primitives: A
systematic verview,” in 2015 IEEE Information Theory Workshop, Jerusalem,
Israel, 2015.'
ista: 'Gazi P, Tessaro S. 2015. Secret-key cryptography from ideal primitives: A
systematic verview. 2015 IEEE Information Theory Workshop. ITW 2015: IEEE Information
Theory Workshop, 7133163.'
mla: 'Gazi, Peter, and Stefano Tessaro. “Secret-Key Cryptography from Ideal Primitives:
A Systematic Verview.” 2015 IEEE Information Theory Workshop, 7133163,
IEEE, 2015, doi:10.1109/ITW.2015.7133163.'
short: P. Gazi, S. Tessaro, in:, 2015 IEEE Information Theory Workshop, IEEE, 2015.
conference:
end_date: 2015-05-01
location: Jerusalem, Israel
name: 'ITW 2015: IEEE Information Theory Workshop'
start_date: 2015-04-26
date_created: 2018-12-11T11:53:13Z
date_published: 2015-06-24T00:00:00Z
date_updated: 2021-01-12T06:52:13Z
day: '24'
department:
- _id: KrPi
doi: 10.1109/ITW.2015.7133163
ec_funded: 1
language:
- iso: eng
month: '06'
oa_version: None
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication: 2015 IEEE Information Theory Workshop
publication_status: published
publisher: IEEE
publist_id: '5506'
quality_controlled: '1'
scopus_import: 1
status: public
title: 'Secret-key cryptography from ideal primitives: A systematic verview'
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
year: '2015'
...
---
_id: '1654'
abstract:
- lang: eng
text: "HMAC and its variant NMAC are the most popular approaches to deriving a MAC
(and more generally, a PRF) from a cryptographic hash function. Despite nearly
two decades of research, their exact security still remains far from understood
in many different contexts. Indeed, recent works have re-surfaced interest for
{\\em generic} attacks, i.e., attacks that treat the compression function of the
underlying hash function as a black box.\r\n\r\nGeneric security can be proved
in a model where the underlying compression function is modeled as a random function
-- yet, to date, the question of proving tight, non-trivial bounds on the generic
security of HMAC/NMAC even as a PRF remains a challenging open question.\r\n\r\nIn
this paper, we ask the question of whether a small modification to HMAC and NMAC
can allow us to exactly characterize the security of the resulting constructions,
while only incurring little penalty with respect to efficiency. To this end, we
present simple variants of NMAC and HMAC, for which we prove tight bounds on the
generic PRF security, expressed in terms of numbers of construction and compression
function queries necessary to break the construction. All of our constructions
are obtained via a (near) {\\em black-box} modification of NMAC and HMAC, which
can be interpreted as an initial step of key-dependent message pre-processing.\r\n\r\nWhile
our focus is on PRF security, a further attractive feature of our new constructions
is that they clearly defeat all recent generic attacks against properties such
as state recovery and universal forgery. These exploit properties of the so-called
``functional graph'' which are not directly accessible in our new constructions. "
alternative_title:
- LNCS
author:
- first_name: Peter
full_name: Gazi, Peter
id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
last_name: Gazi
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Stefano
full_name: Tessaro, Stefano
last_name: Tessaro
citation:
ama: Gazi P, Pietrzak KZ, Tessaro S. Generic security of NMAC and HMAC with input
whitening. 2015;9453:85-109. doi:10.1007/978-3-662-48800-3_4
apa: 'Gazi, P., Pietrzak, K. Z., & Tessaro, S. (2015). Generic security of NMAC
and HMAC with input whitening. Presented at the ASIACRYPT: Theory and Application
of Cryptology and Information Security, Auckland, New Zealand: Springer. https://doi.org/10.1007/978-3-662-48800-3_4'
chicago: Gazi, Peter, Krzysztof Z Pietrzak, and Stefano Tessaro. “Generic Security
of NMAC and HMAC with Input Whitening.” Lecture Notes in Computer Science. Springer,
2015. https://doi.org/10.1007/978-3-662-48800-3_4.
ieee: P. Gazi, K. Z. Pietrzak, and S. Tessaro, “Generic security of NMAC and HMAC
with input whitening,” vol. 9453. Springer, pp. 85–109, 2015.
ista: Gazi P, Pietrzak KZ, Tessaro S. 2015. Generic security of NMAC and HMAC with
input whitening. 9453, 85–109.
mla: Gazi, Peter, et al. Generic Security of NMAC and HMAC with Input Whitening.
Vol. 9453, Springer, 2015, pp. 85–109, doi:10.1007/978-3-662-48800-3_4.
short: P. Gazi, K.Z. Pietrzak, S. Tessaro, 9453 (2015) 85–109.
conference:
end_date: 2015-12-03
location: Auckland, New Zealand
name: 'ASIACRYPT: Theory and Application of Cryptology and Information Security'
start_date: 2015-11-29
date_created: 2018-12-11T11:53:17Z
date_published: 2015-12-30T00:00:00Z
date_updated: 2021-01-12T06:52:16Z
day: '30'
ddc:
- '004'
- '005'
department:
- _id: KrPi
doi: 10.1007/978-3-662-48800-3_4
ec_funded: 1
file:
- access_level: open_access
checksum: d1e53203db2d8573a560995ccdffac62
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:09:09Z
date_updated: 2020-07-14T12:45:08Z
file_id: '4732'
file_name: IST-2016-676-v1+1_881.pdf
file_size: 512071
relation: main_file
file_date_updated: 2020-07-14T12:45:08Z
has_accepted_license: '1'
intvolume: ' 9453'
language:
- iso: eng
month: '12'
oa: 1
oa_version: Submitted Version
page: 85 - 109
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5496'
pubrep_id: '676'
quality_controlled: '1'
scopus_import: 1
series_title: Lecture Notes in Computer Science
status: public
title: Generic security of NMAC and HMAC with input whitening
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9453
year: '2015'
...
---
_id: '1650'
abstract:
- lang: eng
text: "We consider the task of deriving a key with high HILL entropy (i.e., being
computationally indistinguishable from a key with high min-entropy) from an unpredictable
source.\r\n\r\nPrevious to this work, the only known way to transform unpredictability
into a key that was ϵ indistinguishable from having min-entropy was via pseudorandomness,
for example by Goldreich-Levin (GL) hardcore bits. This approach has the inherent
limitation that from a source with k bits of unpredictability entropy one can
derive a key of length (and thus HILL entropy) at most k−2log(1/ϵ) bits. In many
settings, e.g. when dealing with biometric data, such a 2log(1/ϵ) bit entropy
loss in not an option. Our main technical contribution is a theorem that states
that in the high entropy regime, unpredictability implies HILL entropy. Concretely,
any variable K with |K|−d bits of unpredictability entropy has the same amount
of so called metric entropy (against real-valued, deterministic distinguishers),
which is known to imply the same amount of HILL entropy. The loss in circuit size
in this argument is exponential in the entropy gap d, and thus this result only
applies for small d (i.e., where the size of distinguishers considered is exponential
in d).\r\n\r\nTo overcome the above restriction, we investigate if it’s possible
to first “condense” unpredictability entropy and make the entropy gap small. We
show that any source with k bits of unpredictability can be condensed into a source
of length k with k−3 bits of unpredictability entropy. Our condenser simply “abuses"
the GL construction and derives a k bit key from a source with k bits of unpredicatibily.
The original GL theorem implies nothing when extracting that many bits, but we
show that in this regime, GL still behaves like a “condenser" for unpredictability.
This result comes with two caveats (1) the loss in circuit size is exponential
in k and (2) we require that the source we start with has no HILL entropy (equivalently,
one can efficiently check if a guess is correct). We leave it as an intriguing
open problem to overcome these restrictions or to prove they’re inherent."
alternative_title:
- LNCS
author:
- first_name: Maciej
full_name: Skórski, Maciej
last_name: Skórski
- first_name: Alexander
full_name: Golovnev, Alexander
last_name: Golovnev
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Skórski M, Golovnev A, Pietrzak KZ. Condensed unpredictability . In: Vol 9134.
Springer; 2015:1046-1057. doi:10.1007/978-3-662-47672-7_85'
apa: 'Skórski, M., Golovnev, A., & Pietrzak, K. Z. (2015). Condensed unpredictability (Vol.
9134, pp. 1046–1057). Presented at the ICALP: Automata, Languages and Programming,
Kyoto, Japan: Springer. https://doi.org/10.1007/978-3-662-47672-7_85'
chicago: Skórski, Maciej, Alexander Golovnev, and Krzysztof Z Pietrzak. “Condensed
Unpredictability ,” 9134:1046–57. Springer, 2015. https://doi.org/10.1007/978-3-662-47672-7_85.
ieee: 'M. Skórski, A. Golovnev, and K. Z. Pietrzak, “Condensed unpredictability
,” presented at the ICALP: Automata, Languages and Programming, Kyoto, Japan,
2015, vol. 9134, pp. 1046–1057.'
ista: 'Skórski M, Golovnev A, Pietrzak KZ. 2015. Condensed unpredictability . ICALP:
Automata, Languages and Programming, LNCS, vol. 9134, 1046–1057.'
mla: Skórski, Maciej, et al. Condensed Unpredictability . Vol. 9134, Springer,
2015, pp. 1046–57, doi:10.1007/978-3-662-47672-7_85.
short: M. Skórski, A. Golovnev, K.Z. Pietrzak, in:, Springer, 2015, pp. 1046–1057.
conference:
end_date: 2015-07-10
location: Kyoto, Japan
name: 'ICALP: Automata, Languages and Programming'
start_date: 2015-07-06
date_created: 2018-12-11T11:53:15Z
date_published: 2015-06-20T00:00:00Z
date_updated: 2021-01-12T06:52:15Z
day: '20'
ddc:
- '000'
- '005'
department:
- _id: KrPi
doi: 10.1007/978-3-662-47672-7_85
ec_funded: 1
file:
- access_level: open_access
checksum: e808c7eecb631336fc9f9bf2e8d4ecae
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:08:32Z
date_updated: 2020-07-14T12:45:08Z
file_id: '4693'
file_name: IST-2016-675-v1+1_384.pdf
file_size: 525503
relation: main_file
file_date_updated: 2020-07-14T12:45:08Z
has_accepted_license: '1'
intvolume: ' 9134'
language:
- iso: eng
month: '06'
oa: 1
oa_version: Published Version
page: 1046 - 1057
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5500'
pubrep_id: '675'
quality_controlled: '1'
scopus_import: 1
status: public
title: 'Condensed unpredictability '
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9134
year: '2015'
...
---
_id: '1651'
abstract:
- lang: eng
text: Cryptographic e-cash allows off-line electronic transactions between a bank,
users and merchants in a secure and anonymous fashion. A plethora of e-cash constructions
has been proposed in the literature; however, these traditional e-cash schemes
only allow coins to be transferred once between users and merchants. Ideally,
we would like users to be able to transfer coins between each other multiple times
before deposit, as happens with physical cash. “Transferable” e-cash schemes are
the solution to this problem. Unfortunately, the currently proposed schemes are
either completely impractical or do not achieve the desirable anonymity properties
without compromises, such as assuming the existence of a trusted “judge” who can
trace all coins and users in the system. This paper presents the first efficient
and fully anonymous transferable e-cash scheme without any trusted third parties.
We start by revising the security and anonymity properties of transferable e-cash
to capture issues that were previously overlooked. For our construction we use
the recently proposed malleable signatures by Chase et al. to allow the secure
and anonymous transfer of coins, combined with a new efficient double-spending
detection mechanism. Finally, we discuss an instantiation of our construction.
acknowledgement: Work done as an intern in Microsoft Research Redmond and as a student
at Brown University, where supported by NSF grant 0964379. Supported by the European
Research Council, ERC Starting Grant (259668-PSPC).
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Foteini
full_name: Baldimtsi, Foteini
last_name: Baldimtsi
- first_name: Melissa
full_name: Chase, Melissa
last_name: Chase
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: Markulf
full_name: Kohlweiss, Markulf
last_name: Kohlweiss
citation:
ama: 'Baldimtsi F, Chase M, Fuchsbauer G, Kohlweiss M. Anonymous transferable e-cash.
In: Public-Key Cryptography - PKC 2015. Vol 9020. Springer; 2015:101-124.
doi:10.1007/978-3-662-46447-2_5'
apa: 'Baldimtsi, F., Chase, M., Fuchsbauer, G., & Kohlweiss, M. (2015). Anonymous
transferable e-cash. In Public-Key Cryptography - PKC 2015 (Vol. 9020,
pp. 101–124). Gaithersburg, MD, United States: Springer. https://doi.org/10.1007/978-3-662-46447-2_5'
chicago: Baldimtsi, Foteini, Melissa Chase, Georg Fuchsbauer, and Markulf Kohlweiss.
“Anonymous Transferable E-Cash.” In Public-Key Cryptography - PKC 2015,
9020:101–24. Springer, 2015. https://doi.org/10.1007/978-3-662-46447-2_5.
ieee: F. Baldimtsi, M. Chase, G. Fuchsbauer, and M. Kohlweiss, “Anonymous transferable
e-cash,” in Public-Key Cryptography - PKC 2015, Gaithersburg, MD, United
States, 2015, vol. 9020, pp. 101–124.
ista: 'Baldimtsi F, Chase M, Fuchsbauer G, Kohlweiss M. 2015. Anonymous transferable
e-cash. Public-Key Cryptography - PKC 2015. PKC: Public Key Crypography, LNCS,
vol. 9020, 101–124.'
mla: Baldimtsi, Foteini, et al. “Anonymous Transferable E-Cash.” Public-Key Cryptography
- PKC 2015, vol. 9020, Springer, 2015, pp. 101–24, doi:10.1007/978-3-662-46447-2_5.
short: F. Baldimtsi, M. Chase, G. Fuchsbauer, M. Kohlweiss, in:, Public-Key Cryptography
- PKC 2015, Springer, 2015, pp. 101–124.
conference:
end_date: 2015-04-01
location: Gaithersburg, MD, United States
name: 'PKC: Public Key Crypography'
start_date: 2015-03-30
date_created: 2018-12-11T11:53:15Z
date_published: 2015-03-17T00:00:00Z
date_updated: 2022-05-23T10:08:37Z
day: '17'
department:
- _id: KrPi
doi: 10.1007/978-3-662-46447-2_5
ec_funded: 1
intvolume: ' 9020'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://doi.org/10.1007/978-3-662-46447-2_5
month: '03'
oa: 1
oa_version: Published Version
page: 101 - 124
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication: Public-Key Cryptography - PKC 2015
publication_identifier:
isbn:
- 978-3-662-46446-5
publication_status: published
publisher: Springer
publist_id: '5499'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Anonymous transferable e-cash
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9020
year: '2015'
...
---
_id: '1652'
abstract:
- lang: eng
text: We develop new theoretical tools for proving lower-bounds on the (amortized)
complexity of certain functions in models of parallel computation. We apply the
tools to construct a class of functions with high amortized memory complexity
in the parallel Random Oracle Model (pROM); a variant of the standard ROM allowing
for batches of simultaneous queries. In particular we obtain a new, more robust,
type of Memory-Hard Functions (MHF); a security primitive which has recently been
gaining acceptance in practice as an effective means of countering brute-force
attacks on security relevant functions. Along the way we also demonstrate an important
shortcoming of previous definitions of MHFs and give a new definition addressing
the problem. The tools we develop represent an adaptation of the powerful pebbling
paradigm (initially introduced by Hewitt and Paterson [HP70] and Cook [Coo73])
to a simple and intuitive parallel setting. We define a simple pebbling game Gp
over graphs which aims to abstract parallel computation in an intuitive way. As
a conceptual contribution we define a measure of pebbling complexity for graphs
called cumulative complexity (CC) and show how it overcomes a crucial shortcoming
(in the parallel setting) exhibited by more traditional complexity measures used
in the past. As a main technical contribution we give an explicit construction
of a constant in-degree family of graphs whose CC in Gp approaches maximality
to within a polylogarithmic factor for any graph of equal size (analogous to the
graphs of Tarjan et. al. [PTC76, LT82] for sequential pebbling games). Finally,
for a given graph G and related function fG, we derive a lower-bound on the amortized
memory complexity of fG in the pROM in terms of the CC of G in the game Gp.
author:
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Vladimir
full_name: Serbinenko, Vladimir
last_name: Serbinenko
citation:
ama: 'Alwen JF, Serbinenko V. High parallel complexity graphs and memory-hard functions.
In: Proceedings of the 47th Annual ACM Symposium on Theory of Computing.
ACM; 2015:595-603. doi:10.1145/2746539.2746622'
apa: 'Alwen, J. F., & Serbinenko, V. (2015). High parallel complexity graphs
and memory-hard functions. In Proceedings of the 47th annual ACM symposium
on Theory of computing (pp. 595–603). Portland, OR, United States: ACM. https://doi.org/10.1145/2746539.2746622'
chicago: Alwen, Joel F, and Vladimir Serbinenko. “High Parallel Complexity Graphs
and Memory-Hard Functions.” In Proceedings of the 47th Annual ACM Symposium
on Theory of Computing, 595–603. ACM, 2015. https://doi.org/10.1145/2746539.2746622.
ieee: J. F. Alwen and V. Serbinenko, “High parallel complexity graphs and memory-hard
functions,” in Proceedings of the 47th annual ACM symposium on Theory of computing,
Portland, OR, United States, 2015, pp. 595–603.
ista: 'Alwen JF, Serbinenko V. 2015. High parallel complexity graphs and memory-hard
functions. Proceedings of the 47th annual ACM symposium on Theory of computing.
STOC: Symposium on the Theory of Computing, 595–603.'
mla: Alwen, Joel F., and Vladimir Serbinenko. “High Parallel Complexity Graphs and
Memory-Hard Functions.” Proceedings of the 47th Annual ACM Symposium on Theory
of Computing, ACM, 2015, pp. 595–603, doi:10.1145/2746539.2746622.
short: J.F. Alwen, V. Serbinenko, in:, Proceedings of the 47th Annual ACM Symposium
on Theory of Computing, ACM, 2015, pp. 595–603.
conference:
end_date: 2015-06-17
location: Portland, OR, United States
name: 'STOC: Symposium on the Theory of Computing'
start_date: 2015-06-14
date_created: 2018-12-11T11:53:16Z
date_published: 2015-06-01T00:00:00Z
date_updated: 2021-01-12T06:52:16Z
day: '01'
department:
- _id: KrPi
doi: 10.1145/2746539.2746622
ec_funded: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: http://eprint.iacr.org/2014/238
month: '06'
oa: 1
oa_version: Submitted Version
page: 595 - 603
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication: Proceedings of the 47th annual ACM symposium on Theory of computing
publication_status: published
publisher: ACM
publist_id: '5498'
quality_controlled: '1'
scopus_import: 1
status: public
title: High parallel complexity graphs and memory-hard functions
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
year: '2015'
...
---
_id: '1672'
abstract:
- lang: eng
text: Composable notions of incoercibility aim to forbid a coercer from using anything
beyond the coerced parties’ inputs and outputs to catch them when they try to
deceive him. Existing definitions are restricted to weak coercion types, and/or
are not universally composable. Furthermore, they often make too strong assumptions
on the knowledge of coerced parties—e.g., they assume they known the identities
and/or the strategies of other coerced parties, or those of corrupted parties—
which makes them unsuitable for applications of incoercibility such as e-voting,
where colluding adversarial parties may attempt to coerce honest voters, e.g.,
by offering them money for a promised vote, and use their own view to check that
the voter keeps his end of the bargain. In this work we put forward the first
universally composable notion of incoercible multi-party computation, which satisfies
the above intuition and does not assume collusions among coerced parties or knowledge
of the corrupted set. We define natural notions of UC incoercibility corresponding
to standard coercion-types, i.e., receipt-freeness and resistance to full-active
coercion. Importantly, our suggested notion has the unique property that it builds
on top of the well studied UC framework by Canetti instead of modifying it. This
guarantees backwards compatibility, and allows us to inherit results from the
rich UC literature. We then present MPC protocols which realize our notions of
UC incoercibility given access to an arguably minimal setup—namely honestly generate
tamper-proof hardware performing a very simple cryptographic operation—e.g., a
smart card. This is, to our knowledge, the first proposed construction of an MPC
protocol (for more than two parties) that is incoercibly secure and universally
composable, and therefore the first construction of a universally composable receipt-free
e-voting protocol.
acknowledgement: Joël Alwen was supported by the ERC starting grant (259668-PSPC).
Rafail Ostrovsky was supported in part by NSF grants 09165174, 1065276, 1118126
and 1136174, US-Israel BSF grant 2008411, OKAWA Foundation Research Award, IBM Faculty
Research Award, Xerox Faculty Research Award, B. John Garrick Foundation Award,
Teradata Research Award, Lockheed-Martin Corporation Research Award, and the Defense
Advanced Research Projects Agency through the U.S. Office of Naval Research under
Contract N00014 -11 -1-0392. The views expressed are those of the author and do
not reflect the official policy or position of the Department of Defense or the
U.S. Government. Vassilis Zikas was supported in part by the Swiss National Science
Foundation (SNF) via the Ambizione grant PZ00P-2142549.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Rafail
full_name: Ostrovsky, Rafail
last_name: Ostrovsky
- first_name: Hongsheng
full_name: Zhou, Hongsheng
last_name: Zhou
- first_name: Vassilis
full_name: Zikas, Vassilis
last_name: Zikas
citation:
ama: 'Alwen JF, Ostrovsky R, Zhou H, Zikas V. Incoercible multi-party computation
and universally composable receipt-free voting. In: Advances in Cryptology
- CRYPTO 2015. Vol 9216. Lecture Notes in Computer Science. Springer; 2015:763-780.
doi:10.1007/978-3-662-48000-7_37'
apa: 'Alwen, J. F., Ostrovsky, R., Zhou, H., & Zikas, V. (2015). Incoercible
multi-party computation and universally composable receipt-free voting. In Advances
in Cryptology - CRYPTO 2015 (Vol. 9216, pp. 763–780). Santa Barbara, CA, United
States: Springer. https://doi.org/10.1007/978-3-662-48000-7_37'
chicago: Alwen, Joel F, Rafail Ostrovsky, Hongsheng Zhou, and Vassilis Zikas. “Incoercible
Multi-Party Computation and Universally Composable Receipt-Free Voting.” In Advances
in Cryptology - CRYPTO 2015, 9216:763–80. Lecture Notes in Computer Science.
Springer, 2015. https://doi.org/10.1007/978-3-662-48000-7_37.
ieee: J. F. Alwen, R. Ostrovsky, H. Zhou, and V. Zikas, “Incoercible multi-party
computation and universally composable receipt-free voting,” in Advances in
Cryptology - CRYPTO 2015, Santa Barbara, CA, United States, 2015, vol. 9216,
pp. 763–780.
ista: 'Alwen JF, Ostrovsky R, Zhou H, Zikas V. 2015. Incoercible multi-party computation
and universally composable receipt-free voting. Advances in Cryptology - CRYPTO
2015. CRYPTO: International Cryptology ConferenceLecture Notes in Computer Science,
LNCS, vol. 9216, 763–780.'
mla: Alwen, Joel F., et al. “Incoercible Multi-Party Computation and Universally
Composable Receipt-Free Voting.” Advances in Cryptology - CRYPTO 2015,
vol. 9216, Springer, 2015, pp. 763–80, doi:10.1007/978-3-662-48000-7_37.
short: J.F. Alwen, R. Ostrovsky, H. Zhou, V. Zikas, in:, Advances in Cryptology
- CRYPTO 2015, Springer, 2015, pp. 763–780.
conference:
end_date: 2015-08-20
location: Santa Barbara, CA, United States
name: 'CRYPTO: International Cryptology Conference'
start_date: 2015-08-16
date_created: 2018-12-11T11:53:23Z
date_published: 2015-08-01T00:00:00Z
date_updated: 2022-06-07T09:51:55Z
day: '01'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.1007/978-3-662-48000-7_37
ec_funded: 1
file:
- access_level: open_access
checksum: 5b6649e80d1f781a8910f7cce6427f78
content_type: application/pdf
creator: dernst
date_created: 2020-05-15T08:55:29Z
date_updated: 2020-07-14T12:45:11Z
file_id: '7853'
file_name: 2015_CRYPTO_Alwen.pdf
file_size: 397363
relation: main_file
file_date_updated: 2020-07-14T12:45:11Z
has_accepted_license: '1'
intvolume: ' 9216'
language:
- iso: eng
month: '08'
oa: 1
oa_version: Submitted Version
page: 763 - 780
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication: Advances in Cryptology - CRYPTO 2015
publication_identifier:
eisbn:
- 978-3-662-48000-7
isbn:
- 978-3-662-47999-5
publication_status: published
publisher: Springer
publist_id: '5476'
quality_controlled: '1'
scopus_import: '1'
series_title: Lecture Notes in Computer Science
status: public
title: Incoercible multi-party computation and universally composable receipt-free
voting
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9216
year: '2015'
...
---
_id: '1669'
abstract:
- lang: eng
text: Computational notions of entropy (a.k.a. pseudoentropy) have found many applications,
including leakage-resilient cryptography, deterministic encryption or memory delegation.
The most important tools to argue about pseudoentropy are chain rules, which quantify
by how much (in terms of quantity and quality) the pseudoentropy of a given random
variable X decreases when conditioned on some other variable Z (think for example
of X as a secret key and Z as information leaked by a side-channel). In this paper
we give a very simple and modular proof of the chain rule for HILL pseudoentropy,
improving best known parameters. Our version allows for increasing the acceptable
length of leakage in applications up to a constant factor compared to the best
previous bounds. As a contribution of independent interest, we provide a comprehensive
study of all known versions of the chain rule, comparing their worst-case strength
and limitations.
alternative_title:
- LNCS
author:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Maciej
full_name: Skórski, Maciej
last_name: Skórski
citation:
ama: Pietrzak KZ, Skórski M. The chain rule for HILL pseudoentropy, revisited. 2015;9230:81-98.
doi:10.1007/978-3-319-22174-8_5
apa: 'Pietrzak, K. Z., & Skórski, M. (2015). The chain rule for HILL pseudoentropy,
revisited. Presented at the LATINCRYPT: Cryptology and Information Security in
Latin America, Guadalajara, Mexico: Springer. https://doi.org/10.1007/978-3-319-22174-8_5'
chicago: Pietrzak, Krzysztof Z, and Maciej Skórski. “The Chain Rule for HILL Pseudoentropy,
Revisited.” Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-319-22174-8_5.
ieee: K. Z. Pietrzak and M. Skórski, “The chain rule for HILL pseudoentropy, revisited,”
vol. 9230. Springer, pp. 81–98, 2015.
ista: Pietrzak KZ, Skórski M. 2015. The chain rule for HILL pseudoentropy, revisited.
9230, 81–98.
mla: Pietrzak, Krzysztof Z., and Maciej Skórski. The Chain Rule for HILL Pseudoentropy,
Revisited. Vol. 9230, Springer, 2015, pp. 81–98, doi:10.1007/978-3-319-22174-8_5.
short: K.Z. Pietrzak, M. Skórski, 9230 (2015) 81–98.
conference:
end_date: 2015-08-26
location: Guadalajara, Mexico
name: 'LATINCRYPT: Cryptology and Information Security in Latin America'
start_date: 2015-08-23
date_created: 2018-12-11T11:53:22Z
date_published: 2015-08-15T00:00:00Z
date_updated: 2021-01-12T06:52:24Z
day: '15'
ddc:
- '005'
department:
- _id: KrPi
doi: 10.1007/978-3-319-22174-8_5
ec_funded: 1
file:
- access_level: open_access
checksum: 8cd4215b83efba720e8cf27c23ff4781
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:18:29Z
date_updated: 2020-07-14T12:45:11Z
file_id: '5351'
file_name: IST-2016-669-v1+1_599.pdf
file_size: 443340
relation: main_file
file_date_updated: 2020-07-14T12:45:11Z
has_accepted_license: '1'
intvolume: ' 9230'
language:
- iso: eng
month: '08'
oa: 1
oa_version: Submitted Version
page: 81 - 98
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5480'
pubrep_id: '669'
quality_controlled: '1'
scopus_import: 1
series_title: Lecture Notes in Computer Science
status: public
title: The chain rule for HILL pseudoentropy, revisited
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9230
year: '2015'
...
---
_id: '1671'
abstract:
- lang: eng
text: This paper studies the concrete security of PRFs and MACs obtained by keying
hash functions based on the sponge paradigm. One such hash function is KECCAK,
selected as NIST’s new SHA-3 standard. In contrast to other approaches like HMAC,
the exact security of keyed sponges is not well understood. Indeed, recent security
analyses delivered concrete security bounds which are far from existing attacks.
This paper aims to close this gap. We prove (nearly) exact bounds on the concrete
PRF security of keyed sponges using a random permutation. These bounds are tight
for the most relevant ranges of parameters, i.e., for messages of length (roughly)
l ≤ min{2n/4, 2r} blocks, where n is the state size and r is the desired output
length; and for l ≤ q queries (to the construction or the underlying permutation).
Moreover, we also improve standard-model bounds. As an intermediate step of independent
interest, we prove tight bounds on the PRF security of the truncated CBC-MAC construction,
which operates as plain CBC-MAC, but only returns a prefix of the output.
alternative_title:
- LNCS
author:
- first_name: Peter
full_name: Gazi, Peter
id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
last_name: Gazi
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Stefano
full_name: Tessaro, Stefano
last_name: Tessaro
citation:
ama: 'Gazi P, Pietrzak KZ, Tessaro S. The exact PRF security of truncation: Tight
bounds for keyed sponges and truncated CBC. In: Vol 9215. Springer; 2015:368-387.
doi:10.1007/978-3-662-47989-6_18'
apa: 'Gazi, P., Pietrzak, K. Z., & Tessaro, S. (2015). The exact PRF security
of truncation: Tight bounds for keyed sponges and truncated CBC (Vol. 9215, pp.
368–387). Presented at the CRYPTO: International Cryptology Conference, Santa
Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-662-47989-6_18'
chicago: 'Gazi, Peter, Krzysztof Z Pietrzak, and Stefano Tessaro. “The Exact PRF
Security of Truncation: Tight Bounds for Keyed Sponges and Truncated CBC,” 9215:368–87.
Springer, 2015. https://doi.org/10.1007/978-3-662-47989-6_18.'
ieee: 'P. Gazi, K. Z. Pietrzak, and S. Tessaro, “The exact PRF security of truncation:
Tight bounds for keyed sponges and truncated CBC,” presented at the CRYPTO: International
Cryptology Conference, Santa Barbara, CA, United States, 2015, vol. 9215, pp.
368–387.'
ista: 'Gazi P, Pietrzak KZ, Tessaro S. 2015. The exact PRF security of truncation:
Tight bounds for keyed sponges and truncated CBC. CRYPTO: International Cryptology
Conference, LNCS, vol. 9215, 368–387.'
mla: 'Gazi, Peter, et al. The Exact PRF Security of Truncation: Tight Bounds
for Keyed Sponges and Truncated CBC. Vol. 9215, Springer, 2015, pp. 368–87,
doi:10.1007/978-3-662-47989-6_18.'
short: P. Gazi, K.Z. Pietrzak, S. Tessaro, in:, Springer, 2015, pp. 368–387.
conference:
end_date: 2015-08-20
location: Santa Barbara, CA, United States
name: 'CRYPTO: International Cryptology Conference'
start_date: 2015-08-16
date_created: 2018-12-11T11:53:23Z
date_published: 2015-08-01T00:00:00Z
date_updated: 2021-01-12T06:52:25Z
day: '01'
ddc:
- '004'
- '005'
department:
- _id: KrPi
doi: 10.1007/978-3-662-47989-6_18
ec_funded: 1
file:
- access_level: open_access
checksum: 17d854227b3b753fd34f5d29e5b5a32e
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:10:38Z
date_updated: 2020-07-14T12:45:11Z
file_id: '4827'
file_name: IST-2016-673-v1+1_053.pdf
file_size: 592296
relation: main_file
file_date_updated: 2020-07-14T12:45:11Z
has_accepted_license: '1'
intvolume: ' 9215'
language:
- iso: eng
month: '08'
oa: 1
oa_version: Submitted Version
page: 368 - 387
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5478'
pubrep_id: '673'
quality_controlled: '1'
scopus_import: 1
status: public
title: 'The exact PRF security of truncation: Tight bounds for keyed sponges and truncated
CBC'
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9215
year: '2015'
...
---
_id: '1668'
abstract:
- lang: eng
text: "We revisit the security (as a pseudorandom permutation) of cascading-based
constructions for block-cipher key-length extension. Previous works typically
considered the extreme case where the adversary is given the entire codebook of
the construction, the only complexity measure being the number qe of queries to
the underlying ideal block cipher, representing adversary’s secret-key-independent
computation. Here, we initiate a systematic study of the more natural case of
an adversary restricted to adaptively learning a number qc of plaintext/ciphertext
pairs that is less than the entire codebook. For any such qc, we aim to determine
the highest number of block-cipher queries qe the adversary can issue without
being able to successfully distinguish the construction (under a secret key) from
a random permutation.\r\nMore concretely, we show the following results for key-length
extension schemes using a block cipher with n-bit blocks and κ-bit keys:\r\nPlain
cascades of length ℓ=2r+1 are secure whenever qcqre≪2r(κ+n), qc≪2κ and qe≪22κ.
The bound for r=1 also applies to two-key triple encryption (as used within Triple
DES).\r\nThe r-round XOR-cascade is secure as long as qcqre≪2r(κ+n), matching
an attack by Gaži (CRYPTO 2013).\r\nWe fully characterize the security of Gaži
and Tessaro’s two-call "
alternative_title:
- LNCS
author:
- first_name: Peter
full_name: Gazi, Peter
id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
last_name: Gazi
- first_name: Jooyoung
full_name: Lee, Jooyoung
last_name: Lee
- first_name: Yannick
full_name: Seurin, Yannick
last_name: Seurin
- first_name: John
full_name: Steinberger, John
last_name: Steinberger
- first_name: Stefano
full_name: Tessaro, Stefano
last_name: Tessaro
citation:
ama: 'Gazi P, Lee J, Seurin Y, Steinberger J, Tessaro S. Relaxing full-codebook
security: A refined analysis of key-length extension schemes. 2015;9054:319-341.
doi:10.1007/978-3-662-48116-5_16'
apa: 'Gazi, P., Lee, J., Seurin, Y., Steinberger, J., & Tessaro, S. (2015).
Relaxing full-codebook security: A refined analysis of key-length extension schemes.
Presented at the FSE: Fast Software Encryption, Istanbul, Turkey: Springer. https://doi.org/10.1007/978-3-662-48116-5_16'
chicago: 'Gazi, Peter, Jooyoung Lee, Yannick Seurin, John Steinberger, and Stefano
Tessaro. “Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension
Schemes.” Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-662-48116-5_16.'
ieee: 'P. Gazi, J. Lee, Y. Seurin, J. Steinberger, and S. Tessaro, “Relaxing full-codebook
security: A refined analysis of key-length extension schemes,” vol. 9054. Springer,
pp. 319–341, 2015.'
ista: 'Gazi P, Lee J, Seurin Y, Steinberger J, Tessaro S. 2015. Relaxing full-codebook
security: A refined analysis of key-length extension schemes. 9054, 319–341.'
mla: 'Gazi, Peter, et al. Relaxing Full-Codebook Security: A Refined Analysis
of Key-Length Extension Schemes. Vol. 9054, Springer, 2015, pp. 319–41, doi:10.1007/978-3-662-48116-5_16.'
short: P. Gazi, J. Lee, Y. Seurin, J. Steinberger, S. Tessaro, 9054 (2015) 319–341.
conference:
end_date: 2015-03-11
location: Istanbul, Turkey
name: 'FSE: Fast Software Encryption'
start_date: 2015-03-08
date_created: 2018-12-11T11:53:22Z
date_published: 2015-08-12T00:00:00Z
date_updated: 2020-08-11T10:09:26Z
day: '12'
department:
- _id: KrPi
doi: 10.1007/978-3-662-48116-5_16
ec_funded: 1
intvolume: ' 9054'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: http://eprint.iacr.org/2015/397
month: '08'
oa: 1
oa_version: Submitted Version
page: 319 - 341
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5481'
quality_controlled: '1'
scopus_import: 1
series_title: Lecture Notes in Computer Science
status: public
title: 'Relaxing full-codebook security: A refined analysis of key-length extension
schemes'
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9054
year: '2015'
...
---
_id: '1675'
abstract:
- lang: eng
text: Proofs of work (PoW) have been suggested by Dwork and Naor (Crypto’92) as
protection to a shared resource. The basic idea is to ask the service requestor
to dedicate some non-trivial amount of computational work to every request. The
original applications included prevention of spam and protection against denial
of service attacks. More recently, PoWs have been used to prevent double spending
in the Bitcoin digital currency system. In this work, we put forward an alternative
concept for PoWs - so-called proofs of space (PoS), where a service requestor
must dedicate a significant amount of disk space as opposed to computation. We
construct secure PoS schemes in the random oracle model (with one additional mild
assumption required for the proof to go through), using graphs with high “pebbling
complexity” and Merkle hash-trees. We discuss some applications, including follow-up
work where a decentralized digital currency scheme called Spacecoin is constructed
that uses PoS (instead of wasteful PoW like in Bitcoin) to prevent double spending.
The main technical contribution of this work is the construction of (directed,
loop-free) graphs on N vertices with in-degree O(log logN) such that even if one
places Θ(N) pebbles on the nodes of the graph, there’s a constant fraction of
nodes that needs Θ(N) steps to be pebbled (where in every step one can put a pebble
on a node if all its parents have a pebble).
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Stefan
full_name: Dziembowski, Stefan
last_name: Dziembowski
- first_name: Sebastian
full_name: Faust, Sebastian
last_name: Faust
- first_name: Vladimir
full_name: Kolmogorov, Vladimir
id: 3D50B0BA-F248-11E8-B48F-1D18A9856A87
last_name: Kolmogorov
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. Proofs of space. In: 35th
Annual Cryptology Conference. Vol 9216. Springer; 2015:585-605. doi:10.1007/978-3-662-48000-7_29'
apa: 'Dziembowski, S., Faust, S., Kolmogorov, V., & Pietrzak, K. Z. (2015).
Proofs of space. In 35th Annual Cryptology Conference (Vol. 9216, pp. 585–605).
Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-662-48000-7_29'
chicago: Dziembowski, Stefan, Sebastian Faust, Vladimir Kolmogorov, and Krzysztof
Z Pietrzak. “Proofs of Space.” In 35th Annual Cryptology Conference, 9216:585–605.
Springer, 2015. https://doi.org/10.1007/978-3-662-48000-7_29.
ieee: S. Dziembowski, S. Faust, V. Kolmogorov, and K. Z. Pietrzak, “Proofs of space,”
in 35th Annual Cryptology Conference, Santa Barbara, CA, United States,
2015, vol. 9216, pp. 585–605.
ista: 'Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. 2015. Proofs of space.
35th Annual Cryptology Conference. CRYPTO: International Cryptology Conference,
LNCS, vol. 9216, 585–605.'
mla: Dziembowski, Stefan, et al. “Proofs of Space.” 35th Annual Cryptology Conference,
vol. 9216, Springer, 2015, pp. 585–605, doi:10.1007/978-3-662-48000-7_29.
short: S. Dziembowski, S. Faust, V. Kolmogorov, K.Z. Pietrzak, in:, 35th Annual
Cryptology Conference, Springer, 2015, pp. 585–605.
conference:
end_date: 2015-08-20
location: Santa Barbara, CA, United States
name: 'CRYPTO: International Cryptology Conference'
start_date: 2015-08-16
date_created: 2018-12-11T11:53:24Z
date_published: 2015-08-01T00:00:00Z
date_updated: 2024-03-20T08:31:49Z
day: '01'
department:
- _id: VlKo
- _id: KrPi
doi: 10.1007/978-3-662-48000-7_29
ec_funded: 1
intvolume: ' 9216'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2013/796.pdf
month: '08'
oa: 1
oa_version: Preprint
page: 585 - 605
project:
- _id: 25FBA906-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '616160'
name: 'Discrete Optimization in Computer Vision: Theory and Practice'
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication: 35th Annual Cryptology Conference
publication_identifier:
isbn:
- '9783662479995'
issn:
- 0302-9743
publication_status: published
publisher: Springer
publist_id: '5474'
pubrep_id: '671'
quality_controlled: '1'
related_material:
record:
- id: '2274'
relation: earlier_version
status: public
scopus_import: '1'
status: public
title: Proofs of space
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9216
year: '2015'
...
---
_id: '1643'
abstract:
- lang: eng
text: We extend the notion of verifiable random functions (VRF) to constrained VRFs,
which generalize the concept of constrained pseudorandom functions, put forward
by Boneh and Waters (Asiacrypt’13), and independently by Kiayias et al. (CCS’13)
and Boyle et al. (PKC’14), who call them delegatable PRFs and functional PRFs,
respectively. In a standard VRF the secret key sk allows one to evaluate a pseudorandom
function at any point of its domain; in addition, it enables computation of a
non-interactive proof that the function value was computed correctly. In a constrained
VRF from the key sk one can derive constrained keys skS for subsets S of the domain,
which allow computation of function values and proofs only at points in S. After
formally defining constrained VRFs, we derive instantiations from the multilinear-maps-based
constrained PRFs by Boneh and Waters, yielding a VRF with constrained keys for
any set that can be decided by a polynomial-size circuit. Our VRFs have the same
function values as the Boneh-Waters PRFs and are proved secure under the same
hardness assumption, showing that verifiability comes at no cost. Constrained
(functional) VRFs were stated as an open problem by Boyle et al.
alternative_title:
- LNCS
author:
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
citation:
ama: 'Fuchsbauer G. Constrained Verifiable Random Functions . In: Abdalla M, De
Prisco R, eds. SCN 2014. Vol 8642. Springer; 2014:95-114. doi:10.1007/978-3-319-10879-7_7'
apa: 'Fuchsbauer, G. (2014). Constrained Verifiable Random Functions . In M. Abdalla
& R. De Prisco (Eds.), SCN 2014 (Vol. 8642, pp. 95–114). Amalfi, Italy:
Springer. https://doi.org/10.1007/978-3-319-10879-7_7'
chicago: Fuchsbauer, Georg. “Constrained Verifiable Random Functions .” In SCN
2014, edited by Michel Abdalla and Roberto De Prisco, 8642:95–114. Springer,
2014. https://doi.org/10.1007/978-3-319-10879-7_7.
ieee: G. Fuchsbauer, “Constrained Verifiable Random Functions ,” in SCN 2014,
Amalfi, Italy, 2014, vol. 8642, pp. 95–114.
ista: 'Fuchsbauer G. 2014. Constrained Verifiable Random Functions . SCN 2014. SCN:
Security and Cryptography for Networks, LNCS, vol. 8642, 95–114.'
mla: Fuchsbauer, Georg. “Constrained Verifiable Random Functions .” SCN 2014,
edited by Michel Abdalla and Roberto De Prisco, vol. 8642, Springer, 2014, pp.
95–114, doi:10.1007/978-3-319-10879-7_7.
short: G. Fuchsbauer, in:, M. Abdalla, R. De Prisco (Eds.), SCN 2014, Springer,
2014, pp. 95–114.
conference:
end_date: 2014-09-05
location: Amalfi, Italy
name: 'SCN: Security and Cryptography for Networks'
start_date: 2014-09-03
date_created: 2018-12-11T11:53:13Z
date_published: 2014-01-01T00:00:00Z
date_updated: 2021-01-12T06:52:12Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-10879-7_7
ec_funded: 1
editor:
- first_name: Michel
full_name: Abdalla, Michel
last_name: Abdalla
- first_name: Roberto
full_name: De Prisco, Roberto
last_name: De Prisco
intvolume: ' 8642'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: http://eprint.iacr.org/2014/537
month: '01'
oa: 1
oa_version: Submitted Version
page: 95 - 114
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication: SCN 2014
publication_status: published
publisher: Springer
publist_id: '5509'
scopus_import: 1
status: public
title: 'Constrained Verifiable Random Functions '
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 8642
year: '2014'
...
---
_id: '1907'
abstract:
- lang: eng
text: 'Most cryptographic security proofs require showing that two systems are indistinguishable.
A central tool in such proofs is that of a game, where winning the game means
provoking a certain condition, and it is shown that the two systems considered
cannot be distinguished unless this condition is provoked. Upper bounding the
probability of winning such a game, i.e., provoking this condition, for an arbitrary
strategy is usually hard, except in the special case where the best strategy for
winning such a game is known to be non-adaptive. A sufficient criterion for ensuring
the optimality of non-adaptive strategies is that of conditional equivalence to
a system, a notion introduced in [1]. In this paper, we show that this criterion
is not necessary to ensure the optimality of non-adaptive strategies by giving
two results of independent interest: 1) the optimality of non-adaptive strategies
is not preserved under parallel composition; 2) in contrast, conditional equivalence
is preserved under parallel composition.'
article_number: '6875125'
author:
- first_name: Grégory
full_name: Demay, Grégory
last_name: Demay
- first_name: Peter
full_name: Gazi, Peter
id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
last_name: Gazi
- first_name: Ueli
full_name: Maurer, Ueli
last_name: Maurer
- first_name: Björn
full_name: Tackmann, Björn
last_name: Tackmann
citation:
ama: 'Demay G, Gazi P, Maurer U, Tackmann B. Optimality of non-adaptive strategies:
The case of parallel games. In: IEEE International Symposium on Information
Theory. IEEE; 2014. doi:10.1109/ISIT.2014.6875125'
apa: 'Demay, G., Gazi, P., Maurer, U., & Tackmann, B. (2014). Optimality of
non-adaptive strategies: The case of parallel games. In IEEE International
Symposium on Information Theory. Honolulu, USA: IEEE. https://doi.org/10.1109/ISIT.2014.6875125'
chicago: 'Demay, Grégory, Peter Gazi, Ueli Maurer, and Björn Tackmann. “Optimality
of Non-Adaptive Strategies: The Case of Parallel Games.” In IEEE International
Symposium on Information Theory. IEEE, 2014. https://doi.org/10.1109/ISIT.2014.6875125.'
ieee: 'G. Demay, P. Gazi, U. Maurer, and B. Tackmann, “Optimality of non-adaptive
strategies: The case of parallel games,” in IEEE International Symposium on
Information Theory, Honolulu, USA, 2014.'
ista: 'Demay G, Gazi P, Maurer U, Tackmann B. 2014. Optimality of non-adaptive strategies:
The case of parallel games. IEEE International Symposium on Information Theory.
IEEE International Symposium on Information Theory Proceedings, 6875125.'
mla: 'Demay, Grégory, et al. “Optimality of Non-Adaptive Strategies: The Case of
Parallel Games.” IEEE International Symposium on Information Theory, 6875125,
IEEE, 2014, doi:10.1109/ISIT.2014.6875125.'
short: G. Demay, P. Gazi, U. Maurer, B. Tackmann, in:, IEEE International Symposium
on Information Theory, IEEE, 2014.
conference:
end_date: 2014-07-04
location: Honolulu, USA
name: IEEE International Symposium on Information Theory Proceedings
start_date: 2014-06-29
date_created: 2018-12-11T11:54:39Z
date_published: 2014-01-01T00:00:00Z
date_updated: 2021-01-12T06:53:59Z
day: '01'
department:
- _id: KrPi
doi: 10.1109/ISIT.2014.6875125
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2014/299
month: '01'
oa: 1
oa_version: Submitted Version
publication: IEEE International Symposium on Information Theory
publication_status: published
publisher: IEEE
publist_id: '5188'
quality_controlled: '1'
scopus_import: 1
status: public
title: 'Optimality of non-adaptive strategies: The case of parallel games'
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
year: '2014'
...
---
_id: '2045'
abstract:
- lang: eng
text: 'We introduce and study a new notion of enhanced chosen-ciphertext security
(ECCA) for public-key encryption. Loosely speaking, in the ECCA security experiment,
the decryption oracle provided to the adversary is augmented to return not only
the output of the decryption algorithm on a queried ciphertext but also of a randomness-recovery
algorithm associated to the scheme. Our results mainly concern the case where
the randomness-recovery algorithm is efficient. We provide constructions of ECCA-secure
encryption from adaptive trapdoor functions as defined by Kiltz et al. (EUROCRYPT
2010), resulting in ECCA encryption from standard number-theoretic assumptions.
We then give two applications of ECCA-secure encryption: (1) We use it as a unifying
concept in showing equivalence of adaptive trapdoor functions and tag-based adaptive
trapdoor functions, resolving an open question of Kiltz et al. (2) We show that
ECCA-secure encryption can be used to securely realize an approach to public-key
encryption with non-interactive opening (PKENO) originally suggested by Damgård
and Thorbek (EUROCRYPT 2007), resulting in new and practical PKENO schemes quite
different from those in prior work. Our results demonstrate that ECCA security
is of both practical and theoretical interest.'
acknowledgement: The second author was supported by EPSRC grant EP/H043454/1.
alternative_title:
- LNCS
author:
- first_name: Dana
full_name: Dachman Soled, Dana
last_name: Dachman Soled
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: Payman
full_name: Mohassel, Payman
last_name: Mohassel
- first_name: Adam
full_name: O’Neill, Adam
last_name: O’Neill
citation:
ama: 'Dachman Soled D, Fuchsbauer G, Mohassel P, O’Neill A. Enhanced chosen-ciphertext
security and applications. In: Krawczyk H, ed. Lecture Notes in Computer Science
(Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes
in Bioinformatics). Vol 8383. Springer; 2014:329-344. doi:10.1007/978-3-642-54631-0_19'
apa: 'Dachman Soled, D., Fuchsbauer, G., Mohassel, P., & O’Neill, A. (2014).
Enhanced chosen-ciphertext security and applications. In H. Krawczyk (Ed.), Lecture
Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence
and Lecture Notes in Bioinformatics) (Vol. 8383, pp. 329–344). Buenos Aires,
Argentina: Springer. https://doi.org/10.1007/978-3-642-54631-0_19'
chicago: Dachman Soled, Dana, Georg Fuchsbauer, Payman Mohassel, and Adam O’Neill.
“Enhanced Chosen-Ciphertext Security and Applications.” In Lecture Notes in
Computer Science (Including Subseries Lecture Notes in Artificial Intelligence
and Lecture Notes in Bioinformatics), edited by Hugo Krawczyk, 8383:329–44.
Springer, 2014. https://doi.org/10.1007/978-3-642-54631-0_19.
ieee: D. Dachman Soled, G. Fuchsbauer, P. Mohassel, and A. O’Neill, “Enhanced chosen-ciphertext
security and applications,” in Lecture Notes in Computer Science (including
subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics),
Buenos Aires, Argentina, 2014, vol. 8383, pp. 329–344.
ista: 'Dachman Soled D, Fuchsbauer G, Mohassel P, O’Neill A. 2014. Enhanced chosen-ciphertext
security and applications. Lecture Notes in Computer Science (including subseries
Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics).
PKC: Public Key Crypography, LNCS, vol. 8383, 329–344.'
mla: Dachman Soled, Dana, et al. “Enhanced Chosen-Ciphertext Security and Applications.”
Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial
Intelligence and Lecture Notes in Bioinformatics), edited by Hugo Krawczyk,
vol. 8383, Springer, 2014, pp. 329–44, doi:10.1007/978-3-642-54631-0_19.
short: D. Dachman Soled, G. Fuchsbauer, P. Mohassel, A. O’Neill, in:, H. Krawczyk
(Ed.), Lecture Notes in Computer Science (Including Subseries Lecture Notes in
Artificial Intelligence and Lecture Notes in Bioinformatics), Springer, 2014,
pp. 329–344.
conference:
end_date: 2014-03-28
location: Buenos Aires, Argentina
name: 'PKC: Public Key Crypography'
start_date: 2014-03-26
date_created: 2018-12-11T11:55:24Z
date_published: 2014-01-01T00:00:00Z
date_updated: 2021-01-12T06:54:57Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-642-54631-0_19
ec_funded: 1
editor:
- first_name: Hugo
full_name: Krawczyk, Hugo
last_name: Krawczyk
intvolume: ' 8383'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2012/543
month: '01'
oa: 1
oa_version: Submitted Version
page: 329 - 344
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication: Lecture Notes in Computer Science (including subseries Lecture Notes
in Artificial Intelligence and Lecture Notes in Bioinformatics)
publication_status: published
publisher: Springer
publist_id: '5006'
quality_controlled: '1'
scopus_import: 1
status: public
title: Enhanced chosen-ciphertext security and applications
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 8383
year: '2014'
...
---
_id: '2047'
abstract:
- lang: eng
text: Following the publication of an attack on genome-wide association studies
(GWAS) data proposed by Homer et al., considerable attention has been given to
developing methods for releasing GWAS data in a privacy-preserving way. Here,
we develop an end-to-end differentially private method for solving regression
problems with convex penalty functions and selecting the penalty parameters by
cross-validation. In particular, we focus on penalized logistic regression with
elastic-net regularization, a method widely used to in GWAS analyses to identify
disease-causing genes. We show how a differentially private procedure for penalized
logistic regression with elastic-net regularization can be applied to the analysis
of GWAS data and evaluate our method’s performance.
acknowledgement: This research was partially supported by BCS- 0941518 to the Department
of Statistics at Carnegie Mellon University.
alternative_title:
- LNCS
author:
- first_name: Fei
full_name: Yu, Fei
last_name: Yu
- first_name: Michal
full_name: Rybar, Michal
id: 2B3E3DE8-F248-11E8-B48F-1D18A9856A87
last_name: Rybar
- first_name: Caroline
full_name: Uhler, Caroline
id: 49ADD78E-F248-11E8-B48F-1D18A9856A87
last_name: Uhler
orcid: 0000-0002-7008-0216
- first_name: Stephen
full_name: Fienberg, Stephen
last_name: Fienberg
citation:
ama: 'Yu F, Rybar M, Uhler C, Fienberg S. Differentially-private logistic regression
for detecting multiple-SNP association in GWAS databases. In: Domingo Ferrer J,
ed. Lecture Notes in Computer Science (Including Subseries Lecture Notes in
Artificial Intelligence and Lecture Notes in Bioinformatics). Vol 8744. Springer;
2014:170-184. doi:10.1007/978-3-319-11257-2_14'
apa: 'Yu, F., Rybar, M., Uhler, C., & Fienberg, S. (2014). Differentially-private
logistic regression for detecting multiple-SNP association in GWAS databases.
In J. Domingo Ferrer (Ed.), Lecture Notes in Computer Science (including subseries
Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
(Vol. 8744, pp. 170–184). Ibiza, Spain: Springer. https://doi.org/10.1007/978-3-319-11257-2_14'
chicago: Yu, Fei, Michal Rybar, Caroline Uhler, and Stephen Fienberg. “Differentially-Private
Logistic Regression for Detecting Multiple-SNP Association in GWAS Databases.”
In Lecture Notes in Computer Science (Including Subseries Lecture Notes in
Artificial Intelligence and Lecture Notes in Bioinformatics), edited by Josep
Domingo Ferrer, 8744:170–84. Springer, 2014. https://doi.org/10.1007/978-3-319-11257-2_14.
ieee: F. Yu, M. Rybar, C. Uhler, and S. Fienberg, “Differentially-private logistic
regression for detecting multiple-SNP association in GWAS databases,” in Lecture
Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence
and Lecture Notes in Bioinformatics), Ibiza, Spain, 2014, vol. 8744, pp. 170–184.
ista: 'Yu F, Rybar M, Uhler C, Fienberg S. 2014. Differentially-private logistic
regression for detecting multiple-SNP association in GWAS databases. Lecture Notes
in Computer Science (including subseries Lecture Notes in Artificial Intelligence
and Lecture Notes in Bioinformatics). PSD: Privacy in Statistical Databases, LNCS,
vol. 8744, 170–184.'
mla: Yu, Fei, et al. “Differentially-Private Logistic Regression for Detecting Multiple-SNP
Association in GWAS Databases.” Lecture Notes in Computer Science (Including
Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics),
edited by Josep Domingo Ferrer, vol. 8744, Springer, 2014, pp. 170–84, doi:10.1007/978-3-319-11257-2_14.
short: F. Yu, M. Rybar, C. Uhler, S. Fienberg, in:, J. Domingo Ferrer (Ed.), Lecture
Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence
and Lecture Notes in Bioinformatics), Springer, 2014, pp. 170–184.
conference:
end_date: 2014-09-19
location: Ibiza, Spain
name: 'PSD: Privacy in Statistical Databases'
start_date: 2014-09-17
date_created: 2018-12-11T11:55:24Z
date_published: 2014-01-01T00:00:00Z
date_updated: 2021-01-12T06:54:57Z
day: '01'
department:
- _id: KrPi
- _id: CaUh
doi: 10.1007/978-3-319-11257-2_14
editor:
- first_name: Josep
full_name: Domingo Ferrer, Josep
last_name: Domingo Ferrer
external_id:
arxiv:
- '1407.8067'
intvolume: ' 8744'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: http://arxiv.org/abs/1407.8067
month: '01'
oa: 1
oa_version: Submitted Version
page: 170 - 184
project:
- _id: 25636330-B435-11E9-9278-68D0E5697425
grant_number: 11-NSF-1070
name: ROOTS Genome-wide Analysis of Root Traits
publication: Lecture Notes in Computer Science (including subseries Lecture Notes
in Artificial Intelligence and Lecture Notes in Bioinformatics)
publication_status: published
publisher: Springer
publist_id: '5004'
quality_controlled: '1'
scopus_import: 1
status: public
title: Differentially-private logistic regression for detecting multiple-SNP association
in GWAS databases
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 8744
year: '2014'
...
---
_id: '2046'
abstract:
- lang: eng
text: 'We introduce policy-based signatures (PBS), where a signer can only sign
messages conforming to some authority-specified policy. The main requirements
are unforgeability and privacy, the latter meaning that signatures not reveal
the policy. PBS offers value along two fronts: (1) On the practical side, they
allow a corporation to control what messages its employees can sign under the
corporate key. (2) On the theoretical side, they unify existing work, capturing
other forms of signatures as special cases or allowing them to be easily built.
Our work focuses on definitions of PBS, proofs that this challenging primitive
is realizable for arbitrary policies, efficient constructions for specific policies,
and a few representative applications.'
acknowledgement: Part of his work was done while at Bristol University, supported
by EPSRC grant EP/H043454/1.
alternative_title:
- LNCS
author:
- first_name: Mihir
full_name: Bellare, Mihir
last_name: Bellare
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
citation:
ama: 'Bellare M, Fuchsbauer G. Policy-based signatures. In: Krawczyk H, ed. Lecture
Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence
and Lecture Notes in Bioinformatics). Vol 8383. Springer; 2014:520-537. doi:10.1007/978-3-642-54631-0_30'
apa: 'Bellare, M., & Fuchsbauer, G. (2014). Policy-based signatures. In H. Krawczyk
(Ed.), Lecture Notes in Computer Science (including subseries Lecture Notes
in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8383,
pp. 520–537). Buenos Aires, Argentina: Springer. https://doi.org/10.1007/978-3-642-54631-0_30'
chicago: Bellare, Mihir, and Georg Fuchsbauer. “Policy-Based Signatures.” In Lecture
Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence
and Lecture Notes in Bioinformatics), edited by Hugo Krawczyk, 8383:520–37.
Springer, 2014. https://doi.org/10.1007/978-3-642-54631-0_30.
ieee: M. Bellare and G. Fuchsbauer, “Policy-based signatures,” in Lecture Notes
in Computer Science (including subseries Lecture Notes in Artificial Intelligence
and Lecture Notes in Bioinformatics), Buenos Aires, Argentina, 2014, vol.
8383, pp. 520–537.
ista: 'Bellare M, Fuchsbauer G. 2014. Policy-based signatures. Lecture Notes in
Computer Science (including subseries Lecture Notes in Artificial Intelligence
and Lecture Notes in Bioinformatics). PKC: Public Key Crypography, LNCS, vol.
8383, 520–537.'
mla: Bellare, Mihir, and Georg Fuchsbauer. “Policy-Based Signatures.” Lecture
Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence
and Lecture Notes in Bioinformatics), edited by Hugo Krawczyk, vol. 8383,
Springer, 2014, pp. 520–37, doi:10.1007/978-3-642-54631-0_30.
short: M. Bellare, G. Fuchsbauer, in:, H. Krawczyk (Ed.), Lecture Notes in Computer
Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture
Notes in Bioinformatics), Springer, 2014, pp. 520–537.
conference:
end_date: 2014-05-28
location: Buenos Aires, Argentina
name: 'PKC: Public Key Crypography'
start_date: 2014-05-26
date_created: 2018-12-11T11:55:24Z
date_published: 2014-01-01T00:00:00Z
date_updated: 2021-01-12T06:54:57Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-642-54631-0_30
ec_funded: 1
editor:
- first_name: Hugo
full_name: Krawczyk, Hugo
last_name: Krawczyk
intvolume: ' 8383'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2013/413
month: '01'
oa: 1
oa_version: Submitted Version
page: 520 - 537
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication: Lecture Notes in Computer Science (including subseries Lecture Notes
in Artificial Intelligence and Lecture Notes in Bioinformatics)
publication_status: published
publisher: Springer
publist_id: '5005'
quality_controlled: '1'
scopus_import: 1
status: public
title: Policy-based signatures
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 8383
year: '2014'
...
---
_id: '2185'
abstract:
- lang: eng
text: 'We revisit the classical problem of converting an imperfect source of randomness
into a usable cryptographic key. Assume that we have some cryptographic application
P that expects a uniformly random m-bit key R and ensures that the best attack
(in some complexity class) against P(R) has success probability at most δ. Our
goal is to design a key-derivation function (KDF) h that converts any random source
X of min-entropy k into a sufficiently "good" key h(X), guaranteeing
that P(h(X)) has comparable security δ′ which is ''close'' to δ. Seeded randomness
extractors provide a generic way to solve this problem for all applications P,
with resulting security δ′ = O(δ), provided that we start with entropy k ≥ m +
2 log (1/δ) - O(1). By a result of Radhakrishnan and Ta-Shma, this bound on k
(called the "RT-bound") is also known to be tight in general. Unfortunately,
in many situations the loss of 2 log (1/δ) bits of entropy is unacceptable. This
motivates the study KDFs with less entropy waste by placing some restrictions
on the source X or the application P. In this work we obtain the following new
positive and negative results in this regard: - Efficient samplability of the
source X does not help beat the RT-bound for general applications. This resolves
the SRT (samplable RT) conjecture of Dachman-Soled et al. [DGKM12] in the affirmative,
and also shows that the existence of computationally-secure extractors beating
the RT-bound implies the existence of one-way functions. - We continue in the
line of work initiated by Barak et al. [BDK+11] and construct new information-theoretic
KDFs which beat the RT-bound for large but restricted classes of applications.
Specifically, we design efficient KDFs that work for all unpredictability applications
P (e.g., signatures, MACs, one-way functions, etc.) and can either: (1) extract
all of the entropy k = m with a very modest security loss δ′ = O(δ·log (1/δ)),
or alternatively, (2) achieve essentially optimal security δ′ = O(δ) with a very
modest entropy loss k ≥ m + loglog (1/δ). In comparison, the best prior results
from [BDK+11] for this class of applications would only guarantee δ′ = O(√δ) when
k = m, and would need k ≥ m + log (1/δ) to get δ′ = O(δ). - The weaker bounds
of [BDK+11] hold for a larger class of so-called "square- friendly"
applications (which includes all unpredictability, but also some important indistinguishability,
applications). Unfortunately, we show that these weaker bounds are tight for the
larger class of applications. - We abstract out a clean, information-theoretic
notion of (k,δ,δ′)- unpredictability extractors, which guarantee "induced"
security δ′ for any δ-secure unpredictability application P, and characterize
the parameters achievable for such unpredictability extractors. Of independent
interest, we also relate this notion to the previously-known notion of (min-entropy)
condensers, and improve the state-of-the-art parameters for such condensers.'
alternative_title:
- LNCS
author:
- first_name: Yevgeniy
full_name: Dodis, Yevgeniy
last_name: Dodis
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Daniel
full_name: Wichs, Daniel
last_name: Wichs
citation:
ama: 'Dodis Y, Pietrzak KZ, Wichs D. Key derivation without entropy waste. In: Nguyen
P, Oswald E, eds. Vol 8441. Springer; 2014:93-110. doi:10.1007/978-3-642-55220-5_6'
apa: 'Dodis, Y., Pietrzak, K. Z., & Wichs, D. (2014). Key derivation without
entropy waste. In P. Nguyen & E. Oswald (Eds.) (Vol. 8441, pp. 93–110). Presented
at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Copenhagen,
Denmark: Springer. https://doi.org/10.1007/978-3-642-55220-5_6'
chicago: Dodis, Yevgeniy, Krzysztof Z Pietrzak, and Daniel Wichs. “Key Derivation
without Entropy Waste.” edited by Phong Nguyen and Elisabeth Oswald, 8441:93–110.
Springer, 2014. https://doi.org/10.1007/978-3-642-55220-5_6.
ieee: 'Y. Dodis, K. Z. Pietrzak, and D. Wichs, “Key derivation without entropy waste,”
presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques,
Copenhagen, Denmark, 2014, vol. 8441, pp. 93–110.'
ista: 'Dodis Y, Pietrzak KZ, Wichs D. 2014. Key derivation without entropy waste.
EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 8441,
93–110.'
mla: Dodis, Yevgeniy, et al. Key Derivation without Entropy Waste. Edited
by Phong Nguyen and Elisabeth Oswald, vol. 8441, Springer, 2014, pp. 93–110, doi:10.1007/978-3-642-55220-5_6.
short: Y. Dodis, K.Z. Pietrzak, D. Wichs, in:, P. Nguyen, E. Oswald (Eds.), Springer,
2014, pp. 93–110.
conference:
end_date: 2014-05-15
location: Copenhagen, Denmark
name: 'EUROCRYPT: Theory and Applications of Cryptographic Techniques'
start_date: 2014-05-11
date_created: 2018-12-11T11:56:12Z
date_published: 2014-04-01T00:00:00Z
date_updated: 2021-01-12T06:55:51Z
day: '01'
ddc:
- '000'
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-642-55220-5_6
editor:
- first_name: Phong
full_name: Nguyen, Phong
last_name: Nguyen
- first_name: Elisabeth
full_name: Oswald, Elisabeth
last_name: Oswald
file:
- access_level: open_access
checksum: da1aa01221086083b23c92e547b48ff4
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:08:43Z
date_updated: 2020-07-14T12:45:31Z
file_id: '4705'
file_name: IST-2016-680-v1+1_708.pdf
file_size: 505389
relation: main_file
file_date_updated: 2020-07-14T12:45:31Z
has_accepted_license: '1'
intvolume: ' 8441'
language:
- iso: eng
month: '04'
oa: 1
oa_version: Submitted Version
page: 93 - 110
publication_status: published
publisher: Springer
publist_id: '4795'
pubrep_id: '680'
quality_controlled: '1'
scopus_import: 1
status: public
title: Key derivation without entropy waste
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 8441
year: '2014'
...
---
_id: '2219'
abstract:
- lang: eng
text: Recently, Döttling et al. (ASIACRYPT 2012) proposed the first chosen-ciphertext
(IND-CCA) secure public-key encryption scheme from the learning parity with noise
(LPN) assumption. In this work we give an alternative scheme which is conceptually
simpler and more efficient. At the core of our construction is a trapdoor technique
originally proposed for lattices by Micciancio and Peikert (EUROCRYPT 2012), which
we adapt to the LPN setting. The main technical tool is a new double-trapdoor
mechanism, together with a trapdoor switching lemma based on a computational variant
of the leftover hash lemma.
alternative_title:
- LNCS
author:
- first_name: Eike
full_name: Kiltz, Eike
last_name: Kiltz
- first_name: Daniel
full_name: Masny, Daniel
last_name: Masny
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Kiltz E, Masny D, Pietrzak KZ. Simple chosen-ciphertext security from low
noise LPN. In: Vol 8383. Springer; 2014:1-18. doi:10.1007/978-3-642-54631-0_1'
apa: 'Kiltz, E., Masny, D., & Pietrzak, K. Z. (2014). Simple chosen-ciphertext
security from low noise LPN (Vol. 8383, pp. 1–18). Presented at the IACR: International
Conference on Practice and Theory in Public-Key Cryptography, Springer. https://doi.org/10.1007/978-3-642-54631-0_1'
chicago: Kiltz, Eike, Daniel Masny, and Krzysztof Z Pietrzak. “Simple Chosen-Ciphertext
Security from Low Noise LPN,” 8383:1–18. Springer, 2014. https://doi.org/10.1007/978-3-642-54631-0_1.
ieee: 'E. Kiltz, D. Masny, and K. Z. Pietrzak, “Simple chosen-ciphertext security
from low noise LPN,” presented at the IACR: International Conference on Practice
and Theory in Public-Key Cryptography, 2014, vol. 8383, pp. 1–18.'
ista: 'Kiltz E, Masny D, Pietrzak KZ. 2014. Simple chosen-ciphertext security from
low noise LPN. IACR: International Conference on Practice and Theory in Public-Key
Cryptography, LNCS, vol. 8383, 1–18.'
mla: Kiltz, Eike, et al. Simple Chosen-Ciphertext Security from Low Noise LPN.
Vol. 8383, Springer, 2014, pp. 1–18, doi:10.1007/978-3-642-54631-0_1.
short: E. Kiltz, D. Masny, K.Z. Pietrzak, in:, Springer, 2014, pp. 1–18.
conference:
name: 'IACR: International Conference on Practice and Theory in Public-Key Cryptography'
date_created: 2018-12-11T11:56:24Z
date_published: 2014-03-01T00:00:00Z
date_updated: 2021-01-12T06:56:05Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-642-54631-0_1
intvolume: ' 8383'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2015/401
month: '03'
oa: 1
oa_version: Submitted Version
page: 1 - 18
publication_identifier:
isbn:
- 978-364254630-3
publication_status: published
publisher: Springer
publist_id: '4748'
quality_controlled: '1'
scopus_import: 1
status: public
title: Simple chosen-ciphertext security from low noise LPN
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 8383
year: '2014'
...
---
_id: '2236'
abstract:
- lang: eng
text: Consider a joint distribution (X,A) on a set. We show that for any family
of distinguishers, there exists a simulator such that 1 no function in can distinguish
(X,A) from (X,h(X)) with advantage ε, 2 h is only O(2 3ℓ ε -2) times less efficient
than the functions in. For the most interesting settings of the parameters (in
particular, the cryptographic case where X has superlogarithmic min-entropy, ε
> 0 is negligible and consists of circuits of polynomial size), we can make
the simulator h deterministic. As an illustrative application of our theorem,
we give a new security proof for the leakage-resilient stream-cipher from Eurocrypt'09.
Our proof is simpler and quantitatively much better than the original proof using
the dense model theorem, giving meaningful security guarantees if instantiated
with a standard blockcipher like AES. Subsequent to this work, Chung, Lui and
Pass gave an interactive variant of our main theorem, and used it to investigate
weak notions of Zero-Knowledge. Vadhan and Zheng give a more constructive version
of our theorem using their new uniform min-max theorem.
alternative_title:
- LNCS
author:
- first_name: Dimitar
full_name: Jetchev, Dimitar
last_name: Jetchev
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Jetchev D, Pietrzak KZ. How to fake auxiliary input. In: Lindell Y, ed. Vol
8349. Springer; 2014:566-590. doi:10.1007/978-3-642-54242-8_24'
apa: 'Jetchev, D., & Pietrzak, K. Z. (2014). How to fake auxiliary input. In
Y. Lindell (Ed.) (Vol. 8349, pp. 566–590). Presented at the TCC: Theory of Cryptography
Conference, San Diego, USA: Springer. https://doi.org/10.1007/978-3-642-54242-8_24'
chicago: Jetchev, Dimitar, and Krzysztof Z Pietrzak. “How to Fake Auxiliary Input.”
edited by Yehuda Lindell, 8349:566–90. Springer, 2014. https://doi.org/10.1007/978-3-642-54242-8_24.
ieee: 'D. Jetchev and K. Z. Pietrzak, “How to fake auxiliary input,” presented at
the TCC: Theory of Cryptography Conference, San Diego, USA, 2014, vol. 8349, pp.
566–590.'
ista: 'Jetchev D, Pietrzak KZ. 2014. How to fake auxiliary input. TCC: Theory of
Cryptography Conference, LNCS, vol. 8349, 566–590.'
mla: Jetchev, Dimitar, and Krzysztof Z. Pietrzak. How to Fake Auxiliary Input.
Edited by Yehuda Lindell, vol. 8349, Springer, 2014, pp. 566–90, doi:10.1007/978-3-642-54242-8_24.
short: D. Jetchev, K.Z. Pietrzak, in:, Y. Lindell (Ed.), Springer, 2014, pp. 566–590.
conference:
end_date: 2014-02-26
location: San Diego, USA
name: 'TCC: Theory of Cryptography Conference'
start_date: 2014-02-24
date_created: 2018-12-11T11:56:29Z
date_published: 2014-02-01T00:00:00Z
date_updated: 2021-01-12T06:56:12Z
day: '01'
ddc:
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-642-54242-8_24
ec_funded: 1
editor:
- first_name: Yehuda
full_name: Lindell, Yehuda
last_name: Lindell
file:
- access_level: open_access
checksum: 42960325c29dcd8d832edadcc3ce0045
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:17:21Z
date_updated: 2020-07-14T12:45:34Z
file_id: '5275'
file_name: IST-2016-681-v1+1_869_1_.pdf
file_size: 313528
relation: main_file
file_date_updated: 2020-07-14T12:45:34Z
has_accepted_license: '1'
intvolume: ' 8349'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://repository.ist.ac.at/id/eprint/681
month: '02'
oa: 1
oa_version: Submitted Version
page: 566 - 590
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_identifier:
isbn:
- 978-364254241-1
publication_status: published
publisher: Springer
publist_id: '4725'
pubrep_id: '681'
quality_controlled: '1'
status: public
title: How to fake auxiliary input
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 8349
year: '2014'
...
---
_id: '2852'
abstract:
- lang: eng
text: A robust combiner for hash functions takes two candidate implementations and
constructs a hash function which is secure as long as at least one of the candidates
is secure. So far, hash function combiners only aim at preserving a single property
such as collision-resistance or pseudorandomness. However, when hash functions
are used in protocols like TLS they are often required to provide several properties
simultaneously. We therefore put forward the notion of robust multi-property combiners
and elaborate on different definitions for such combiners. We then propose a combiner
that provably preserves (target) collision-resistance, pseudorandomness, and being
a secure message authentication code. This combiner satisfies the strongest notion
we propose, which requires that the combined function satisfies every security
property which is satisfied by at least one of the underlying hash function. If
the underlying hash functions have output length n, the combiner has output length
2 n. This basically matches a known lower bound for black-box combiners for collision-resistance
only, thus the other properties can be achieved without penalizing the length
of the hash values. We then propose a combiner which also preserves the property
of being indifferentiable from a random oracle, slightly increasing the output
length to 2 n+ω(log n). Moreover, we show how to augment our constructions in
order to make them also robust for the one-wayness property, but in this case
require an a priory upper bound on the input length.
author:
- first_name: Marc
full_name: Fischlin, Marc
last_name: Fischlin
- first_name: Anja
full_name: Lehmann, Anja
last_name: Lehmann
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: Fischlin M, Lehmann A, Pietrzak KZ. Robust multi-property combiners for hash
functions. Journal of Cryptology. 2014;27(3):397-428. doi:10.1007/s00145-013-9148-7
apa: Fischlin, M., Lehmann, A., & Pietrzak, K. Z. (2014). Robust multi-property
combiners for hash functions. Journal of Cryptology. Springer. https://doi.org/10.1007/s00145-013-9148-7
chicago: Fischlin, Marc, Anja Lehmann, and Krzysztof Z Pietrzak. “Robust Multi-Property
Combiners for Hash Functions.” Journal of Cryptology. Springer, 2014. https://doi.org/10.1007/s00145-013-9148-7.
ieee: M. Fischlin, A. Lehmann, and K. Z. Pietrzak, “Robust multi-property combiners
for hash functions,” Journal of Cryptology, vol. 27, no. 3. Springer, pp.
397–428, 2014.
ista: Fischlin M, Lehmann A, Pietrzak KZ. 2014. Robust multi-property combiners
for hash functions. Journal of Cryptology. 27(3), 397–428.
mla: Fischlin, Marc, et al. “Robust Multi-Property Combiners for Hash Functions.”
Journal of Cryptology, vol. 27, no. 3, Springer, 2014, pp. 397–428, doi:10.1007/s00145-013-9148-7.
short: M. Fischlin, A. Lehmann, K.Z. Pietrzak, Journal of Cryptology 27 (2014) 397–428.
date_created: 2018-12-11T11:59:56Z
date_published: 2014-07-01T00:00:00Z
date_updated: 2023-02-23T11:17:53Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/s00145-013-9148-7
intvolume: ' 27'
issue: '3'
language:
- iso: eng
month: '07'
oa_version: None
page: 397 - 428
publication: Journal of Cryptology
publication_status: published
publisher: Springer
publist_id: '3940'
quality_controlled: '1'
related_material:
record:
- id: '3225'
relation: earlier_version
status: public
scopus_import: 1
status: public
title: Robust multi-property combiners for hash functions
type: journal_article
user_id: 3FFCCD3A-F248-11E8-B48F-1D18A9856A87
volume: 27
year: '2014'
...
---
_id: '2082'
abstract:
- lang: eng
text: 'NMAC is a mode of operation which turns a fixed input-length keyed hash function
f into a variable input-length function. A practical single-key variant of NMAC
called HMAC is a very popular and widely deployed message authentication code
(MAC). Security proofs and attacks for NMAC can typically be lifted to HMAC. NMAC
was introduced by Bellare, Canetti and Krawczyk [Crypto''96], who proved it to
be a secure pseudorandom function (PRF), and thus also a MAC, assuming that (1)
f is a PRF and (2) the function we get when cascading f is weakly collision-resistant.
Unfortunately, HMAC is typically instantiated with cryptographic hash functions
like MD5 or SHA-1 for which (2) has been found to be wrong. To restore the provable
guarantees for NMAC, Bellare [Crypto''06] showed its security based solely on
the assumption that f is a PRF, albeit via a non-uniform reduction. - Our first
contribution is a simpler and uniform proof for this fact: If f is an ε-secure
PRF (against q queries) and a δ-non-adaptively secure PRF (against q queries),
then NMAC f is an (ε+ℓqδ)-secure PRF against q queries of length at most ℓ blocks
each. - We then show that this ε+ℓqδ bound is basically tight. For the most interesting
case where ℓqδ ≥ ε we prove this by constructing an f for which an attack with
advantage ℓqδ exists. This also violates the bound O(ℓε) on the PRF-security of
NMAC recently claimed by Koblitz and Menezes. - Finally, we analyze the PRF-security
of a modification of NMAC called NI [An and Bellare, Crypto''99] that differs
mainly by using a compression function with an additional keying input. This avoids
the constant rekeying on multi-block messages in NMAC and allows for a security
proof starting by the standard switch from a PRF to a random function, followed
by an information-theoretic analysis. We carry out such an analysis, obtaining
a tight ℓq2/2 c bound for this step, improving over the trivial bound of ℓ2q2/2c.
The proof borrows combinatorial techniques originally developed for proving the
security of CBC-MAC [Bellare et al., Crypto''05].'
alternative_title:
- LNCS
author:
- first_name: Peter
full_name: Gazi, Peter
id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
last_name: Gazi
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Michal
full_name: Rybar, Michal
id: 2B3E3DE8-F248-11E8-B48F-1D18A9856A87
last_name: Rybar
citation:
ama: 'Gazi P, Pietrzak KZ, Rybar M. The exact PRF-security of NMAC and HMAC. In:
Garay J, Gennaro R, eds. Vol 8616. Springer; 2014:113-130. doi:10.1007/978-3-662-44371-2_7'
apa: 'Gazi, P., Pietrzak, K. Z., & Rybar, M. (2014). The exact PRF-security
of NMAC and HMAC. In J. Garay & R. Gennaro (Eds.) (Vol. 8616, pp. 113–130).
Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, USA:
Springer. https://doi.org/10.1007/978-3-662-44371-2_7'
chicago: Gazi, Peter, Krzysztof Z Pietrzak, and Michal Rybar. “The Exact PRF-Security
of NMAC and HMAC.” edited by Juan Garay and Rosario Gennaro, 8616:113–30. Springer,
2014. https://doi.org/10.1007/978-3-662-44371-2_7.
ieee: 'P. Gazi, K. Z. Pietrzak, and M. Rybar, “The exact PRF-security of NMAC and
HMAC,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara,
USA, 2014, vol. 8616, no. 1, pp. 113–130.'
ista: 'Gazi P, Pietrzak KZ, Rybar M. 2014. The exact PRF-security of NMAC and HMAC.
CRYPTO: International Cryptology Conference, LNCS, vol. 8616, 113–130.'
mla: Gazi, Peter, et al. The Exact PRF-Security of NMAC and HMAC. Edited
by Juan Garay and Rosario Gennaro, vol. 8616, no. 1, Springer, 2014, pp. 113–30,
doi:10.1007/978-3-662-44371-2_7.
short: P. Gazi, K.Z. Pietrzak, M. Rybar, in:, J. Garay, R. Gennaro (Eds.), Springer,
2014, pp. 113–130.
conference:
end_date: 2014-08-21
location: Santa Barbara, USA
name: 'CRYPTO: International Cryptology Conference'
start_date: 2014-08-17
date_created: 2018-12-11T11:55:36Z
date_published: 2014-01-01T00:00:00Z
date_updated: 2023-09-07T12:02:27Z
day: '01'
ddc:
- '000'
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-662-44371-2_7
ec_funded: 1
editor:
- first_name: Juan
full_name: Garay, Juan
last_name: Garay
- first_name: Rosario
full_name: Gennaro, Rosario
last_name: Gennaro
file:
- access_level: open_access
checksum: dab6ab36a5f6af94f2b597e6404ed11d
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:13:17Z
date_updated: 2020-07-14T12:45:28Z
file_id: '4999'
file_name: IST-2016-682-v1+1_578.pdf
file_size: 492310
relation: main_file
file_date_updated: 2020-07-14T12:45:28Z
has_accepted_license: '1'
intvolume: ' 8616'
issue: '1'
language:
- iso: eng
month: '01'
oa: 1
oa_version: Submitted Version
page: 113 - 130
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '4955'
pubrep_id: '682'
quality_controlled: '1'
related_material:
record:
- id: '838'
relation: dissertation_contains
status: public
status: public
title: The exact PRF-security of NMAC and HMAC
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 8616
year: '2014'
...
---
_id: '2259'
abstract:
- lang: eng
text: "The learning with rounding (LWR) problem, introduced by Banerjee, Peikert
and Rosen at EUROCRYPT ’12, is a variant of learning with errors (LWE), where
one replaces random errors with deterministic rounding. The LWR problem was shown
to be as hard as LWE for a setting of parameters where the modulus and modulus-to-error
ratio are super-polynomial. In this work we resolve the main open problem and
give a new reduction that works for a larger range of parameters, allowing for
a polynomial modulus and modulus-to-error ratio. In particular, a smaller modulus
gives us greater efficiency, and a smaller modulus-to-error ratio gives us greater
security, which now follows from the worst-case hardness of GapSVP with polynomial
(rather than super-polynomial) approximation factors.\r\n\r\nAs a tool in the
reduction, we show that there is a “lossy mode” for the LWR problem, in which
LWR samples only reveal partial information about the secret. This property gives
us several interesting new applications, including a proof that LWR remains secure
with weakly random secrets of sufficient min-entropy, and very simple constructions
of deterministic encryption, lossy trapdoor functions and reusable extractors.\r\n\r\nOur
approach is inspired by a technique of Goldwasser et al. from ICS ’10, which implicitly
showed the existence of a “lossy mode” for LWE. By refining this technique, we
also improve on the parameters of that work to only requiring a polynomial (instead
of super-polynomial) modulus and modulus-to-error ratio.\r\n"
alternative_title:
- LNCS
author:
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Stephan
full_name: Krenn, Stephan
id: 329FCCF0-F248-11E8-B48F-1D18A9856A87
last_name: Krenn
orcid: 0000-0003-2835-9093
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Daniel
full_name: Wichs, Daniel
last_name: Wichs
citation:
ama: 'Alwen JF, Krenn S, Pietrzak KZ, Wichs D. Learning with rounding, revisited:
New reduction properties and applications. 2013;8042(1):57-74. doi:10.1007/978-3-642-40041-4_4'
apa: 'Alwen, J. F., Krenn, S., Pietrzak, K. Z., & Wichs, D. (2013). Learning
with rounding, revisited: New reduction properties and applications. Presented
at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United
States: Springer. https://doi.org/10.1007/978-3-642-40041-4_4'
chicago: 'Alwen, Joel F, Stephan Krenn, Krzysztof Z Pietrzak, and Daniel Wichs.
“Learning with Rounding, Revisited: New Reduction Properties and Applications.”
Lecture Notes in Computer Science. Springer, 2013. https://doi.org/10.1007/978-3-642-40041-4_4.'
ieee: 'J. F. Alwen, S. Krenn, K. Z. Pietrzak, and D. Wichs, “Learning with rounding,
revisited: New reduction properties and applications,” vol. 8042, no. 1. Springer,
pp. 57–74, 2013.'
ista: 'Alwen JF, Krenn S, Pietrzak KZ, Wichs D. 2013. Learning with rounding, revisited:
New reduction properties and applications. 8042(1), 57–74.'
mla: 'Alwen, Joel F., et al. Learning with Rounding, Revisited: New Reduction
Properties and Applications. Vol. 8042, no. 1, Springer, 2013, pp. 57–74,
doi:10.1007/978-3-642-40041-4_4.'
short: J.F. Alwen, S. Krenn, K.Z. Pietrzak, D. Wichs, 8042 (2013) 57–74.
conference:
end_date: 2013-08-22
location: Santa Barbara, CA, United States
name: 'CRYPTO: International Cryptology Conference'
start_date: 2013-08-18
date_created: 2018-12-11T11:56:37Z
date_published: 2013-01-01T00:00:00Z
date_updated: 2021-01-12T06:56:21Z
day: '01'
ddc:
- '000'
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-642-40041-4_4
ec_funded: 1
file:
- access_level: open_access
checksum: 16d428408a806b8e49eecc607deab115
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:11:55Z
date_updated: 2020-07-14T12:45:35Z
file_id: '4912'
file_name: IST-2016-684-v1+1_098.pdf
file_size: 587898
relation: main_file
file_date_updated: 2020-07-14T12:45:35Z
has_accepted_license: '1'
intvolume: ' 8042'
issue: '1'
language:
- iso: eng
month: '01'
oa: 1
oa_version: Published Version
page: 57 - 74
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '4687'
pubrep_id: '684'
quality_controlled: '1'
scopus_import: 1
series_title: Lecture Notes in Computer Science
status: public
title: 'Learning with rounding, revisited: New reduction properties and applications'
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 8042
year: '2013'
...
---
_id: '2258'
abstract:
- lang: eng
text: "In a digital signature scheme with message recovery, rather than transmitting
the message m and its signature σ, a single enhanced signature τ is transmitted.
The verifier is able to recover m from τ and at the same time verify its authenticity.
The two most important parameters of such a scheme are its security and overhead
|τ| − |m|. A simple argument shows that for any scheme with “n bits security”
|τ| − |m| ≥ n, i.e., the overhead is lower bounded by the security parameter n.
Currently, the best known constructions in the random oracle model are far from
this lower bound requiring an overhead of n + logq h , where q h is the number
of queries to the random oracle. In this paper we give a construction which basically
matches the n bit lower bound. We propose a simple digital signature scheme with
n + o(logq h ) bits overhead, where q h denotes the number of random oracle queries.\r\n\r\nOur
construction works in two steps. First, we propose a signature scheme with message
recovery having optimal overhead in a new ideal model, the random invertible function
model. Second, we show that a four-round Feistel network with random oracles as
round functions is tightly “public-indifferentiable” from a random invertible
function. At the core of our indifferentiability proof is an almost tight upper
bound for the expected number of edges of the densest “small” subgraph of a random
Cayley graph, which may be of independent interest.\r\n"
alternative_title:
- LNCS
author:
- first_name: Eike
full_name: Kiltz, Eike
last_name: Kiltz
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Mario
full_name: Szegedy, Mario
last_name: Szegedy
citation:
ama: Kiltz E, Pietrzak KZ, Szegedy M. Digital signatures with minimal overhead from
indifferentiable random invertible functions. 2013;8042:571-588. doi:10.1007/978-3-642-40041-4_31
apa: 'Kiltz, E., Pietrzak, K. Z., & Szegedy, M. (2013). Digital signatures with
minimal overhead from indifferentiable random invertible functions. Presented
at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United
States: Springer. https://doi.org/10.1007/978-3-642-40041-4_31'
chicago: Kiltz, Eike, Krzysztof Z Pietrzak, and Mario Szegedy. “Digital Signatures
with Minimal Overhead from Indifferentiable Random Invertible Functions.” Lecture
Notes in Computer Science. Springer, 2013. https://doi.org/10.1007/978-3-642-40041-4_31.
ieee: E. Kiltz, K. Z. Pietrzak, and M. Szegedy, “Digital signatures with minimal
overhead from indifferentiable random invertible functions,” vol. 8042. Springer,
pp. 571–588, 2013.
ista: Kiltz E, Pietrzak KZ, Szegedy M. 2013. Digital signatures with minimal overhead
from indifferentiable random invertible functions. 8042, 571–588.
mla: Kiltz, Eike, et al. Digital Signatures with Minimal Overhead from Indifferentiable
Random Invertible Functions. Vol. 8042, Springer, 2013, pp. 571–88, doi:10.1007/978-3-642-40041-4_31.
short: E. Kiltz, K.Z. Pietrzak, M. Szegedy, 8042 (2013) 571–588.
conference:
end_date: 2013-08-22
location: Santa Barbara, CA, United States
name: 'CRYPTO: International Cryptology Conference'
start_date: 2013-08-18
date_created: 2018-12-11T11:56:37Z
date_published: 2013-01-01T00:00:00Z
date_updated: 2021-01-12T06:56:21Z
day: '01'
ddc:
- '000'
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-642-40041-4_31
ec_funded: 1
file:
- access_level: open_access
checksum: 18a3f602cb41de184dc0e16a0e907633
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:09:20Z
date_updated: 2020-07-14T12:45:35Z
file_id: '4744'
file_name: IST-2016-685-v1+1_658.pdf
file_size: 493175
relation: main_file
file_date_updated: 2020-07-14T12:45:35Z
has_accepted_license: '1'
intvolume: ' 8042'
language:
- iso: eng
month: '01'
oa: 1
oa_version: Submitted Version
page: 571 - 588
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '4688'
pubrep_id: '685'
quality_controlled: '1'
scopus_import: 1
series_title: Lecture Notes in Computer Science
status: public
title: Digital signatures with minimal overhead from indifferentiable random invertible
functions
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 8042
year: '2013'
...
---
_id: '2260'
abstract:
- lang: eng
text: "Direct Anonymous Attestation (DAA) is one of the most complex cryptographic
protocols deployed in practice. It allows an embedded secure processor known as
a Trusted Platform Module (TPM) to attest to the configuration of its host computer
without violating the owner’s privacy. DAA has been standardized by the Trusted
Computing Group and ISO/IEC.\r\n\r\nThe security of the DAA standard and all existing
schemes is analyzed in the random-oracle model. We provide the first constructions
of DAA in the standard model, that is, without relying on random oracles. Our
constructions use new building blocks, including the first efficient signatures
of knowledge in the standard model, which have many applications beyond DAA.\r\n"
alternative_title:
- LNCS
author:
- first_name: David
full_name: Bernhard, David
last_name: Bernhard
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: Essam
full_name: Ghadafi, Essam
last_name: Ghadafi
citation:
ama: Bernhard D, Fuchsbauer G, Ghadafi E. Efficient signatures of knowledge and
DAA in the standard model. 2013;7954:518-533. doi:10.1007/978-3-642-38980-1_33
apa: 'Bernhard, D., Fuchsbauer, G., & Ghadafi, E. (2013). Efficient signatures
of knowledge and DAA in the standard model. Presented at the ACNS: Applied Cryptography
and Network Security, Banff, AB, Canada: Springer. https://doi.org/10.1007/978-3-642-38980-1_33'
chicago: Bernhard, David, Georg Fuchsbauer, and Essam Ghadafi. “Efficient Signatures
of Knowledge and DAA in the Standard Model.” Lecture Notes in Computer Science.
Springer, 2013. https://doi.org/10.1007/978-3-642-38980-1_33.
ieee: D. Bernhard, G. Fuchsbauer, and E. Ghadafi, “Efficient signatures of knowledge
and DAA in the standard model,” vol. 7954. Springer, pp. 518–533, 2013.
ista: Bernhard D, Fuchsbauer G, Ghadafi E. 2013. Efficient signatures of knowledge
and DAA in the standard model. 7954, 518–533.
mla: Bernhard, David, et al. Efficient Signatures of Knowledge and DAA in the
Standard Model. Vol. 7954, Springer, 2013, pp. 518–33, doi:10.1007/978-3-642-38980-1_33.
short: D. Bernhard, G. Fuchsbauer, E. Ghadafi, 7954 (2013) 518–533.
conference:
end_date: 2013-06-28
location: Banff, AB, Canada
name: 'ACNS: Applied Cryptography and Network Security'
start_date: 2013-06-25
date_created: 2018-12-11T11:56:37Z
date_published: 2013-06-01T00:00:00Z
date_updated: 2020-08-11T10:09:44Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-642-38980-1_33
intvolume: ' 7954'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: http://eprint.iacr.org/2012/475
month: '06'
oa: 1
oa_version: Submitted Version
page: 518 - 533
publication_status: published
publisher: Springer
publist_id: '4686'
quality_controlled: '1'
scopus_import: 1
series_title: Lecture Notes in Computer Science
status: public
title: Efficient signatures of knowledge and DAA in the standard model
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 7954
year: '2013'
...
---
_id: '2291'
abstract:
- lang: eng
text: "Cryptographic access control promises to offer easily distributed trust and
broader applicability, while reducing reliance on low-level online monitors. Traditional
implementations of cryptographic access control rely on simple cryptographic primitives
whereas recent endeavors employ primitives with richer functionality and security
guarantees. Worryingly, few of the existing cryptographic access-control schemes
come with precise guarantees, the gap between the policy specification and the
implementation being analyzed only informally, if at all. In this paper we begin
addressing this shortcoming. Unlike prior work that targeted ad-hoc policy specification,
we look at the well-established Role-Based Access Control (RBAC) model, as used
in a typical file system. In short, we provide a precise syntax for a computational
version of RBAC, offer rigorous definitions for cryptographic policy enforcement
of a large class of RBAC security policies, and demonstrate that an implementation
based on attribute-based encryption meets our security notions. We view our main
contribution as being at the conceptual level. Although we work with RBAC for
concreteness, our general methodology could guide future research for uses of
cryptography in other access-control models. \r\n"
author:
- first_name: Anna
full_name: Ferrara, Anna
last_name: Ferrara
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: Bogdan
full_name: Warinschi, Bogdan
last_name: Warinschi
citation:
ama: 'Ferrara A, Fuchsbauer G, Warinschi B. Cryptographically enforced RBAC. In:
IEEE; 2013:115-129. doi:10.1109/CSF.2013.15'
apa: 'Ferrara, A., Fuchsbauer, G., & Warinschi, B. (2013). Cryptographically
enforced RBAC (pp. 115–129). Presented at the CSF: Computer Security Foundations,
New Orleans, LA, United States: IEEE. https://doi.org/10.1109/CSF.2013.15'
chicago: Ferrara, Anna, Georg Fuchsbauer, and Bogdan Warinschi. “Cryptographically
Enforced RBAC,” 115–29. IEEE, 2013. https://doi.org/10.1109/CSF.2013.15.
ieee: 'A. Ferrara, G. Fuchsbauer, and B. Warinschi, “Cryptographically enforced
RBAC,” presented at the CSF: Computer Security Foundations, New Orleans, LA, United
States, 2013, pp. 115–129.'
ista: 'Ferrara A, Fuchsbauer G, Warinschi B. 2013. Cryptographically enforced RBAC.
CSF: Computer Security Foundations, 115–129.'
mla: Ferrara, Anna, et al. Cryptographically Enforced RBAC. IEEE, 2013, pp.
115–29, doi:10.1109/CSF.2013.15.
short: A. Ferrara, G. Fuchsbauer, B. Warinschi, in:, IEEE, 2013, pp. 115–129.
conference:
end_date: 2013-09-28
location: New Orleans, LA, United States
name: 'CSF: Computer Security Foundations'
start_date: 2013-09-26
date_created: 2018-12-11T11:56:48Z
date_published: 2013-09-01T00:00:00Z
date_updated: 2021-01-12T06:56:34Z
day: '01'
department:
- _id: KrPi
doi: 10.1109/CSF.2013.15
language:
- iso: eng
main_file_link:
- open_access: '1'
url: http://eprint.iacr.org/2013/492
month: '09'
oa: 1
oa_version: Submitted Version
page: 115 - 129
publication_status: published
publisher: IEEE
publist_id: '4637'
quality_controlled: '1'
scopus_import: 1
status: public
title: Cryptographically enforced RBAC
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
year: '2013'
...
---
_id: '2940'
abstract:
- lang: eng
text: "A chain rule for an entropy notion H(.) states that the entropy H(X) of a
variable X decreases by at most l if conditioned on an l-bit string A, i.e., H(X|A)>=
H(X)-l. More generally, it satisfies a chain rule for conditional entropy if H(X|Y,A)>=
H(X|Y)-l.\r\n\r\nAll natural information theoretic entropy notions we are aware
of (like Shannon or min-entropy) satisfy some kind of chain rule for conditional
entropy. Moreover, many computational entropy notions (like Yao entropy, unpredictability
entropy and several variants of HILL entropy) satisfy the chain rule for conditional
entropy, though here not only the quantity decreases by l, but also the quality
of the entropy decreases exponentially in l. However, for \r\nthe standard notion
of conditional HILL entropy (the computational equivalent of min-entropy) the
existence of such a rule was unknown so far.\r\n\r\nIn this paper, we prove that
for conditional HILL entropy no meaningful chain rule exists, assuming the existence
of one-way permutations: there exist distributions X,Y,A, where A is a distribution
over a single bit, but $H(X|Y)>>H(X|Y,A)$, even if we simultaneously allow
for a massive degradation in the quality of the entropy.\r\n\r\nThe idea underlying
our construction is based on a surprising connection between the chain rule for
HILL entropy and deniable encryption. "
alternative_title:
- LNCS
author:
- first_name: Stephan
full_name: Krenn, Stephan
id: 329FCCF0-F248-11E8-B48F-1D18A9856A87
last_name: Krenn
orcid: 0000-0003-2835-9093
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Akshay
full_name: Wadia, Akshay
last_name: Wadia
citation:
ama: 'Krenn S, Pietrzak KZ, Wadia A. A counterexample to the chain rule for conditional
HILL entropy, and what deniable encryption has to do with it. In: Sahai A, ed.
Vol 7785. Springer; 2013:23-39. doi:10.1007/978-3-642-36594-2_2'
apa: 'Krenn, S., Pietrzak, K. Z., & Wadia, A. (2013). A counterexample to the
chain rule for conditional HILL entropy, and what deniable encryption has to do
with it. In A. Sahai (Ed.) (Vol. 7785, pp. 23–39). Presented at the TCC: Theory
of Cryptography Conference, Tokyo, Japan: Springer. https://doi.org/10.1007/978-3-642-36594-2_2'
chicago: Krenn, Stephan, Krzysztof Z Pietrzak, and Akshay Wadia. “A Counterexample
to the Chain Rule for Conditional HILL Entropy, and What Deniable Encryption Has
to Do with It.” edited by Amit Sahai, 7785:23–39. Springer, 2013. https://doi.org/10.1007/978-3-642-36594-2_2.
ieee: 'S. Krenn, K. Z. Pietrzak, and A. Wadia, “A counterexample to the chain rule
for conditional HILL entropy, and what deniable encryption has to do with it,”
presented at the TCC: Theory of Cryptography Conference, Tokyo, Japan, 2013, vol.
7785, pp. 23–39.'
ista: 'Krenn S, Pietrzak KZ, Wadia A. 2013. A counterexample to the chain rule for
conditional HILL entropy, and what deniable encryption has to do with it. TCC:
Theory of Cryptography Conference, LNCS, vol. 7785, 23–39.'
mla: Krenn, Stephan, et al. A Counterexample to the Chain Rule for Conditional
HILL Entropy, and What Deniable Encryption Has to Do with It. Edited by Amit
Sahai, vol. 7785, Springer, 2013, pp. 23–39, doi:10.1007/978-3-642-36594-2_2.
short: S. Krenn, K.Z. Pietrzak, A. Wadia, in:, A. Sahai (Ed.), Springer, 2013, pp.
23–39.
conference:
end_date: 2013-03-06
location: Tokyo, Japan
name: 'TCC: Theory of Cryptography Conference'
start_date: 2013-03-03
date_created: 2018-12-11T12:00:27Z
date_published: 2013-01-29T00:00:00Z
date_updated: 2023-02-23T10:00:43Z
day: '29'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.1007/978-3-642-36594-2_2
ec_funded: 1
editor:
- first_name: Amit
full_name: Sahai, Amit
last_name: Sahai
file:
- access_level: open_access
checksum: beb0cc1c0579da2d2e84394230a5da78
content_type: application/pdf
creator: dernst
date_created: 2019-01-22T14:11:11Z
date_updated: 2020-07-14T12:45:54Z
file_id: '5875'
file_name: 2013_LNCS_Krenn.pdf
file_size: 414823
relation: main_file
file_date_updated: 2020-07-14T12:45:54Z
has_accepted_license: '1'
intvolume: ' 7785'
language:
- iso: eng
month: '01'
oa: 1
oa_version: Submitted Version
page: 23 - 39
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '3795'
quality_controlled: '1'
related_material:
record:
- id: '1479'
relation: later_version
status: public
scopus_import: 1
status: public
title: A counterexample to the chain rule for conditional HILL entropy, and what deniable
encryption has to do with it
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 7785
year: '2013'
...
---
_id: '502'
abstract:
- lang: eng
text: 'Blind signatures allow users to obtain signatures on messages hidden from
the signer; moreover, the signer cannot link the resulting message/signature pair
to the signing session. This paper presents blind signature schemes, in which
the number of interactions between the user and the signer is minimal and whose
blind signatures are short. Our schemes are defined over bilinear groups and are
proved secure in the common-reference-string model without random oracles and
under standard assumptions: CDH and the decision-linear assumption. (We also give
variants over asymmetric groups based on similar assumptions.) The blind signatures
are Waters signatures, which consist of 2 group elements. Moreover, we instantiate
partially blind signatures, where the message consists of a part hidden from the
signer and a commonly known public part, and schemes achieving perfect blindness.
We propose new variants of blind signatures, such as signer-friendly partially
blind signatures, where the public part can be chosen by the signer without prior
agreement, 3-party blind signatures, as well as blind signatures on multiple aggregated
messages provided by independent sources. We also extend Waters signatures to
non-binary alphabets by proving a new result on the underlying hash function. '
author:
- first_name: Olivier
full_name: Blazy, Olivier
last_name: Blazy
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: David
full_name: Pointcheval, David
last_name: Pointcheval
- first_name: Damien
full_name: Vergnaud, Damien
last_name: Vergnaud
citation:
ama: Blazy O, Fuchsbauer G, Pointcheval D, Vergnaud D. Short blind signatures. Journal
of Computer Security. 2013;21(5):627-661. doi:10.3233/JCS-130477
apa: Blazy, O., Fuchsbauer, G., Pointcheval, D., & Vergnaud, D. (2013). Short
blind signatures. Journal of Computer Security. IOS Press. https://doi.org/10.3233/JCS-130477
chicago: Blazy, Olivier, Georg Fuchsbauer, David Pointcheval, and Damien Vergnaud.
“Short Blind Signatures.” Journal of Computer Security. IOS Press, 2013.
https://doi.org/10.3233/JCS-130477.
ieee: O. Blazy, G. Fuchsbauer, D. Pointcheval, and D. Vergnaud, “Short blind signatures,”
Journal of Computer Security, vol. 21, no. 5. IOS Press, pp. 627–661, 2013.
ista: Blazy O, Fuchsbauer G, Pointcheval D, Vergnaud D. 2013. Short blind signatures.
Journal of Computer Security. 21(5), 627–661.
mla: Blazy, Olivier, et al. “Short Blind Signatures.” Journal of Computer Security,
vol. 21, no. 5, IOS Press, 2013, pp. 627–61, doi:10.3233/JCS-130477.
short: O. Blazy, G. Fuchsbauer, D. Pointcheval, D. Vergnaud, Journal of Computer
Security 21 (2013) 627–661.
date_created: 2018-12-11T11:46:50Z
date_published: 2013-11-22T00:00:00Z
date_updated: 2021-01-12T08:01:09Z
day: '22'
department:
- _id: KrPi
doi: 10.3233/JCS-130477
intvolume: ' 21'
issue: '5'
language:
- iso: eng
month: '11'
oa_version: None
page: 627 - 661
publication: Journal of Computer Security
publication_status: published
publisher: IOS Press
publist_id: '7318'
quality_controlled: '1'
scopus_import: 1
status: public
title: Short blind signatures
type: journal_article
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 21
year: '2013'
...
---
_id: '2274'
abstract:
- lang: eng
text: "Proofs of work (PoW) have been suggested by Dwork and Naor (Crypto'92) as
protection to a shared resource. The basic idea is to ask the service requestor
to dedicate some non-trivial amount of computational work to every request. The
original applications included prevention of spam and protection against denial
of service attacks. More recently, PoWs have been used to prevent double spending
in the Bitcoin digital currency system.\r\n\r\nIn this work, we put forward an
alternative concept for PoWs -- so-called proofs of space (PoS), where a service
requestor must dedicate a significant amount of disk space as opposed to computation.
We construct secure PoS schemes in the random oracle model, using graphs with
high "pebbling complexity" and Merkle hash-trees. "
author:
- first_name: Stefan
full_name: Dziembowski, Stefan
last_name: Dziembowski
- first_name: Sebastian
full_name: Faust, Sebastian
last_name: Faust
- first_name: Vladimir
full_name: Kolmogorov, Vladimir
id: 3D50B0BA-F248-11E8-B48F-1D18A9856A87
last_name: Kolmogorov
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. Proofs of Space.
IST Austria; 2013.
apa: Dziembowski, S., Faust, S., Kolmogorov, V., & Pietrzak, K. Z. (2013). Proofs
of Space. IST Austria.
chicago: Dziembowski, Stefan, Sebastian Faust, Vladimir Kolmogorov, and Krzysztof
Z Pietrzak. Proofs of Space. IST Austria, 2013.
ieee: S. Dziembowski, S. Faust, V. Kolmogorov, and K. Z. Pietrzak, Proofs of
Space. IST Austria, 2013.
ista: Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. 2013. Proofs of Space,
IST Austria,p.
mla: Dziembowski, Stefan, et al. Proofs of Space. IST Austria, 2013.
short: S. Dziembowski, S. Faust, V. Kolmogorov, K.Z. Pietrzak, Proofs of Space,
IST Austria, 2013.
date_created: 2018-12-11T11:56:42Z
date_published: 2013-11-28T00:00:00Z
date_updated: 2024-03-20T08:31:49Z
day: '28'
ddc:
- '530'
department:
- _id: VlKo
- _id: KrPi
file:
- access_level: open_access
checksum: 37b61637b62fc079d9141c59d9f1a94f
content_type: application/pdf
creator: system
date_created: 2018-12-12T10:16:11Z
date_updated: 2020-07-14T12:45:36Z
file_id: '5197'
file_name: IST-2016-671-v1+1_796.pdf
file_size: 405870
relation: main_file
file_date_updated: 2020-07-14T12:45:36Z
has_accepted_license: '1'
language:
- iso: eng
month: '11'
oa: 1
oa_version: Published Version
publication_status: published
publisher: IST Austria
publist_id: '4670'
pubrep_id: '671'
related_material:
record:
- id: '1675'
relation: later_version
status: public
scopus_import: 1
status: public
title: Proofs of Space
type: report
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
year: '2013'
...
---
_id: '2048'
abstract:
- lang: eng
text: Leakage resilient cryptography attempts to incorporate side-channel leakage
into the black-box security model and designs cryptographic schemes that are provably
secure within it. Informally, a scheme is leakage-resilient if it remains secure
even if an adversary learns a bounded amount of arbitrary information about the
schemes internal state. Unfortunately, most leakage resilient schemes are unnecessarily
complicated in order to achieve strong provable security guarantees. As advocated
by Yu et al. [CCS’10], this mostly is an artefact of the security proof and in
practice much simpler construction may already suffice to protect against realistic
side-channel attacks. In this paper, we show that indeed for simpler constructions
leakage-resilience can be obtained when we aim for relaxed security notions where
the leakage-functions and/or the inputs to the primitive are chosen non-adaptively.
For example, we show that a three round Feistel network instantiated with a leakage
resilient PRF yields a leakage resilient PRP if the inputs are chosen non-adaptively
(This complements the result of Dodis and Pietrzak [CRYPTO’10] who show that if
a adaptive queries are allowed, a superlogarithmic number of rounds is necessary.)
We also show that a minor variation of the classical GGM construction gives a
leakage resilient PRF if both, the leakage-function and the inputs, are chosen
non-adaptively.
acknowledgement: "Sebastian Faust acknowledges support from the Danish National Research
Foundation and The National Science Foundation of China (under the grant 61061130540)
for the Sino-Danish Center for the Theory of Interactive Computation, within part
of this work was performed; and from the CFEM research center, supported by the
Danish Strategic Research Council. \r\nSupported by the European Research Council/ERC
Starting Grant 259668-PSPC.\r\n"
alternative_title:
- LNCS
author:
- first_name: Sebastian
full_name: Faust, Sebastian
last_name: Faust
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Joachim
full_name: Schipper, Joachim
id: 7BE863D4-E9CF-11E9-9EDB-90527418172C
last_name: Schipper
citation:
ama: 'Faust S, Pietrzak KZ, Schipper J. Practical leakage-resilient symmetric cryptography.
In: Conference Proceedings CHES 2012. Vol 7428. Springer; 2012:213-232.
doi:10.1007/978-3-642-33027-8_13'
apa: 'Faust, S., Pietrzak, K. Z., & Schipper, J. (2012). Practical leakage-resilient
symmetric cryptography. In Conference proceedings CHES 2012 (Vol. 7428,
pp. 213–232). Leuven, Belgium: Springer. https://doi.org/10.1007/978-3-642-33027-8_13'
chicago: Faust, Sebastian, Krzysztof Z Pietrzak, and Joachim Schipper. “Practical
Leakage-Resilient Symmetric Cryptography.” In Conference Proceedings CHES
2012, 7428:213–32. Springer, 2012. https://doi.org/10.1007/978-3-642-33027-8_13.
ieee: S. Faust, K. Z. Pietrzak, and J. Schipper, “Practical leakage-resilient symmetric
cryptography,” in Conference proceedings CHES 2012, Leuven, Belgium, 2012,
vol. 7428, pp. 213–232.
ista: 'Faust S, Pietrzak KZ, Schipper J. 2012. Practical leakage-resilient symmetric
cryptography. Conference proceedings CHES 2012. CHES: Cryptographic Hardware
and Embedded Systems, LNCS, vol. 7428, 213–232.'
mla: Faust, Sebastian, et al. “Practical Leakage-Resilient Symmetric Cryptography.”
Conference Proceedings CHES 2012, vol. 7428, Springer, 2012, pp. 213–32,
doi:10.1007/978-3-642-33027-8_13.
short: S. Faust, K.Z. Pietrzak, J. Schipper, in:, Conference Proceedings CHES 2012,
Springer, 2012, pp. 213–232.
conference:
end_date: 2012-09-12
location: Leuven, Belgium
name: 'CHES: Cryptographic Hardware and Embedded Systems'
start_date: 2012-09-09
date_created: 2018-12-11T11:55:25Z
date_published: 2012-09-01T00:00:00Z
date_updated: 2021-01-12T06:54:58Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-642-33027-8_13
ec_funded: 1
intvolume: ' 7428'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: http://www.iacr.org/archive/ches2012/74280211/74280211.pdf
month: '09'
oa: 1
oa_version: Preprint
page: 213 - 232
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication: ' Conference proceedings CHES 2012'
publication_status: published
publisher: Springer
publist_id: '5003'
quality_controlled: '1'
scopus_import: 1
status: public
title: Practical leakage-resilient symmetric cryptography
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 7428
year: '2012'
...
---
_id: '2049'
abstract:
- lang: eng
text: "We propose a new authentication protocol that is provably secure based on
a ring variant of the learning parity with noise (LPN) problem. The protocol follows
the design principle of the LPN-based protocol from Eurocrypt’11 (Kiltz et al.),
and like it, is a two round protocol secure against active attacks. Moreover,
our protocol has small communication complexity and a very small footprint which
makes it applicable in scenarios that involve low-cost, resource-constrained devices.\r\n\r\nPerformance-wise,
our protocol is more efficient than previous LPN-based schemes, such as the many
variants of the Hopper-Blum (HB) protocol and the aforementioned protocol from
Eurocrypt’11. Our implementation results show that it is even comparable to the
standard challenge-and-response protocols based on the AES block-cipher. Our basic
protocol is roughly 20 times slower than AES, but with the advantage of having
10 times smaller code size. Furthermore, if a few hundred bytes of non-volatile
memory are available to allow the storage of some off-line pre-computations, then
the online phase of our protocols is only twice as slow as AES.\r\n"
acknowledgement: "Supported by the European Research Council / ERC Starting Grant
(259668- PSPC)\r\nWe would like to thank the anonymous referees of this confer-
ence and those of the ECRYPT Workshop on Lightweight Cryptography for very useful
comments, and in particular for the suggestion that the scheme is somewhat vulnerable
to a man-in-the-middle attack whenever an adversary observes two reader challenges
that are the same. We hope that the attack we described in Appendix A corresponds
to what the reviewer had in mind. We also thank Tanja Lange for pointing us to the
pa- per of [Kir11] and for discussions of some of her recent work. "
alternative_title:
- LNCS
author:
- first_name: Stefan
full_name: Heyse, Stefan
last_name: Heyse
- first_name: Eike
full_name: Kiltz, Eike
last_name: Kiltz
- first_name: Vadim
full_name: Lyubashevsky, Vadim
last_name: Lyubashevsky
- first_name: Christof
full_name: Paar, Christof
last_name: Paar
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Heyse S, Kiltz E, Lyubashevsky V, Paar C, Pietrzak KZ. Lapin: An efficient
authentication protocol based on ring-LPN. In: Conference Proceedings FSE
2012. Vol 7549. Springer; 2012:346-365. doi:10.1007/978-3-642-34047-5_20'
apa: 'Heyse, S., Kiltz, E., Lyubashevsky, V., Paar, C., & Pietrzak, K. Z. (2012).
Lapin: An efficient authentication protocol based on ring-LPN. In Conference
proceedings FSE 2012 (Vol. 7549, pp. 346–365). Washington, DC, USA: Springer.
https://doi.org/10.1007/978-3-642-34047-5_20'
chicago: 'Heyse, Stefan, Eike Kiltz, Vadim Lyubashevsky, Christof Paar, and Krzysztof
Z Pietrzak. “Lapin: An Efficient Authentication Protocol Based on Ring-LPN.” In
Conference Proceedings FSE 2012, 7549:346–65. Springer, 2012. https://doi.org/10.1007/978-3-642-34047-5_20.'
ieee: 'S. Heyse, E. Kiltz, V. Lyubashevsky, C. Paar, and K. Z. Pietrzak, “Lapin:
An efficient authentication protocol based on ring-LPN,” in Conference proceedings
FSE 2012, Washington, DC, USA, 2012, vol. 7549, pp. 346–365.'
ista: 'Heyse S, Kiltz E, Lyubashevsky V, Paar C, Pietrzak KZ. 2012. Lapin: An efficient
authentication protocol based on ring-LPN. Conference proceedings FSE 2012. FSE:
Fast Software Encryption, LNCS, vol. 7549, 346–365.'
mla: 'Heyse, Stefan, et al. “Lapin: An Efficient Authentication Protocol Based on
Ring-LPN.” Conference Proceedings FSE 2012, vol. 7549, Springer, 2012,
pp. 346–65, doi:10.1007/978-3-642-34047-5_20.'
short: S. Heyse, E. Kiltz, V. Lyubashevsky, C. Paar, K.Z. Pietrzak, in:, Conference
Proceedings FSE 2012, Springer, 2012, pp. 346–365.
conference:
end_date: 2012-03-21
location: Washington, DC, USA
name: 'FSE: Fast Software Encryption'
start_date: 2012-03-19
date_created: 2018-12-11T11:55:25Z
date_published: 2012-03-01T00:00:00Z
date_updated: 2021-01-12T06:54:58Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-642-34047-5_20
ec_funded: 1
intvolume: ' 7549'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: http://www.iacr.org/archive/fse2012/75490350/75490350.pdf
month: '03'
oa: 1
oa_version: Preprint
page: 346 - 365
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication: ' Conference proceedings FSE 2012'
publication_status: published
publisher: Springer
publist_id: '5002'
quality_controlled: '1'
scopus_import: 1
status: public
title: 'Lapin: An efficient authentication protocol based on ring-LPN'
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 7549
year: '2012'
...