---
_id: '14820'
abstract:
- lang: eng
text: "We consider a natural problem dealing with weighted packet selection across
a rechargeable link, which e.g., finds applications in cryptocurrency networks.
The capacity of a link (u, v) is determined by how many nodes u and v allocate
for this link. Specifically, the input is a finite ordered sequence of packets
that arrive in both directions along a link. Given (u, v) and a packet of weight
x going from u to v, node u can either accept or reject the packet. If u accepts
the packet, the capacity on link (u, v) decreases by x. Correspondingly, v's capacity
on \r\n increases by x. If a node rejects the packet, this will entail a cost
affinely linear in the weight of the packet. A link is “rechargeable” in the sense
that the total capacity of the link has to remain constant, but the allocation
of capacity at the ends of the link can depend arbitrarily on the nodes' decisions.
The goal is to minimise the sum of the capacity injected into the link and the
cost of rejecting packets. We show that the problem is NP-hard, but can be approximated
efficiently with a ratio of (1+E) . (1+3) for some arbitrary E>0."
acknowledgement: We thank Mahsa Bastankhah and Mohammad Ali Maddah-Ali for fruitful
discussions about different variants of the problem. This work is supported by the
European Research Council (ERC) Consolidator Project 864228 (AdjustNet), 2020-2025,
the ERC CoG 863818 (ForM-SMArt), and the German Research Foundation (DFG) grant
470029389 (FlexNets), 2021-2024.
article_number: '114353'
article_processing_charge: Yes (via OA deal)
article_type: original
author:
- first_name: Stefan
full_name: Schmid, Stefan
last_name: Schmid
- first_name: Jakub
full_name: Svoboda, Jakub
id: 130759D2-D7DD-11E9-87D2-DE0DE6697425
last_name: Svoboda
orcid: 0000-0002-1419-3267
- first_name: Michelle X
full_name: Yeo, Michelle X
id: 2D82B818-F248-11E8-B48F-1D18A9856A87
last_name: Yeo
citation:
ama: 'Schmid S, Svoboda J, Yeo MX. Weighted packet selection for rechargeable links
in cryptocurrency networks: Complexity and approximation. Theoretical Computer
Science. 2024;989. doi:10.1016/j.tcs.2023.114353'
apa: 'Schmid, S., Svoboda, J., & Yeo, M. X. (2024). Weighted packet selection
for rechargeable links in cryptocurrency networks: Complexity and approximation.
Theoretical Computer Science. Elsevier. https://doi.org/10.1016/j.tcs.2023.114353'
chicago: 'Schmid, Stefan, Jakub Svoboda, and Michelle X Yeo. “Weighted Packet Selection
for Rechargeable Links in Cryptocurrency Networks: Complexity and Approximation.”
Theoretical Computer Science. Elsevier, 2024. https://doi.org/10.1016/j.tcs.2023.114353.'
ieee: 'S. Schmid, J. Svoboda, and M. X. Yeo, “Weighted packet selection for rechargeable
links in cryptocurrency networks: Complexity and approximation,” Theoretical
Computer Science, vol. 989. Elsevier, 2024.'
ista: 'Schmid S, Svoboda J, Yeo MX. 2024. Weighted packet selection for rechargeable
links in cryptocurrency networks: Complexity and approximation. Theoretical Computer
Science. 989, 114353.'
mla: 'Schmid, Stefan, et al. “Weighted Packet Selection for Rechargeable Links in
Cryptocurrency Networks: Complexity and Approximation.” Theoretical Computer
Science, vol. 989, 114353, Elsevier, 2024, doi:10.1016/j.tcs.2023.114353.'
short: S. Schmid, J. Svoboda, M.X. Yeo, Theoretical Computer Science 989 (2024).
date_created: 2024-01-16T13:40:41Z
date_published: 2024-01-11T00:00:00Z
date_updated: 2024-01-17T09:23:03Z
day: '11'
department:
- _id: KrCh
- _id: KrPi
doi: 10.1016/j.tcs.2023.114353
ec_funded: 1
intvolume: ' 989'
keyword:
- General Computer Science
- Theoretical Computer Science
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://doi.org/10.1016/j.tcs.2023.114353
month: '01'
oa: 1
oa_version: Published Version
project:
- _id: 0599E47C-7A3F-11EA-A408-12923DDC885E
call_identifier: H2020
grant_number: '863818'
name: 'Formal Methods for Stochastic Models: Algorithms and Applications'
publication: Theoretical Computer Science
publication_identifier:
issn:
- 0304-3975
publication_status: epub_ahead
publisher: Elsevier
quality_controlled: '1'
status: public
title: 'Weighted packet selection for rechargeable links in cryptocurrency networks:
Complexity and approximation'
type: journal_article
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 989
year: '2024'
...
---
_id: '15007'
abstract:
- lang: eng
text: Traditional blockchains grant the miner of a block full control not only over
which transactions but also their order. This constitutes a major flaw discovered
with the introduction of decentralized finance and allows miners to perform MEV
attacks. In this paper, we address the issue of sandwich attacks by providing
a construction that takes as input a blockchain protocol and outputs a new blockchain
protocol with the same security but in which sandwich attacks are not profitable.
Furthermore, our protocol is fully decentralized with no trusted third parties
or heavy cryptography primitives and carries a linear increase in latency and
minimum computation overhead.
acknowledgement: "We would like to thank Krzysztof Pietrzak and Jovana Mićić for useful
discussions. This work has been funded by the Swiss National Science Foundation
(SNSF) under grant agreement Nr. 200021_188443 (Advanced Consensus Protocols).\r\n"
alternative_title:
- LIPIcs
article_number: '12'
article_processing_charge: No
author:
- first_name: Orestis
full_name: Alpos, Orestis
last_name: Alpos
- first_name: Ignacio
full_name: Amores-Sesar, Ignacio
last_name: Amores-Sesar
- first_name: Christian
full_name: Cachin, Christian
last_name: Cachin
- first_name: Michelle X
full_name: Yeo, Michelle X
id: 2D82B818-F248-11E8-B48F-1D18A9856A87
last_name: Yeo
citation:
ama: 'Alpos O, Amores-Sesar I, Cachin C, Yeo MX. Eating sandwiches: Modular and
lightweight elimination of transaction reordering attacks. In: 27th International
Conference on Principles of Distributed Systems. Vol 286. Schloss Dagstuhl
- Leibniz-Zentrum für Informatik; 2024. doi:10.4230/LIPIcs.OPODIS.2023.12'
apa: 'Alpos, O., Amores-Sesar, I., Cachin, C., & Yeo, M. X. (2024). Eating sandwiches:
Modular and lightweight elimination of transaction reordering attacks. In 27th
International Conference on Principles of Distributed Systems (Vol. 286).
Tokyo, Japan: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. https://doi.org/10.4230/LIPIcs.OPODIS.2023.12'
chicago: 'Alpos, Orestis, Ignacio Amores-Sesar, Christian Cachin, and Michelle X
Yeo. “Eating Sandwiches: Modular and Lightweight Elimination of Transaction Reordering
Attacks.” In 27th International Conference on Principles of Distributed Systems,
Vol. 286. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2024. https://doi.org/10.4230/LIPIcs.OPODIS.2023.12.'
ieee: 'O. Alpos, I. Amores-Sesar, C. Cachin, and M. X. Yeo, “Eating sandwiches:
Modular and lightweight elimination of transaction reordering attacks,” in 27th
International Conference on Principles of Distributed Systems, Tokyo, Japan,
2024, vol. 286.'
ista: 'Alpos O, Amores-Sesar I, Cachin C, Yeo MX. 2024. Eating sandwiches: Modular
and lightweight elimination of transaction reordering attacks. 27th International
Conference on Principles of Distributed Systems. OPODIS: Conference on Principles
of Distributed Systems, LIPIcs, vol. 286, 12.'
mla: 'Alpos, Orestis, et al. “Eating Sandwiches: Modular and Lightweight Elimination
of Transaction Reordering Attacks.” 27th International Conference on Principles
of Distributed Systems, vol. 286, 12, Schloss Dagstuhl - Leibniz-Zentrum für
Informatik, 2024, doi:10.4230/LIPIcs.OPODIS.2023.12.'
short: O. Alpos, I. Amores-Sesar, C. Cachin, M.X. Yeo, in:, 27th International Conference
on Principles of Distributed Systems, Schloss Dagstuhl - Leibniz-Zentrum für Informatik,
2024.
conference:
end_date: 2023-12-08
location: Tokyo, Japan
name: 'OPODIS: Conference on Principles of Distributed Systems'
start_date: 2023-12-06
date_created: 2024-02-18T23:01:02Z
date_published: 2024-01-18T00:00:00Z
date_updated: 2024-02-26T10:18:18Z
day: '18'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.4230/LIPIcs.OPODIS.2023.12
external_id:
arxiv:
- '2307.02954'
file:
- access_level: open_access
checksum: 2993e810a45e8c8056106834b07aea92
content_type: application/pdf
creator: dernst
date_created: 2024-02-26T10:16:57Z
date_updated: 2024-02-26T10:16:57Z
file_id: '15031'
file_name: 2024_LIPICs_Alpos.pdf
file_size: 1505994
relation: main_file
success: 1
file_date_updated: 2024-02-26T10:16:57Z
has_accepted_license: '1'
intvolume: ' 286'
language:
- iso: eng
month: '01'
oa: 1
oa_version: Published Version
publication: 27th International Conference on Principles of Distributed Systems
publication_identifier:
isbn:
- '9783959773089'
issn:
- 1868-8969
publication_status: published
publisher: Schloss Dagstuhl - Leibniz-Zentrum für Informatik
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'Eating sandwiches: Modular and lightweight elimination of transaction reordering
attacks'
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 286
year: '2024'
...
---
_id: '13143'
abstract:
- lang: eng
text: "GIMPS and PrimeGrid are large-scale distributed projects dedicated to searching
giant prime numbers, usually of special forms like Mersenne and Proth primes.
The numbers in the current search-space are millions of digits large and the participating
volunteers need to run resource-consuming primality tests. Once a candidate prime
N has been found, the only way for another party to independently verify the primality
of N used to be by repeating the expensive primality test. To avoid the need for
second recomputation of each primality test, these projects have recently adopted
certifying mechanisms that enable efficient verification of performed tests. However,
the mechanisms presently in place only detect benign errors and there is no guarantee
against adversarial behavior: a malicious volunteer can mislead the project to
reject a giant prime as being non-prime.\r\nIn this paper, we propose a practical,
cryptographically-sound mechanism for certifying the non-primality of Proth numbers.
That is, a volunteer can – parallel to running the primality test for N – generate
an efficiently verifiable proof at a little extra cost certifying that N is not
prime. The interactive protocol has statistical soundness and can be made non-interactive
using the Fiat-Shamir heuristic.\r\nOur approach is based on a cryptographic primitive
called Proof of Exponentiation (PoE) which, for a group G, certifies that a tuple
(x,y,T)∈G2×N satisfies x2T=y (Pietrzak, ITCS 2019 and Wesolowski, J. Cryptol.
2020). In particular, we show how to adapt Pietrzak’s PoE at a moderate additional
cost to make it a cryptographically-sound certificate of non-primality."
acknowledgement: 'We are grateful to Pavel Atnashev for clarifying via e-mail several
aspects of the primality tests implementated in the PrimeGrid project. Pavel Hubáček
is supported by the Czech Academy of Sciences (RVO 67985840), the Grant Agency of
the Czech Republic under the grant agreement no. 19-27871X, and by the Charles University
project UNCE/SCI/004. Chethan Kamath is supported by Azrieli International Postdoctoral
Fellowship, ISF grants 484/18 and 1789/19, and ERC StG project SPP: Secrecy Preserving
Proofs.'
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Charlotte
full_name: Hoffmann, Charlotte
id: 0f78d746-dc7d-11ea-9b2f-83f92091afe7
last_name: Hoffmann
- first_name: Pavel
full_name: Hubáček, Pavel
last_name: Hubáček
- first_name: Chethan
full_name: Kamath, Chethan
last_name: Kamath
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Hoffmann C, Hubáček P, Kamath C, Pietrzak KZ. Certifying giant nonprimes.
In: Public-Key Cryptography - PKC 2023. Vol 13940. Springer Nature; 2023:530-553.
doi:10.1007/978-3-031-31368-4_19'
apa: 'Hoffmann, C., Hubáček, P., Kamath, C., & Pietrzak, K. Z. (2023). Certifying
giant nonprimes. In Public-Key Cryptography - PKC 2023 (Vol. 13940, pp.
530–553). Atlanta, GA, United States: Springer Nature. https://doi.org/10.1007/978-3-031-31368-4_19'
chicago: Hoffmann, Charlotte, Pavel Hubáček, Chethan Kamath, and Krzysztof Z Pietrzak.
“Certifying Giant Nonprimes.” In Public-Key Cryptography - PKC 2023, 13940:530–53.
Springer Nature, 2023. https://doi.org/10.1007/978-3-031-31368-4_19.
ieee: C. Hoffmann, P. Hubáček, C. Kamath, and K. Z. Pietrzak, “Certifying giant
nonprimes,” in Public-Key Cryptography - PKC 2023, Atlanta, GA, United
States, 2023, vol. 13940, pp. 530–553.
ista: 'Hoffmann C, Hubáček P, Kamath C, Pietrzak KZ. 2023. Certifying giant nonprimes.
Public-Key Cryptography - PKC 2023. PKC: Public-Key Cryptography, LNCS, vol. 13940,
530–553.'
mla: Hoffmann, Charlotte, et al. “Certifying Giant Nonprimes.” Public-Key Cryptography
- PKC 2023, vol. 13940, Springer Nature, 2023, pp. 530–53, doi:10.1007/978-3-031-31368-4_19.
short: C. Hoffmann, P. Hubáček, C. Kamath, K.Z. Pietrzak, in:, Public-Key Cryptography
- PKC 2023, Springer Nature, 2023, pp. 530–553.
conference:
end_date: 2023-05-10
location: Atlanta, GA, United States
name: 'PKC: Public-Key Cryptography'
start_date: 2023-05-07
date_created: 2023-06-18T22:00:47Z
date_published: 2023-05-02T00:00:00Z
date_updated: 2023-06-19T08:03:37Z
day: '02'
department:
- _id: KrPi
doi: 10.1007/978-3-031-31368-4_19
intvolume: ' 13940'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2023/238
month: '05'
oa: 1
oa_version: Submitted Version
page: 530-553
publication: Public-Key Cryptography - PKC 2023
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031313677'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Certifying giant nonprimes
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 13940
year: '2023'
...
---
_id: '12164'
abstract:
- lang: eng
text: 'A shared-memory counter is a widely-used and well-studied concurrent object.
It supports two operations: An Inc operation that increases its value by 1 and
a Read operation that returns its current value. In Jayanti et al (SIAM J Comput,
30(2), 2000), Jayanti, Tan and Toueg proved a linear lower bound on the worst-case
step complexity of obstruction-free implementations, from read-write registers,
of a large class of shared objects that includes counters. The lower bound leaves
open the question of finding counter implementations with sub-linear amortized
step complexity. In this work, we address this gap. We show that n-process, wait-free
and linearizable counters can be implemented from read-write registers with O(log2n)
amortized step complexity. This is the first counter algorithm from read-write
registers that provides sub-linear amortized step complexity in executions of
arbitrary length. Since a logarithmic lower bound on the amortized step complexity
of obstruction-free counter implementations exists, our upper bound is within
a logarithmic factor of the optimal. The worst-case step complexity of the construction
remains linear, which is optimal. This is obtained thanks to a new max register
construction with O(logn) amortized step complexity in executions of arbitrary
length in which the value stored in the register does not grow too quickly. We
then leverage an existing counter algorithm by Aspnes, Attiya and Censor-Hillel
[1] in which we “plug” our max register implementation to show that it remains
linearizable while achieving O(log2n) amortized step complexity.'
acknowledgement: A preliminary version of this work appeared in DISC’19. Mirza Ahad
Baig, Alessia Milani and Corentin Travers are supported by ANR projects Descartes
and FREDDA. Mirza Ahad Baig is supported by UMI Relax. Danny Hendler is supported
by the Israel Science Foundation (Grants 380/18 and 1425/22).
article_processing_charge: No
article_type: original
author:
- first_name: Mirza Ahad
full_name: Baig, Mirza Ahad
id: 3EDE6DE4-AA5A-11E9-986D-341CE6697425
last_name: Baig
- first_name: Danny
full_name: Hendler, Danny
last_name: Hendler
- first_name: Alessia
full_name: Milani, Alessia
last_name: Milani
- first_name: Corentin
full_name: Travers, Corentin
last_name: Travers
citation:
ama: Baig MA, Hendler D, Milani A, Travers C. Long-lived counters with polylogarithmic
amortized step complexity. Distributed Computing. 2023;36:29-43. doi:10.1007/s00446-022-00439-5
apa: Baig, M. A., Hendler, D., Milani, A., & Travers, C. (2023). Long-lived
counters with polylogarithmic amortized step complexity. Distributed Computing.
Springer Nature. https://doi.org/10.1007/s00446-022-00439-5
chicago: Baig, Mirza Ahad, Danny Hendler, Alessia Milani, and Corentin Travers.
“Long-Lived Counters with Polylogarithmic Amortized Step Complexity.” Distributed
Computing. Springer Nature, 2023. https://doi.org/10.1007/s00446-022-00439-5.
ieee: M. A. Baig, D. Hendler, A. Milani, and C. Travers, “Long-lived counters with
polylogarithmic amortized step complexity,” Distributed Computing, vol.
36. Springer Nature, pp. 29–43, 2023.
ista: Baig MA, Hendler D, Milani A, Travers C. 2023. Long-lived counters with polylogarithmic
amortized step complexity. Distributed Computing. 36, 29–43.
mla: Baig, Mirza Ahad, et al. “Long-Lived Counters with Polylogarithmic Amortized
Step Complexity.” Distributed Computing, vol. 36, Springer Nature, 2023,
pp. 29–43, doi:10.1007/s00446-022-00439-5.
short: M.A. Baig, D. Hendler, A. Milani, C. Travers, Distributed Computing 36 (2023)
29–43.
date_created: 2023-01-12T12:10:08Z
date_published: 2023-03-01T00:00:00Z
date_updated: 2023-08-16T08:39:36Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/s00446-022-00439-5
external_id:
isi:
- '000890138700001'
intvolume: ' 36'
isi: 1
keyword:
- Computational Theory and Mathematics
- Computer Networks and Communications
- Hardware and Architecture
- Theoretical Computer Science
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://drops.dagstuhl.de/opus/volltexte/2019/11310/
month: '03'
oa: 1
oa_version: Preprint
page: 29-43
publication: Distributed Computing
publication_identifier:
eissn:
- 1432-0452
issn:
- 0178-2770
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Long-lived counters with polylogarithmic amortized step complexity
type: journal_article
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 36
year: '2023'
...
---
_id: '14428'
abstract:
- lang: eng
text: "Suppose we have two hash functions h1 and h2, but we trust the security of
only one of them. To mitigate this worry, we wish to build a hash combiner Ch1,h2
which is secure so long as one of the underlying hash functions is. This question
has been well-studied in the regime of collision resistance. In this case, concatenating
the two hash function outputs clearly works. Unfortunately, a long series of works
(Boneh and Boyen, CRYPTO’06; Pietrzak, Eurocrypt’07; Pietrzak, CRYPTO’08) showed
no (noticeably) shorter combiner for collision resistance is possible.\r\nIn this
work, we revisit this pessimistic state of affairs, motivated by the observation
that collision-resistance is insufficient for many interesting applications of
cryptographic hash functions anyway. We argue the right formulation of the “hash
combiner” is to build what we call random oracle (RO) combiners, utilizing stronger
assumptions for stronger constructions.\r\nIndeed, we circumvent the previous
lower bounds for collision resistance by constructing a simple length-preserving
RO combiner C˜h1,h2Z1,Z2(M)=h1(M,Z1)⊕h2(M,Z2),where Z1,Z2\r\n are random salts
of appropriate length. We show that this extra randomness is necessary for RO
combiners, and indeed our construction is somewhat tight with this lower bound.\r\nOn
the negative side, we show that one cannot generically apply the composition theorem
to further replace “monolithic” hash functions h1 and h2 by some simpler indifferentiable
construction (such as the Merkle-Damgård transformation) from smaller components,
such as fixed-length compression functions. Finally, despite this issue, we directly
prove collision resistance of the Merkle-Damgård variant of our combiner, where
h1 and h2 are replaced by iterative Merkle-Damgård hashes applied to a fixed-length
compression function. Thus, we can still subvert the concatenation barrier for
collision-resistance combiners while utilizing practically small fixed-length
components underneath."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Yevgeniy
full_name: Dodis, Yevgeniy
last_name: Dodis
- first_name: Niels
full_name: Ferguson, Niels
last_name: Ferguson
- first_name: Eli
full_name: Goldin, Eli
last_name: Goldin
- first_name: Peter
full_name: Hall, Peter
last_name: Hall
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Dodis Y, Ferguson N, Goldin E, Hall P, Pietrzak KZ. Random oracle combiners:
Breaking the concatenation barrier for collision-resistance. In: 43rd Annual
International Cryptology Conference. Vol 14082. Springer Nature; 2023:514-546.
doi:10.1007/978-3-031-38545-2_17'
apa: 'Dodis, Y., Ferguson, N., Goldin, E., Hall, P., & Pietrzak, K. Z. (2023).
Random oracle combiners: Breaking the concatenation barrier for collision-resistance.
In 43rd Annual International Cryptology Conference (Vol. 14082, pp. 514–546).
Santa Barbara, CA, United States: Springer Nature. https://doi.org/10.1007/978-3-031-38545-2_17'
chicago: 'Dodis, Yevgeniy, Niels Ferguson, Eli Goldin, Peter Hall, and Krzysztof
Z Pietrzak. “Random Oracle Combiners: Breaking the Concatenation Barrier for Collision-Resistance.”
In 43rd Annual International Cryptology Conference, 14082:514–46. Springer
Nature, 2023. https://doi.org/10.1007/978-3-031-38545-2_17.'
ieee: 'Y. Dodis, N. Ferguson, E. Goldin, P. Hall, and K. Z. Pietrzak, “Random oracle
combiners: Breaking the concatenation barrier for collision-resistance,” in 43rd
Annual International Cryptology Conference, Santa Barbara, CA, United States,
2023, vol. 14082, pp. 514–546.'
ista: 'Dodis Y, Ferguson N, Goldin E, Hall P, Pietrzak KZ. 2023. Random oracle combiners:
Breaking the concatenation barrier for collision-resistance. 43rd Annual International
Cryptology Conference. CRYPTO: Advances in Cryptology, LNCS, vol. 14082, 514–546.'
mla: 'Dodis, Yevgeniy, et al. “Random Oracle Combiners: Breaking the Concatenation
Barrier for Collision-Resistance.” 43rd Annual International Cryptology Conference,
vol. 14082, Springer Nature, 2023, pp. 514–46, doi:10.1007/978-3-031-38545-2_17.'
short: Y. Dodis, N. Ferguson, E. Goldin, P. Hall, K.Z. Pietrzak, in:, 43rd Annual
International Cryptology Conference, Springer Nature, 2023, pp. 514–546.
conference:
end_date: 2023-08-24
location: Santa Barbara, CA, United States
name: 'CRYPTO: Advances in Cryptology'
start_date: 2023-08-20
date_created: 2023-10-15T22:01:11Z
date_published: 2023-08-09T00:00:00Z
date_updated: 2023-10-16T08:02:11Z
day: '09'
department:
- _id: KrPi
doi: 10.1007/978-3-031-38545-2_17
intvolume: ' 14082'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2023/1041
month: '08'
oa: 1
oa_version: Preprint
page: 514-546
publication: 43rd Annual International Cryptology Conference
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031385445'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'Random oracle combiners: Breaking the concatenation barrier for collision-resistance'
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 14082
year: '2023'
...
---
_id: '14457'
abstract:
- lang: eng
text: "Threshold secret sharing allows a dealer to split a secret s into n shares,
such that any t shares allow for reconstructing s, but no t-1 shares reveal any
information about s. Leakage-resilient secret sharing requires that the secret
remains hidden, even when an adversary additionally obtains a limited amount of
leakage from every share. Benhamouda et al. (CRYPTO’18) proved that Shamir’s secret
sharing scheme is one bit leakage-resilient for reconstruction threshold t≥0.85n
and conjectured that the same holds for t = c.n for any constant 0≤c≤1. Nielsen
and Simkin (EUROCRYPT’20) showed that this is the best one can hope for by proving
that Shamir’s scheme is not secure against one-bit leakage when t0c.n/log(n).\r\nIn
this work, we strengthen the lower bound of Nielsen and Simkin. We consider noisy
leakage-resilience, where a random subset of leakages is replaced by uniformly
random noise. We prove a lower bound for Shamir’s secret sharing, similar to that
of Nielsen and Simkin, which holds even when a constant fraction of leakages is
replaced by random noise. To this end, we first prove a lower bound on the share
size of any noisy-leakage-resilient sharing scheme. We then use this lower bound
to show that there exist universal constants c1, c2, such that for sufficiently
large n it holds that Shamir’s secret sharing scheme is not noisy-leakage-resilient
for t≤c1.n/log(n), even when a c2 fraction of leakages are replaced by random
noise.\r\n\r\n\r\n\r\n"
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Charlotte
full_name: Hoffmann, Charlotte
id: 0f78d746-dc7d-11ea-9b2f-83f92091afe7
last_name: Hoffmann
orcid: 0000-0003-2027-5549
- first_name: Mark
full_name: Simkin, Mark
last_name: Simkin
citation:
ama: 'Hoffmann C, Simkin M. Stronger lower bounds for leakage-resilient secret sharing.
In: 8th International Conference on Cryptology and Information Security in
Latin America. Vol 14168. Springer Nature; 2023:215-228. doi:10.1007/978-3-031-44469-2_11'
apa: 'Hoffmann, C., & Simkin, M. (2023). Stronger lower bounds for leakage-resilient
secret sharing. In 8th International Conference on Cryptology and Information
Security in Latin America (Vol. 14168, pp. 215–228). Quito, Ecuador: Springer
Nature. https://doi.org/10.1007/978-3-031-44469-2_11'
chicago: Hoffmann, Charlotte, and Mark Simkin. “Stronger Lower Bounds for Leakage-Resilient
Secret Sharing.” In 8th International Conference on Cryptology and Information
Security in Latin America, 14168:215–28. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-44469-2_11.
ieee: C. Hoffmann and M. Simkin, “Stronger lower bounds for leakage-resilient secret
sharing,” in 8th International Conference on Cryptology and Information Security
in Latin America, Quito, Ecuador, 2023, vol. 14168, pp. 215–228.
ista: 'Hoffmann C, Simkin M. 2023. Stronger lower bounds for leakage-resilient secret
sharing. 8th International Conference on Cryptology and Information Security in
Latin America. LATINCRYPT: Conference on Cryptology and Information Security in
Latin America, LNCS, vol. 14168, 215–228.'
mla: Hoffmann, Charlotte, and Mark Simkin. “Stronger Lower Bounds for Leakage-Resilient
Secret Sharing.” 8th International Conference on Cryptology and Information
Security in Latin America, vol. 14168, Springer Nature, 2023, pp. 215–28,
doi:10.1007/978-3-031-44469-2_11.
short: C. Hoffmann, M. Simkin, in:, 8th International Conference on Cryptology and
Information Security in Latin America, Springer Nature, 2023, pp. 215–228.
conference:
end_date: 2023-10-06
location: Quito, Ecuador
name: 'LATINCRYPT: Conference on Cryptology and Information Security in Latin America'
start_date: 2023-10-03
date_created: 2023-10-29T23:01:16Z
date_published: 2023-10-01T00:00:00Z
date_updated: 2023-10-31T11:43:12Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-031-44469-2_11
intvolume: ' 14168'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2023/1017
month: '10'
oa: 1
oa_version: Preprint
page: 215-228
publication: 8th International Conference on Cryptology and Information Security in
Latin America
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031444685'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Stronger lower bounds for leakage-resilient secret sharing
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 14168
year: '2023'
...
---
_id: '13238'
abstract:
- lang: eng
text: "We consider a natural problem dealing with weighted packet selection across
a rechargeable link, which e.g., finds applications in cryptocurrency networks.
The capacity of a link (u, v) is determined by how much nodes u and v allocate
for this link. Specifically, the input is a finite ordered sequence of packets
that arrive in both directions along a link. Given (u, v) and a packet of weight
x going from u to v, node u can either accept or reject the packet. If u accepts
the packet, the capacity on link (u, v) decreases by x. Correspondingly, v’s capacity
on (u, v) increases by x. If a node rejects the packet, this will entail a cost
affinely linear in the weight of the packet. A link is “rechargeable” in the sense
that the total capacity of the link has to remain constant, but the allocation
of capacity at the ends of the link can depend arbitrarily on the nodes’ decisions.
The goal is to minimise the sum of the capacity injected into the link and the
cost of rejecting packets. We show that the problem is NP-hard, but can be approximated
efficiently with a ratio of (1+ε)⋅(1+3–√) for some arbitrary ε>0.\r\n."
acknowledgement: We thank Mahsa Bastankhah and Mohammad Ali Maddah-Ali for fruitful
discussions about different variants of the problem. This work is supported by the
European Research Council (ERC) Consolidator Project 864228 (AdjustNet), 2020-2025,
the ERC CoG 863818 (ForM-SMArt), and the German Research Foundation (DFG) grant
470029389 (FlexNets), 2021–2024.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Stefan
full_name: Schmid, Stefan
last_name: Schmid
- first_name: Jakub
full_name: Svoboda, Jakub
id: 130759D2-D7DD-11E9-87D2-DE0DE6697425
last_name: Svoboda
orcid: 0000-0002-1419-3267
- first_name: Michelle X
full_name: Yeo, Michelle X
id: 2D82B818-F248-11E8-B48F-1D18A9856A87
last_name: Yeo
citation:
ama: 'Schmid S, Svoboda J, Yeo MX. Weighted packet selection for rechargeable links
in cryptocurrency networks: Complexity and approximation. In: SIROCCO 2023:
Structural Information and Communication Complexity . Vol 13892. Springer
Nature; 2023:576-594. doi:10.1007/978-3-031-32733-9_26'
apa: 'Schmid, S., Svoboda, J., & Yeo, M. X. (2023). Weighted packet selection
for rechargeable links in cryptocurrency networks: Complexity and approximation.
In SIROCCO 2023: Structural Information and Communication Complexity (Vol.
13892, pp. 576–594). Alcala de Henares, Spain: Springer Nature. https://doi.org/10.1007/978-3-031-32733-9_26'
chicago: 'Schmid, Stefan, Jakub Svoboda, and Michelle X Yeo. “Weighted Packet Selection
for Rechargeable Links in Cryptocurrency Networks: Complexity and Approximation.”
In SIROCCO 2023: Structural Information and Communication Complexity ,
13892:576–94. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-32733-9_26.'
ieee: 'S. Schmid, J. Svoboda, and M. X. Yeo, “Weighted packet selection for rechargeable
links in cryptocurrency networks: Complexity and approximation,” in SIROCCO
2023: Structural Information and Communication Complexity , Alcala de Henares,
Spain, 2023, vol. 13892, pp. 576–594.'
ista: 'Schmid S, Svoboda J, Yeo MX. 2023. Weighted packet selection for rechargeable
links in cryptocurrency networks: Complexity and approximation. SIROCCO 2023:
Structural Information and Communication Complexity . SIROCCO: Structural Information
and Communication Complexity, LNCS, vol. 13892, 576–594.'
mla: 'Schmid, Stefan, et al. “Weighted Packet Selection for Rechargeable Links in Cryptocurrency
Networks: Complexity and Approximation.” SIROCCO 2023: Structural Information
and Communication Complexity , vol. 13892, Springer Nature, 2023, pp. 576–94,
doi:10.1007/978-3-031-32733-9_26.'
short: 'S. Schmid, J. Svoboda, M.X. Yeo, in:, SIROCCO 2023: Structural Information
and Communication Complexity , Springer Nature, 2023, pp. 576–594.'
conference:
end_date: 2023-06-09
location: Alcala de Henares, Spain
name: 'SIROCCO: Structural Information and Communication Complexity'
start_date: 2023-06-06
date_created: 2023-07-16T22:01:12Z
date_published: 2023-05-25T00:00:00Z
date_updated: 2023-11-30T10:54:51Z
day: '25'
department:
- _id: KrPi
- _id: KrCh
doi: 10.1007/978-3-031-32733-9_26
ec_funded: 1
external_id:
arxiv:
- '2204.13459'
intvolume: ' 13892'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://doi.org/10.48550/arXiv.2204.13459
month: '05'
oa: 1
oa_version: Preprint
page: 576-594
project:
- _id: 0599E47C-7A3F-11EA-A408-12923DDC885E
call_identifier: H2020
grant_number: '863818'
name: 'Formal Methods for Stochastic Models: Algorithms and Applications'
publication: 'SIROCCO 2023: Structural Information and Communication Complexity '
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031327322'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
related_material:
record:
- id: '14506'
relation: dissertation_contains
status: public
scopus_import: '1'
status: public
title: 'Weighted packet selection for rechargeable links in cryptocurrency networks:
Complexity and approximation'
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 13892
year: '2023'
...
---
_id: '14506'
abstract:
- lang: eng
text: "Payment channel networks are a promising approach to improve the scalability
bottleneck\r\nof cryptocurrencies. Two design principles behind payment channel
networks are\r\nefficiency and privacy. Payment channel networks improve efficiency
by allowing users\r\nto transact in a peer-to-peer fashion along multi-hop routes
in the network, avoiding\r\nthe lengthy process of consensus on the blockchain.
Transacting over payment channel\r\nnetworks also improves privacy as these transactions
are not broadcast to the blockchain.\r\nDespite the influx of recent protocols
built on top of payment channel networks and\r\ntheir analysis, a common shortcoming
of many of these protocols is that they typically\r\nfocus only on either improving
efficiency or privacy, but not both. Another limitation\r\non the efficiency front
is that the models used to model actions, costs and utilities of\r\nusers are
limited or come with unrealistic assumptions.\r\nThis thesis aims to address some
of the shortcomings of recent protocols and algorithms\r\non payment channel networks,
particularly in their privacy and efficiency aspects. We\r\nfirst present a payment
route discovery protocol based on hub labelling and private\r\ninformation retrieval
that hides the route query and is also efficient. We then present\r\na rebalancing
protocol that formulates the rebalancing problem as a linear program\r\nand solves
the linear program using multiparty computation so as to hide the channel\r\nbalances.
The rebalancing solution as output by our protocol is also globally optimal.\r\nWe
go on to develop more realistic models of the action space, costs, and utilities
of\r\nboth existing and new users that want to join the network. In each of these
settings,\r\nwe also develop algorithms to optimise the utility of these users
with good guarantees\r\non the approximation and competitive ratios."
alternative_title:
- ISTA Thesis
article_processing_charge: No
author:
- first_name: Michelle X
full_name: Yeo, Michelle X
id: 2D82B818-F248-11E8-B48F-1D18A9856A87
last_name: Yeo
citation:
ama: Yeo MX. Advances in efficiency and privacy in payment channel network analysis.
2023. doi:10.15479/14506
apa: Yeo, M. X. (2023). Advances in efficiency and privacy in payment channel
network analysis. Institute of Science and Technology Austria. https://doi.org/10.15479/14506
chicago: Yeo, Michelle X. “Advances in Efficiency and Privacy in Payment Channel
Network Analysis.” Institute of Science and Technology Austria, 2023. https://doi.org/10.15479/14506.
ieee: M. X. Yeo, “Advances in efficiency and privacy in payment channel network
analysis,” Institute of Science and Technology Austria, 2023.
ista: Yeo MX. 2023. Advances in efficiency and privacy in payment channel network
analysis. Institute of Science and Technology Austria.
mla: Yeo, Michelle X. Advances in Efficiency and Privacy in Payment Channel Network
Analysis. Institute of Science and Technology Austria, 2023, doi:10.15479/14506.
short: M.X. Yeo, Advances in Efficiency and Privacy in Payment Channel Network Analysis,
Institute of Science and Technology Austria, 2023.
date_created: 2023-11-10T08:10:43Z
date_published: 2023-11-10T00:00:00Z
date_updated: 2023-11-30T10:54:51Z
day: '10'
ddc:
- '000'
degree_awarded: PhD
department:
- _id: GradSch
- _id: KrPi
doi: 10.15479/14506
ec_funded: 1
file:
- access_level: closed
checksum: 521c72818d720a52b377207b2ee87b6a
content_type: application/x-zip-compressed
creator: cchlebak
date_created: 2023-11-23T10:29:55Z
date_updated: 2023-11-23T10:29:55Z
file_id: '14598'
file_name: thesis_yeo.zip
file_size: 3037720
relation: source_file
- access_level: open_access
checksum: 0ed5d16899687aecf13d843c9878c9f2
content_type: application/pdf
creator: cchlebak
date_created: 2023-11-23T10:30:08Z
date_updated: 2023-11-23T10:30:08Z
file_id: '14599'
file_name: thesis_yeo.pdf
file_size: 2717256
relation: main_file
success: 1
file_date_updated: 2023-11-23T10:30:08Z
has_accepted_license: '1'
language:
- iso: eng
month: '11'
oa: 1
oa_version: Published Version
page: '162'
project:
- _id: 2564DBCA-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '665385'
name: International IST Doctoral Program
publication_identifier:
issn:
- 2663 - 337X
publication_status: published
publisher: Institute of Science and Technology Austria
related_material:
record:
- id: '9969'
relation: part_of_dissertation
status: public
- id: '13238'
relation: part_of_dissertation
status: public
- id: '14490'
relation: part_of_dissertation
status: public
status: public
supervisor:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
title: Advances in efficiency and privacy in payment channel network analysis
type: dissertation
user_id: 8b945eb4-e2f2-11eb-945a-df72226e66a9
year: '2023'
...
---
_id: '14490'
abstract:
- lang: eng
text: Payment channel networks (PCNs) are a promising solution to the scalability
problem of cryptocurrencies. Any two users connected by a payment channel in the
network can theoretically send an unbounded number of instant, costless transactions
between them. Users who are not directly connected can also transact with each
other in a multi-hop fashion. In this work, we study the incentive structure behind
the creation of payment channel networks, particularly from the point of view
of a single user that wants to join the network. We define a utility function
for a new user in terms of expected revenue, expected fees, and the cost of creating
channels, and then provide constant factor approximation algorithms that optimise
the utility function given a certain budget. Additionally, we take a step back
from a single user to the whole network and examine the parameter spaces under
which simple graph topologies form a Nash equilibrium.
acknowledgement: The work was partially supported by the Austrian Science Fund (FWF)
through the project CoRaF (grant 2020388). It was also partially supported by NCN
Grant 2019/35/B/ST6/04138 and ERC Grant 885666.
article_processing_charge: No
author:
- first_name: Zeta
full_name: Avarikioti, Zeta
last_name: Avarikioti
- first_name: Tomasz
full_name: Lizurej, Tomasz
last_name: Lizurej
- first_name: Tomasz
full_name: Michalak, Tomasz
last_name: Michalak
- first_name: Michelle X
full_name: Yeo, Michelle X
id: 2D82B818-F248-11E8-B48F-1D18A9856A87
last_name: Yeo
citation:
ama: 'Avarikioti Z, Lizurej T, Michalak T, Yeo MX. Lightning creation games. In:
43rd International Conference on Distributed Computing Systems. Vol 2023.
IEEE; 2023:603-613. doi:10.1109/ICDCS57875.2023.00037'
apa: 'Avarikioti, Z., Lizurej, T., Michalak, T., & Yeo, M. X. (2023). Lightning
creation games. In 43rd International Conference on Distributed Computing Systems
(Vol. 2023, pp. 603–613). Hong Kong, China: IEEE. https://doi.org/10.1109/ICDCS57875.2023.00037'
chicago: Avarikioti, Zeta, Tomasz Lizurej, Tomasz Michalak, and Michelle X Yeo.
“Lightning Creation Games.” In 43rd International Conference on Distributed
Computing Systems, 2023:603–13. IEEE, 2023. https://doi.org/10.1109/ICDCS57875.2023.00037.
ieee: Z. Avarikioti, T. Lizurej, T. Michalak, and M. X. Yeo, “Lightning creation
games,” in 43rd International Conference on Distributed Computing Systems,
Hong Kong, China, 2023, vol. 2023, pp. 603–613.
ista: 'Avarikioti Z, Lizurej T, Michalak T, Yeo MX. 2023. Lightning creation games.
43rd International Conference on Distributed Computing Systems. ICDCS: International
Conference on Distributed Computing Systems vol. 2023, 603–613.'
mla: Avarikioti, Zeta, et al. “Lightning Creation Games.” 43rd International
Conference on Distributed Computing Systems, vol. 2023, IEEE, 2023, pp. 603–13,
doi:10.1109/ICDCS57875.2023.00037.
short: Z. Avarikioti, T. Lizurej, T. Michalak, M.X. Yeo, in:, 43rd International
Conference on Distributed Computing Systems, IEEE, 2023, pp. 603–613.
conference:
end_date: 2023-07-21
location: Hong Kong, China
name: 'ICDCS: International Conference on Distributed Computing Systems'
start_date: 2023-07-18
date_created: 2023-11-05T23:00:54Z
date_published: 2023-10-11T00:00:00Z
date_updated: 2023-11-30T10:54:51Z
day: '11'
department:
- _id: KrPi
doi: 10.1109/ICDCS57875.2023.00037
external_id:
arxiv:
- '2306.16006'
intvolume: ' 2023'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://doi.org/10.48550/arXiv.2306.16006
month: '10'
oa: 1
oa_version: Preprint
page: 603-613
publication: 43rd International Conference on Distributed Computing Systems
publication_identifier:
eissn:
- 2575-8411
isbn:
- '9798350339864'
publication_status: published
publisher: IEEE
quality_controlled: '1'
related_material:
record:
- id: '14506'
relation: dissertation_contains
status: public
scopus_import: '1'
status: public
title: Lightning creation games
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 2023
year: '2023'
...
---
_id: '14693'
abstract:
- lang: eng
text: "Lucas sequences are constant-recursive integer sequences with a long history
of applications in cryptography, both in the design of cryptographic schemes and
cryptanalysis. In this work, we study the sequential hardness of computing Lucas
sequences over an RSA modulus.\r\nFirst, we show that modular Lucas sequences
are at least as sequentially hard as the classical delay function given by iterated
modular squaring proposed by Rivest, Shamir, and Wagner (MIT Tech. Rep. 1996)
in the context of time-lock puzzles. Moreover, there is no obvious reduction in
the other direction, which suggests that the assumption of sequential hardness
of modular Lucas sequences is strictly weaker than that of iterated modular squaring.
In other words, the sequential hardness of modular Lucas sequences might hold
even in the case of an algorithmic improvement violating the sequential hardness
of iterated modular squaring.\r\nSecond, we demonstrate the feasibility of constructing
practically-efficient verifiable delay functions based on the sequential hardness
of modular Lucas sequences. Our construction builds on the work of Pietrzak (ITCS
2019) by leveraging the intrinsic connection between the problem of computing
modular Lucas sequences and exponentiation in an appropriate extension field."
acknowledgement: "Home Theory of Cryptography Conference paper\r\n(Verifiable) Delay
Functions from Lucas Sequences\r\nDownload book PDF\r\nDownload book EPUB\r\nSimilar
content being viewed by others\r\n\r\nSlider with three content items shown per
slide. Use the Previous and Next buttons to navigate the slides or the slide controller
buttons at the end to navigate through each slide.\r\nPrevious slide\r\nGeneric-Group
Delay Functions Require Hidden-Order Groups\r\nChapter© 2020\r\n\r\nShifted powers
in Lucas–Lehmer sequences\r\nArticle30 January 2019\r\n\r\nA New Class of Trapdoor
Verifiable Delay Functions\r\nChapter© 2023\r\n\r\nWeak Pseudoprimality Associated
with the Generalized Lucas Sequences\r\nChapter© 2022\r\n\r\nOn the Security of
Time-Lock Puzzles and Timed Commitments\r\nChapter© 2020\r\n\r\nGeneration of full
cycles by a composition of NLFSRs\r\nArticle08 March 2014\r\n\r\nCryptographically
Strong de Bruijn Sequences with Large Periods\r\nChapter© 2013\r\n\r\nOpen Problems
on With-Carry Sequence Generators\r\nChapter© 2014\r\n\r\nGenerically Speeding-Up
Repeated Squaring Is Equivalent to Factoring: Sharp Thresholds for All Generic-Ring
Delay Functions\r\nChapter© 2020\r\n\r\nNext slide\r\nGo to slide 1\r\nGo to slide
2\r\nGo to slide 3\r\n(Verifiable) Delay Functions from Lucas Sequences\r\nCharlotte
Hoffmann, Pavel Hubáček, Chethan Kamath & Tomáš Krňák \r\nConference paper\r\nFirst
Online: 27 November 2023\r\n83 Accesses\r\n\r\nPart of the Lecture Notes in Computer
Science book series (LNCS,volume 14372)\r\n\r\nAbstract\r\nLucas sequences are constant-recursive
integer sequences with a long history of applications in cryptography, both in the
design of cryptographic schemes and cryptanalysis. In this work, we study the sequential
hardness of computing Lucas sequences over an RSA modulus.\r\n\r\nFirst, we show
that modular Lucas sequences are at least as sequentially hard as the classical
delay function given by iterated modular squaring proposed by Rivest, Shamir, and
Wagner (MIT Tech. Rep. 1996) in the context of time-lock puzzles. Moreover, there
is no obvious reduction in the other direction, which suggests that the assumption
of sequential hardness of modular Lucas sequences is strictly weaker than that of
iterated modular squaring. In other words, the sequential hardness of modular Lucas
sequences might hold even in the case of an algorithmic improvement violating the
sequential hardness of iterated modular squaring.\r\n\r\nSecond, we demonstrate
the feasibility of constructing practically-efficient verifiable delay functions
based on the sequential hardness of modular Lucas sequences. Our construction builds
on the work of Pietrzak (ITCS 2019) by leveraging the intrinsic connection between
the problem of computing modular Lucas sequences and exponentiation in an appropriate
extension field.\r\n\r\nKeywords\r\nDelay functions\r\nVerifiable delay functions\r\nLucas
sequences\r\nDownload conference paper PDF\r\n\r\n1 Introduction\r\nA verifiable
delay function (VDF) \r\n is a function that satisfies two properties. First, it
is a delay function, which means it must take a prescribed (wall) time T to compute
f, irrespective of the amount of parallelism available. Second, it should be possible
for anyone to quickly verify – say, given a short proof \r\n – the value of the
function (even without resorting to parallelism), where by quickly we mean that
the verification time should be independent of or significantly smaller than T (e.g.,
logarithmic in T). If we drop either of the two requirements, then the primitive
turns out trivial to construct. For instance, for an appropriately chosen hash function
h, the delay function \r\n defined by T-times iterated hashing of the input is a
natural heuristic for an inherently sequential task which, however, seems hard to
verify more efficiently than by recomputing. On the other hand, the identity function
\r\n is trivial to verify but also easily computable. Designing a simple function
satisfying the two properties simultaneously proved to be a nontrivial task.\r\n\r\nThe
notion of VDFs was introduced in [31] and later formalised in [9]. In principle,
since the task of constructing a VDF reduces to the task of incrementally-verifiable
computation [9, 53], constructions of VDFs could leverage succinct non-interactive
arguments of knowledge (SNARKs): take any sequentially-hard function f (for instance,
iterated hashing) as the delay function and then use the SNARK on top of it as the
mechanism for verifying the computation of the delay function. However, as discussed
in [9], the resulting construction is not quite practical since we would rely on
a general-purpose machinery of SNARKs with significant overhead.\r\n\r\nEfficient
VDFs via Algebraic Delay Functions. VDFs have recently found interesting applications
in design of blockchains [17], randomness beacons [43, 51], proofs of data replication
[9], or short-lived zero-knowledge proofs and signatures [3]. Since efficiency is
an important factor there, this has resulted in a flurry of constructions of VDFs
that are tailored with application and practicality in mind. They rely on more algebraic,
structured delay functions that often involve iterating an atomic operation so that
one can resort to custom proof systems to achieve verifiability. These constructions
involve a range of algebraic settings like the RSA or class groups [5, 8, 25, 42,
55], permutation polynomials over finite fields [9], isogenies of elliptic curves
[21, 52] and, very recently, lattices [15, 28]. The constructions in [42, 55] are
arguably the most practical and the mechanism that underlies their delay function
is the same: carry out iterated squaring in groups of unknown order, like RSA groups
[47] or class groups [12]. What distinguishes these two proposals is the way verification
is carried out, i.e., how the underlying “proof of exponentiation” works: while
Pietrzak [42] resorts to an LFKN-style recursive proof system [35], Wesolowski [55]
uses a clever linear decomposition of the exponent.\r\n\r\nIterated Modular Squaring
and Sequentiality. The delay function that underlies the VDFs in [5, 25, 42, 55]
is the same, and its security relies on the conjectured sequential hardness of iterated
squaring in a group of unknown order (suggested in the context of time-lock puzzles
by Rivest, Shamir, and Wagner [48]). Given that the practically efficient VDFs all
rely on the above single delay function, an immediate open problem is to identify
additional sources of sequential hardness that are structured enough to support
practically efficient verifiability.\r\n\r\n1.1 Our Approach to (Verifiable) Delay
Functions\r\nIn this work, we study an alternative source of sequential hardness
in the algebraic setting and use it to construct efficient verifiable delay functions.
The sequentiality of our delay function relies on an atomic operation that is related
to the computation of so-called Lucas sequences [29, 34, 57], explained next.\r\n\r\nLucas
Sequences. A Lucas sequence is a constant-recursive integer sequence that satisfies
the recurrence relation\r\n\r\nfor integers P and Q.Footnote1 Specifically, the
Lucas sequences of integers \r\n and \r\n of the first and second type (respectively)
are defined recursively as\r\n\r\nwith \r\n, and\r\n\r\nwith \r\n.\r\n\r\nThese
sequences can be alternatively defined by the characteristic polynomial \r\n. Specifically,
given the discriminant \r\n of the characteristic polynomial, one can alternatively
compute the above sequences by performing operations in the extension field\r\n\r\nusing
the identities\r\n\r\nwhere \r\n and its conjugate \r\n are roots of the characteristic
polynomial. Since conjugation and exponentiation commute in the extension field
(i.e., \r\n), computing the i-th terms of the two Lucas sequences over integers
reduces to computing \r\n in the extension field, and vice versa.\r\n\r\nThe intrinsic
connection between computing the terms in the Lucas sequences and that of exponentiation
in the extension has been leveraged to provide alternative instantiations of public-key
encryption schemes like RSA and ElGamal in terms of Lucas sequences [7, 30]. However,
as we explain later, the corresponding underlying computational hardness assumptions
are not necessarily equivalent.\r\n\r\nOverview of Our Delay Function. The delay
function in [5, 25, 42, 55] is defined as the iterated squaring base x in a (safe)
RSA groupFootnote2 modulo N:\r\n\r\nOur delay function is its analogue in the setting
of Lucas sequences:\r\n\r\nAs mentioned above, computing \r\n can be carried out
equivalently in the extension field \r\n using the known relationship to roots of
the characteristic polynomial of the Lucas sequence. Thus, the delay function can
be alternatively defined as\r\n\r\nNote that the atomic operation of our delay function
is “doubling” the index of an element of the Lucas sequence modulo N (i.e., \r\n)
or, equivalently, squaring in the extension field \r\n (as opposed to squaring in
\r\n). Using the representation of \r\n as \r\n, squaring in \r\n can be expressed
as a combination of squaring, multiplication and addition modulo N, since\r\n\r\n(1)\r\nSince
\r\n is a group of unknown order (provided the factorization of N is kept secret),
iterated squaring remains hard here. In fact, we show in Sect. 3.2 that iterated
squaring in \r\n is at least as hard as iterated squaring for RSA moduli N. Moreover,
we conjecture in Conjecture 1 that it is, in fact, strictly harder (also see discussion
below on advantages of our approach).\r\n\r\nVerifying Modular Lucas Sequence. To
obtain a VDF, we need to show how to efficiently verify our delay function. To this
end, we show how to adapt the interactive proof of exponentiation from [42] to our
setting, which then – via the Fiat-Shamir Transform [22] – yields the non-interactive
verification algorithm.Footnote3 Thus, our main result is stated informally below.\r\n\r\nTheorem
1\r\n(Informally stated, see Theorem 2). Assuming sequential hardness of modular
Lucas sequence, there exists statistically-sound VDF in the random-oracle model.\r\n\r\nHowever,
the modification of Pietrzak’s protocol is not trivial and we have to overcome several
hurdles that we face in this task, which we elaborate on in Sect. 1.2. We conclude
this section with discussions about our results.\r\n\r\nAdvantage of Our Approach.
Our main advantage is the reliance on a potentially weaker (sequential) hardness
assumption while maintaining efficiency: we show in Sect. 3.2 that modular Lucas
sequences are at least as sequentially-hard as the classical delay function given
by iterated modular squaring [48]. Despite the linear recursive structure of Lucas
sequences, there is no obvious reduction in the other direction, which suggests
that the assumption of sequential hardness of modular Lucas sequences is strictly
weaker than that of iterated modular squaring (Conjecture 1). In other words, the
sequential hardness of modular Lucas sequences might hold even in the case of an
algorithmic improvement violating the sequential hardness of iterated modular squaring.
Even though both assumptions need the group order to be hidden, we believe that
there is need for a nuanced analysis of sequential hardness assumptions in hidden
order groups, especially because all current delay functions that provide sufficient
structure for applications are based on iterated modular squaring. If the iterated
modular squaring assumption is broken, our delay function is currently the only
practical alternative in the RSA group.\r\n\r\nDelay Functions in Idealised Models.
Recent works studied the relationship of group-theoretic (verifiable) delay functions
to the hardness of factoring in idealised models such as the algebraic group model
and the generic ring model [27, 50]. In the generic ring model, Rotem and Segev
[50] showed the equivalence of straight-line delay functions in the RSA setting
and factoring. Our construction gives rise to a straight-line delay function and,
by their result, its sequentiality is equivalent to factoring for generic algorithms.
However, their result holds only in the generic ring model and leaves the relationship
between the two assumptions unresolved in the standard model.\r\n\r\nCompare this
with the status of the RSA assumption and factoring. On one hand, we know that in
the generic ring model, RSA and factoring are equivalent [2]. Yet, it is possible
to rule out certain classes of reductions from factoring to RSA in the standard
model [11]. Most importantly, despite the equivalence in the generic ring model,
there is currently no reduction from factoring to RSA in the standard model and
it remains one of the major open problems in number theory related to cryptography
since the introduction of the RSA assumption.\r\n\r\nIn summary, speeding up iterated
squaring by a non-generic algorithm could be possible (necessarily exploiting the
representations of ring elements modulo N), while such an algorithm may not lead
to a speed-up in the computation of modular Lucas sequences despite the result of
Rotem and Segev [50].\r\n\r\n1.2 Technical Overview\r\nPietrzak’s VDF. Let \r\n
be an RSA modulus where p and q are safe primes and let x be a random element from
\r\n. At its core, Pietrzak’s VDF relies on the interactive protocol for the statement\r\n\r\n“(N,
x, y, T) satisfies \r\n”.\r\n\r\nThe protocol is recursive and, in a round-by-round
fashion, reduces the claim to a smaller statement by halving the time parameter.
To be precise, in each round, the (honest) prover sends the “midpoint” \r\n of the
current statement to the verifier and they together reduce the statement to\r\n\r\n“\r\n
satisfies \r\n”,\r\n\r\nwhere \r\n and \r\n for a random challenge r. This is continued
till \r\n is obtained at which point the verifier simply checks whether \r\n using
a single modular squaring.\r\n\r\nSince the challenges r are public, the protocol
can be compiled into a non-interactive one using the Fiat-Shamir transform [22]
and this yields a means to verify the delay function\r\n\r\nIt is worth pointing
out that the choice of safe primes is crucial for proving soundness: in case the
group has easy-to-find elements of small order then it becomes easy to break soundness
(see, e.g., [10]).\r\n\r\nAdapting Pietrzak’s Protocol to Lucas Sequences. For a
modulus \r\n and integers \r\n, recall that our delay function is defined as\r\n\r\nor
equivalently\r\n\r\nfor the discriminant \r\n of the characteristic polynomial \r\n.
Towards building a verification algorithm for this delay function, the natural first
step is to design an interactive protocol for the statement\r\n\r\n“(N, P, Q, y,
T) satisfies \r\n.”\r\n\r\nIt turns out that the interactive protocol from [42]
can be adapted for this purpose. However, we encounter two technicalities in this
process.\r\n\r\nDealing with elements of small order. The main problem that we face
while designing our protocol is avoiding elements of small order. In the case of
[42], this was accomplished by moving to the setting of signed quadratic residues
[26] in which the sub-groups are all of large order. It is not clear whether a corresponding
object exists for our algebraic setting. However, in an earlier draft of Pietrzak’s
protocol [41], this problem was dealt with in a different manner: the prover sends
a square root of \r\n, from which the original \r\n can be recovered easily (by
squaring it) with a guarantee that the result lies in a group of quadratic residues
\r\n. Notice that the prover knows the square root of \r\n, because it is just a
previous term in the sequence he computed.\r\n\r\nIn our setting, we cannot simply
ask for the square root of the midpoint as the subgroup of \r\n we effectively work
in has a different structure. Nevertheless, we can use a similar approach: for an
appropriately chosen small a, we provide an a-th root of \r\n (instead of \r\n itself)
to the prover in the beginning of the protocol. The prover then computes the whole
sequence for \r\n. In the end, he has the a-th root of every term of the original
sequence and he can recover any element of the original sequence by raising to the
a-th power.\r\n\r\nSampling strong modulus. The second technicality is related to
the first one. In order to ensure that we can use the above trick, we require a
modulus where the small subgroups are reasonably small not only in the group \r\n
but also in the extension \r\n. Thus the traditional sampling algorithms that are
used to sample strong primes (e.g., [46]) are not sufficient for our purposes. However,
sampling strong primes that suit our criteria can still be carried out efficiently
as we show in the full version.\r\n\r\nComparing Our Technique with [8, 25]. The
VDFs in [8, 25] are also inspired by [42] and, hence, faced the same problem of
low-order elements. In [8], this is dealt with by amplifying the soundness at the
cost of parallel repetition and hence larger proofs and extra computation. In [25],
the number of repetitions of [8] is reduced significantly by introducing the following
technique: The exponent of the initial instance is reduced by some parameter \r\n
and at the end of an interactive phase, the verifier performs final exponentiation
with \r\n, thereby weeding out potential false low-order elements in the claim.
This technique differs from the approach taken in our work in the following ways:
The technique from [25] works in arbitrary groups but it requires the parameter
\r\n to be large and of a specific form. In particular, the VDF becomes more efficient
when \r\n is larger than \r\n. In our protocol, we work in RSA groups whose modulus
is the product of primes that satisfy certain conditions depending on a. This enables
us to choose a parameter a that is smaller than a statistical security parameter
and thereby makes the final exponentiation performed by the verifier much more efficient.
Further, a can be any natural number, while \r\n must be set as powers of all small
prime numbers up a certain bound in [25].\r\n\r\n1.3 More Related Work\r\nTimed
Primitives. The notion of VDFs was introduced in [31] and later formalised in [9].
VDFs are closely related to the notions of time-lock puzzles [48] and proofs of
sequential work [36]. Roughly speaking, a time-lock puzzle is a delay function that
additionally allows efficient sampling of the output via a trapdoor. A proof of
sequential work, on the other hand, is a delay “multi-function”, in the sense that
the output is not necessarily unique. Constructions of time-lock puzzles are rare
[6, 38, 48], and there are known limitations: e.g., that it cannot exist in the
random-oracle model [36]. However, we know how to construct proofs of sequential
work in the random-oracle model [1, 16, 19, 36].\r\n\r\nSince VDFs have found several
applications, e.g., in the design of resource-efficient blockchains [17], randomness
beacons [43, 51] and proof of data replication [9], there have been several constructions.
Among them, the most notable are the iterated-squaring based construction from [8,
25, 42, 55], the permutation-polynomial based construction from [9], the isogenies-based
construction from [13, 21, 52] and the construction from lattice problems [15, 28].
The constructions in [42, 55] are quite practical (see the survey [10]) and the
VDF deployed in the cryptocurrency Chia is basically their construction adapted
to the algebraic setting of class groups [17]. This is arguably the closest work
to ours. On the other hand, the constructions from [21, 52], which work in the algebraic
setting of isogenies of elliptic curves where no analogue of square and multiply
is known, simply rely on “exponentiation”. Although, these constructions provide
a certain form of quantum resistance, they are presently far from efficient. Freitag
et al. [23] constructed VDFs from any sequentially hard function and polynomial
hardness of learning with errors, the first from standard assumptions. The works
of Cini, Lai, and Malavolta [15, 28] constructed the first VDF from lattice-based
assumptions and conjectured it to be post-quantum secure.\r\n\r\nSeveral variants
of VDFs have also been proposed. A VDF is said to be unique if the proof that is
used for verification is unique [42]. Recently, Choudhuri et al. [5] constructed
unique VDFs from the sequential hardness of iterated squaring in any RSA group and
polynomial hardness of LWE. A VDF is tight [18] if the gap between simply computing
the function and computing it with a proof is small. Yet another extension is a
continuous VDF [20]. The feasibility of time-lock puzzles and proofs of sequential
works were recently extended to VDFs. It was shown [50] that the latter requirement,
i.e., working in a group of unknown order, is inherent in a black-box sense. It
was shown in [18, 37] that there are barriers to constructing tight VDFs in the
random-oracle model.\r\n\r\nVDFs also have surprising connection to complexity theory
[14, 20, 33].\r\n\r\nWork Related to Lucas Sequences. Lucas sequences have long
been studied in the context of number theory: see for example [45] or [44] for a
survey of its applications to number theory. Its earliest application to cryptography
can be traced to the \r\n factoring algorithm [56]. Constructive applications were
found later thanks to the parallels with exponentiation. Several encryption and
signature schemes were proposed, most notably the LUC family of encryption and signatures
[30, 39]. It was later shown that some of these schemes can be broken or that the
advantages it claimed were not present [7]. Other applications can be found in [32].\r\n\r\n2
Preliminaries\r\n2.1 Interactive Proof Systems\r\nInteractive Protocols. An interactive
protocol consists of a pair \r\n of interactive Turing machines that are run on
a common input \r\n. The first machine \r\n is the prover and is computationally
unbounded. The second machine \r\n is the verifier and is probabilistic polynomial-time.\r\n\r\nIn
an \r\n-round (i.e., \r\n-message) interactive protocol, in each round \r\n, first
\r\n sends a message \r\n to \r\n and then \r\n sends a message \r\n to \r\n, where
\r\n is a finite alphabet. At the end of the interaction, \r\n runs a (deterministic)
Turing machine on input \r\n. The interactive protocol is public-coin if \r\n is
a uniformly distributed random string in \r\n.\r\n\r\nInteractive Proof Systems.
The notion of an interactive proof for a language L is due to Goldwasser, Micali
and Rackoff [24].\r\n\r\nDefinition 1\r\nFor a function \r\n, an interactive protocol
\r\n is an \r\n-statistically-sound interactive proof system for L if:\r\n\r\nCompleteness:
For every \r\n, if \r\n interacts with \r\n on common input \r\n, then \r\n accepts
with probability 1.\r\n\r\nSoundness: For every \r\n and every (computationally-unbounded)
cheating prover strategy \r\n, the verifier \r\n accepts when interacting with \r\n
with probability less than \r\n, where \r\n is called the soundness error.\r\n\r\n2.2
Verifiable Delay Functions\r\nWe adapt the definition of verifiable delay functions
from [9] but we decouple the verifiability and sequentiality properties for clarity
of exposition of our results. First, we present the definition of a delay function.\r\n\r\nDefinition
2\r\nA delay function \r\n consists of a triple of algorithms with the following
syntax:\r\n\r\n:\r\n\r\nOn input a security parameter \r\n, the algorithm \r\n outputs
public parameters \r\n.\r\n\r\n:\r\n\r\nOn input public parameters \r\n and a time
parameter \r\n, the algorithm \r\n outputs a challenge x.\r\n\r\n:\r\n\r\nOn input
a challenge pair (x, T), the (deterministic) algorithm \r\n outputs the value y
of the delay function in time T.\r\n\r\nThe security property required of a delay
function is sequential hardness as defined below.\r\n\r\nDefinition 3\r\n(Sequentiality).
We say that a delay function \r\n satisfies the sequentiality property, if there
exists an \r\n such that for all \r\n and for every adversary \r\n, where \r\n uses
\r\n processors and runs in time \r\n, there exists a negligible function \r\n such
that\r\n\r\nfigure a\r\nA few remarks about our definition of sequentiality are
in order:\r\n\r\n1.\r\nWe require computing \r\n to be hard in less than T sequential
steps even using any polynomially-bounded amount of parallelism and precomputation.
Note that it is necessary to bound the amount of parallelism, as an adversary could
otherwise break the underlying hardness assumption (e.g. hardness of factorization).
Analogously, T should be polynomial in \r\n as, otherwise, breaking the underlying
hardness assumptions becomes easier than computing \r\n itself for large values
of T.\r\n\r\n2.\r\nAnother issue is what bound on the number of sequential steps
of the adversary should one impose. For example, the delay function based on T repeated
modular squarings can be computed in sequential time \r\n using polynomial parallelism
[4]. Thus, one cannot simply bound the sequential time of the adversary by o(T).
Similarly to [38], we adapt the \r\n bound for \r\n which, in particular, is asymptotically
smaller than \r\n.\r\n\r\n3.\r\nWithout loss of generality, we assume that the size
of \r\n is at least linear in n and the adversary A does not have to get the unary
representation of the security parameter \r\n as its input.\r\n\r\nThe definition
of verifiable delay function extends a delay function with the possibility to compute
publicly-verifiable proofs of correctness of the output value.\r\n\r\nDefinition
4\r\nA delay function \r\n is a verifiable delay function if it is equipped with
two additional algorithms \r\n and \r\n with the following syntax:\r\n\r\n:\r\n\r\nOn
input public parameters and a challenge pair (x, T), the \r\n algorithm outputs
\r\n, where \r\n is a proof that the output y is the output of \r\n.\r\n\r\n:\r\n\r\nOn
input public parameters, a challenge pair (x, T), and an output/proof pair \r\n,
the (deterministic) algorithm \r\n outputs either \r\n or \r\n.\r\n\r\nIn addition
to sequentiality (inherited from the underlying delay function), the \r\n and \r\n
algorithms must together satisfy correctness and (statistical) soundness as defined
below.\r\n\r\nDefinition 5\r\n(Correctness). A verifiable delay function \r\n is
correct if for all \r\n\r\nfigure b\r\nDefinition 6\r\n(Statistical soundness).
A verifiable delay function \r\n is statistically sound if for every (computationally
unbounded) malicious prover \r\n there exists a negligible function \r\n such that
for all \r\n\r\nfigure c\r\n3 Delay Functions from Lucas Sequences\r\nIn this section,
we propose a delay function based on Lucas sequences and prove its sequentiality
assuming that iterated squaring in a group of unknown order is sequential (Sect.
3.1). Further, we conjecture (Sect. 3.2) that our delay function candidate is even
more robust than its predecessor proposed by Rivest, Shamir, and Wagner [48]. Finally,
we turn our delay function candidate into a verifiable delay function (Sect. 4).\r\n\r\n3.1
The Atomic Operation\r\nOur delay function is based on subsequences of Lucas sequences,
whose indexes are powers of two. Below, we use \r\n to denote the set of non-negative
integers.\r\n\r\nDefinition 7\r\nFor integers \r\n, the Lucas sequences \r\n and
\r\n are defined for all \r\n as\r\n\r\nwith \r\n and \r\n, and\r\n\r\nwith \r\n
and \r\n.\r\n\r\nWe define subsequences \r\n, respectively \r\n, of \r\n, respectively
\r\n for all \r\n as\r\n\r\n(2)\r\nAlthough the value of \r\n depends on parameters
(P, Q), we omit (P, Q) from the notation because these parameters will be always
obvious from the context.\r\n\r\nThe underlying atomic operation for our delay function
is\r\n\r\nThere are several ways to compute \r\n in T sequential steps, and we describe
two of them below.\r\n\r\nAn Approach Based on Squaring in a Suitable Extension
Ring. To compute the value \r\n, we can use the extension ring \r\n, where \r\n
is the discriminant of the characteristic polynomial \r\n of the Lucas sequence.
The characteristic polynomial f(z) has a root \r\n, and it is known that, for all
\r\n, it holds that\r\n\r\nThus, by iterated squaring of \r\n, we can compute terms
of our target subsequences. To get a better understanding of squaring in the extension
ring, consider the representation of the root \r\n for some \r\n. Then,\r\n\r\nThen,
the atomic operation of our delay function can be interpreted as \r\n, defined for
all \r\n as\r\n\r\n(3)\r\nAn Approach Based on Known Identities. Many useful identities
for members of modular Lucas sequences are known, such as\r\n\r\n(4)\r\nSetting
\r\n we get\r\n\r\n(5)\r\nThe above identities are not hard to derive (see, e.g.,
Lemma 12.5 in [40]). Indexes are doubled on each of application of the identities
in Eq. (5), and, thus, for \r\n, we define an auxiliary sequence \r\n by \r\n. Using
the identities in Eq. (5), we get recursive equations\r\n\r\n(6)\r\nThen, the atomic
operation of our delay function can be interpreted as \r\n, defined for all \r\n
as\r\n\r\n(7)\r\nAfter a closer inspection, the reader may have an intuition that
an auxiliary sequence \r\n, which introduces a third state variable, is redundant.
This intuition is indeed right. In fact, there is another easily derivable identity\r\n\r\n(8)\r\nwhich
can be found, e.g., as Lemma 12.2 in [40]. On the other hand, Eq. (8) is quite interesting
because it allows us to compute large powers of an element \r\n using two Lucas
sequences. We use this fact in the security reduction in Sect. 3.2. Our construction
of a delay function, denoted \r\n, is given in Fig. 1.\r\n\r\nFig. 1.\r\nfigure
1\r\nOur delay function candidate \r\n based on a modular Lucas sequence.\r\n\r\nFull
size image\r\nOn the Discriminant D. Notice that whenever D is a quadratic residue
modulo N, the value \r\n is an element of \r\n and hence \r\n. By definition, LCS.Gen
generates a parameter D that is a quadratic residue with probability 1/4, so it
might seem that in one fourth of the cases there is another approach to compute
\r\n: find the element \r\n and then perform n sequential squarings in the group
\r\n. However, it is well known that finding square roots of uniform elements in
\r\n is equivalent to factoring the modulus N, so this approach is not feasible.
We can therefore omit any restrictions on the discriminant D in the definition of
our delay function LCS.\r\n\r\n3.2 Reduction from RSW Delay Function\r\nIn order
to prove the sequentiality property (Definition 3) of our candidate \r\n, we rely
on the standard conjecture of the sequentiality of the \r\n time-lock puzzles, implicitly
stated in [48] as the underlying hardness assumption.\r\n\r\nDefinition 8\r\n(\r\n
delay function). The \r\n delay function is defined as follows:\r\n\r\n: Samples
two n-bit primes p and q and outputs \r\n.\r\n\r\n: Outputs an x sampled from the
uniform distribution on \r\n.\r\n\r\n: Outputs \r\n.\r\n\r\nTheorem 2\r\nIf the
\r\n delay function has the sequentiality property, then the \r\n delay function
has the sequentiality property.\r\n\r\nProof\r\nSuppose there exists an adversary
\r\n who contradicts the sequentiality of \r\n, where \r\n is a precomputation algorithm
and \r\n is an online algorithm. We construct an adversary \r\n who contradicts
the sequentiality of \r\n as follows:\r\n\r\nThe algorithm \r\n is defined identically
to the algorithm \r\n.\r\n\r\nOn input \r\n, \r\n picks a P from the uniform distribution
on \r\n, sets\r\n\r\nand it runs \r\n to compute \r\n. The algorithm \r\n computes
\r\n using the identity in Eq. (8).\r\n\r\nNote that the input distribution for
the algorithm \r\n produced by \r\n differs from the one produced by \r\n, because
the \r\n generator samples Q from the uniform distribution on \r\n (instead of \r\n).
However, this is not a problem since the size of \r\n is negligible compared to
the size of \r\n, so the statistical distance between the distribution of D produced
by \r\n and the distribution of D sampled by \r\n is negligible in the security
parameter. Thus, except for a negligible multiplicative loss, the adversary \r\n
attains the same success probability of breaking the sequentiality of \r\n as the
probability of \r\n breaking the sequentiality of \r\n – a contradiction to the
assumption of the theorem. \r\n\r\nWe believe that the converse implication to
Theorem 2 is not true, i.e., that breaking the sequentiality of \r\n does not necessarily
imply breaking the sequentiality of \r\n. Below, we state it as a conjecture.\r\n\r\nConjecture
1\r\nSequentiality of \r\n cannot be reduced to sequentiality of \r\n.\r\n\r\nOne
reason why the above conjecture might be true is that, while the \r\n delay function
is based solely only on multiplication in the group \r\n, our \r\n delay function
uses the full arithmetic (addition and multiplication) of the commutative ring \r\n.\r\n\r\nOne
way to support the conjecture would be to construct an algorithm that speeds up
iterated squaring but is not immediately applicable to Lucas sequences. By [49]
we know that this cannot be achieved by a generic algorithm. A non-generic algorithm
that solves iterated squaring in time \r\n is presented in [4]. The main tool of
their construction is the Explicit Chinese Remainder Theorem modulo N. However,
a similiar theorem exists also for univariate polynomial rings, which suggests that
a similar speed-up can be obtained for our delay function by adapting the techniques
in [4] to our setting.\r\n\r\n4 VDF from Lucas Sequences\r\nIn Sect. 3.1 we saw
different ways of computing the atomic operation of the delay function. Computing
\r\n in the extension field seems to be the more natural and time and space effective
approach. Furthermore, writing the atomic operation \r\n as \r\n is very clear,
and, thus, we follow this approach throughout the rest of the paper.\r\n\r\n4.1
Structure of \r\nTo construct a VDF based on Lucas sequences, we use an algebraic
extension\r\n\r\n(9)\r\nwhere N is an RSA modulus and \r\n. In this section, we
describe the structure of the algebraic extension given in Expression (9). Based
on our understanding of the structure of the above algebraic extension, we can conclude
that using modulus N composed of safe primes (i.e., for all prime factors p of N,
\r\n has a large prime divisor) is necessary but not sufficient condition for security
of our construction. We specify some sufficient conditions on factors of N in the
subsequent Sect. 4.2.\r\n\r\nFirst, we introduce some simplifying notation for quotient
rings.\r\n\r\nDefinition 9\r\nFor \r\n and \r\n, we denote by \r\n the quotient
ring \r\n, where (m, f(x)) denotes the ideal of the ring \r\n generated by m and
f(x).\r\n\r\nObservation 1, below, allows us to restrict our analysis only to the
structure of \r\n for prime \r\n.\r\n\r\nObservation 1\r\nLet \r\n be distinct primes,
\r\n and \r\n. Then\r\n\r\nProof\r\nUsing the Chinese reminder theorem, we get\r\n\r\nas
claimed. \r\n\r\nThe following lemma characterizes the structure of \r\n with
respect to the discriminant of f. We use \r\n to denote the standard Legendre symbol.\r\n\r\nLemma
1\r\nLet \r\n and \r\n be a polynomial of degree 2 with the discriminant D. Then\r\n\r\nProof\r\nWe
consider each case separately:\r\n\r\nIf \r\n, then f(x) is irreducible over \r\n
and \r\n is a field with \r\n elements. Since \r\n is a finite field, \r\n is cyclic
and contains \r\n elements.\r\n\r\nIf \r\n, then \r\n and f has some double root
\r\n and it can be written as \r\n for some \r\n. Since the ring \r\n is isomorphic
to the ring \r\n (consider the isomorphism \r\n), we can restrict ourselves to describing
the structure of \r\n.\r\n\r\nWe will prove that the function \r\n,\r\n\r\nis an
isomorphism. First, the polynomial \r\n is invertible if and only if \r\n (inverse
is \r\n). For the choice \r\n, we have\r\n\r\nThus \r\n is onto. Second, \r\n is,
in fact, a bijection, because\r\n\r\n(10)\r\nFinally, \r\n is a homomorphism, because\r\n\r\nIf
\r\n, then f(x) has two roots \r\n. We have an isomorphism\r\n\r\nand \r\n. \r\n\r\n4.2
Strong Groups and Strong Primes\r\nTo achieve the verifiability property of our
construction, we need \r\n to contain a strong subgroup (defined next) of order
asymptotically linear in p. We remark that our definition of strong primes is stronger
than the one by Rivest and Silverman [46].\r\n\r\nDefinition 10\r\n(Strong groups).
For \r\n, we say that a non-trivial group \r\n is \r\n-strong, if the order of each
non-trivial subgroup of \r\n is greater than \r\n.\r\n\r\nObservation 2\r\nIf \r\n
and \r\n are \r\n-strong groups, then \r\n is a \r\n-strong group.\r\n\r\nIt can
be seen from Lemma 1 that \r\n always contains groups of small order (e.g. \r\n).
To avoid these, we descend into the subgroup of a-th powers of elements of \r\n.
Below, we introduce the corresponding notation.\r\n\r\nDefinition 11\r\nFor an Abelian
group \r\n and \r\n, we define the subgroup \r\n of \r\n in the multiplicative notation
and \r\n in the additive notation.\r\n\r\nFurther, we show in Lemma 2 below that
\r\n-strong primality (defined next) is a sufficient condition for \r\n to be a
\r\n-strong group.\r\n\r\nDefinition 12\r\n(Strong primes). Let \r\n and \r\n. We
say that p is a \r\n-strong prime, if \r\n and there exists \r\n, \r\n, such that
\r\n and every prime factor of W is greater than \r\n.\r\n\r\nSince a is a public
parameter in our setup, super-polynomial a could reveal partial information about
the factorization of N. However, we could allow a to be polynomial in \r\n while
maintaining hardness of factoring N.Footnote4 For the sake of simplicity of Definition
12, we rather use stronger condition \r\n. The following simple observation will
be useful for proving Lemma 2.\r\n\r\nObservation 3\r\nFor \r\n.\r\n\r\nLemma 2\r\nLet
p be a \r\n-strong prime and \r\n be a quadratic polynomial. Then, \r\n is a \r\n-strong
group.\r\n\r\nProof\r\nFrom definition of the strong primes, there exists \r\n,
whose factors are bigger than \r\n and \r\n. We denote \r\n a factor of W. Applying
Observation 3 to Lemma 1, we get\r\n\r\nIn particular, we used above the fact that
Observation 2 implies that \r\n as explained next. Since \r\n, all divisors of \r\n
are divisors of aW. By definition of a and W in Definition 12, we also have that
\r\n, which implies that any factor of \r\n divides either a or W, but not both.
When we divide \r\n by all the common divisors with a, only the common divisors
with W are left, which implies \r\n. The proof of the lemma is now completed by
Observation 2.\r\n\r\nCorollary 1\r\nLet p be a \r\n-strong prime, q be a \r\n-strong
prime, \r\n, \r\n, \r\n and \r\n. Then \r\n is \r\n-strong.\r\n\r\n4.3 Our Interactive
Protocol\r\nOur interactive protocol is formally described in Fig. 3. To understand
this protocol, we first recall the outline of Pietrzak’s interactive protocol from
Sect. 1.2 and then highlight the hurdles. Let \r\n be an RSA modulus where p and
q are strong primes and let x be a random element from \r\n. The interactive protocol
in [42] allows a prover to convince the verifier of the statement\r\n\r\n“(N, x,
y, T) satisfies \r\n”.\r\n\r\nThe protocol is recursive and in a round-by-round
fashion reduces the claim to a smaller statement by halving the time parameter.
To be precise, in each round the (honest) prover sends the “midpoint” \r\n of the
current statement to the verifier and they together reduce the statement to\r\n\r\n“\r\n
satisfies \r\n”,\r\n\r\nwhere \r\n and \r\n for a random challenge r. This is continued
until \r\n is obtained at which point the verifier simply checks whether \r\n.\r\n\r\nThe
main problem, we face while designing our protocol is ensuring that the verifier
can check whether \r\n sent by prover lies in an appropriate subgroup of \r\n. In
the first draft of Pietrzak’s protocol [41], prover sends a square root of \r\n,
from which the original \r\n can be recovered easily (by simply squaring it) with
a guarantee, that the result lies in a group of quadratic residues \r\n. Notice
that the prover knows the square root of \r\n, because it is just a previous term
in the sequence he computed.\r\n\r\nUsing Pietrzak’s protocol directly for our delay
function would require computing a-th roots in RSA group for some arbitrary a. Since
this is a computationally hard problem, we cannot use the same trick. In fact, the
VDF construction of Wesolowski [54] is based on similar hardness assumption.\r\n\r\nWhile
Pietrzak shifted from \r\n to the group of signed quadratic residues \r\n in his
following paper [42] to get unique proofs, we resort to his old idea of ‘squaring
a square root’ and generalise it.\r\n\r\nThe high level idea is simple. First, on
input \r\n, prover computes the sequence \r\n. Next, during the protocol, verifier
maps all elements sent by the prover by homomorphism\r\n\r\n(11)\r\ninto the target
strong group \r\n. This process is illustrated in Fig. 2. Notice that the equality
\r\n for the original sequence implies the equality \r\n for the mapped sequence
\r\n.\r\n\r\nFig. 2.\r\nfigure 2\r\nIllustration of our computation of the iterated
squaring using the a-th root of \r\n. Horizontal arrows are \r\n and diagonal arrows
are \r\n.\r\n\r\nFull size image\r\nRestriction to Elements of \r\n. Mapping Eq.
(11) introduces a new technical difficulty. Since \r\n is not injective, we narrow
the domain inputs, for which the output of our VDF is verifiable, from \r\n to \r\n.
Furthermore, the only way to verify that a certain x is an element of \r\n is to
get an a-th root of x and raise it to the ath power. So we have to represent elements
of \r\n by elements of \r\n anyway. To resolve these two issues, we introduce a
non-unique representation of elements of \r\n.\r\n\r\nDefinition 13\r\nFor \r\n
and \r\n, we denote \r\n (an element of \r\n) by [x]. Since this representation
of \r\n is not unique, we define an equality relation by\r\n\r\nWe will denote by
tilde () the elements that were already powered to the a by a verifier (i.e. ).
Thus tilded variables verifiably belong to the target group \r\n.\r\n\r\nIn the
following text, the goal of the brackets notation in Definition 13 is to distinguish
places where the equality means the equality of elements of \r\n from those places,
where the equality holds up to \r\n. A reader can also see the notation in Definition
13 as a concrete representation of elements of a factor group \r\n.\r\n\r\nOur security
reduction 2 required the delay function to operate everywhere on \r\n. This is not
a problem if the \r\n algorithm is modified to output the set \r\n.\r\n\r\nFig.
3.\r\nfigure 3\r\nOur Interactive Protocol for \r\n.\r\n\r\nFull size image\r\n4.4
Security\r\nRecall here that \r\n is \r\n-strong group, so there exist\r\n\r\n and
\r\n such that\r\n\r\n(12)\r\nDefinition 14\r\nFor \r\n and \r\n, we define \r\n
as i-th coordinate of \r\n, where \r\n is the isomorphism given by Eq. (12).\r\n\r\nLemma
3\r\nLet \r\n and \r\n. If \r\n, then\r\n\r\n\t(13)\r\nProof\r\nFix \r\n, \r\n and
y. Let some \r\n satisfy\r\n\r\n(14)\r\nUsing notation from Definition 14, we rewrite
Eq. (14) as a set of equations\r\n\r\nFor every \r\n, by reordering the terms, the
j-th equation becomes\r\n\r\n(15)\r\nIf \r\n, then \r\n. Further for every \r\n.
It follows that \r\n. Putting these two equations together gives us \r\n, which
contradicts our assumption \r\n.\r\n\r\nIt follows that there exists \r\n such that\r\n\r\n(16)\r\nThereafter
there exists \r\n such that \r\n divides \r\n and\r\n\r\n(17)\r\nFurthermore, from
Eq. (15), \r\n divides \r\n. Finally, dividing eq. Eq. (15) by \r\n, we get that
r is determined uniquely (\r\n),\r\n\r\nUsing the fact that \r\n, this uniqueness
of r upper bounds number of \r\n, such that Eq. (14) holds, to one. It follows that
the probability that Eq. (14) holds for r chosen randomly from the uniform distribution
over \r\n is less than \r\n. \r\n\r\nCorollary 2\r\nThe halving protocol will
turn an invalid input tuple (i.e. \r\n) into a valid output tuple (i.e. \r\n) with
probability less than \r\n.\r\n\r\nTheorem 3\r\nFor any computationally unbounded
prover who submits anything other than \r\n such that \r\n in phase 2 of the protocol,
the soundness error is upper-bounded by \r\n\r\nProof\r\nIn each round of the protocol,
T decreases to \r\n. It follows that the number of rounds of the halving protocol
before reaching \r\n is upper bounded by \r\n.\r\n\r\nIf the verifier accepts the
solution tuple \r\n in the last round, then the equality \r\n must hold. It follows
that the initial inequality must have turned into equality in some round of the
halving protocol. By Lemma 3, the probability of this event is bounded by \r\n.
Finally, using the union bound for all rounds, we obtain the upper bound (\r\n.
\ \r\n\r\n4.5 Our VDF\r\nAnalogously to the VDF of Pietrzak [42], we compile our
public-coin interactive proof given in Fig. 3 into a VDF using the Fiat-Shamir heuristic.
The complete construction is given in Fig. 4. For ease of exposition, we assume
that the time parameter T is always a power of two.\r\n\r\nFig. 4.\r\nfigure 4\r\n
based on Lucas sequences\r\n\r\nFull size image\r\nAs discussed in Sect. 4.3, it
is crucial for the security of the protocol that the prover computes a sequence
of powers of the a-th root of the challenge and the resulting value (as well as
the intermediate values) received from the prover is lifted to the appropriate group
by raising it to the a-th power. We use the tilde notation in Fig. 4 in order to
denote elements on the sequence relative to the a-th root.\r\n\r\nNote that, by
the construction, the output of our VDF is the \r\n-th power of the root of the
characteristic polynomial for Lucas sequence with parameters P and Q. Therefore,
the value of the delay function implicitly corresponds to the \r\n-th term of the
Lucas sequence.\r\n\r\nTheorem 4\r\nLet \r\n be the statistical security parameter.
The \r\n VDF defined in Fig. 4 is correct and statistically-sound with a negligible
soundness error if \r\n is modelled as a random oracle, against any adversary that
makes \r\n oracle queries.\r\n\r\nProof\r\nThe correctness follows directly by construction.\r\n\r\nTo
prove its statistical soundness, we proceed in a similar way to [42]. We cannot
apply Fiat-Shamir transformation directly, because our protocol does not have constant
number of rounds, thus we use Fiat-Shamir heuristic to each round separately.\r\n\r\nFirst,
we use a random oracle as the \r\n function. Second, if a malicious prover computed
a proof accepted by verifier for some tuple \r\n such that\r\n\r\n(19)\r\nthen he
must have succeeded in turning inequality from Eq. (19) into equality in some round.
By Lemma 3, probability of such a flipping is bounded by \r\n. Every such an attempt
requires one query to random oracle. Using a union bound, it follows that the probability
that a malicious prover who made q queries to random oracle succeeds in flipping
initial inequality into equality in some round is upper-bounded by \r\n.\r\n\r\nSince
q is \r\n, \r\n is a negligible function and thus the soundness error is negligible.
\ \r\n\r\nNotes\r\n1.\r\nNote that integer sequences like Fibonacci numbers and
Mersenne numbers are special cases of Lucas sequences.\r\n\r\n2.\r\nThe choice of
modulus N is said to be safe if \r\n for safe primes \r\n and \r\n, where \r\n and
\r\n are also prime.\r\n\r\n3.\r\nFurther, using the ideas from [14, 20], it is
possible to construct so-called continuous VDFs from Lucas sequences.\r\n\r\n4.\r\nSince
we set a to be at most polynomial in \r\n, its is possible to go over all possible
candidate values for a in time polynomial in \r\n. Thus, any algorithm that could
factor N using the knowledge of a can be efficiently simulated even without the
knowledge of a.\r\n\r\nReferences\r\nAbusalah, H., Kamath, C., Klein, K., Pietrzak,
K., Walter, M.: Reversible proofs of sequential work. In: Ishai, Y., Rijmen, V.
(eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 277–291. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_10\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nAggarwal, D., Maurer, U.: Breaking RSA generically
is equivalent to factoring. IEEE Trans. Inf. Theory 62(11), 6251–6259 (2016). https://doi.org/10.1109/TIT.2016.2594197\r\n\r\nCrossRef\r\n
\r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nArun, A., Bonneau,
J., Clark, J.: Short-lived zero-knowledge proofs and signatures. In: Agrawal, S.,
Lin, D. (eds.) Advances in Cryptology – ASIACRYPT 2022. Lecture Notes in Computer
Science, vol. 13793, pp. 487–516. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22969-5_17\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nBernstein, D., Sorenson, J.: Modular exponentiation
via the explicit Chinese remainder theorem. Math. Comput. 76, 443–454 (2007). https://doi.org/10.1090/S0025-5718-06-01849-7\r\n\r\nCrossRef\r\n
\r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nBitansky, N., et
al.: PPAD is as hard as LWE and iterated squaring. IACR Cryptol. ePrint Arch., p.
1072 (2022)\r\n\r\nGoogle Scholar\r\n \r\n\r\nBitansky, N., Goldwasser, S., Jain,
A., Paneth, O., Vaikuntanathan, V., Waters, B.: Time-lock puzzles from randomized
encodings. In: ITCS, pp. 345–356. ACM (2016)\r\n\r\nGoogle Scholar\r\n \r\n\r\nBleichenbacher,
D., Bosma, W., Lenstra, A.K.: Some remarks on Lucas-based cryptosystems. In: Coppersmith,
D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 386–396. Springer, Heidelberg (1995).
https://doi.org/10.1007/3-540-44750-4_31\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n
\r\n\r\nBlock, A.R., Holmgren, J., Rosen, A., Rothblum, R.D., Soni, P.: Time- and
space-efficient arguments from groups of unknown order. In: Malkin, T., Peikert,
C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 123–152. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_5\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nBoneh, D., Bonneau, J., Bünz, B., Fisch, B.: Verifiable
delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991,
pp. 757–788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_25\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nBoneh, D., Bünz, B., Fisch, B.: A survey of two verifiable
delay functions. IACR Cryptol. ePrint Arch. 2018, 712 (2018)\r\n\r\nMATH\r\n \r\nGoogle
Scholar\r\n \r\n\r\nBoneh, D., Venkatesan, R.: Breaking RSA may not be equivalent
to factoring. In: Nyberg, K. (ed.) Advances in Cryptology - EUROCRYPT ’98. Lecture
Notes in Computer Science, vol. 1403, pp. 59–71. Springer, Cham (1998). https://doi.org/10.1007/BFb0054117\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nBuchmann, J., Williams, H.C.: A key-exchange system
based on imaginary quadratic fields. J. Cryptol. 1(2), 107–118 (1988). https://doi.org/10.1007/BF02351719\r\n\r\nCrossRef\r\n
\r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nChavez-Saab, J.,
Rodríguez-Henríquez, F., Tibouchi, M.: Verifiable Isogeny walks: towards an isogeny-based
postquantum VDF. In: AlTawy, R., Hülsing, A. (eds.) SAC 2021. LNCS, vol. 13203,
pp. 441–460. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-99277-4_21\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nChoudhuri, A.R., Hubáček, P., Kamath, C., Pietrzak,
K., Rosen, A., Rothblum, G.N.: PPAD-hardness via iterated squaring modulo a composite.
IACR Cryptol. ePrint Arch. 2019, 667 (2019)\r\n\r\nGoogle Scholar\r\n \r\n\r\nCini,
V., Lai, R.W.F., Malavolta, G.: Lattice-based succinct arguments from vanishing
polynomials. In: Handschuh, H., Lysyanskaya, A. (eds.) Advances in Cryptology -
CRYPTO 2023. Lecture Notes in Computer Science, pp. 72–105. Springer Nature Switzerland,
Cham (2023). https://doi.org/10.1007/978-3-031-38545-2_3\r\n\r\nCrossRef\r\n \r\nGoogle
Scholar\r\n \r\n\r\nCohen, B., Pietrzak, K.: Simple proofs of sequential work. In:
Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 451–467.
Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_15\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nCohen, B., Pietrzak, K.: The Chia network blockchain.
Technical report, Chia Network (2019). https://www.chia.net/assets/ChiaGreenPaper.pdf.
Accessed 29 July 2022\r\n\r\nDöttling, N., Garg, S., Malavolta, G., Vasudevan, P.N.:
Tight verifiable delay functions. In: Galdi, C., Kolesnikov, V. (eds.) SCN 2020.
LNCS, vol. 12238, pp. 65–84. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57990-6_4\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nDöttling, N., Lai, R.W.F., Malavolta, G.: Incremental
proofs of sequential work. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS,
vol. 11477, pp. 292–323. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_11\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nEphraim, N., Freitag, C., Komargodski, I., Pass,
R.: Continuous verifiable delay functions. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT
2020. LNCS, vol. 12107, pp. 125–154. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_5\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nDe Feo, L., Masson, S., Petit, C., Sanso, A.: Verifiable
delay functions from supersingular isogenies and pairings. In: Galbraith, S.D.,
Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 248–277. Springer, Cham
(2019). https://doi.org/10.1007/978-3-030-34578-5_10\r\n\r\nCrossRef\r\n \r\nGoogle
Scholar\r\n \r\n\r\nFiat, A., Shamir, A.: How to prove yourself: practical solutions
to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS,
vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nFreitag, C., Pass, R., Sirkin, N.: Parallelizable
delegation from LWE. IACR Cryptol. ePrint Arch., p. 1025 (2022)\r\n\r\nGoogle Scholar\r\n
\r\n\r\nGoldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive
proof systems. SIAM J. Comput. 18(1), 186–208 (1989)\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n
\r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nHoffmann, C., Hubáček, P., Kamath, C.,
Klein, K., Pietrzak, K.: Practical statistically sound proofs of exponentiation
in any group. In: Dodis, Y., Shrimpton, T. (eds.) Advances in Cryptology – CRYPTO
2022. Lecture Notes in Computer Science, vol. 13508, pp. 1–30. Springer, Cham (2022).
https://doi.org/10.1007/978-3-031-15979-4_13\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle
Scholar\r\n \r\n\r\nHofheinz, D., Kiltz, E.: The group of signed quadratic residues
and applications. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 637–653.
Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_37\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nKatz, J., Loss, J., Xu, J.: On the security of time-lock
puzzles and timed commitments. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part
III. LNCS, vol. 12552, pp. 390–413. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64381-2_14\r\n\r\nCrossRef\r\n
\r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nLai, R.W.F., Malavolta, G.: Lattice-based
timed cryptography. In: Handschuh, H., Lysyanskaya, A. (eds.) Advances in Cryptology
- CRYPTO 2023. Lecture Notes in Computer Science, pp. 782–804. Springer Nature Switzerland,
Cham (2023). https://doi.org/10.1007/978-3-031-38554-4_25\r\n\r\nCrossRef\r\n \r\nGoogle
Scholar\r\n \r\n\r\nLehmer, D.H.: An extended theory of Lucas’ functions. Ann. Math.
31(3), 419–448 (1930). https://www.jstor.org/stable/1968235\r\n\r\nLennon, M.J.J.,
Smith, P.J.: LUC: A new public key system. In: Douglas, E.G. (ed.) Ninth IFIP Symposium
on Computer Security, pp. 103–117. Elsevier Science Publishers (1993)\r\n\r\nGoogle
Scholar\r\n \r\n\r\nLenstra, A.K., Wesolowski, B.: Trustworthy public randomness
with sloth, unicorn, and trx. IJACT 3(4), 330–343 (2017)\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n
\r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nLipmaa, H.: On Diophantine complexity
and statistical zero-knowledge arguments. In: Laih, C.-S. (ed.) ASIACRYPT 2003.
LNCS, vol. 2894, pp. 398–415. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_26\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nLombardi, A., Vaikuntanathan, V.: Fiat-Shamir for
repeated squaring with applications to PPAD-hardness and VDFs. In: Micciancio, D.,
Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 632–651. Springer, Cham
(2020). https://doi.org/10.1007/978-3-030-56877-1_22\r\n\r\nCrossRef\r\n \r\nGoogle
Scholar\r\n \r\n\r\nLucas, E.: Théorie des fonctions numériques simplement périodiques.
Am. J. Math. 1(4), 289–321 (1878). https://www.jstor.org/stable/2369373\r\n\r\nLund,
C., Fortnow, L., Karloff, H.J., Nisan, N.: Algebraic methods for interactive proof
systems. J. ACM 39(4), 859–868 (1992)\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n
\r\nGoogle Scholar\r\n \r\n\r\nMahmoody, M., Moran, T., Vadhan, S.P.: Publicly verifiable
proofs of sequential work. In: ITCS, pp. 373–388. ACM (2013)\r\n\r\nGoogle Scholar\r\n
\r\n\r\nMahmoody, M., Smith, C., Wu, D.J.: A note on the (Im)possibility of verifiable
delay functions in the random oracle model. IACR Cryptol. ePrint Arch. 2019, 663
(2019)\r\n\r\nGoogle Scholar\r\n \r\n\r\nMalavolta, G., Thyagarajan, S.A.K.: Homomorphic
time-lock puzzles and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO
2019. LNCS, vol. 11692, pp. 620–649. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_22\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nMüller, W.B., Nöbauer, W.: Some remarks on public-key
cryptosystems. Studia Sci. Math. Hungar. 16, 71–76 (1981)\r\n\r\nMathSciNet\r\n
\r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nBressoud, D.M.: Factorization and primality
testing. Math. Comput. 56(193), 400 (1991)\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n
\r\n\r\nPietrzak, K.: Simple verifiable delay functions. IACR Cryptol. ePrint Arch.
2018, 627 (2018). https://eprint.iacr.org/2018/627/20180720:081000\r\n\r\nPietrzak,
K.: Simple verifiable delay functions. In: ITCS. LIPIcs, vol. 124, pp. 1–15. Schloss
Dagstuhl - Leibniz-Zentrum für Informatik (2019)\r\n\r\nGoogle Scholar\r\n \r\n\r\nRabin,
M.O.: Transaction protection by beacons. J. Comput. Syst. Sci. 27(2), 256–267 (1983)\r\n\r\nCrossRef\r\n
\r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nRibenboim, P.: My
Numbers, My Friends: Popular Lectures on Number Theory. Springer-Verlag, New York
(2000)\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nRiesel, H.:
Prime Numbers and Computer Methods for Factorization, Progress in Mathematics, vol.
57. Birkhäuser, Basel (1985)\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n
\r\n\r\nRivest, R., Silverman, R.: Are ’strong’ primes needed for RSA. Cryptology
ePrint Archive, Report 2001/007 (2001). https://eprint.iacr.org/2001/007\r\n\r\nRivest,
R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key
cryptosystems (reprint). Commun. ACM 26(1), 96–99 (1983)\r\n\r\nCrossRef\r\n \r\nMATH\r\n
\r\nGoogle Scholar\r\n \r\n\r\nRivest, R.L., Shamir, A., Wagner, D.A.: Time-lock
puzzles and timed-release crypto. Technical report, Massachusetts Institute of Technology
(1996)\r\n\r\nGoogle Scholar\r\n \r\n\r\nRotem, L., Segev, G.: Generically speeding-up
repeated squaring is equivalent to factoring: sharp thresholds for all generic-ring
delay functions. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol.
12172, pp. 481–509. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_17\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nRotem, L., Segev, G., Shahaf, I.: Generic-group delay
functions require hidden-order groups. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT
2020. LNCS, vol. 12107, pp. 155–180. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_6\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nSchindler, P., Judmayer, A., Hittmeir, M., Stifter,
N., Weippl, E.R.: RandRunner: distributed randomness from trapdoor VDFs with strong
uniqueness. In: 28th Annual Network and Distributed System Security Symposium, NDSS
2021, virtually, 21–25 February 2021. The Internet Society (2021)\r\n\r\nGoogle
Scholar\r\n \r\n\r\nShani, B.: A note on isogeny-based hybrid verifiable delay functions.
IACR Cryptol. ePrint Arch. 2019, 205 (2019)\r\n\r\nGoogle Scholar\r\n \r\n\r\nValiant,
P.: Incrementally verifiable computation or proofs of knowledge imply time/space
efficiency. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 1–18. Springer,
Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_1\r\n\r\nCrossRef\r\n
\r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nWesolowski, B.: Efficient verifiable
delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478,
pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_13\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nWesolowski, B.: Efficient verifiable delay functions.
J. Cryptol. 33(4), 2113–2147 (2020). https://doi.org/10.1007/s00145-020-09364-x\r\n\r\nCrossRef\r\n
\r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nWilliams, H.C.: A
\r\n method of factoring. Math. Comput. 39(159), 225–234 (1982)\r\n\r\nMathSciNet\r\n
\r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nWilliams, H.C.: Édouard lucas and primality
testing. Math. Gaz. 83, 173 (1999)\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nDownload
references\r\n\r\nAcknowledgements\r\nWe thank Krzysztof Pietrzak and Alon Rosen
for several fruitful discussions about this work and the anonymous reviewers of
SCN 2022 and TCC 2023 for valuable suggestions.\r\n\r\nPavel Hubáček is supported
by the Czech Academy of Sciences (RVO 67985840), by the Grant Agency of the Czech
Republic under the grant agreement no. 19-27871X, and by the Charles University
project UNCE/SCI/004. Chethan Kamath is supported by Azrieli International Postdoctoral
Fellowship, by the European Research Council (ERC) under the European Union’s Horizon
Europe research and innovation programme (grant agreement No. 101042417, acronym
SPP), and by ISF grant 1789/19."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Charlotte
full_name: Hoffmann, Charlotte
id: 0f78d746-dc7d-11ea-9b2f-83f92091afe7
last_name: Hoffmann
orcid: 0000-0003-2027-5549
- first_name: Pavel
full_name: Hubáček, Pavel
last_name: Hubáček
- first_name: Chethan
full_name: Kamath, Chethan
last_name: Kamath
- first_name: Tomáš
full_name: Krňák, Tomáš
last_name: Krňák
citation:
ama: 'Hoffmann C, Hubáček P, Kamath C, Krňák T. (Verifiable) delay functions from
Lucas sequences. In: 21st International Conference on Theory of Cryptography.
Vol 14372. Springer Nature; 2023:336-362. doi:10.1007/978-3-031-48624-1_13'
apa: 'Hoffmann, C., Hubáček, P., Kamath, C., & Krňák, T. (2023). (Verifiable)
delay functions from Lucas sequences. In 21st International Conference on Theory
of Cryptography (Vol. 14372, pp. 336–362). Taipei, Taiwan: Springer Nature.
https://doi.org/10.1007/978-3-031-48624-1_13'
chicago: Hoffmann, Charlotte, Pavel Hubáček, Chethan Kamath, and Tomáš Krňák. “(Verifiable)
Delay Functions from Lucas Sequences.” In 21st International Conference on
Theory of Cryptography, 14372:336–62. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-48624-1_13.
ieee: C. Hoffmann, P. Hubáček, C. Kamath, and T. Krňák, “(Verifiable) delay functions
from Lucas sequences,” in 21st International Conference on Theory of Cryptography,
Taipei, Taiwan, 2023, vol. 14372, pp. 336–362.
ista: 'Hoffmann C, Hubáček P, Kamath C, Krňák T. 2023. (Verifiable) delay functions
from Lucas sequences. 21st International Conference on Theory of Cryptography.
TCC: Theory of Cryptography, LNCS, vol. 14372, 336–362.'
mla: Hoffmann, Charlotte, et al. “(Verifiable) Delay Functions from Lucas Sequences.”
21st International Conference on Theory of Cryptography, vol. 14372, Springer
Nature, 2023, pp. 336–62, doi:10.1007/978-3-031-48624-1_13.
short: C. Hoffmann, P. Hubáček, C. Kamath, T. Krňák, in:, 21st International Conference
on Theory of Cryptography, Springer Nature, 2023, pp. 336–362.
conference:
end_date: 2023-12-02
location: Taipei, Taiwan
name: 'TCC: Theory of Cryptography'
start_date: 2023-11-29
date_created: 2023-12-17T23:00:54Z
date_published: 2023-11-27T00:00:00Z
date_updated: 2023-12-18T09:00:00Z
day: '27'
department:
- _id: KrPi
doi: 10.1007/978-3-031-48624-1_13
intvolume: ' 14372'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2023/1404
month: '11'
oa: 1
oa_version: Preprint
page: 336-362
publication: 21st International Conference on Theory of Cryptography
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031486234'
issn:
- 0302-9743
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: (Verifiable) delay functions from Lucas sequences
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 14372
year: '2023'
...
---
_id: '14691'
abstract:
- lang: eng
text: "Continuous Group-Key Agreement (CGKA) allows a group of users to maintain
a shared key. It is the fundamental cryptographic primitive underlying group messaging
schemes and related protocols, most notably TreeKEM, the underlying key agreement
protocol of the Messaging Layer Security (MLS) protocol, a standard for group
messaging by the IETF. CKGA works in an asynchronous setting where parties only
occasionally must come online, and their messages are relayed by an untrusted
server. The most expensive operation provided by CKGA is that which allows for
a user to refresh their key material in order to achieve forward secrecy (old
messages are secure when a user is compromised) and post-compromise security (users
can heal from compromise). One caveat of early CGKA protocols is that these update
operations had to be performed sequentially, with any user wanting to update their
key material having had to receive and process all previous updates. Late versions
of TreeKEM do allow for concurrent updates at the cost of a communication overhead
per update message that is linear in the number of updating parties. This was
shown to be indeed necessary when achieving PCS in just two rounds of communication
by [Bienstock et al. TCC’20].\r\nThe recently proposed protocol CoCoA [Alwen et
al. Eurocrypt’22], however, shows that this overhead can be reduced if PCS requirements
are relaxed, and only a logarithmic number of rounds is required. The natural
question, thus, is whether CoCoA is optimal in this setting.\r\nIn this work we
answer this question, providing a lower bound on the cost (concretely, the amount
of data to be uploaded to the server) for CGKA protocols that heal in an arbitrary
k number of rounds, that shows that CoCoA is very close to optimal. Additionally,
we extend CoCoA to heal in an arbitrary number of rounds, and propose a modification
of it, with a reduced communication cost for certain k.\r\nWe prove our bound
in a combinatorial setting where the state of the protocol progresses in rounds,
and the state of the protocol in each round is captured by a set system, each
set specifying a set of users who share a secret key. We show this combinatorial
model is equivalent to a symbolic model capturing building blocks including PRFs
and public-key encryption, related to the one used by Bienstock et al.\r\nOur
lower bound is of order k•n1+1/(k-1)/log(k), where 2≤k≤log(n) is the number of
updates per user the protocol requires to heal. This generalizes the n2 bound
for k=2 from Bienstock et al.. This bound almost matches the k⋅n1+2/(k-1) or k2⋅n1+1/(k-1)
efficiency we get for the variants of the CoCoA protocol also introduced in this
paper."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Benedikt
full_name: Auerbach, Benedikt
id: D33D2B18-E445-11E9-ABB7-15F4E5697425
last_name: Auerbach
orcid: 0000-0002-7553-6606
- first_name: Miguel
full_name: Cueto Noval, Miguel
id: ffc563a3-f6e0-11ea-865d-e3cce03d17cc
last_name: Cueto Noval
- first_name: Guillermo
full_name: Pascual Perez, Guillermo
id: 2D7ABD02-F248-11E8-B48F-1D18A9856A87
last_name: Pascual Perez
orcid: 0000-0001-8630-415X
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Auerbach B, Cueto Noval M, Pascual Perez G, Pietrzak KZ. On the cost of post-compromise
security in concurrent Continuous Group-Key Agreement. In: 21st International
Conference on Theory of Cryptography. Vol 14371. Springer Nature; 2023:271-300.
doi:10.1007/978-3-031-48621-0_10'
apa: 'Auerbach, B., Cueto Noval, M., Pascual Perez, G., & Pietrzak, K. Z. (2023).
On the cost of post-compromise security in concurrent Continuous Group-Key Agreement.
In 21st International Conference on Theory of Cryptography (Vol. 14371,
pp. 271–300). Taipei, Taiwan: Springer Nature. https://doi.org/10.1007/978-3-031-48621-0_10'
chicago: Auerbach, Benedikt, Miguel Cueto Noval, Guillermo Pascual Perez, and Krzysztof
Z Pietrzak. “On the Cost of Post-Compromise Security in Concurrent Continuous
Group-Key Agreement.” In 21st International Conference on Theory of Cryptography,
14371:271–300. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-48621-0_10.
ieee: B. Auerbach, M. Cueto Noval, G. Pascual Perez, and K. Z. Pietrzak, “On the cost
of post-compromise security in concurrent Continuous Group-Key Agreement,” in
21st International Conference on Theory of Cryptography, Taipei, Taiwan,
2023, vol. 14371, pp. 271–300.
ista: 'Auerbach B, Cueto Noval M, Pascual Perez G, Pietrzak KZ. 2023. On the cost
of post-compromise security in concurrent Continuous Group-Key Agreement. 21st
International Conference on Theory of Cryptography. TCC: Theory of Cryptography,
LNCS, vol. 14371, 271–300.'
mla: Auerbach, Benedikt, et al. “On the Cost of Post-Compromise Security in Concurrent
Continuous Group-Key Agreement.” 21st International Conference on Theory of
Cryptography, vol. 14371, Springer Nature, 2023, pp. 271–300, doi:10.1007/978-3-031-48621-0_10.
short: B. Auerbach, M. Cueto Noval, G. Pascual Perez, K.Z. Pietrzak, in:, 21st International
Conference on Theory of Cryptography, Springer Nature, 2023, pp. 271–300.
conference:
end_date: 2023-12-02
location: Taipei, Taiwan
name: 'TCC: Theory of Cryptography'
start_date: 2023-11-29
date_created: 2023-12-17T23:00:53Z
date_published: 2023-11-27T00:00:00Z
date_updated: 2023-12-18T08:36:51Z
day: '27'
department:
- _id: KrPi
doi: 10.1007/978-3-031-48621-0_10
intvolume: ' 14371'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2023/1123
month: '11'
oa: 1
oa_version: Preprint
page: 271-300
publication: 21st International Conference on Theory of Cryptography
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031486203'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: On the cost of post-compromise security in concurrent Continuous Group-Key
Agreement
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 14371
year: '2023'
...
---
_id: '14692'
abstract:
- lang: eng
text: "The generic-group model (GGM) aims to capture algorithms working over groups
of prime order that only rely on the group operation, but do not exploit any additional
structure given by the concrete implementation of the group. In it, it is possible
to prove information-theoretic lower bounds on the hardness of problems like the
discrete logarithm (DL) or computational Diffie-Hellman (CDH). Thus, since its
introduction, it has served as a valuable tool to assess the concrete security
provided by cryptographic schemes based on such problems. A work on the related
algebraic-group model (AGM) introduced a method, used by many subsequent works,
to adapt GGM lower bounds for one problem to another, by means of conceptually
simple reductions.\r\nIn this work, we propose an alternative approach to extend
GGM bounds from one problem to another. Following an idea by Yun [EC15], we show
that, in the GGM, the security of a large class of problems can be reduced to
that of geometric search-problems. By reducing the security of the resulting geometric-search
problems to variants of the search-by-hypersurface problem, for which information
theoretic lower bounds exist, we give alternative proofs of several results that
used the AGM approach.\r\nThe main advantage of our approach is that our reduction
from geometric search-problems works, as well, for the GGM with preprocessing
(more precisely the bit-fixing GGM introduced by Coretti, Dodis and Guo [Crypto18]).
As a consequence, this opens up the possibility of transferring preprocessing
GGM bounds from one problem to another, also by means of simple reductions. Concretely,
we prove novel preprocessing bounds on the hardness of the d-strong discrete logarithm,
the d-strong Diffie-Hellman inversion, and multi-instance CDH problems, as well
as a large class of Uber assumptions. Additionally, our approach applies to Shoup’s
GGM without additional restrictions on the query behavior of the adversary, while
the recent works of Zhang, Zhou, and Katz [AC22] and Zhandry [Crypto22] highlight
that this is not the case for the AGM approach."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Benedikt
full_name: Auerbach, Benedikt
id: D33D2B18-E445-11E9-ABB7-15F4E5697425
last_name: Auerbach
orcid: 0000-0002-7553-6606
- first_name: Charlotte
full_name: Hoffmann, Charlotte
id: 0f78d746-dc7d-11ea-9b2f-83f92091afe7
last_name: Hoffmann
orcid: 0000-0003-2027-5549
- first_name: Guillermo
full_name: Pascual Perez, Guillermo
id: 2D7ABD02-F248-11E8-B48F-1D18A9856A87
last_name: Pascual Perez
orcid: 0000-0001-8630-415X
citation:
ama: 'Auerbach B, Hoffmann C, Pascual Perez G. Generic-group lower bounds via reductions
between geometric-search problems: With and without preprocessing. In: 21st
International Conference on Theory of Cryptography. Vol 14371. Springer Nature;
2023:301-330. doi:10.1007/978-3-031-48621-0_11'
apa: 'Auerbach, B., Hoffmann, C., & Pascual Perez, G. (2023). Generic-group
lower bounds via reductions between geometric-search problems: With and without
preprocessing. In 21st International Conference on Theory of Cryptography
(Vol. 14371, pp. 301–330). Springer Nature. https://doi.org/10.1007/978-3-031-48621-0_11'
chicago: 'Auerbach, Benedikt, Charlotte Hoffmann, and Guillermo Pascual Perez. “Generic-Group
Lower Bounds via Reductions between Geometric-Search Problems: With and without
Preprocessing.” In 21st International Conference on Theory of Cryptography,
14371:301–30. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-48621-0_11.'
ieee: 'B. Auerbach, C. Hoffmann, and G. Pascual Perez, “Generic-group lower bounds
via reductions between geometric-search problems: With and without preprocessing,”
in 21st International Conference on Theory of Cryptography, 2023, vol.
14371, pp. 301–330.'
ista: 'Auerbach B, Hoffmann C, Pascual Perez G. 2023. Generic-group lower bounds
via reductions between geometric-search problems: With and without preprocessing.
21st International Conference on Theory of Cryptography. , LNCS, vol. 14371, 301–330.'
mla: 'Auerbach, Benedikt, et al. “Generic-Group Lower Bounds via Reductions between
Geometric-Search Problems: With and without Preprocessing.” 21st International
Conference on Theory of Cryptography, vol. 14371, Springer Nature, 2023, pp.
301–30, doi:10.1007/978-3-031-48621-0_11.'
short: B. Auerbach, C. Hoffmann, G. Pascual Perez, in:, 21st International Conference
on Theory of Cryptography, Springer Nature, 2023, pp. 301–330.
date_created: 2023-12-17T23:00:54Z
date_published: 2023-11-27T00:00:00Z
date_updated: 2023-12-18T09:17:03Z
day: '27'
department:
- _id: KrPi
doi: 10.1007/978-3-031-48621-0_11
intvolume: ' 14371'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2023/808
month: '11'
oa: 1
oa_version: Preprint
page: 301-330
publication: 21st International Conference on Theory of Cryptography
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031486203'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'Generic-group lower bounds via reductions between geometric-search problems:
With and without preprocessing'
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 14371
year: '2023'
...
---
_id: '14736'
abstract:
- lang: eng
text: Payment channel networks (PCNs) are a promising technology to improve the
scalability of cryptocurrencies. PCNs, however, face the challenge that the frequent
usage of certain routes may deplete channels in one direction, and hence prevent
further transactions. In order to reap the full potential of PCNs, recharging
and rebalancing mechanisms are required to provision channels, as well as an admission
control logic to decide which transactions to reject in case capacity is insufficient.
This paper presents a formal model of this optimisation problem. In particular,
we consider an online algorithms perspective, where transactions arrive over time
in an unpredictable manner. Our main contributions are competitive online algorithms
which come with provable guarantees over time. We empirically evaluate our algorithms
on randomly generated transactions to compare the average performance of our algorithms
to our theoretical bounds. We also show how this model and approach differs from
related problems in classic communication networks.
acknowledgement: Supported by the German Federal Ministry of Education and Research
(BMBF), grant 16KISK020K (6G-RIC), 2021–2025, and ERC CoG 863818 (ForM-SMArt).
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Mahsa
full_name: Bastankhah, Mahsa
last_name: Bastankhah
- first_name: Krishnendu
full_name: Chatterjee, Krishnendu
id: 2E5DCA20-F248-11E8-B48F-1D18A9856A87
last_name: Chatterjee
orcid: 0000-0002-4561-241X
- first_name: Mohammad Ali
full_name: Maddah-Ali, Mohammad Ali
last_name: Maddah-Ali
- first_name: Stefan
full_name: Schmid, Stefan
last_name: Schmid
- first_name: Jakub
full_name: Svoboda, Jakub
id: 130759D2-D7DD-11E9-87D2-DE0DE6697425
last_name: Svoboda
orcid: 0000-0002-1419-3267
- first_name: Michelle X
full_name: Yeo, Michelle X
id: 2D82B818-F248-11E8-B48F-1D18A9856A87
last_name: Yeo
citation:
ama: 'Bastankhah M, Chatterjee K, Maddah-Ali MA, Schmid S, Svoboda J, Yeo MX. R2:
Boosting liquidity in payment channel networks with online admission control.
In: 27th International Conference on Financial Cryptography and Data Security.
Vol 13950. Springer Nature; 2023:309-325. doi:10.1007/978-3-031-47754-6_18'
apa: 'Bastankhah, M., Chatterjee, K., Maddah-Ali, M. A., Schmid, S., Svoboda, J.,
& Yeo, M. X. (2023). R2: Boosting liquidity in payment channel networks with online
admission control. In 27th International Conference on Financial Cryptography
and Data Security (Vol. 13950, pp. 309–325). Bol, Brac, Croatia: Springer
Nature. https://doi.org/10.1007/978-3-031-47754-6_18'
chicago: 'Bastankhah, Mahsa, Krishnendu Chatterjee, Mohammad Ali Maddah-Ali, Stefan
Schmid, Jakub Svoboda, and Michelle X Yeo. “R2: Boosting Liquidity in Payment
Channel Networks with Online Admission Control.” In 27th International Conference
on Financial Cryptography and Data Security, 13950:309–25. Springer Nature,
2023. https://doi.org/10.1007/978-3-031-47754-6_18.'
ieee: 'M. Bastankhah, K. Chatterjee, M. A. Maddah-Ali, S. Schmid, J. Svoboda, and
M. X. Yeo, “R2: Boosting liquidity in payment channel networks with online admission
control,” in 27th International Conference on Financial Cryptography and Data
Security, Bol, Brac, Croatia, 2023, vol. 13950, pp. 309–325.'
ista: 'Bastankhah M, Chatterjee K, Maddah-Ali MA, Schmid S, Svoboda J, Yeo MX. 2023.
R2: Boosting liquidity in payment channel networks with online admission control.
27th International Conference on Financial Cryptography and Data Security. FC:
Financial Cryptography and Data Security, LNCS, vol. 13950, 309–325.'
mla: 'Bastankhah, Mahsa, et al. “R2: Boosting Liquidity in Payment Channel Networks
with Online Admission Control.” 27th International Conference on Financial
Cryptography and Data Security, vol. 13950, Springer Nature, 2023, pp. 309–25,
doi:10.1007/978-3-031-47754-6_18.'
short: M. Bastankhah, K. Chatterjee, M.A. Maddah-Ali, S. Schmid, J. Svoboda, M.X.
Yeo, in:, 27th International Conference on Financial Cryptography and Data Security,
Springer Nature, 2023, pp. 309–325.
conference:
end_date: 2023-05-05
location: Bol, Brac, Croatia
name: 'FC: Financial Cryptography and Data Security'
start_date: 2023-05-01
date_created: 2024-01-08T09:30:22Z
date_published: 2023-12-01T00:00:00Z
date_updated: 2024-01-08T09:36:36Z
day: '01'
department:
- _id: KrCh
- _id: KrPi
doi: 10.1007/978-3-031-47754-6_18
ec_funded: 1
intvolume: ' 13950'
language:
- iso: eng
month: '12'
oa_version: None
page: 309-325
project:
- _id: 0599E47C-7A3F-11EA-A408-12923DDC885E
call_identifier: H2020
grant_number: '863818'
name: 'Formal Methods for Stochastic Models: Algorithms and Applications'
publication: 27th International Conference on Financial Cryptography and Data Security
publication_identifier:
eisbn:
- '9783031477546'
eissn:
- 1611-3349
isbn:
- '9783031477539'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
status: public
title: 'R2: Boosting liquidity in payment channel networks with online admission control'
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 13950
year: '2023'
...
---
_id: '11476'
abstract:
- lang: eng
text: "Messaging platforms like Signal are widely deployed and provide strong security
in an asynchronous setting. It is a challenging problem to construct a protocol
with similar security guarantees that can efficiently scale to large groups. A
major bottleneck are the frequent key rotations users need to perform to achieve
post compromise forward security.\r\n\r\nIn current proposals – most notably in
TreeKEM (which is part of the IETF’s Messaging Layer Security (MLS) protocol draft)
– for users in a group of size n to rotate their keys, they must each craft a
message of size log(n) to be broadcast to the group using an (untrusted) delivery
server.\r\n\r\nIn larger groups, having users sequentially rotate their keys requires
too much bandwidth (or takes too long), so variants allowing any T≤n users to
simultaneously rotate their keys in just 2 communication rounds have been suggested
(e.g. “Propose and Commit” by MLS). Unfortunately, 2-round concurrent updates
are either damaging or expensive (or both); i.e. they either result in future
operations being more costly (e.g. via “blanking” or “tainting”) or are costly
themselves requiring Ω(T) communication for each user [Bienstock et al., TCC’20].\r\n\r\nIn
this paper we propose CoCoA; a new scheme that allows for T concurrent updates
that are neither damaging nor costly. That is, they add no cost to future operations
yet they only require Ω(log2(n)) communication per user. To circumvent the [Bienstock
et al.] lower bound, CoCoA increases the number of rounds needed to complete all
updates from 2 up to (at most) log(n); though typically fewer rounds are needed.\r\n\r\nThe
key insight of our protocol is the following: in the (non-concurrent version of)
TreeKEM, a delivery server which gets T concurrent update requests will approve
one and reject the remaining T−1. In contrast, our server attempts to apply all
of them. If more than one user requests to rotate the same key during a round,
the server arbitrarily picks a winner. Surprisingly, we prove that regardless
of how the server chooses the winners, all previously compromised users will recover
after at most log(n) such update rounds.\r\n\r\nTo keep the communication complexity
low, CoCoA is a server-aided CGKA. That is, the delivery server no longer blindly
forwards packets, but instead actively computes individualized packets tailored
to each user. As the server is untrusted, this change requires us to develop new
mechanisms ensuring robustness of the protocol."
acknowledgement: We thank Marta Mularczyk and Yiannis Tselekounis for their very helpful
feedback on an earlier draft of this paper.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Joël
full_name: Alwen, Joël
last_name: Alwen
- first_name: Benedikt
full_name: Auerbach, Benedikt
id: D33D2B18-E445-11E9-ABB7-15F4E5697425
last_name: Auerbach
orcid: 0000-0002-7553-6606
- first_name: Miguel
full_name: Cueto Noval, Miguel
id: ffc563a3-f6e0-11ea-865d-e3cce03d17cc
last_name: Cueto Noval
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Guillermo
full_name: Pascual Perez, Guillermo
id: 2D7ABD02-F248-11E8-B48F-1D18A9856A87
last_name: Pascual Perez
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Michael
full_name: Walter, Michael
last_name: Walter
citation:
ama: 'Alwen J, Auerbach B, Cueto Noval M, et al. CoCoA: Concurrent continuous group
key agreement. In: Advances in Cryptology – EUROCRYPT 2022. Vol 13276.
Cham: Springer Nature; 2022:815–844. doi:10.1007/978-3-031-07085-3_28'
apa: 'Alwen, J., Auerbach, B., Cueto Noval, M., Klein, K., Pascual Perez, G., Pietrzak,
K. Z., & Walter, M. (2022). CoCoA: Concurrent continuous group key agreement.
In Advances in Cryptology – EUROCRYPT 2022 (Vol. 13276, pp. 815–844). Cham:
Springer Nature. https://doi.org/10.1007/978-3-031-07085-3_28'
chicago: 'Alwen, Joël, Benedikt Auerbach, Miguel Cueto Noval, Karen Klein, Guillermo
Pascual Perez, Krzysztof Z Pietrzak, and Michael Walter. “CoCoA: Concurrent Continuous
Group Key Agreement.” In Advances in Cryptology – EUROCRYPT 2022, 13276:815–844.
Cham: Springer Nature, 2022. https://doi.org/10.1007/978-3-031-07085-3_28.'
ieee: 'J. Alwen et al., “CoCoA: Concurrent continuous group key agreement,”
in Advances in Cryptology – EUROCRYPT 2022, Trondheim, Norway, 2022, vol.
13276, pp. 815–844.'
ista: 'Alwen J, Auerbach B, Cueto Noval M, Klein K, Pascual Perez G, Pietrzak KZ,
Walter M. 2022. CoCoA: Concurrent continuous group key agreement. Advances in
Cryptology – EUROCRYPT 2022. EUROCRYPT: Annual International Conference on the
Theory and Applications of Cryptology and Information Security, LNCS, vol. 13276,
815–844.'
mla: 'Alwen, Joël, et al. “CoCoA: Concurrent Continuous Group Key Agreement.” Advances
in Cryptology – EUROCRYPT 2022, vol. 13276, Springer Nature, 2022, pp. 815–844,
doi:10.1007/978-3-031-07085-3_28.'
short: J. Alwen, B. Auerbach, M. Cueto Noval, K. Klein, G. Pascual Perez, K.Z. Pietrzak,
M. Walter, in:, Advances in Cryptology – EUROCRYPT 2022, Springer Nature, Cham,
2022, pp. 815–844.
conference:
end_date: 2022-06-03
location: Trondheim, Norway
name: 'EUROCRYPT: Annual International Conference on the Theory and Applications
of Cryptology and Information Security'
start_date: 2022-05-30
date_created: 2022-06-30T16:48:00Z
date_published: 2022-05-25T00:00:00Z
date_updated: 2023-08-03T07:25:02Z
day: '25'
department:
- _id: GradSch
- _id: KrPi
doi: 10.1007/978-3-031-07085-3_28
ec_funded: 1
external_id:
isi:
- '000832305300028'
intvolume: ' 13276'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2022/251
month: '05'
oa: 1
oa_version: Preprint
page: 815–844
place: Cham
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
- _id: 2564DBCA-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '665385'
name: International IST Doctoral Program
publication: Advances in Cryptology – EUROCRYPT 2022
publication_identifier:
eisbn:
- '9783031070853'
eissn:
- 1611-3349
isbn:
- '9783031070846'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'CoCoA: Concurrent continuous group key agreement'
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
volume: 13276
year: '2022'
...
---
_id: '12516'
abstract:
- lang: eng
text: "The homogeneous continuous LWE (hCLWE) problem is to distinguish samples
of a specific high-dimensional Gaussian mixture from standard normal samples.
It was shown to be at least as hard as Learning with Errors, but no reduction
in the other direction is currently known.\r\nWe present four new public-key encryption
schemes based on the hardness of hCLWE, with varying tradeoffs between decryption
and security errors, and different discretization techniques. Our schemes yield
a polynomial-time algorithm for solving hCLWE using a Statistical Zero-Knowledge
oracle."
acknowledgement: "We are grateful to Devika Sharma and Luca Trevisan for their insight
and advice and to an anonymous reviewer for helpful comments.\r\n\r\nThis work was
supported by the European Research Council (ERC) under the European Union’s Horizon
2020 research and innovation programme (Grant agreement No. 101019547). The first
author was additionally supported by RGC GRF CUHK14209920 and the fourth author
was additionally supported by ISF grant No. 1399/17, project PROMETHEUS (Grant 780701),
and Cariplo CRYPTONOMEX grant."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Andrej
full_name: Bogdanov, Andrej
last_name: Bogdanov
- first_name: Miguel
full_name: Cueto Noval, Miguel
id: ffc563a3-f6e0-11ea-865d-e3cce03d17cc
last_name: Cueto Noval
- first_name: Charlotte
full_name: Hoffmann, Charlotte
id: 0f78d746-dc7d-11ea-9b2f-83f92091afe7
last_name: Hoffmann
- first_name: Alon
full_name: Rosen, Alon
last_name: Rosen
citation:
ama: 'Bogdanov A, Cueto Noval M, Hoffmann C, Rosen A. Public-Key Encryption from Homogeneous
CLWE. In: Theory of Cryptography. Vol 13748. Springer Nature; 2022:565-592.
doi:10.1007/978-3-031-22365-5_20'
apa: 'Bogdanov, A., Cueto Noval, M., Hoffmann, C., & Rosen, A. (2022). Public-Key
Encryption from Homogeneous CLWE. In Theory of Cryptography (Vol. 13748,
pp. 565–592). Chicago, IL, United States: Springer Nature. https://doi.org/10.1007/978-3-031-22365-5_20'
chicago: Bogdanov, Andrej, Miguel Cueto Noval, Charlotte Hoffmann, and Alon Rosen.
“Public-Key Encryption from Homogeneous CLWE.” In Theory of Cryptography,
13748:565–92. Springer Nature, 2022. https://doi.org/10.1007/978-3-031-22365-5_20.
ieee: A. Bogdanov, M. Cueto Noval, C. Hoffmann, and A. Rosen, “Public-Key Encryption
from Homogeneous CLWE,” in Theory of Cryptography, Chicago, IL, United
States, 2022, vol. 13748, pp. 565–592.
ista: 'Bogdanov A, Cueto Noval M, Hoffmann C, Rosen A. 2022. Public-Key Encryption
from Homogeneous CLWE. Theory of Cryptography. TCC: Theory of Cryptography, LNCS,
vol. 13748, 565–592.'
mla: Bogdanov, Andrej, et al. “Public-Key Encryption from Homogeneous CLWE.” Theory
of Cryptography, vol. 13748, Springer Nature, 2022, pp. 565–92, doi:10.1007/978-3-031-22365-5_20.
short: A. Bogdanov, M. Cueto Noval, C. Hoffmann, A. Rosen, in:, Theory of Cryptography,
Springer Nature, 2022, pp. 565–592.
conference:
end_date: 2022-11-10
location: Chicago, IL, United States
name: 'TCC: Theory of Cryptography'
start_date: 2022-11-07
date_created: 2023-02-05T23:01:00Z
date_published: 2022-12-21T00:00:00Z
date_updated: 2023-08-04T10:39:30Z
day: '21'
department:
- _id: KrPi
doi: 10.1007/978-3-031-22365-5_20
external_id:
isi:
- '000921318200020'
intvolume: ' 13748'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2022/093
month: '12'
oa: 1
oa_version: Preprint
page: 565-592
publication: Theory of Cryptography
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031223648'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Public-Key Encryption from Homogeneous CLWE
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
volume: 13748
year: '2022'
...
---
_id: '12167'
abstract:
- lang: eng
text: "Payment channels effectively move the transaction load off-chain thereby
successfully addressing the inherent scalability problem most cryptocurrencies
face. A major drawback of payment channels is the need to “top up” funds on-chain
when a channel is depleted. Rebalancing was proposed to alleviate this issue,
where parties with depleting channels move their funds along a cycle to replenish
their channels off-chain. Protocols for rebalancing so far either introduce local
solutions or compromise privacy.\r\nIn this work, we present an opt-in rebalancing
protocol that is both private and globally optimal, meaning our protocol maximizes
the total amount of rebalanced funds. We study rebalancing from the framework
of linear programming. To obtain full privacy guarantees, we leverage multi-party
computation in solving the linear program, which is executed by selected participants
to maintain efficiency. Finally, we efficiently decompose the rebalancing solution
into incentive-compatible cycles which conserve user balances when executed atomically."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Georgia
full_name: Avarikioti, Georgia
id: c20482a0-3b89-11eb-9862-88cf6404b88c
last_name: Avarikioti
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Iosif
full_name: Salem, Iosif
last_name: Salem
- first_name: Stefan
full_name: Schmid, Stefan
last_name: Schmid
- first_name: Samarth
full_name: Tiwari, Samarth
last_name: Tiwari
- first_name: Michelle X
full_name: Yeo, Michelle X
id: 2D82B818-F248-11E8-B48F-1D18A9856A87
last_name: Yeo
citation:
ama: 'Avarikioti G, Pietrzak KZ, Salem I, Schmid S, Tiwari S, Yeo MX. Hide &
Seek: Privacy-preserving rebalancing on payment channel networks. In: Financial
Cryptography and Data Security. Vol 13411. Springer Nature; 2022:358-373.
doi:10.1007/978-3-031-18283-9_17'
apa: 'Avarikioti, G., Pietrzak, K. Z., Salem, I., Schmid, S., Tiwari, S., &
Yeo, M. X. (2022). Hide & Seek: Privacy-preserving rebalancing on payment
channel networks. In Financial Cryptography and Data Security (Vol. 13411,
pp. 358–373). Grenada: Springer Nature. https://doi.org/10.1007/978-3-031-18283-9_17'
chicago: 'Avarikioti, Georgia, Krzysztof Z Pietrzak, Iosif Salem, Stefan Schmid,
Samarth Tiwari, and Michelle X Yeo. “Hide & Seek: Privacy-Preserving Rebalancing
on Payment Channel Networks.” In Financial Cryptography and Data Security,
13411:358–73. Springer Nature, 2022. https://doi.org/10.1007/978-3-031-18283-9_17.'
ieee: 'G. Avarikioti, K. Z. Pietrzak, I. Salem, S. Schmid, S. Tiwari, and M. X.
Yeo, “Hide & Seek: Privacy-preserving rebalancing on payment channel networks,”
in Financial Cryptography and Data Security, Grenada, 2022, vol. 13411,
pp. 358–373.'
ista: 'Avarikioti G, Pietrzak KZ, Salem I, Schmid S, Tiwari S, Yeo MX. 2022. Hide
& Seek: Privacy-preserving rebalancing on payment channel networks. Financial
Cryptography and Data Security. FC: Financial Cryptography and Data Security,
LNCS, vol. 13411, 358–373.'
mla: 'Avarikioti, Georgia, et al. “Hide & Seek: Privacy-Preserving Rebalancing
on Payment Channel Networks.” Financial Cryptography and Data Security,
vol. 13411, Springer Nature, 2022, pp. 358–73, doi:10.1007/978-3-031-18283-9_17.'
short: G. Avarikioti, K.Z. Pietrzak, I. Salem, S. Schmid, S. Tiwari, M.X. Yeo, in:,
Financial Cryptography and Data Security, Springer Nature, 2022, pp. 358–373.
conference:
end_date: 2022-05-06
location: Grenada
name: 'FC: Financial Cryptography and Data Security'
start_date: 2022-05-02
date_created: 2023-01-12T12:10:38Z
date_published: 2022-10-22T00:00:00Z
date_updated: 2023-09-05T15:10:57Z
day: '22'
department:
- _id: KrPi
doi: 10.1007/978-3-031-18283-9_17
external_id:
arxiv:
- '2110.08848'
intvolume: ' 13411'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://doi.org/10.48550/arXiv.2110.08848
month: '10'
oa: 1
oa_version: Preprint
page: 358-373
publication: Financial Cryptography and Data Security
publication_identifier:
eisbn:
- '9783031182839'
eissn:
- 1611-3349
isbn:
- '9783031182822'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'Hide & Seek: Privacy-preserving rebalancing on payment channel networks'
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 13411
year: '2022'
...
---
_id: '12176'
abstract:
- lang: eng
text: "A proof of exponentiation (PoE) in a group G of unknown order allows a prover
to convince a verifier that a tuple (x,q,T,y)∈G×N×N×G satisfies xqT=y. This primitive
has recently found exciting applications in the constructions of verifiable delay
functions and succinct arguments of knowledge. The most practical PoEs only achieve
soundness either under computational assumptions, i.e., they are arguments (Wesolowski,
Journal of Cryptology 2020), or in groups that come with the promise of not having
any small subgroups (Pietrzak, ITCS 2019). The only statistically-sound PoE in
general groups of unknown order is due to Block et al. (CRYPTO 2021), and can
be seen as an elaborate parallel repetition of Pietrzak’s PoE: to achieve λ bits
of security, say λ=80, the number of repetitions required (and thus the blow-up
in communication) is as large as λ.\r\n\r\nIn this work, we propose a statistically-sound
PoE for the case where the exponent q is the product of all primes up to some
bound B. We show that, in this case, it suffices to run only λ/log(B) parallel
instances of Pietrzak’s PoE, which reduces the concrete proof-size compared to
Block et al. by an order of magnitude. Furthermore, we show that in the known
applications where PoEs are used as a building block such structured exponents
are viable. Finally, we also discuss batching of our PoE, showing that many proofs
(for the same G and q but different x and T) can be batched by adding only a single
element to the proof per additional statement."
acknowledgement: "We would like to thank the authors of [BHR+21] for clarifying several
questions we had\r\nregarding their results. Pavel Hubá£ek was supported by the
Grant Agency of the Czech\r\nRepublic under the grant agreement no. 19-27871X and
by the Charles University project\r\nUNCE/SCI/004. Chethan Kamath is supported by
Azrieli International Postdoctoral Fellowship\r\nand ISF grants 484/18 and 1789/19.
Karen Klein was supported in part by ERC CoG grant\r\n724307 and conducted part
of this work at Institute of Science and Technology Austria."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Charlotte
full_name: Hoffmann, Charlotte
id: 0f78d746-dc7d-11ea-9b2f-83f92091afe7
last_name: Hoffmann
orcid: 0000-0003-2027-5549
- first_name: Pavel
full_name: Hubáček, Pavel
last_name: Hubáček
- first_name: Chethan
full_name: Kamath, Chethan
last_name: Kamath
- first_name: Karen
full_name: Klein, Karen
last_name: Klein
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Hoffmann C, Hubáček P, Kamath C, Klein K, Pietrzak KZ. Practical statistically-sound
proofs of exponentiation in any group. In: Advances in Cryptology – CRYPTO
2022. Vol 13508. Springer Nature; 2022:370-399. doi:10.1007/978-3-031-15979-4_13'
apa: 'Hoffmann, C., Hubáček, P., Kamath, C., Klein, K., & Pietrzak, K. Z. (2022).
Practical statistically-sound proofs of exponentiation in any group. In Advances
in Cryptology – CRYPTO 2022 (Vol. 13508, pp. 370–399). Santa Barbara, CA,
United States: Springer Nature. https://doi.org/10.1007/978-3-031-15979-4_13'
chicago: Hoffmann, Charlotte, Pavel Hubáček, Chethan Kamath, Karen Klein, and Krzysztof
Z Pietrzak. “Practical Statistically-Sound Proofs of Exponentiation in Any Group.”
In Advances in Cryptology – CRYPTO 2022, 13508:370–99. Springer Nature,
2022. https://doi.org/10.1007/978-3-031-15979-4_13.
ieee: C. Hoffmann, P. Hubáček, C. Kamath, K. Klein, and K. Z. Pietrzak, “Practical
statistically-sound proofs of exponentiation in any group,” in Advances in
Cryptology – CRYPTO 2022, Santa Barbara, CA, United States, 2022, vol. 13508,
pp. 370–399.
ista: 'Hoffmann C, Hubáček P, Kamath C, Klein K, Pietrzak KZ. 2022. Practical statistically-sound
proofs of exponentiation in any group. Advances in Cryptology – CRYPTO 2022. CRYYPTO:
International Cryptology Conference, LNCS, vol. 13508, 370–399.'
mla: Hoffmann, Charlotte, et al. “Practical Statistically-Sound Proofs of Exponentiation
in Any Group.” Advances in Cryptology – CRYPTO 2022, vol. 13508, Springer
Nature, 2022, pp. 370–99, doi:10.1007/978-3-031-15979-4_13.
short: C. Hoffmann, P. Hubáček, C. Kamath, K. Klein, K.Z. Pietrzak, in:, Advances
in Cryptology – CRYPTO 2022, Springer Nature, 2022, pp. 370–399.
conference:
end_date: 2022-08-18
location: Santa Barbara, CA, United States
name: 'CRYYPTO: International Cryptology Conference'
start_date: 2022-08-15
date_created: 2023-01-12T12:12:07Z
date_published: 2022-10-13T00:00:00Z
date_updated: 2023-09-05T15:12:27Z
day: '13'
department:
- _id: KrPi
doi: 10.1007/978-3-031-15979-4_13
external_id:
isi:
- '000886792700013'
intvolume: ' 13508'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2022/1021
month: '10'
oa: 1
oa_version: Preprint
page: 370-399
publication: Advances in Cryptology – CRYPTO 2022
publication_identifier:
eisbn:
- '9783031159794'
eissn:
- 1611-3349
isbn:
- '9783031159787'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Practical statistically-sound proofs of exponentiation in any group
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 13508
year: '2022'
...
---
_id: '9466'
abstract:
- lang: eng
text: In this work, we apply the dynamical systems analysis of Hanrot et al. (CRYPTO’11)
to a class of lattice block reduction algorithms that includes (natural variants
of) slide reduction and block-Rankin reduction. This implies sharper bounds on
the polynomial running times (in the query model) for these algorithms and opens
the door to faster practical variants of slide reduction. We give heuristic arguments
showing that such variants can indeed speed up slide reduction significantly in
practice. This is confirmed by experimental evidence, which also shows that our
variants are competitive with state-of-the-art reduction algorithms.
acknowledgement: 'This work was initiated in discussions with Léo Ducas, when the
author was visiting the Simons Institute for the Theory of Computation during the
program “Lattices: Algorithms, Complexity, and Cryptography”. We thank Thomas Espitau
for pointing out a bug in a proof in an earlier version of this manuscript.'
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
citation:
ama: 'Walter M. The convergence of slide-type reductions. In: Public-Key Cryptography
– PKC 2021. Vol 12710. Springer Nature; 2021:45-67. doi:10.1007/978-3-030-75245-3_3'
apa: 'Walter, M. (2021). The convergence of slide-type reductions. In Public-Key
Cryptography – PKC 2021 (Vol. 12710, pp. 45–67). Virtual: Springer Nature.
https://doi.org/10.1007/978-3-030-75245-3_3'
chicago: Walter, Michael. “The Convergence of Slide-Type Reductions.” In Public-Key
Cryptography – PKC 2021, 12710:45–67. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-75245-3_3.
ieee: M. Walter, “The convergence of slide-type reductions,” in Public-Key Cryptography
– PKC 2021, Virtual, 2021, vol. 12710, pp. 45–67.
ista: 'Walter M. 2021. The convergence of slide-type reductions. Public-Key Cryptography
– PKC 2021. PKC: IACR International Conference on Practice and Theory of Public
Key Cryptography, LNCS, vol. 12710, 45–67.'
mla: Walter, Michael. “The Convergence of Slide-Type Reductions.” Public-Key
Cryptography – PKC 2021, vol. 12710, Springer Nature, 2021, pp. 45–67, doi:10.1007/978-3-030-75245-3_3.
short: M. Walter, in:, Public-Key Cryptography – PKC 2021, Springer Nature, 2021,
pp. 45–67.
conference:
end_date: 2021-05-13
location: Virtual
name: 'PKC: IACR International Conference on Practice and Theory of Public Key Cryptography'
start_date: 2021-05-10
date_created: 2021-06-06T22:01:29Z
date_published: 2021-05-01T00:00:00Z
date_updated: 2023-02-23T13:58:47Z
day: '01'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.1007/978-3-030-75245-3_3
ec_funded: 1
file:
- access_level: open_access
checksum: 413e564d645ed93d7318672361d9d470
content_type: application/pdf
creator: dernst
date_created: 2022-05-27T09:48:31Z
date_updated: 2022-05-27T09:48:31Z
file_id: '11416'
file_name: 2021_PKC_Walter.pdf
file_size: 489017
relation: main_file
success: 1
file_date_updated: 2022-05-27T09:48:31Z
has_accepted_license: '1'
intvolume: ' 12710'
language:
- iso: eng
month: '05'
oa: 1
oa_version: Published Version
page: 45-67
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Public-Key Cryptography – PKC 2021
publication_identifier:
eissn:
- '16113349'
isbn:
- '9783030752446'
issn:
- '03029743'
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: The convergence of slide-type reductions
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 12710
year: '2021'
...
---
_id: '9826'
abstract:
- lang: eng
text: "Automated contract tracing aims at supporting manual contact tracing during
pandemics by alerting users of encounters with infected people. There are currently
many proposals for protocols (like the “decentralized” DP-3T and PACT or the “centralized”
ROBERT and DESIRE) to be run on mobile phones, where the basic idea is to regularly
broadcast (using low energy Bluetooth) some values, and at the same time store
(a function of) incoming messages broadcasted by users in their proximity. In
the existing proposals one can trigger false positives on a massive scale by an
“inverse-Sybil” attack, where a large number of devices (malicious users or hacked
phones) pretend to be the same user, such that later, just a single person needs
to be diagnosed (and allowed to upload) to trigger an alert for all users who
were in proximity to any of this large group of devices.\r\n\r\nWe propose the
first protocols that do not succumb to such attacks assuming the devices involved
in the attack do not constantly communicate, which we observe is a necessary assumption.
The high level idea of the protocols is to derive the values to be broadcasted
by a hash chain, so that two (or more) devices who want to launch an inverse-Sybil
attack will not be able to connect their respective chains and thus only one of
them will be able to upload. Our protocols also achieve security against replay,
belated replay, and one of them even against relay attacks."
acknowledgement: Guillermo Pascual-Perez and Michelle Yeo were funded by the European
Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska–Curie
Grant Agreement No. 665385; the remaining contributors to this project have received
funding from the European Research Council (ERC) under the European Union’s Horizon
2020 research and innovation programme (682815 - TOCNeT).
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Benedikt
full_name: Auerbach, Benedikt
id: D33D2B18-E445-11E9-ABB7-15F4E5697425
last_name: Auerbach
orcid: 0000-0002-7553-6606
- first_name: Suvradip
full_name: Chakraborty, Suvradip
id: B9CD0494-D033-11E9-B219-A439E6697425
last_name: Chakraborty
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Guillermo
full_name: Pascual Perez, Guillermo
id: 2D7ABD02-F248-11E8-B48F-1D18A9856A87
last_name: Pascual Perez
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
- first_name: Michelle X
full_name: Yeo, Michelle X
id: 2D82B818-F248-11E8-B48F-1D18A9856A87
last_name: Yeo
citation:
ama: 'Auerbach B, Chakraborty S, Klein K, et al. Inverse-Sybil attacks in automated
contact tracing. In: Topics in Cryptology – CT-RSA 2021. Vol 12704. Springer
Nature; 2021:399-421. doi:10.1007/978-3-030-75539-3_17'
apa: 'Auerbach, B., Chakraborty, S., Klein, K., Pascual Perez, G., Pietrzak, K.
Z., Walter, M., & Yeo, M. X. (2021). Inverse-Sybil attacks in automated contact
tracing. In Topics in Cryptology – CT-RSA 2021 (Vol. 12704, pp. 399–421).
Virtual Event: Springer Nature. https://doi.org/10.1007/978-3-030-75539-3_17'
chicago: Auerbach, Benedikt, Suvradip Chakraborty, Karen Klein, Guillermo Pascual
Perez, Krzysztof Z Pietrzak, Michael Walter, and Michelle X Yeo. “Inverse-Sybil
Attacks in Automated Contact Tracing.” In Topics in Cryptology – CT-RSA 2021,
12704:399–421. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-75539-3_17.
ieee: B. Auerbach et al., “Inverse-Sybil attacks in automated contact tracing,”
in Topics in Cryptology – CT-RSA 2021, Virtual Event, 2021, vol. 12704,
pp. 399–421.
ista: 'Auerbach B, Chakraborty S, Klein K, Pascual Perez G, Pietrzak KZ, Walter
M, Yeo MX. 2021. Inverse-Sybil attacks in automated contact tracing. Topics in
Cryptology – CT-RSA 2021. CT-RSA: Cryptographers’ Track at the RSA Conference,
LNCS, vol. 12704, 399–421.'
mla: Auerbach, Benedikt, et al. “Inverse-Sybil Attacks in Automated Contact Tracing.”
Topics in Cryptology – CT-RSA 2021, vol. 12704, Springer Nature, 2021,
pp. 399–421, doi:10.1007/978-3-030-75539-3_17.
short: B. Auerbach, S. Chakraborty, K. Klein, G. Pascual Perez, K.Z. Pietrzak, M.
Walter, M.X. Yeo, in:, Topics in Cryptology – CT-RSA 2021, Springer Nature, 2021,
pp. 399–421.
conference:
end_date: 2021-05-20
location: Virtual Event
name: 'CT-RSA: Cryptographers’ Track at the RSA Conference'
start_date: 2021-05-17
date_created: 2021-08-08T22:01:30Z
date_published: 2021-05-11T00:00:00Z
date_updated: 2023-02-23T14:09:56Z
day: '11'
department:
- _id: KrPi
- _id: GradSch
doi: 10.1007/978-3-030-75539-3_17
ec_funded: 1
intvolume: ' 12704'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2020/670
month: '05'
oa: 1
oa_version: Submitted Version
page: 399-421
project:
- _id: 2564DBCA-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '665385'
name: International IST Doctoral Program
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Topics in Cryptology – CT-RSA 2021
publication_identifier:
eissn:
- '16113349'
isbn:
- '9783030755386'
issn:
- '03029743'
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Inverse-Sybil attacks in automated contact tracing
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 12704
year: '2021'
...
---
_id: '9825'
abstract:
- lang: eng
text: "The dual attack has long been considered a relevant attack on lattice-based
cryptographic schemes relying on the hardness of learning with errors (LWE) and
its structured variants. As solving LWE corresponds to finding a nearest point
on a lattice, one may naturally wonder how efficient this dual approach is for
solving more general closest vector problems, such as the classical closest vector
problem (CVP), the variants bounded distance decoding (BDD) and approximate CVP,
and preprocessing versions of these problems. While primal, sieving-based solutions
to these problems (with preprocessing) were recently studied in a series of works
on approximate Voronoi cells [Laa16b, DLdW19, Laa20, DLvW20], for the dual attack
no such overview exists, especially for problems with preprocessing. With one
of the take-away messages of the approximate Voronoi cell line of work being that
primal attacks work well for approximate CVP(P) but scale poorly for BDD(P), one
may further wonder if the dual attack suffers the same drawbacks, or if it is
perhaps a better solution when trying to solve BDD(P).\r\n\r\nIn this work we
provide an overview of cost estimates for dual algorithms for solving these “classical”
closest lattice vector problems. Heuristically we expect to solve the search version
of average-case CVPP in time and space 20.293\U0001D451+\U0001D45C(\U0001D451)
\ in the single-target model. The distinguishing version of average-case CVPP,
where we wish to distinguish between random targets and targets planted at distance
(say) 0.99⋅\U0001D454\U0001D451 from the lattice, has the same complexity in
the single-target model, but can be solved in time and space 20.195\U0001D451+\U0001D45C(\U0001D451)
\ in the multi-target setting, when given a large number of targets from either
target distribution. This suggests an inequivalence between distinguishing and
searching, as we do not expect a similar improvement in the multi-target setting
to hold for search-CVPP. We analyze three slightly different decoders, both for
distinguishing and searching, and experimentally obtain concrete cost estimates
for the dual attack in dimensions 50 to 80, which confirm our heuristic assumptions,
and show that the hidden order terms in the asymptotic estimates are quite small.\r\n\r\nOur
main take-away message is that the dual attack appears to mirror the approximate
Voronoi cell line of work – whereas using approximate Voronoi cells works well
for approximate CVP(P) but scales poorly for BDD(P), the dual approach scales
well for BDD(P) instances but performs poorly on approximate CVP(P)."
acknowledgement: The authors thank Sauvik Bhattacharya, L´eo Ducas, Rachel Player,
and Christine van Vredendaal for early discussions on this topic and on preliminary
results. The authors further thank the reviewers of CT-RSA 2021 for their valuable
feedback.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Thijs
full_name: Laarhoven, Thijs
last_name: Laarhoven
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
citation:
ama: 'Laarhoven T, Walter M. Dual lattice attacks for closest vector problems (with
preprocessing). In: Topics in Cryptology – CT-RSA 2021. Vol 12704. Springer
Nature; 2021:478-502. doi:10.1007/978-3-030-75539-3_20'
apa: 'Laarhoven, T., & Walter, M. (2021). Dual lattice attacks for closest vector
problems (with preprocessing). In Topics in Cryptology – CT-RSA 2021 (Vol.
12704, pp. 478–502). Virtual Event: Springer Nature. https://doi.org/10.1007/978-3-030-75539-3_20'
chicago: Laarhoven, Thijs, and Michael Walter. “Dual Lattice Attacks for Closest
Vector Problems (with Preprocessing).” In Topics in Cryptology – CT-RSA 2021,
12704:478–502. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-75539-3_20.
ieee: T. Laarhoven and M. Walter, “Dual lattice attacks for closest vector problems
(with preprocessing),” in Topics in Cryptology – CT-RSA 2021, Virtual Event,
2021, vol. 12704, pp. 478–502.
ista: 'Laarhoven T, Walter M. 2021. Dual lattice attacks for closest vector problems
(with preprocessing). Topics in Cryptology – CT-RSA 2021. CT-RSA: Cryptographers’
Track at the RSA Conference, LNCS, vol. 12704, 478–502.'
mla: Laarhoven, Thijs, and Michael Walter. “Dual Lattice Attacks for Closest Vector
Problems (with Preprocessing).” Topics in Cryptology – CT-RSA 2021, vol.
12704, Springer Nature, 2021, pp. 478–502, doi:10.1007/978-3-030-75539-3_20.
short: T. Laarhoven, M. Walter, in:, Topics in Cryptology – CT-RSA 2021, Springer
Nature, 2021, pp. 478–502.
conference:
end_date: 2021-05-20
location: Virtual Event
name: 'CT-RSA: Cryptographers’ Track at the RSA Conference'
start_date: 2021-05-17
date_created: 2021-08-08T22:01:30Z
date_published: 2021-05-11T00:00:00Z
date_updated: 2023-02-23T14:09:54Z
day: '11'
department:
- _id: KrPi
doi: 10.1007/978-3-030-75539-3_20
intvolume: ' 12704'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2021/557
month: '05'
oa: 1
oa_version: Preprint
page: 478-502
publication: Topics in Cryptology – CT-RSA 2021
publication_identifier:
eissn:
- '16113349'
isbn:
- '9783030755386'
issn:
- '03029743'
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Dual lattice attacks for closest vector problems (with preprocessing)
type: conference
user_id: 6785fbc1-c503-11eb-8a32-93094b40e1cf
volume: 12704
year: '2021'
...
---
_id: '10407'
abstract:
- lang: eng
text: Digital hardware Trojans are integrated circuits whose implementation differ
from the specification in an arbitrary and malicious way. For example, the circuit
can differ from its specified input/output behavior after some fixed number of
queries (known as “time bombs”) or on some particular input (known as “cheat codes”).
To detect such Trojans, countermeasures using multiparty computation (MPC) or
verifiable computation (VC) have been proposed. On a high level, to realize a
circuit with specification F one has more sophisticated circuits F⋄ manufactured
(where F⋄ specifies a MPC or VC of F ), and then embeds these F⋄ ’s into
a master circuit which must be trusted but is relatively simple compared to F
. Those solutions impose a significant overhead as F⋄ is much more complex
than F , also the master circuits are not exactly trivial. In this work, we
show that in restricted settings, where F has no evolving state and is queried
on independent inputs, we can achieve a relaxed security notion using very simple
constructions. In particular, we do not change the specification of the circuit
at all (i.e., F=F⋄ ). Moreover the master circuit basically just queries a subset
of its manufactured circuits and checks if they’re all the same. The security
we achieve guarantees that, if the manufactured circuits are initially tested
on up to T inputs, the master circuit will catch Trojans that try to deviate on
significantly more than a 1/T fraction of the inputs. This bound is optimal for
the type of construction considered, and we provably achieve it using a construction
where 12 instantiations of F need to be embedded into the master. We also discuss
an extremely simple construction with just 2 instantiations for which we conjecture
that it already achieves the optimal bound.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Suvradip
full_name: Chakraborty, Suvradip
id: B9CD0494-D033-11E9-B219-A439E6697425
last_name: Chakraborty
- first_name: Stefan
full_name: Dziembowski, Stefan
last_name: Dziembowski
- first_name: Małgorzata
full_name: Gałązka, Małgorzata
last_name: Gałązka
- first_name: Tomasz
full_name: Lizurej, Tomasz
last_name: Lizurej
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Michelle X
full_name: Yeo, Michelle X
id: 2D82B818-F248-11E8-B48F-1D18A9856A87
last_name: Yeo
citation:
ama: 'Chakraborty S, Dziembowski S, Gałązka M, Lizurej T, Pietrzak KZ, Yeo MX. Trojan-resilience
without cryptography. In: Vol 13043. Springer Nature; 2021:397-428. doi:10.1007/978-3-030-90453-1_14'
apa: 'Chakraborty, S., Dziembowski, S., Gałązka, M., Lizurej, T., Pietrzak, K. Z.,
& Yeo, M. X. (2021). Trojan-resilience without cryptography (Vol. 13043, pp.
397–428). Presented at the TCC: Theory of Cryptography Conference, Raleigh, NC,
United States: Springer Nature. https://doi.org/10.1007/978-3-030-90453-1_14'
chicago: Chakraborty, Suvradip, Stefan Dziembowski, Małgorzata Gałązka, Tomasz Lizurej,
Krzysztof Z Pietrzak, and Michelle X Yeo. “Trojan-Resilience without Cryptography,”
13043:397–428. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-90453-1_14.
ieee: 'S. Chakraborty, S. Dziembowski, M. Gałązka, T. Lizurej, K. Z. Pietrzak, and
M. X. Yeo, “Trojan-resilience without cryptography,” presented at the TCC: Theory
of Cryptography Conference, Raleigh, NC, United States, 2021, vol. 13043, pp.
397–428.'
ista: 'Chakraborty S, Dziembowski S, Gałązka M, Lizurej T, Pietrzak KZ, Yeo MX.
2021. Trojan-resilience without cryptography. TCC: Theory of Cryptography Conference,
LNCS, vol. 13043, 397–428.'
mla: Chakraborty, Suvradip, et al. Trojan-Resilience without Cryptography.
Vol. 13043, Springer Nature, 2021, pp. 397–428, doi:10.1007/978-3-030-90453-1_14.
short: S. Chakraborty, S. Dziembowski, M. Gałązka, T. Lizurej, K.Z. Pietrzak, M.X.
Yeo, in:, Springer Nature, 2021, pp. 397–428.
conference:
end_date: 2021-11-11
location: Raleigh, NC, United States
name: 'TCC: Theory of Cryptography Conference'
start_date: 2021-11-08
date_created: 2021-12-05T23:01:42Z
date_published: 2021-11-04T00:00:00Z
date_updated: 2023-08-14T13:07:46Z
day: '04'
department:
- _id: KrPi
doi: 10.1007/978-3-030-90453-1_14
ec_funded: 1
external_id:
isi:
- '000728364000014'
intvolume: ' 13043'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2021/1224
month: '11'
oa: 1
oa_version: Preprint
page: 397-428
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
eissn:
- 1611-3349
isbn:
- 9-783-0309-0452-4
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Trojan-resilience without cryptography
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
volume: 13043
year: '2021'
...
---
_id: '10408'
abstract:
- lang: eng
text: 'Key trees are often the best solution in terms of transmission cost and storage
requirements for managing keys in a setting where a group needs to share a secret
key, while being able to efficiently rotate the key material of users (in order
to recover from a potential compromise, or to add or remove users). Applications
include multicast encryption protocols like LKH (Logical Key Hierarchies) or group
messaging like the current IETF proposal TreeKEM. A key tree is a (typically balanced)
binary tree, where each node is identified with a key: leaf nodes hold users’
secret keys while the root is the shared group key. For a group of size N, each
user just holds log(N) keys (the keys on the path from its leaf to the root)
and its entire key material can be rotated by broadcasting 2log(N) ciphertexts
(encrypting each fresh key on the path under the keys of its parents). In this
work we consider the natural setting where we have many groups with partially
overlapping sets of users, and ask if we can find solutions where the cost of
rotating a key is better than in the trivial one where we have a separate key
tree for each group. We show that in an asymptotic setting (where the number m
of groups is fixed while the number N of users grows) there exist more general
key graphs whose cost converges to the cost of a single group, thus saving a factor
linear in the number of groups over the trivial solution. As our asymptotic “solution”
converges very slowly and performs poorly on concrete examples, we propose an
algorithm that uses a natural heuristic to compute a key graph for any given group
structure. Our algorithm combines two greedy algorithms, and is thus very efficient:
it first converts the group structure into a “lattice graph”, which is then turned
into a key graph by repeatedly applying the algorithm for constructing a Huffman
code. To better understand how far our proposal is from an optimal solution, we
prove lower bounds on the update cost of continuous group-key agreement and multicast
encryption in a symbolic model admitting (asymmetric) encryption, pseudorandom
generators, and secret sharing as building blocks.'
acknowledgement: B. Auerbach, M.A. Baig and K. Pietrzak—received funding from the
European Research Council (ERC) under the European Union’s Horizon 2020 research
and innovation programme (682815 - TOCNeT); Karen Klein was supported in part by
ERC CoG grant 724307 and conducted part of this work at IST Austria, funded by the
ERC under the European Union’s Horizon 2020 research and innovation programme (682815
- TOCNeT); Guillermo Pascual-Perez was funded by the European Union’s Horizon 2020
research and innovation programme under the Marie Skłodowska-Curie Grant Agreement
No. 665385; Michael Walter conducted part of this work at IST Austria, funded by
the ERC under the European Union’s Horizon 2020 research and innovation programme
(682815 - TOCNeT).
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Benedikt
full_name: Auerbach, Benedikt
id: D33D2B18-E445-11E9-ABB7-15F4E5697425
last_name: Auerbach
orcid: 0000-0002-7553-6606
- first_name: Mirza Ahad
full_name: Baig, Mirza Ahad
id: 3EDE6DE4-AA5A-11E9-986D-341CE6697425
last_name: Baig
- first_name: Miguel
full_name: Cueto Noval, Miguel
id: ffc563a3-f6e0-11ea-865d-e3cce03d17cc
last_name: Cueto Noval
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Guillermo
full_name: Pascual Perez, Guillermo
id: 2D7ABD02-F248-11E8-B48F-1D18A9856A87
last_name: Pascual Perez
orcid: 0000-0001-8630-415X
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
citation:
ama: 'Alwen JF, Auerbach B, Baig MA, et al. Grafting key trees: Efficient key management
for overlapping groups. In: 19th International Conference. Vol 13044. Springer
Nature; 2021:222-253. doi:10.1007/978-3-030-90456-2_8'
apa: 'Alwen, J. F., Auerbach, B., Baig, M. A., Cueto Noval, M., Klein, K., Pascual
Perez, G., … Walter, M. (2021). Grafting key trees: Efficient key management for
overlapping groups. In 19th International Conference (Vol. 13044, pp. 222–253).
Raleigh, NC, United States: Springer Nature. https://doi.org/10.1007/978-3-030-90456-2_8'
chicago: 'Alwen, Joel F, Benedikt Auerbach, Mirza Ahad Baig, Miguel Cueto Noval,
Karen Klein, Guillermo Pascual Perez, Krzysztof Z Pietrzak, and Michael Walter.
“Grafting Key Trees: Efficient Key Management for Overlapping Groups.” In 19th
International Conference, 13044:222–53. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-90456-2_8.'
ieee: 'J. F. Alwen et al., “Grafting key trees: Efficient key management
for overlapping groups,” in 19th International Conference, Raleigh, NC,
United States, 2021, vol. 13044, pp. 222–253.'
ista: 'Alwen JF, Auerbach B, Baig MA, Cueto Noval M, Klein K, Pascual Perez G, Pietrzak
KZ, Walter M. 2021. Grafting key trees: Efficient key management for overlapping
groups. 19th International Conference. TCC: Theory of Cryptography, LNCS, vol.
13044, 222–253.'
mla: 'Alwen, Joel F., et al. “Grafting Key Trees: Efficient Key Management for Overlapping
Groups.” 19th International Conference, vol. 13044, Springer Nature, 2021,
pp. 222–53, doi:10.1007/978-3-030-90456-2_8.'
short: J.F. Alwen, B. Auerbach, M.A. Baig, M. Cueto Noval, K. Klein, G. Pascual
Perez, K.Z. Pietrzak, M. Walter, in:, 19th International Conference, Springer
Nature, 2021, pp. 222–253.
conference:
end_date: 2021-11-11
location: Raleigh, NC, United States
name: 'TCC: Theory of Cryptography'
start_date: 2021-11-08
date_created: 2021-12-05T23:01:42Z
date_published: 2021-11-04T00:00:00Z
date_updated: 2023-08-14T13:19:39Z
day: '04'
department:
- _id: KrPi
doi: 10.1007/978-3-030-90456-2_8
ec_funded: 1
external_id:
isi:
- '000728363700008'
intvolume: ' 13044'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2021/1158
month: '11'
oa: 1
oa_version: Preprint
page: 222-253
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
- _id: 2564DBCA-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '665385'
name: International IST Doctoral Program
publication: 19th International Conference
publication_identifier:
eisbn:
- 978-3-030-90456-2
eissn:
- 1611-3349
isbn:
- 9-783-0309-0455-5
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'Grafting key trees: Efficient key management for overlapping groups'
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
volume: 13044
year: '2021'
...
---
_id: '10409'
abstract:
- lang: eng
text: We show that Yao’s garbling scheme is adaptively indistinguishable for the
class of Boolean circuits of size S and treewidth w with only a SO(w) loss
in security. For instance, circuits with constant treewidth are as a result adaptively
indistinguishable with only a polynomial loss. This (partially) complements a
negative result of Applebaum et al. (Crypto 2013), which showed (assuming one-way
functions) that Yao’s garbling scheme cannot be adaptively simulatable. As main
technical contributions, we introduce a new pebble game that abstracts out our
security reduction and then present a pebbling strategy for this game where the
number of pebbles used is roughly O(δwlog(S)) , δ being the fan-out of the
circuit. The design of the strategy relies on separators, a graph-theoretic notion
with connections to circuit complexity. with only a SO(w) loss in security.
For instance, circuits with constant treewidth are as a result adaptively indistinguishable
with only a polynomial loss. This (partially) complements a negative result of
Applebaum et al. (Crypto 2013), which showed (assuming one-way functions) that
Yao’s garbling scheme cannot be adaptively simulatable. As main technical contributions,
we introduce a new pebble game that abstracts out our security reduction and then
present a pebbling strategy for this game where the number of pebbles used is
roughly O(δwlog(S)) , δ being the fan-out of the circuit. The design of the
strategy relies on separators, a graph-theoretic notion with connections to circuit
complexity.
acknowledgement: We are grateful to Daniel Wichs for helpful discussions on the landscape
of adaptive security of Yao’s garbling. We would also like to thank Crypto 2021
and TCC 2021 reviewers for their detailed review and suggestions, which helped improve
presentation considerably.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Kamath Hosdurg C, Klein K, Pietrzak KZ. On treewidth, separators and Yao’s
garbling. In: 19th International Conference. Vol 13043. Springer Nature;
2021:486-517. doi:10.1007/978-3-030-90453-1_17'
apa: 'Kamath Hosdurg, C., Klein, K., & Pietrzak, K. Z. (2021). On treewidth,
separators and Yao’s garbling. In 19th International Conference (Vol. 13043,
pp. 486–517). Raleigh, NC, United States: Springer Nature. https://doi.org/10.1007/978-3-030-90453-1_17'
chicago: Kamath Hosdurg, Chethan, Karen Klein, and Krzysztof Z Pietrzak. “On Treewidth,
Separators and Yao’s Garbling.” In 19th International Conference, 13043:486–517.
Springer Nature, 2021. https://doi.org/10.1007/978-3-030-90453-1_17.
ieee: C. Kamath Hosdurg, K. Klein, and K. Z. Pietrzak, “On treewidth, separators
and Yao’s garbling,” in 19th International Conference, Raleigh, NC, United
States, 2021, vol. 13043, pp. 486–517.
ista: 'Kamath Hosdurg C, Klein K, Pietrzak KZ. 2021. On treewidth, separators and
Yao’s garbling. 19th International Conference. TCC: Theory of Cryptography, LNCS,
vol. 13043, 486–517.'
mla: Kamath Hosdurg, Chethan, et al. “On Treewidth, Separators and Yao’s Garbling.”
19th International Conference, vol. 13043, Springer Nature, 2021, pp. 486–517,
doi:10.1007/978-3-030-90453-1_17.
short: C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, in:, 19th International Conference,
Springer Nature, 2021, pp. 486–517.
conference:
end_date: 2021-11-11
location: Raleigh, NC, United States
name: 'TCC: Theory of Cryptography'
start_date: 2021-11-08
date_created: 2021-12-05T23:01:43Z
date_published: 2021-11-04T00:00:00Z
date_updated: 2023-08-17T06:21:38Z
day: '04'
department:
- _id: KrPi
doi: 10.1007/978-3-030-90453-1_17
ec_funded: 1
external_id:
isi:
- '000728364000017'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2021/926
month: '11'
oa: 1
oa_version: Preprint
page: 486-517
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: 19th International Conference
publication_identifier:
eissn:
- 1611-3349
isbn:
- 9-783-0309-0452-4
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
related_material:
record:
- id: '10044'
relation: earlier_version
status: public
scopus_import: '1'
status: public
title: On treewidth, separators and Yao’s garbling
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
volume: '13043 '
year: '2021'
...
---
_id: '10609'
abstract:
- lang: eng
text: "We study Multi-party computation (MPC) in the setting of subversion, where
the adversary tampers with the machines of honest parties. Our goal is to construct
actively secure MPC protocols where parties are corrupted adaptively by an adversary
(as in the standard adaptive security setting), and in addition, honest parties’
machines are compromised.\r\nThe idea of reverse firewalls (RF) was introduced
at EUROCRYPT’15 by Mironov and Stephens-Davidowitz as an approach to protecting
protocols against corruption of honest parties’ devices. Intuitively, an RF for
a party P is an external entity that sits between P and the outside world
and whose scope is to sanitize P ’s incoming and outgoing messages in the face
of subversion of their computer. Mironov and Stephens-Davidowitz constructed a
protocol for passively-secure two-party computation. At CRYPTO’20, Chakraborty,
Dziembowski and Nielsen constructed a protocol for secure computation with firewalls
that improved on this result, both by extending it to multi-party computation
protocol, and considering active security in the presence of static corruptions.
In this paper, we initiate the study of RF for MPC in the adaptive setting. We
put forward a definition for adaptively secure MPC in the reverse firewall setting,
explore relationships among the security notions, and then construct reverse firewalls
for MPC in this stronger setting of adaptive security. We also resolve the open
question of Chakraborty, Dziembowski and Nielsen by removing the need for a trusted
setup in constructing RF for MPC. Towards this end, we construct reverse firewalls
for adaptively secure augmented coin tossing and adaptively secure zero-knowledge
protocols and obtain a constant round adaptively secure MPC protocol in the reverse
firewall setting without setup. Along the way, we propose a new multi-party adaptively
secure coin tossing protocol in the plain model, that is of independent interest."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Suvradip
full_name: Chakraborty, Suvradip
id: B9CD0494-D033-11E9-B219-A439E6697425
last_name: Chakraborty
- first_name: Chaya
full_name: Ganesh, Chaya
last_name: Ganesh
- first_name: Mahak
full_name: Pancholi, Mahak
last_name: Pancholi
- first_name: Pratik
full_name: Sarkar, Pratik
last_name: Sarkar
citation:
ama: 'Chakraborty S, Ganesh C, Pancholi M, Sarkar P. Reverse firewalls for adaptively
secure MPC without setup. In: 27th International Conference on the Theory and
Application of Cryptology and Information Security. Vol 13091. Springer Nature;
2021:335-364. doi:10.1007/978-3-030-92075-3_12'
apa: 'Chakraborty, S., Ganesh, C., Pancholi, M., & Sarkar, P. (2021). Reverse
firewalls for adaptively secure MPC without setup. In 27th International Conference
on the Theory and Application of Cryptology and Information Security (Vol.
13091, pp. 335–364). Virtual, Singapore: Springer Nature. https://doi.org/10.1007/978-3-030-92075-3_12'
chicago: Chakraborty, Suvradip, Chaya Ganesh, Mahak Pancholi, and Pratik Sarkar.
“Reverse Firewalls for Adaptively Secure MPC without Setup.” In 27th International
Conference on the Theory and Application of Cryptology and Information Security,
13091:335–64. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-92075-3_12.
ieee: S. Chakraborty, C. Ganesh, M. Pancholi, and P. Sarkar, “Reverse firewalls
for adaptively secure MPC without setup,” in 27th International Conference
on the Theory and Application of Cryptology and Information Security, Virtual,
Singapore, 2021, vol. 13091, pp. 335–364.
ista: 'Chakraborty S, Ganesh C, Pancholi M, Sarkar P. 2021. Reverse firewalls for
adaptively secure MPC without setup. 27th International Conference on the Theory
and Application of Cryptology and Information Security. ASIACRYPT: International
Conference on Cryptology in Asia, LNCS, vol. 13091, 335–364.'
mla: Chakraborty, Suvradip, et al. “Reverse Firewalls for Adaptively Secure MPC
without Setup.” 27th International Conference on the Theory and Application
of Cryptology and Information Security, vol. 13091, Springer Nature, 2021,
pp. 335–64, doi:10.1007/978-3-030-92075-3_12.
short: S. Chakraborty, C. Ganesh, M. Pancholi, P. Sarkar, in:, 27th International
Conference on the Theory and Application of Cryptology and Information Security,
Springer Nature, 2021, pp. 335–364.
conference:
end_date: 2021-12-10
location: Virtual, Singapore
name: 'ASIACRYPT: International Conference on Cryptology in Asia'
start_date: 2021-12-06
date_created: 2022-01-09T23:01:27Z
date_published: 2021-12-01T00:00:00Z
date_updated: 2023-08-17T06:34:41Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-030-92075-3_12
ec_funded: 1
external_id:
isi:
- '000927876200012'
intvolume: ' 13091'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2021/1262
month: '12'
oa: 1
oa_version: Preprint
page: 335-364
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: 27th International Conference on the Theory and Application of Cryptology
and Information Security
publication_identifier:
eisbn:
- 978-3-030-92075-3
eissn:
- 1611-3349
isbn:
- 978-3-030-92074-6
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Reverse firewalls for adaptively secure MPC without setup
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
volume: 13091
year: '2021'
...
---
_id: '10041'
abstract:
- lang: eng
text: Yao’s garbling scheme is one of the most fundamental cryptographic constructions.
Lindell and Pinkas (Journal of Cryptograhy 2009) gave a formal proof of security
in the selective setting where the adversary chooses the challenge inputs before
seeing the garbled circuit assuming secure symmetric-key encryption (and hence
one-way functions). This was followed by results, both positive and negative,
concerning its security in the, stronger, adaptive setting. Applebaum et al. (Crypto
2013) showed that it cannot satisfy adaptive security as is, due to a simple incompressibility
argument. Jafargholi and Wichs (TCC 2017) considered a natural adaptation of Yao’s
scheme (where the output mapping is sent in the online phase, together with the
garbled input) that circumvents this negative result, and proved that it is adaptively
secure, at least for shallow circuits. In particular, they showed that for the
class of circuits of depth δ , the loss in security is at most exponential in δ
. The above results all concern the simulation-based notion of security. In this
work, we show that the upper bound of Jafargholi and Wichs is basically optimal
in a strong sense. As our main result, we show that there exists a family of Boolean
circuits, one for each depth δ∈N , such that any black-box reduction proving
the adaptive indistinguishability of the natural adaptation of Yao’s scheme from
any symmetric-key encryption has to lose a factor that is exponential in δ√
. Since indistinguishability is a weaker notion than simulation, our bound also
applies to adaptive simulation. To establish our results, we build on the recent
approach of Kamath et al. (Eprint 2021), which uses pebbling lower bounds in conjunction
with oracle separations to prove fine-grained lower bounds on loss in cryptographic
security.
acknowledgement: We would like to thank the anonymous reviewers of Crypto’21 whose
detailed comments helped us considerably improve the presentation of the paper.
alternative_title:
- LCNS
article_processing_charge: No
author:
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Daniel
full_name: Wichs, Daniel
last_name: Wichs
citation:
ama: 'Kamath Hosdurg C, Klein K, Pietrzak KZ, Wichs D. Limits on the Adaptive Security
of Yao’s Garbling. In: 41st Annual International Cryptology Conference, Part
II . Vol 12826. Cham: Springer Nature; 2021:486-515. doi:10.1007/978-3-030-84245-1_17'
apa: 'Kamath Hosdurg, C., Klein, K., Pietrzak, K. Z., & Wichs, D. (2021). Limits
on the Adaptive Security of Yao’s Garbling. In 41st Annual International Cryptology
Conference, Part II (Vol. 12826, pp. 486–515). Cham: Springer Nature. https://doi.org/10.1007/978-3-030-84245-1_17'
chicago: 'Kamath Hosdurg, Chethan, Karen Klein, Krzysztof Z Pietrzak, and Daniel
Wichs. “Limits on the Adaptive Security of Yao’s Garbling.” In 41st Annual
International Cryptology Conference, Part II , 12826:486–515. Cham: Springer
Nature, 2021. https://doi.org/10.1007/978-3-030-84245-1_17.'
ieee: C. Kamath Hosdurg, K. Klein, K. Z. Pietrzak, and D. Wichs, “Limits on the
Adaptive Security of Yao’s Garbling,” in 41st Annual International Cryptology
Conference, Part II , Virtual, 2021, vol. 12826, pp. 486–515.
ista: 'Kamath Hosdurg C, Klein K, Pietrzak KZ, Wichs D. 2021. Limits on the Adaptive
Security of Yao’s Garbling. 41st Annual International Cryptology Conference, Part
II . CRYPTO: Annual International Cryptology Conference, LCNS, vol. 12826, 486–515.'
mla: Kamath Hosdurg, Chethan, et al. “Limits on the Adaptive Security of Yao’s Garbling.”
41st Annual International Cryptology Conference, Part II , vol. 12826,
Springer Nature, 2021, pp. 486–515, doi:10.1007/978-3-030-84245-1_17.
short: C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, D. Wichs, in:, 41st Annual International
Cryptology Conference, Part II , Springer Nature, Cham, 2021, pp. 486–515.
conference:
end_date: 2021-08-20
location: Virtual
name: 'CRYPTO: Annual International Cryptology Conference'
start_date: 2021-08-16
date_created: 2021-09-23T14:06:15Z
date_published: 2021-08-11T00:00:00Z
date_updated: 2023-09-07T13:32:11Z
day: '11'
department:
- _id: KrPi
doi: 10.1007/978-3-030-84245-1_17
ec_funded: 1
intvolume: ' 12826'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2021/945
month: '08'
oa: 1
oa_version: Preprint
page: 486-515
place: Cham
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: '41st Annual International Cryptology Conference, Part II '
publication_identifier:
eisbn:
- 978-3-030-84245-1
eissn:
- 1611-3349
isbn:
- 978-3-030-84244-4
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
related_material:
record:
- id: '10035'
relation: dissertation_contains
status: public
status: public
title: Limits on the Adaptive Security of Yao’s Garbling
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 12826
year: '2021'
...
---
_id: '10049'
abstract:
- lang: eng
text: While messaging systems with strong security guarantees are widely used in
practice, designing a protocol that scales efficiently to large groups and enjoys
similar security guarantees remains largely open. The two existing proposals to
date are ART (Cohn-Gordon et al., CCS18) and TreeKEM (IETF, The Messaging Layer
Security Protocol, draft). TreeKEM is the currently considered candidate by the
IETF MLS working group, but dynamic group operations (i.e. adding and removing
users) can cause efficiency issues. In this paper we formalize and analyze a variant
of TreeKEM which we term Tainted TreeKEM (TTKEM for short). The basic idea underlying
TTKEM was suggested by Millican (MLS mailing list, February 2018). This version
is more efficient than TreeKEM for some natural distributions of group operations,
we quantify this through simulations.Our second contribution is two security proofs
for TTKEM which establish post compromise and forward secrecy even against adaptive
attackers. The security loss (to the underlying PKE) in the Random Oracle Model
is a polynomial factor, and a quasipolynomial one in the Standard Model. Our proofs
can be adapted to TreeKEM as well. Before our work no security proof for any TreeKEM-like
protocol establishing tight security against an adversary who can adaptively choose
the sequence of operations was known. We also are the first to prove (or even
formalize) active security where the server can arbitrarily deviate from the protocol
specification. Proving fully active security – where also the users can arbitrarily
deviate – remains open.
acknowledgement: The first three authors contributed equally to this work. Funded
by the European Research Council (ERC) under the European Union’s Horizon2020 research
and innovation programme (682815-TOCNeT). Funded by the European Union’s Horizon
2020 research and innovation programme under the Marie Skłodowska-Curie Grant Agreement
No.665385.
article_processing_charge: No
author:
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Guillermo
full_name: Pascual Perez, Guillermo
id: 2D7ABD02-F248-11E8-B48F-1D18A9856A87
last_name: Pascual Perez
orcid: 0000-0001-8630-415X
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Margarita
full_name: Capretto, Margarita
last_name: Capretto
- first_name: Miguel
full_name: Cueto Noval, Miguel
id: ffc563a3-f6e0-11ea-865d-e3cce03d17cc
last_name: Cueto Noval
- first_name: Ilia
full_name: Markov, Ilia
id: D0CF4148-C985-11E9-8066-0BDEE5697425
last_name: Markov
- first_name: Michelle X
full_name: Yeo, Michelle X
id: 2D82B818-F248-11E8-B48F-1D18A9856A87
last_name: Yeo
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Klein K, Pascual Perez G, Walter M, et al. Keep the dirt: tainted TreeKEM,
adaptively and actively secure continuous group key agreement. In: 2021 IEEE
Symposium on Security and Privacy . IEEE; 2021:268-284. doi:10.1109/sp40001.2021.00035'
apa: 'Klein, K., Pascual Perez, G., Walter, M., Kamath Hosdurg, C., Capretto, M.,
Cueto Noval, M., … Pietrzak, K. Z. (2021). Keep the dirt: tainted TreeKEM, adaptively
and actively secure continuous group key agreement. In 2021 IEEE Symposium
on Security and Privacy (pp. 268–284). San Francisco, CA, United States:
IEEE. https://doi.org/10.1109/sp40001.2021.00035'
chicago: 'Klein, Karen, Guillermo Pascual Perez, Michael Walter, Chethan Kamath
Hosdurg, Margarita Capretto, Miguel Cueto Noval, Ilia Markov, Michelle X Yeo,
Joel F Alwen, and Krzysztof Z Pietrzak. “Keep the Dirt: Tainted TreeKEM, Adaptively
and Actively Secure Continuous Group Key Agreement.” In 2021 IEEE Symposium
on Security and Privacy , 268–84. IEEE, 2021. https://doi.org/10.1109/sp40001.2021.00035.'
ieee: 'K. Klein et al., “Keep the dirt: tainted TreeKEM, adaptively and actively
secure continuous group key agreement,” in 2021 IEEE Symposium on Security
and Privacy , San Francisco, CA, United States, 2021, pp. 268–284.'
ista: 'Klein K, Pascual Perez G, Walter M, Kamath Hosdurg C, Capretto M, Cueto Noval
M, Markov I, Yeo MX, Alwen JF, Pietrzak KZ. 2021. Keep the dirt: tainted TreeKEM,
adaptively and actively secure continuous group key agreement. 2021 IEEE Symposium
on Security and Privacy . SP: Symposium on Security and Privacy, 268–284.'
mla: 'Klein, Karen, et al. “Keep the Dirt: Tainted TreeKEM, Adaptively and Actively
Secure Continuous Group Key Agreement.” 2021 IEEE Symposium on Security and
Privacy , IEEE, 2021, pp. 268–84, doi:10.1109/sp40001.2021.00035.'
short: K. Klein, G. Pascual Perez, M. Walter, C. Kamath Hosdurg, M. Capretto, M.
Cueto Noval, I. Markov, M.X. Yeo, J.F. Alwen, K.Z. Pietrzak, in:, 2021 IEEE Symposium
on Security and Privacy , IEEE, 2021, pp. 268–284.
conference:
end_date: 2021-05-27
location: San Francisco, CA, United States
name: 'SP: Symposium on Security and Privacy'
start_date: 2021-05-24
date_created: 2021-09-27T13:46:27Z
date_published: 2021-08-26T00:00:00Z
date_updated: 2023-09-07T13:32:11Z
day: '26'
department:
- _id: KrPi
- _id: DaAl
doi: 10.1109/sp40001.2021.00035
ec_funded: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2019/1489
month: '08'
oa: 1
oa_version: Preprint
page: 268-284
project:
- _id: 2564DBCA-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '665385'
name: International IST Doctoral Program
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: '2021 IEEE Symposium on Security and Privacy '
publication_status: published
publisher: IEEE
quality_controlled: '1'
related_material:
record:
- id: '10035'
relation: dissertation_contains
status: public
status: public
title: 'Keep the dirt: tainted TreeKEM, adaptively and actively secure continuous
group key agreement'
type: conference
user_id: 8b945eb4-e2f2-11eb-945a-df72226e66a9
year: '2021'
...
---
_id: '10044'
abstract:
- lang: eng
text: We show that Yao’s garbling scheme is adaptively indistinguishable for the
class of Boolean circuits of size S and treewidth w with only a S^O(w) loss in
security. For instance, circuits with constant treewidth are as a result adaptively
indistinguishable with only a polynomial loss. This (partially) complements a
negative result of Applebaum et al. (Crypto 2013), which showed (assuming one-way
functions) that Yao’s garbling scheme cannot be adaptively simulatable. As main
technical contributions, we introduce a new pebble game that abstracts out our
security reduction and then present a pebbling strategy for this game where the
number of pebbles used is roughly O(d w log(S)), d being the fan-out of the circuit.
The design of the strategy relies on separators, a graph-theoretic notion with
connections to circuit complexity.
acknowledgement: 'We would like to thank Daniel Wichs for helpful discussions on the
landscape of adaptive security of Yao’s garbling. '
article_number: 2021/926
article_processing_charge: No
author:
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Kamath Hosdurg C, Klein K, Pietrzak KZ. On treewidth, separators and Yao’s
garbling. In: 19th Theory of Cryptography Conference 2021. International
Association for Cryptologic Research; 2021.'
apa: 'Kamath Hosdurg, C., Klein, K., & Pietrzak, K. Z. (2021). On treewidth,
separators and Yao’s garbling. In 19th Theory of Cryptography Conference 2021.
Raleigh, NC, United States: International Association for Cryptologic Research.'
chicago: Kamath Hosdurg, Chethan, Karen Klein, and Krzysztof Z Pietrzak. “On Treewidth,
Separators and Yao’s Garbling.” In 19th Theory of Cryptography Conference 2021.
International Association for Cryptologic Research, 2021.
ieee: C. Kamath Hosdurg, K. Klein, and K. Z. Pietrzak, “On treewidth, separators
and Yao’s garbling,” in 19th Theory of Cryptography Conference 2021, Raleigh,
NC, United States, 2021.
ista: 'Kamath Hosdurg C, Klein K, Pietrzak KZ. 2021. On treewidth, separators and
Yao’s garbling. 19th Theory of Cryptography Conference 2021. TCC: Theory of Cryptography
Conference, 2021/926.'
mla: Kamath Hosdurg, Chethan, et al. “On Treewidth, Separators and Yao’s Garbling.”
19th Theory of Cryptography Conference 2021, 2021/926, International Association
for Cryptologic Research, 2021.
short: C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, in:, 19th Theory of Cryptography
Conference 2021, International Association for Cryptologic Research, 2021.
conference:
end_date: 2021-11-11
location: Raleigh, NC, United States
name: 'TCC: Theory of Cryptography Conference'
start_date: 2021-11-08
date_created: 2021-09-24T12:01:34Z
date_published: 2021-07-08T00:00:00Z
date_updated: 2023-09-07T13:32:11Z
day: '08'
department:
- _id: KrPi
ec_funded: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2021/926
month: '07'
oa: 1
oa_version: Preprint
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: 19th Theory of Cryptography Conference 2021
publication_status: published
publisher: International Association for Cryptologic Research
quality_controlled: '1'
related_material:
record:
- id: '10409'
relation: later_version
status: public
- id: '10035'
relation: dissertation_contains
status: public
status: public
title: On treewidth, separators and Yao's garbling
type: conference
user_id: 8b945eb4-e2f2-11eb-945a-df72226e66a9
year: '2021'
...
---
_id: '10035'
abstract:
- lang: eng
text: 'Many security definitions come in two flavors: a stronger “adaptive” flavor,
where the adversary can arbitrarily make various choices during the course of
the attack, and a weaker “selective” flavor where the adversary must commit to
some or all of their choices a-priori. For example, in the context of identity-based
encryption, selective security requires the adversary to decide on the identity
of the attacked party at the very beginning of the game whereas adaptive security
allows the attacker to first see the master public key and some secret keys before
making this choice. Often, it appears to be much easier to achieve selective security
than it is to achieve adaptive security. A series of several recent works shows
how to cleverly achieve adaptive security in several such scenarios including
generalized selective decryption [Pan07][FJP15], constrained PRFs [FKPR14], and
Yao’s garbled circuits [JW16]. Although the above works expressed vague intuition
that they share a common technique, the connection was never made precise. In
this work we present a new framework (published at Crypto ’17 [JKK+17a]) that
connects all of these works and allows us to present them in a unified and simplified
fashion. Having the framework in place, we show how to achieve adaptive security
for proxy re-encryption schemes (published at PKC ’19 [FKKP19]) and provide the
first adaptive security proofs for continuous group key agreement protocols (published
at S&P ’21 [KPW+21]). Questioning optimality of our framework, we then show that
currently used proof techniques cannot lead to significantly better security guarantees
for "graph-building" games (published at TCC ’21 [KKPW21a]). These games cover
generalized selective decryption, as well as the security of prominent constructions
for constrained PRFs, continuous group key agreement, and proxy re-encryption.
Finally, we revisit the adaptive security of Yao’s garbled circuits and extend
the analysis of Jafargholi and Wichs in two directions: While they prove adaptive
security only for a modified construction with increased online complexity, we
provide the first positive results for the original construction by Yao (published
at TCC ’21 [KKP21a]). On the negative side, we prove that the results of Jafargholi
and Wichs are essentially optimal by showing that no black-box reduction can provide
a significantly better security bound (published at Crypto ’21 [KKPW21c]).'
acknowledgement: "I want to acknowledge the funding by the European Research Council
(ERC) under the European Union’s Horizon 2020 research and innovation programme
(682815 - TOCNeT).\r\n"
alternative_title:
- ISTA Thesis
article_processing_charge: No
author:
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
citation:
ama: Klein K. On the adaptive security of graph-based games. 2021. doi:10.15479/at:ista:10035
apa: Klein, K. (2021). On the adaptive security of graph-based games. Institute
of Science and Technology Austria. https://doi.org/10.15479/at:ista:10035
chicago: Klein, Karen. “On the Adaptive Security of Graph-Based Games.” Institute
of Science and Technology Austria, 2021. https://doi.org/10.15479/at:ista:10035.
ieee: K. Klein, “On the adaptive security of graph-based games,” Institute of Science
and Technology Austria, 2021.
ista: Klein K. 2021. On the adaptive security of graph-based games. Institute of
Science and Technology Austria.
mla: Klein, Karen. On the Adaptive Security of Graph-Based Games. Institute
of Science and Technology Austria, 2021, doi:10.15479/at:ista:10035.
short: K. Klein, On the Adaptive Security of Graph-Based Games, Institute of Science
and Technology Austria, 2021.
date_created: 2021-09-23T07:31:44Z
date_published: 2021-09-23T00:00:00Z
date_updated: 2023-10-17T09:24:07Z
day: '23'
ddc:
- '519'
degree_awarded: PhD
department:
- _id: GradSch
- _id: KrPi
doi: 10.15479/at:ista:10035
ec_funded: 1
file:
- access_level: open_access
checksum: 73a44345c683e81f3e765efbf86fdcc5
content_type: application/pdf
creator: cchlebak
date_created: 2021-10-04T12:22:33Z
date_updated: 2021-10-04T12:22:33Z
file_id: '10082'
file_name: thesis_pdfa.pdf
file_size: 2104726
relation: main_file
success: 1
- access_level: closed
checksum: 7b80df30a0e686c3ef6a56d4e1c59e29
content_type: application/x-zip-compressed
creator: cchlebak
date_created: 2021-10-05T07:04:37Z
date_updated: 2022-03-10T12:15:18Z
file_id: '10085'
file_name: thesis_final (1).zip
file_size: 9538359
relation: source_file
file_date_updated: 2022-03-10T12:15:18Z
has_accepted_license: '1'
language:
- iso: eng
month: '09'
oa: 1
oa_version: Published Version
page: '276'
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
issn:
- 2663-337X
publication_status: published
publisher: Institute of Science and Technology Austria
related_material:
record:
- id: '10044'
relation: part_of_dissertation
status: public
- id: '10049'
relation: part_of_dissertation
status: public
- id: '637'
relation: part_of_dissertation
status: public
- id: '10041'
relation: part_of_dissertation
status: public
- id: '6430'
relation: part_of_dissertation
status: public
- id: '10048'
relation: part_of_dissertation
status: public
status: public
supervisor:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
title: On the adaptive security of graph-based games
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: dissertation
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
year: '2021'
...
---
_id: '10410'
abstract:
- lang: eng
text: The security of cryptographic primitives and protocols against adversaries
that are allowed to make adaptive choices (e.g., which parties to corrupt or which
queries to make) is notoriously difficult to establish. A broad theoretical framework
was introduced by Jafargholi et al. [Crypto’17] for this purpose. In this paper
we initiate the study of lower bounds on loss in adaptive security for certain
cryptographic protocols considered in the framework. We prove lower bounds that
almost match the upper bounds (proven using the framework) for proxy re-encryption,
prefix-constrained PRFs and generalized selective decryption, a security game
that captures the security of certain group messaging and broadcast encryption
schemes. Those primitives have in common that their security game involves an
underlying graph that can be adaptively built by the adversary. Some of our lower
bounds only apply to a restricted class of black-box reductions which we term
“oblivious” (the existing upper bounds are of this restricted type), some apply
to the broader but still restricted class of non-rewinding reductions, while our
lower bound for proxy re-encryption applies to all black-box reductions. The fact
that some of our lower bounds seem to crucially rely on obliviousness or at least
a non-rewinding reduction hints to the exciting possibility that the existing
upper bounds can be improved by using more sophisticated reductions. Our main
conceptual contribution is a two-player multi-stage game called the Builder-Pebbler
Game. We can translate bounds on the winning probabilities for various instantiations
of this game into cryptographic lower bounds for the above-mentioned primitives
using oracle separation techniques.
acknowledgement: C. Kamath—Supported by Azrieli International Postdoctoral Fellowship.
Most of the work was done while the author was at Northeastern University and Charles
University, funded by the IARPA grant IARPA/2019-19-020700009 and project PRIMUS/17/SCI/9,
respectively. K. Klein—Supported in part by ERC CoG grant 724307. Most of the work
was done while the author was at IST Austria funded by the European Research Council
(ERC) under the European Union’s Horizon 2020 research and innovation programme
(682815 - TOCNeT). K. Pietrzak—Funded by the European Research Council (ERC) under
the European Union’s Horizon 2020 research and innovation programme (682815 - TOCNeT).
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
citation:
ama: 'Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. The cost of adaptivity in
security games on graphs. In: 19th International Conference. Vol 13043.
Springer Nature; 2021:550-581. doi:10.1007/978-3-030-90453-1_19'
apa: 'Kamath Hosdurg, C., Klein, K., Pietrzak, K. Z., & Walter, M. (2021). The
cost of adaptivity in security games on graphs. In 19th International Conference
(Vol. 13043, pp. 550–581). Raleigh, NC, United States: Springer Nature. https://doi.org/10.1007/978-3-030-90453-1_19'
chicago: Kamath Hosdurg, Chethan, Karen Klein, Krzysztof Z Pietrzak, and Michael
Walter. “The Cost of Adaptivity in Security Games on Graphs.” In 19th International
Conference, 13043:550–81. Springer Nature, 2021. https://doi.org/10.1007/978-3-030-90453-1_19.
ieee: C. Kamath Hosdurg, K. Klein, K. Z. Pietrzak, and M. Walter, “The cost of adaptivity
in security games on graphs,” in 19th International Conference, Raleigh,
NC, United States, 2021, vol. 13043, pp. 550–581.
ista: 'Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. 2021. The cost of adaptivity
in security games on graphs. 19th International Conference. TCC: Theory of Cryptography,
LNCS, vol. 13043, 550–581.'
mla: Kamath Hosdurg, Chethan, et al. “The Cost of Adaptivity in Security Games on
Graphs.” 19th International Conference, vol. 13043, Springer Nature, 2021,
pp. 550–81, doi:10.1007/978-3-030-90453-1_19.
short: C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, M. Walter, in:, 19th International
Conference, Springer Nature, 2021, pp. 550–581.
conference:
end_date: 2021-11-11
location: Raleigh, NC, United States
name: 'TCC: Theory of Cryptography'
start_date: 2021-11-08
date_created: 2021-12-05T23:01:43Z
date_published: 2021-11-04T00:00:00Z
date_updated: 2023-10-17T09:24:07Z
day: '04'
department:
- _id: KrPi
doi: 10.1007/978-3-030-90453-1_19
ec_funded: 1
external_id:
isi:
- '000728364000019'
intvolume: ' 13043'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://ia.cr/2021/059
month: '11'
oa: 1
oa_version: Preprint
page: 550-581
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: 19th International Conference
publication_identifier:
eissn:
- 1611-3349
isbn:
- 9-783-0309-0452-4
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
related_material:
record:
- id: '10048'
relation: earlier_version
status: public
scopus_import: '1'
status: public
title: The cost of adaptivity in security games on graphs
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
volume: 13043
year: '2021'
...
---
_id: '10048'
abstract:
- lang: eng
text: "The security of cryptographic primitives and protocols against adversaries
that are allowed to make adaptive choices (e.g., which parties to corrupt or which
queries to make) is notoriously difficult to establish. A broad theoretical\r\nframework
was introduced by Jafargholi et al. [Crypto’17] for this purpose. In this paper
we initiate the study of lower bounds on loss in adaptive security for certain
cryptographic protocols considered in the framework. We prove lower\r\nbounds
that almost match the upper bounds (proven using the framework) for proxy re-encryption,
prefix-constrained PRFs and generalized selective decryption, a security game
that captures the security of certain group messaging and\r\nbroadcast encryption
schemes. Those primitives have in common that their security game involves an
underlying graph that can be adaptively built by the adversary. Some of our lower
bounds only apply to a restricted class of black-box reductions which we term
“oblivious” (the existing upper bounds are of this restricted type), some apply
to the broader but still restricted class of non-rewinding reductions, while our
lower bound for proxy re-encryption applies to all black-box reductions. The fact
that some of our lower bounds seem to crucially rely on obliviousness or at least
a non-rewinding reduction hints to the exciting possibility that the existing
upper bounds can be improved by using more sophisticated reductions. Our main
conceptual contribution is a two-player multi-stage game called the Builder-Pebbler
Game. We can translate bounds on the winning probabilities for various instantiations
of this game into cryptographic lower bounds for the above-mentioned primitives
using oracle separation techniques.\r\n"
article_processing_charge: No
author:
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
citation:
ama: 'Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. The cost of adaptivity in
security games on graphs. In: 19th Theory of Cryptography Conference 2021.
International Association for Cryptologic Research; 2021.'
apa: 'Kamath Hosdurg, C., Klein, K., Pietrzak, K. Z., & Walter, M. (2021). The
cost of adaptivity in security games on graphs. In 19th Theory of Cryptography
Conference 2021. Raleigh, NC, United States: International Association for
Cryptologic Research.'
chicago: Kamath Hosdurg, Chethan, Karen Klein, Krzysztof Z Pietrzak, and Michael
Walter. “The Cost of Adaptivity in Security Games on Graphs.” In 19th Theory
of Cryptography Conference 2021. International Association for Cryptologic
Research, 2021.
ieee: C. Kamath Hosdurg, K. Klein, K. Z. Pietrzak, and M. Walter, “The cost of adaptivity
in security games on graphs,” in 19th Theory of Cryptography Conference 2021,
Raleigh, NC, United States, 2021.
ista: 'Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. 2021. The cost of adaptivity
in security games on graphs. 19th Theory of Cryptography Conference 2021. TCC:
Theory of Cryptography Conference.'
mla: Kamath Hosdurg, Chethan, et al. “The Cost of Adaptivity in Security Games on
Graphs.” 19th Theory of Cryptography Conference 2021, International Association
for Cryptologic Research, 2021.
short: C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, M. Walter, in:, 19th Theory of
Cryptography Conference 2021, International Association for Cryptologic Research,
2021.
conference:
end_date: 2021-11-11
location: Raleigh, NC, United States
name: 'TCC: Theory of Cryptography Conference'
start_date: 2021-11-08
date_created: 2021-09-27T12:52:05Z
date_published: 2021-07-08T00:00:00Z
date_updated: 2023-10-17T09:24:08Z
day: '08'
department:
- _id: KrPi
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://ia.cr/2021/059
month: '07'
oa: 1
oa_version: Preprint
publication: 19th Theory of Cryptography Conference 2021
publication_status: published
publisher: International Association for Cryptologic Research
quality_controlled: '1'
related_material:
record:
- id: '10410'
relation: later_version
status: public
- id: '10035'
relation: dissertation_contains
status: public
status: public
title: The cost of adaptivity in security games on graphs
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
year: '2021'
...
---
_id: '9969'
abstract:
- lang: eng
text: 'Payment channel networks are a promising approach to improve the scalability
of cryptocurrencies: they allow to perform transactions in a peer-to-peer fashion,
along multihop routes in the network, without requiring consensus on the blockchain.
However, during the discovery of cost-efficient routes for the transaction, critical
information may be revealed about the transacting entities. This paper initiates
the study of privacy-preserving route discovery mechanisms for payment channel
networks. In particular, we present LightPIR, an approach which allows a client
to learn the shortest (or cheapest in terms of fees) path between two nodes without
revealing any information about the endpoints of the transaction to the servers.
The two main observations which allow for an efficient solution in LightPIR are
that: (1) surprisingly, hub labelling algorithms – which were developed to preprocess
“street network like” graphs so one can later efficiently compute shortest paths
– also perform well for the graphs underlying payment channel networks, and that
(2) hub labelling algorithms can be conveniently combined with private information
retrieval. LightPIR relies on a simple hub labeling heuristic on top of existing
hub labeling algorithms which leverages the specific topological features of cryptocurrency
networks to further minimize storage and bandwidth overheads. In a case study
considering the Lightning network, we show that our approach is an order of magnitude
more efficient compared to a privacy-preserving baseline based on using private
information retrieval on a database that stores all pairs shortest paths.'
article_processing_charge: No
author:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Iosif
full_name: Salem, Iosif
last_name: Salem
- first_name: Stefan
full_name: Schmid, Stefan
last_name: Schmid
- first_name: Michelle X
full_name: Yeo, Michelle X
id: 2D82B818-F248-11E8-B48F-1D18A9856A87
last_name: Yeo
citation:
ama: 'Pietrzak KZ, Salem I, Schmid S, Yeo MX. LightPIR: Privacy-preserving route
discovery for payment channel networks. In: IEEE; 2021. doi:10.23919/IFIPNetworking52078.2021.9472205'
apa: 'Pietrzak, K. Z., Salem, I., Schmid, S., & Yeo, M. X. (2021). LightPIR:
Privacy-preserving route discovery for payment channel networks. Presented at
the 2021 IFIP Networking Conference (IFIP Networking), Espoo and Helsinki, Finland:
IEEE. https://doi.org/10.23919/IFIPNetworking52078.2021.9472205'
chicago: 'Pietrzak, Krzysztof Z, Iosif Salem, Stefan Schmid, and Michelle X Yeo.
“LightPIR: Privacy-Preserving Route Discovery for Payment Channel Networks.” IEEE,
2021. https://doi.org/10.23919/IFIPNetworking52078.2021.9472205.'
ieee: 'K. Z. Pietrzak, I. Salem, S. Schmid, and M. X. Yeo, “LightPIR: Privacy-preserving
route discovery for payment channel networks,” presented at the 2021 IFIP Networking
Conference (IFIP Networking), Espoo and Helsinki, Finland, 2021.'
ista: 'Pietrzak KZ, Salem I, Schmid S, Yeo MX. 2021. LightPIR: Privacy-preserving
route discovery for payment channel networks. 2021 IFIP Networking Conference
(IFIP Networking).'
mla: 'Pietrzak, Krzysztof Z., et al. LightPIR: Privacy-Preserving Route Discovery
for Payment Channel Networks. IEEE, 2021, doi:10.23919/IFIPNetworking52078.2021.9472205.'
short: K.Z. Pietrzak, I. Salem, S. Schmid, M.X. Yeo, in:, IEEE, 2021.
conference:
end_date: 2021-06-24
location: Espoo and Helsinki, Finland
name: 2021 IFIP Networking Conference (IFIP Networking)
start_date: 2021-06-21
date_created: 2021-08-29T22:01:16Z
date_published: 2021-06-21T00:00:00Z
date_updated: 2023-11-30T10:54:50Z
day: '21'
department:
- _id: KrPi
doi: 10.23919/IFIPNetworking52078.2021.9472205
ec_funded: 1
external_id:
arxiv:
- '2104.04293'
isi:
- '000853016800008'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://arxiv.org/abs/2104.04293
month: '06'
oa: 1
oa_version: Submitted Version
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
eisbn:
- 978-3-9031-7639-3
eissn:
- 1861-2288
isbn:
- 978-1-6654-4501-6
publication_status: published
publisher: IEEE
quality_controlled: '1'
related_material:
record:
- id: '14506'
relation: dissertation_contains
status: public
scopus_import: '1'
status: public
title: 'LightPIR: Privacy-preserving route discovery for payment channel networks'
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
year: '2021'
...
---
_id: '8322'
abstract:
- lang: eng
text: "Reverse firewalls were introduced at Eurocrypt 2015 by Miro-nov and Stephens-Davidowitz,
as a method for protecting cryptographic protocols against attacks on the devices
of the honest parties. In a nutshell: a reverse firewall is placed outside of
a device and its goal is to “sanitize” the messages sent by it, in such a way
that a malicious device cannot leak its secrets to the outside world. It is typically
assumed that the cryptographic devices are attacked in a “functionality-preserving
way” (i.e. informally speaking, the functionality of the protocol remains unchanged
under this attacks). In their paper, Mironov and Stephens-Davidowitz construct
a protocol for passively-secure two-party computations with firewalls, leaving
extension of this result to stronger models as an open question.\r\nIn this paper,
we address this problem by constructing a protocol for secure computation with
firewalls that has two main advantages over the original protocol from Eurocrypt
2015. Firstly, it is a multiparty computation protocol (i.e. it works for an arbitrary
number n of the parties, and not just for 2). Secondly, it is secure in much stronger
corruption settings, namely in the active corruption model. More precisely: we
consider an adversary that can fully corrupt up to \U0001D45B−1 parties, while
the remaining parties are corrupt in a functionality-preserving way.\r\nOur core
techniques are: malleable commitments and malleable non-interactive zero-knowledge,
which in particular allow us to create a novel protocol for multiparty augmented
coin-tossing into the well with reverse firewalls (that is based on a protocol
of Lindell from Crypto 2001)."
acknowledgement: We would like to thank the anonymous reviewers for their helpful
comments and suggestions. The work was initiated while the first author was in IIT
Madras, India. Part of this work was done while the author was visiting the University
of Warsaw. This project has received funding from the European Research Council
(ERC) under the European Union’s Horizon 2020 research and innovation programme
(682815 - TOCNeT) and from the Foundation for Polish Science under grant TEAM/2016-1/4
founded within the UE 2014–2020 Smart Growth Operational Program. The last author
was supported by the Independent Research Fund Denmark project BETHE and the Concordium
Blockchain Research Center, Aarhus University, Denmark.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Suvradip
full_name: Chakraborty, Suvradip
id: B9CD0494-D033-11E9-B219-A439E6697425
last_name: Chakraborty
- first_name: Stefan
full_name: Dziembowski, Stefan
last_name: Dziembowski
- first_name: Jesper Buus
full_name: Nielsen, Jesper Buus
last_name: Nielsen
citation:
ama: 'Chakraborty S, Dziembowski S, Nielsen JB. Reverse firewalls for actively secure MPCs.
In: Advances in Cryptology – CRYPTO 2020. Vol 12171. Springer Nature; 2020:732-762.
doi:10.1007/978-3-030-56880-1_26'
apa: 'Chakraborty, S., Dziembowski, S., & Nielsen, J. B. (2020). Reverse firewalls for actively secure MPCs.
In Advances in Cryptology – CRYPTO 2020 (Vol. 12171, pp. 732–762). Santa
Barbara, CA, United States: Springer Nature. https://doi.org/10.1007/978-3-030-56880-1_26'
chicago: Chakraborty, Suvradip, Stefan Dziembowski, and Jesper Buus Nielsen. “Reverse Firewalls for Actively Secure MPCs.”
In Advances in Cryptology – CRYPTO 2020, 12171:732–62. Springer Nature,
2020. https://doi.org/10.1007/978-3-030-56880-1_26.
ieee: S. Chakraborty, S. Dziembowski, and J. B. Nielsen, “Reverse firewalls for actively secure MPCs,”
in Advances in Cryptology – CRYPTO 2020, Santa Barbara, CA, United States,
2020, vol. 12171, pp. 732–762.
ista: 'Chakraborty S, Dziembowski S, Nielsen JB. 2020. Reverse firewalls for actively secure MPCs.
Advances in Cryptology – CRYPTO 2020. CRYPTO: Annual International Cryptology
Conference, LNCS, vol. 12171, 732–762.'
mla: Chakraborty, Suvradip, et al. “Reverse Firewalls for Actively Secure MPCs.”
Advances in Cryptology – CRYPTO 2020, vol. 12171, Springer Nature, 2020,
pp. 732–62, doi:10.1007/978-3-030-56880-1_26.
short: S. Chakraborty, S. Dziembowski, J.B. Nielsen, in:, Advances in Cryptology
– CRYPTO 2020, Springer Nature, 2020, pp. 732–762.
conference:
end_date: 2020-08-21
location: Santa Barbara, CA, United States
name: 'CRYPTO: Annual International Cryptology Conference'
start_date: 2020-08-17
date_created: 2020-08-30T22:01:12Z
date_published: 2020-08-10T00:00:00Z
date_updated: 2021-01-12T08:18:08Z
day: '10'
department:
- _id: KrPi
doi: 10.1007/978-3-030-56880-1_26
ec_funded: 1
intvolume: ' 12171'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2019/1317
month: '08'
oa: 1
oa_version: Preprint
page: 732-762
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Advances in Cryptology – CRYPTO 2020
publication_identifier:
eissn:
- '16113349'
isbn:
- '9783030568795'
issn:
- '03029743'
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Reverse firewalls for actively secure MPCs
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 12171
year: '2020'
...
---
_id: '8339'
abstract:
- lang: eng
text: "Discrete Gaussian distributions over lattices are central to lattice-based
cryptography, and to the computational and mathematical aspects of lattices more
broadly. The literature contains a wealth of useful theorems about the behavior
of discrete Gaussians under convolutions and related operations. Yet despite their
structural similarities, most of these theorems are formally incomparable, and
their proofs tend to be monolithic and written nearly “from scratch,” making them
unnecessarily hard to verify, understand, and extend.\r\nIn this work we present
a modular framework for analyzing linear operations on discrete Gaussian distributions.
The framework abstracts away the particulars of Gaussians, and usually reduces
proofs to the choice of appropriate linear transformations and elementary linear
algebra. To showcase the approach, we establish several general properties of
discrete Gaussians, and show how to obtain all prior convolution theorems (along
with some new ones) as straightforward corollaries. As another application, we
describe a self-reduction for Learning With Errors (LWE) that uses a fixed number
of samples to generate an unlimited number of additional ones (having somewhat
larger error). The distinguishing features of our reduction are its simple analysis
in our framework, and its exclusive use of discrete Gaussians without any loss
in parameters relative to a prior mixed discrete-and-continuous approach.\r\nAs
a contribution of independent interest, for subgaussian random matrices we prove
a singular value concentration bound with explicitly stated constants, and we
give tighter heuristics for specific distributions that are commonly used for
generating lattice trapdoors. These bounds yield improvements in the concrete
bit-security estimates for trapdoor lattice cryptosystems."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Nicholas
full_name: Genise, Nicholas
last_name: Genise
- first_name: Daniele
full_name: Micciancio, Daniele
last_name: Micciancio
- first_name: Chris
full_name: Peikert, Chris
last_name: Peikert
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
citation:
ama: 'Genise N, Micciancio D, Peikert C, Walter M. Improved discrete Gaussian and
subgaussian analysis for lattice cryptography. In: 23rd IACR International
Conference on the Practice and Theory of Public-Key Cryptography. Vol 12110.
Springer Nature; 2020:623-651. doi:10.1007/978-3-030-45374-9_21'
apa: 'Genise, N., Micciancio, D., Peikert, C., & Walter, M. (2020). Improved
discrete Gaussian and subgaussian analysis for lattice cryptography. In 23rd
IACR International Conference on the Practice and Theory of Public-Key Cryptography
(Vol. 12110, pp. 623–651). Edinburgh, United Kingdom: Springer Nature. https://doi.org/10.1007/978-3-030-45374-9_21'
chicago: Genise, Nicholas, Daniele Micciancio, Chris Peikert, and Michael Walter.
“Improved Discrete Gaussian and Subgaussian Analysis for Lattice Cryptography.”
In 23rd IACR International Conference on the Practice and Theory of Public-Key
Cryptography, 12110:623–51. Springer Nature, 2020. https://doi.org/10.1007/978-3-030-45374-9_21.
ieee: N. Genise, D. Micciancio, C. Peikert, and M. Walter, “Improved discrete Gaussian
and subgaussian analysis for lattice cryptography,” in 23rd IACR International
Conference on the Practice and Theory of Public-Key Cryptography, Edinburgh,
United Kingdom, 2020, vol. 12110, pp. 623–651.
ista: 'Genise N, Micciancio D, Peikert C, Walter M. 2020. Improved discrete Gaussian
and subgaussian analysis for lattice cryptography. 23rd IACR International Conference
on the Practice and Theory of Public-Key Cryptography. PKC: Public-Key Cryptography,
LNCS, vol. 12110, 623–651.'
mla: Genise, Nicholas, et al. “Improved Discrete Gaussian and Subgaussian Analysis
for Lattice Cryptography.” 23rd IACR International Conference on the Practice
and Theory of Public-Key Cryptography, vol. 12110, Springer Nature, 2020,
pp. 623–51, doi:10.1007/978-3-030-45374-9_21.
short: N. Genise, D. Micciancio, C. Peikert, M. Walter, in:, 23rd IACR International
Conference on the Practice and Theory of Public-Key Cryptography, Springer Nature,
2020, pp. 623–651.
conference:
end_date: 2020-05-07
location: Edinburgh, United Kingdom
name: 'PKC: Public-Key Cryptography'
start_date: 2020-05-04
date_created: 2020-09-06T22:01:13Z
date_published: 2020-05-15T00:00:00Z
date_updated: 2023-02-23T13:31:06Z
day: '15'
department:
- _id: KrPi
doi: 10.1007/978-3-030-45374-9_21
ec_funded: 1
intvolume: ' 12110'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2020/337
month: '05'
oa: 1
oa_version: Preprint
page: 623-651
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: 23rd IACR International Conference on the Practice and Theory of Public-Key
Cryptography
publication_identifier:
eissn:
- '16113349'
isbn:
- '9783030453732'
issn:
- '03029743'
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Improved discrete Gaussian and subgaussian analysis for lattice cryptography
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 12110
year: '2020'
...
---
_id: '8987'
abstract:
- lang: eng
text: "Currently several projects aim at designing and implementing protocols for
privacy preserving automated contact tracing to help fight the current pandemic.
Those proposal are quite similar, and in their most basic form basically propose
an app for mobile phones which broadcasts frequently changing pseudorandom identifiers
via (low energy) Bluetooth, and at the same time, the app stores IDs broadcast
by phones in its proximity. Only if a user is tested positive, they upload either
the beacons they did broadcast (which is the case in decentralized proposals as
DP-3T, east and west coast PACT or Covid watch) or received (as in Popp-PT or
ROBERT) during the last two weeks or so.\r\n\r\nVaudenay [eprint 2020/399] observes
that this basic scheme (he considers the DP-3T proposal) succumbs to relay and
even replay attacks, and proposes more complex interactive schemes which prevent
those attacks without giving up too many privacy aspects. Unfortunately interaction
is problematic for this application for efficiency and security reasons. The countermeasures
that have been suggested so far are either not practical or give up on key privacy
aspects. We propose a simple non-interactive variant of the basic protocol that\r\n(security)
Provably prevents replay and (if location data is available) relay attacks.\r\n(privacy)
The data of all parties (even jointly) reveals no information on the location
or time where encounters happened.\r\n(efficiency) The broadcasted message can
fit into 128 bits and uses only basic crypto (commitments and secret key authentication).\r\n\r\nTowards
this end we introduce the concept of “delayed authentication”, which basically
is a message authentication code where verification can be done in two steps,
where the first doesn’t require the key, and the second doesn’t require the message."
article_processing_charge: No
author:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Pietrzak KZ. Delayed authentication: Preventing replay and relay attacks in
private contact tracing. In: Progress in Cryptology. Vol 12578. LNCS. Springer
Nature; 2020:3-15. doi:10.1007/978-3-030-65277-7_1'
apa: 'Pietrzak, K. Z. (2020). Delayed authentication: Preventing replay and relay
attacks in private contact tracing. In Progress in Cryptology (Vol. 12578,
pp. 3–15). Bangalore, India: Springer Nature. https://doi.org/10.1007/978-3-030-65277-7_1'
chicago: 'Pietrzak, Krzysztof Z. “Delayed Authentication: Preventing Replay and
Relay Attacks in Private Contact Tracing.” In Progress in Cryptology, 12578:3–15.
LNCS. Springer Nature, 2020. https://doi.org/10.1007/978-3-030-65277-7_1.'
ieee: 'K. Z. Pietrzak, “Delayed authentication: Preventing replay and relay attacks
in private contact tracing,” in Progress in Cryptology, Bangalore, India,
2020, vol. 12578, pp. 3–15.'
ista: 'Pietrzak KZ. 2020. Delayed authentication: Preventing replay and relay attacks
in private contact tracing. Progress in Cryptology. INDOCRYPT: International Conference
on Cryptology in IndiaLNCS vol. 12578, 3–15.'
mla: 'Pietrzak, Krzysztof Z. “Delayed Authentication: Preventing Replay and Relay
Attacks in Private Contact Tracing.” Progress in Cryptology, vol. 12578,
Springer Nature, 2020, pp. 3–15, doi:10.1007/978-3-030-65277-7_1.'
short: K.Z. Pietrzak, in:, Progress in Cryptology, Springer Nature, 2020, pp. 3–15.
conference:
end_date: 2020-12-16
location: Bangalore, India
name: 'INDOCRYPT: International Conference on Cryptology in India'
start_date: 2020-12-13
date_created: 2021-01-03T23:01:23Z
date_published: 2020-12-08T00:00:00Z
date_updated: 2023-08-24T11:08:58Z
day: '08'
department:
- _id: KrPi
doi: 10.1007/978-3-030-65277-7_1
ec_funded: 1
external_id:
isi:
- '000927592800001'
intvolume: ' 12578'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2020/418
month: '12'
oa: 1
oa_version: Preprint
page: 3-15
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Progress in Cryptology
publication_identifier:
eissn:
- '16113349'
isbn:
- '9783030652760'
issn:
- '03029743'
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
series_title: LNCS
status: public
title: 'Delayed authentication: Preventing replay and relay attacks in private contact
tracing'
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
volume: 12578
year: '2020'
...
---
_id: '7966'
abstract:
- lang: eng
text: "For 1≤m≤n, we consider a natural m-out-of-n multi-instance scenario for a
public-key encryption (PKE) scheme. An adversary, given n independent instances
of PKE, wins if he breaks at least m out of the n instances. In this work, we
are interested in the scaling factor of PKE schemes, SF, which measures how well
the difficulty of breaking m out of the n instances scales in m. That is, a scaling
factor SF=ℓ indicates that breaking m out of n instances is at least ℓ times more
difficult than breaking one single instance. A PKE scheme with small scaling factor
hence provides an ideal target for mass surveillance. In fact, the Logjam attack
(CCS 2015) implicitly exploited, among other things, an almost constant scaling
factor of ElGamal over finite fields (with shared group parameters).\r\n\r\nFor
Hashed ElGamal over elliptic curves, we use the generic group model to argue that
the scaling factor depends on the scheme's granularity. In low granularity, meaning
each public key contains its independent group parameter, the scheme has optimal
scaling factor SF=m; In medium and high granularity, meaning all public keys share
the same group parameter, the scheme still has a reasonable scaling factor SF=√m.
Our findings underline that instantiating ElGamal over elliptic curves should
be preferred to finite fields in a multi-instance scenario.\r\n\r\nAs our main
technical contribution, we derive new generic-group lower bounds of Ω(√(mp)) on
the difficulty of solving both the m-out-of-n Gap Discrete Logarithm and the m-out-of-n
Gap Computational Diffie-Hellman problem over groups of prime order p, extending
a recent result by Yun (EUROCRYPT 2015). We establish the lower bound by studying
the hardness of a related computational problem which we call the search-by-hypersurface
problem."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Benedikt
full_name: Auerbach, Benedikt
id: D33D2B18-E445-11E9-ABB7-15F4E5697425
last_name: Auerbach
orcid: 0000-0002-7553-6606
- first_name: Federico
full_name: Giacon, Federico
last_name: Giacon
- first_name: Eike
full_name: Kiltz, Eike
last_name: Kiltz
citation:
ama: 'Auerbach B, Giacon F, Kiltz E. Everybody’s a target: Scalability in public-key
encryption. In: Advances in Cryptology – EUROCRYPT 2020. Vol 12107. Springer
Nature; 2020:475-506. doi:10.1007/978-3-030-45727-3_16'
apa: 'Auerbach, B., Giacon, F., & Kiltz, E. (2020). Everybody’s a target: Scalability
in public-key encryption. In Advances in Cryptology – EUROCRYPT 2020 (Vol.
12107, pp. 475–506). Springer Nature. https://doi.org/10.1007/978-3-030-45727-3_16'
chicago: 'Auerbach, Benedikt, Federico Giacon, and Eike Kiltz. “Everybody’s a Target:
Scalability in Public-Key Encryption.” In Advances in Cryptology – EUROCRYPT
2020, 12107:475–506. Springer Nature, 2020. https://doi.org/10.1007/978-3-030-45727-3_16.'
ieee: 'B. Auerbach, F. Giacon, and E. Kiltz, “Everybody’s a target: Scalability
in public-key encryption,” in Advances in Cryptology – EUROCRYPT 2020,
2020, vol. 12107, pp. 475–506.'
ista: 'Auerbach B, Giacon F, Kiltz E. 2020. Everybody’s a target: Scalability in
public-key encryption. Advances in Cryptology – EUROCRYPT 2020. EUROCRYPT: Theory
and Applications of Cryptographic Techniques, LNCS, vol. 12107, 475–506.'
mla: 'Auerbach, Benedikt, et al. “Everybody’s a Target: Scalability in Public-Key
Encryption.” Advances in Cryptology – EUROCRYPT 2020, vol. 12107, Springer
Nature, 2020, pp. 475–506, doi:10.1007/978-3-030-45727-3_16.'
short: B. Auerbach, F. Giacon, E. Kiltz, in:, Advances in Cryptology – EUROCRYPT
2020, Springer Nature, 2020, pp. 475–506.
conference:
end_date: 2020-05-15
name: 'EUROCRYPT: Theory and Applications of Cryptographic Techniques'
start_date: 2020-05-11
date_created: 2020-06-15T07:13:37Z
date_published: 2020-05-01T00:00:00Z
date_updated: 2023-09-05T15:06:40Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-030-45727-3_16
ec_funded: 1
external_id:
isi:
- '000828688000016'
intvolume: ' 12107'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2019/364
month: '05'
oa: 1
oa_version: Submitted Version
page: 475-506
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Advances in Cryptology – EUROCRYPT 2020
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783030457266'
- '9783030457273'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
status: public
title: 'Everybody’s a target: Scalability in public-key encryption'
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 12107
year: '2020'
...
---
_id: '7896'
abstract:
- lang: eng
text: "A search problem lies in the complexity class FNP if a solution to the given
instance of the problem can be verified efficiently. The complexity class TFNP
consists of all search problems in FNP that are total in the sense that a solution
is guaranteed to exist. TFNP contains a host of interesting problems from fields
such as algorithmic game theory, computational topology, number theory and combinatorics.
Since TFNP is a semantic class, it is unlikely to have a complete problem. Instead,
one studies its syntactic subclasses which are defined based on the combinatorial
principle used to argue totality. Of particular interest is the subclass PPAD,
which contains important problems\r\nlike computing Nash equilibrium for bimatrix
games and computational counterparts of several fixed-point theorems as complete.
In the thesis, we undertake the study of averagecase hardness of TFNP, and in
particular its subclass PPAD.\r\nAlmost nothing was known about average-case hardness
of PPAD before a series of recent results showed how to achieve it using a cryptographic
primitive called program obfuscation.\r\nHowever, it is currently not known how
to construct program obfuscation from standard cryptographic assumptions. Therefore,
it is desirable to relax the assumption under which average-case hardness of PPAD
can be shown. In the thesis we take a step in this direction. First, we show that
assuming the (average-case) hardness of a numbertheoretic\r\nproblem related to
factoring of integers, which we call Iterated-Squaring, PPAD is hard-on-average
in the random-oracle model. Then we strengthen this result to show that the average-case
hardness of PPAD reduces to the (adaptive) soundness of the Fiat-Shamir Transform,
a well-known technique used to compile a public-coin interactive protocol into
a non-interactive one. As a corollary, we obtain average-case hardness for PPAD
in the random-oracle model assuming the worst-case hardness of #SAT. Moreover,
the above results can all be strengthened to obtain average-case hardness for
the class CLS ⊆ PPAD.\r\nOur main technical contribution is constructing incrementally-verifiable
procedures for computing Iterated-Squaring and #SAT. By incrementally-verifiable,
we mean that every intermediate state of the computation includes a proof of its
correctness, and the proof can be updated and verified in polynomial time. Previous
constructions of such procedures relied on strong, non-standard assumptions. Instead,
we introduce a technique called recursive proof-merging to obtain the same from
weaker assumptions. "
alternative_title:
- ISTA Thesis
article_processing_charge: No
author:
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
citation:
ama: Kamath Hosdurg C. On the average-case hardness of total search problems. 2020.
doi:10.15479/AT:ISTA:7896
apa: Kamath Hosdurg, C. (2020). On the average-case hardness of total search
problems. Institute of Science and Technology Austria. https://doi.org/10.15479/AT:ISTA:7896
chicago: Kamath Hosdurg, Chethan. “On the Average-Case Hardness of Total Search
Problems.” Institute of Science and Technology Austria, 2020. https://doi.org/10.15479/AT:ISTA:7896.
ieee: C. Kamath Hosdurg, “On the average-case hardness of total search problems,”
Institute of Science and Technology Austria, 2020.
ista: Kamath Hosdurg C. 2020. On the average-case hardness of total search problems.
Institute of Science and Technology Austria.
mla: Kamath Hosdurg, Chethan. On the Average-Case Hardness of Total Search Problems.
Institute of Science and Technology Austria, 2020, doi:10.15479/AT:ISTA:7896.
short: C. Kamath Hosdurg, On the Average-Case Hardness of Total Search Problems,
Institute of Science and Technology Austria, 2020.
date_created: 2020-05-26T14:08:55Z
date_published: 2020-05-25T00:00:00Z
date_updated: 2023-09-07T13:15:55Z
day: '25'
ddc:
- '000'
degree_awarded: PhD
department:
- _id: KrPi
doi: 10.15479/AT:ISTA:7896
ec_funded: 1
file:
- access_level: open_access
checksum: b39e2e1c376f5819b823fb7077491c64
content_type: application/pdf
creator: dernst
date_created: 2020-05-26T14:08:13Z
date_updated: 2020-07-14T12:48:04Z
file_id: '7897'
file_name: 2020_Thesis_Kamath.pdf
file_size: 1622742
relation: main_file
- access_level: closed
checksum: 8b26ba729c1a85ac6bea775f5d73cdc7
content_type: application/x-zip-compressed
creator: dernst
date_created: 2020-05-26T14:08:23Z
date_updated: 2020-07-14T12:48:04Z
file_id: '7898'
file_name: Thesis_Kamath.zip
file_size: 15301529
relation: source_file
file_date_updated: 2020-07-14T12:48:04Z
has_accepted_license: '1'
language:
- iso: eng
month: '05'
oa: 1
oa_version: Published Version
page: '126'
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
issn:
- 2663-337X
publication_status: published
publisher: Institute of Science and Technology Austria
related_material:
record:
- id: '6677'
relation: part_of_dissertation
status: public
status: public
supervisor:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
title: On the average-case hardness of total search problems
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: dissertation
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
year: '2020'
...
---
_id: '5887'
abstract:
- lang: eng
text: 'Cryptographic security is usually defined as a guarantee that holds except
when a bad event with negligible probability occurs, and nothing is guaranteed
in that bad case. However, in settings where such failure can happen with substantial
probability, one needs to provide guarantees even for the bad case. A typical
example is where a (possibly weak) password is used instead of a secure cryptographic
key to protect a session, the bad event being that the adversary correctly guesses
the password. In a situation with multiple such sessions, a per-session guarantee
is desired: any session for which the password has not been guessed remains secure,
independently of whether other sessions have been compromised. A new formalism
for stating such gracefully degrading security guarantees is introduced and applied
to analyze the examples of password-based message authentication and password-based
encryption. While a natural per-message guarantee is achieved for authentication,
the situation of password-based encryption is more delicate: a per-session confidentiality
guarantee only holds against attackers for which the distribution of password-guessing
effort over the sessions is known in advance. In contrast, for more general attackers
without such a restriction, a strong, composable notion of security cannot be
achieved.'
article_processing_charge: No
article_type: original
author:
- first_name: Gregory
full_name: Demay, Gregory
last_name: Demay
- first_name: Peter
full_name: Gazi, Peter
id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
last_name: Gazi
- first_name: Ueli
full_name: Maurer, Ueli
last_name: Maurer
- first_name: Bjorn
full_name: Tackmann, Bjorn
last_name: Tackmann
citation:
ama: 'Demay G, Gazi P, Maurer U, Tackmann B. Per-session security: Password-based
cryptography revisited. Journal of Computer Security. 2019;27(1):75-111.
doi:10.3233/JCS-181131'
apa: 'Demay, G., Gazi, P., Maurer, U., & Tackmann, B. (2019). Per-session security:
Password-based cryptography revisited. Journal of Computer Security. IOS
Press. https://doi.org/10.3233/JCS-181131'
chicago: 'Demay, Gregory, Peter Gazi, Ueli Maurer, and Bjorn Tackmann. “Per-Session
Security: Password-Based Cryptography Revisited.” Journal of Computer Security.
IOS Press, 2019. https://doi.org/10.3233/JCS-181131.'
ieee: 'G. Demay, P. Gazi, U. Maurer, and B. Tackmann, “Per-session security: Password-based
cryptography revisited,” Journal of Computer Security, vol. 27, no. 1.
IOS Press, pp. 75–111, 2019.'
ista: 'Demay G, Gazi P, Maurer U, Tackmann B. 2019. Per-session security: Password-based
cryptography revisited. Journal of Computer Security. 27(1), 75–111.'
mla: 'Demay, Gregory, et al. “Per-Session Security: Password-Based Cryptography
Revisited.” Journal of Computer Security, vol. 27, no. 1, IOS Press, 2019,
pp. 75–111, doi:10.3233/JCS-181131.'
short: G. Demay, P. Gazi, U. Maurer, B. Tackmann, Journal of Computer Security 27
(2019) 75–111.
date_created: 2019-01-27T22:59:10Z
date_published: 2019-01-01T00:00:00Z
date_updated: 2021-01-12T08:05:08Z
day: '1'
department:
- _id: KrPi
doi: 10.3233/JCS-181131
ec_funded: 1
intvolume: ' 27'
issue: '1'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/166
month: '01'
oa: 1
oa_version: Preprint
page: 75-111
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Journal of Computer Security
publication_identifier:
issn:
- 0926227X
publication_status: published
publisher: IOS Press
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'Per-session security: Password-based cryptography revisited'
type: journal_article
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 27
year: '2019'
...
---
_id: '6528'
abstract:
- lang: eng
text: We construct a verifiable delay function (VDF) by showing how the Rivest-Shamir-Wagner
time-lock puzzle can be made publicly verifiable. Concretely, we give a statistically
sound public-coin protocol to prove that a tuple (N,x,T,y) satisfies y=x2T (mod
N) where the prover doesn’t know the factorization of N and its running time is
dominated by solving the puzzle, that is, compute x2T, which is conjectured to
require T sequential squarings. To get a VDF we make this protocol non-interactive
using the Fiat-Shamir heuristic.The motivation for this work comes from the Chia
blockchain design, which uses a VDF as akey ingredient. For typical parameters
(T≤2 40, N= 2048), our proofs are of size around 10K B, verification cost around
three RSA exponentiations and computing the proof is 8000 times faster than solving
the puzzle even without any parallelism.
alternative_title:
- LIPIcs
article_number: '60'
article_processing_charge: No
author:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Pietrzak KZ. Simple verifiable delay functions. In: 10th Innovations in
Theoretical Computer Science Conference. Vol 124. Schloss Dagstuhl - Leibniz-Zentrum
für Informatik; 2019. doi:10.4230/LIPICS.ITCS.2019.60'
apa: 'Pietrzak, K. Z. (2019). Simple verifiable delay functions. In 10th Innovations
in Theoretical Computer Science Conference (Vol. 124). San Diego, CA, United
States: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. https://doi.org/10.4230/LIPICS.ITCS.2019.60'
chicago: Pietrzak, Krzysztof Z. “Simple Verifiable Delay Functions.” In 10th
Innovations in Theoretical Computer Science Conference, Vol. 124. Schloss
Dagstuhl - Leibniz-Zentrum für Informatik, 2019. https://doi.org/10.4230/LIPICS.ITCS.2019.60.
ieee: K. Z. Pietrzak, “Simple verifiable delay functions,” in 10th Innovations
in Theoretical Computer Science Conference, San Diego, CA, United States,
2019, vol. 124.
ista: 'Pietrzak KZ. 2019. Simple verifiable delay functions. 10th Innovations in
Theoretical Computer Science Conference. ITCS 2019: Innovations in Theoretical
Computer Science, LIPIcs, vol. 124, 60.'
mla: Pietrzak, Krzysztof Z. “Simple Verifiable Delay Functions.” 10th Innovations
in Theoretical Computer Science Conference, vol. 124, 60, Schloss Dagstuhl
- Leibniz-Zentrum für Informatik, 2019, doi:10.4230/LIPICS.ITCS.2019.60.
short: K.Z. Pietrzak, in:, 10th Innovations in Theoretical Computer Science Conference,
Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2019.
conference:
end_date: 2019-01-12
location: San Diego, CA, United States
name: 'ITCS 2019: Innovations in Theoretical Computer Science'
start_date: 2019-01-10
date_created: 2019-06-06T14:12:36Z
date_published: 2019-01-10T00:00:00Z
date_updated: 2021-01-12T08:07:53Z
day: '10'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.4230/LIPICS.ITCS.2019.60
ec_funded: 1
file:
- access_level: open_access
checksum: f0ae1bb161431d9db3dea5ace082bfb5
content_type: application/pdf
creator: dernst
date_created: 2019-06-06T14:22:04Z
date_updated: 2020-07-14T12:47:33Z
file_id: '6529'
file_name: 2019_LIPIcs_Pietrzak.pdf
file_size: 558770
relation: main_file
file_date_updated: 2020-07-14T12:47:33Z
has_accepted_license: '1'
intvolume: ' 124'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2018/627
month: '01'
oa: 1
oa_version: Published Version
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: 10th Innovations in Theoretical Computer Science Conference
publication_identifier:
isbn:
- 978-3-95977-095-8
issn:
- 1868-8969
publication_status: published
publisher: Schloss Dagstuhl - Leibniz-Zentrum für Informatik
quality_controlled: '1'
scopus_import: 1
status: public
title: Simple verifiable delay functions
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 124
year: '2019'
...
---
_id: '6726'
abstract:
- lang: eng
text: Randomness is an essential part of any secure cryptosystem, but many constructions
rely on distributions that are not uniform. This is particularly true for lattice
based cryptosystems, which more often than not make use of discrete Gaussian distributions
over the integers. For practical purposes it is crucial to evaluate the impact
that approximation errors have on the security of a scheme to provide the best
possible trade-off between security and performance. Recent years have seen surprising
results allowing to use relatively low precision while maintaining high levels
of security. A key insight in these results is that sampling a distribution with
low relative error can provide very strong security guarantees. Since floating
point numbers provide guarantees on the relative approximation error, they seem
a suitable tool in this setting, but it is not obvious which sampling algorithms
can actually profit from them. While previous works have shown that inversion
sampling can be adapted to provide a low relative error (Pöppelmann et al., CHES
2014; Prest, ASIACRYPT 2017), other works have called into question if this is
possible for other sampling techniques (Zheng et al., Eprint report 2018/309).
In this work, we consider all sampling algorithms that are popular in the cryptographic
setting and analyze the relationship of floating point precision and the resulting
relative error. We show that all of the algorithms either natively achieve a low
relative error or can be adapted to do so.
article_processing_charge: No
author:
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
citation:
ama: 'Walter M. Sampling the integers with low relative error. In: Buchmann J, Nitaj
A, Rachidi T, eds. Progress in Cryptology – AFRICACRYPT 2019. Vol 11627.
LNCS. Cham: Springer Nature; 2019:157-180. doi:10.1007/978-3-030-23696-0_9'
apa: 'Walter, M. (2019). Sampling the integers with low relative error. In J. Buchmann,
A. Nitaj, & T. Rachidi (Eds.), Progress in Cryptology – AFRICACRYPT 2019
(Vol. 11627, pp. 157–180). Cham: Springer Nature. https://doi.org/10.1007/978-3-030-23696-0_9'
chicago: 'Walter, Michael. “Sampling the Integers with Low Relative Error.” In Progress
in Cryptology – AFRICACRYPT 2019, edited by J Buchmann, A Nitaj, and T Rachidi,
11627:157–80. LNCS. Cham: Springer Nature, 2019. https://doi.org/10.1007/978-3-030-23696-0_9.'
ieee: 'M. Walter, “Sampling the integers with low relative error,” in Progress
in Cryptology – AFRICACRYPT 2019, vol. 11627, J. Buchmann, A. Nitaj, and T.
Rachidi, Eds. Cham: Springer Nature, 2019, pp. 157–180.'
ista: 'Walter M. 2019.Sampling the integers with low relative error. In: Progress
in Cryptology – AFRICACRYPT 2019. vol. 11627, 157–180.'
mla: Walter, Michael. “Sampling the Integers with Low Relative Error.” Progress
in Cryptology – AFRICACRYPT 2019, edited by J Buchmann et al., vol. 11627,
Springer Nature, 2019, pp. 157–80, doi:10.1007/978-3-030-23696-0_9.
short: M. Walter, in:, J. Buchmann, A. Nitaj, T. Rachidi (Eds.), Progress in Cryptology
– AFRICACRYPT 2019, Springer Nature, Cham, 2019, pp. 157–180.
conference:
end_date: 2019-07-11
location: Rabat, Morocco
name: 'AFRICACRYPT: International Conference on Cryptology in Africa'
start_date: 2019-07-09
date_created: 2019-07-29T12:25:31Z
date_published: 2019-06-29T00:00:00Z
date_updated: 2023-02-23T12:50:15Z
day: '29'
department:
- _id: KrPi
doi: 10.1007/978-3-030-23696-0_9
ec_funded: 1
editor:
- first_name: J
full_name: Buchmann, J
last_name: Buchmann
- first_name: A
full_name: Nitaj, A
last_name: Nitaj
- first_name: T
full_name: Rachidi, T
last_name: Rachidi
intvolume: ' 11627'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2019/068
month: '06'
oa: 1
oa_version: Preprint
page: 157-180
place: Cham
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Progress in Cryptology – AFRICACRYPT 2019
publication_identifier:
eisbn:
- 978-3-0302-3696-0
isbn:
- 978-3-0302-3695-3
issn:
- 0302-9743
- 1611-3349
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
series_title: LNCS
status: public
title: Sampling the integers with low relative error
type: book_chapter
user_id: 8b945eb4-e2f2-11eb-945a-df72226e66a9
volume: 11627
year: '2019'
...
---
_id: '7136'
abstract:
- lang: eng
text: "It is well established that the notion of min-entropy fails to satisfy the
\\emph{chain rule} of the form H(X,Y)=H(X|Y)+H(Y), known for Shannon Entropy.
Such a property would help to analyze how min-entropy is split among smaller blocks.
Problems of this kind arise for example when constructing extractors and dispersers.\r\nWe
show that any sequence of variables exhibits a very strong strong block-source
structure (conditional distributions of blocks are nearly flat) when we \\emph{spoil
few correlated bits}. This implies, conditioned on the spoiled bits, that \\emph{splitting-recombination
properties} hold. In particular, we have many nice properties that min-entropy
doesn't obey in general, for example strong chain rules, \"information can't hurt\"
inequalities, equivalences of average and worst-case conditional entropy definitions
and others. Quantitatively, for any sequence X1,…,Xt of random variables over
an alphabet X we prove that, when conditioned on m=t⋅O(loglog|X|+loglog(1/ϵ)+logt)
bits of auxiliary information, all conditional distributions of the form Xi|X2019 IEEE International Symposium on Information Theory. IEEE; 2019. doi:10.1109/isit.2019.8849240'
apa: 'Skórski, M. (2019). Strong chain rules for min-entropy under few bits spoiled.
In 2019 IEEE International Symposium on Information Theory. Paris, France:
IEEE. https://doi.org/10.1109/isit.2019.8849240'
chicago: Skórski, Maciej. “Strong Chain Rules for Min-Entropy under Few Bits Spoiled.”
In 2019 IEEE International Symposium on Information Theory. IEEE, 2019.
https://doi.org/10.1109/isit.2019.8849240.
ieee: M. Skórski, “Strong chain rules for min-entropy under few bits spoiled,” in
2019 IEEE International Symposium on Information Theory, Paris, France,
2019.
ista: 'Skórski M. 2019. Strong chain rules for min-entropy under few bits spoiled.
2019 IEEE International Symposium on Information Theory. ISIT: International Symposium
on Information Theory, 8849240.'
mla: Skórski, Maciej. “Strong Chain Rules for Min-Entropy under Few Bits Spoiled.”
2019 IEEE International Symposium on Information Theory, 8849240, IEEE,
2019, doi:10.1109/isit.2019.8849240.
short: M. Skórski, in:, 2019 IEEE International Symposium on Information Theory,
IEEE, 2019.
conference:
end_date: 2019-07-12
location: Paris, France
name: 'ISIT: International Symposium on Information Theory'
start_date: 2019-07-07
date_created: 2019-11-28T10:19:21Z
date_published: 2019-07-01T00:00:00Z
date_updated: 2023-09-06T11:15:41Z
day: '01'
department:
- _id: KrPi
doi: 10.1109/isit.2019.8849240
external_id:
arxiv:
- '1702.08476'
isi:
- '000489100301043'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://arxiv.org/abs/1702.08476
month: '07'
oa: 1
oa_version: Preprint
publication: 2019 IEEE International Symposium on Information Theory
publication_identifier:
isbn:
- '9781538692912'
publication_status: published
publisher: IEEE
quality_controlled: '1'
scopus_import: '1'
status: public
title: Strong chain rules for min-entropy under few bits spoiled
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
year: '2019'
...
---
_id: '7411'
abstract:
- lang: eng
text: "Proofs of sequential work (PoSW) are proof systems where a prover, upon receiving
a statement χ and a time parameter T computes a proof ϕ(χ,T) which is efficiently
and publicly verifiable. The proof can be computed in T sequential steps, but
not much less, even by a malicious party having large parallelism. A PoSW thus
serves as a proof that T units of time have passed since χ\r\n\r\nwas received.\r\n\r\nPoSW
were introduced by Mahmoody, Moran and Vadhan [MMV11], a simple and practical
construction was only recently proposed by Cohen and Pietrzak [CP18].\r\n\r\nIn
this work we construct a new simple PoSW in the random permutation model which
is almost as simple and efficient as [CP18] but conceptually very different. Whereas
the structure underlying [CP18] is a hash tree, our construction is based on skip
lists and has the interesting property that computing the PoSW is a reversible
computation.\r\nThe fact that the construction is reversible can potentially be
used for new applications like constructing proofs of replication. We also show
how to “embed” the sloth function of Lenstra and Weselowski [LW17] into our PoSW
to get a PoSW where one additionally can verify correctness of the output much
more efficiently than recomputing it (though recent constructions of “verifiable
delay functions” subsume most of the applications this construction was aiming
at)."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Hamza M
full_name: Abusalah, Hamza M
id: 40297222-F248-11E8-B48F-1D18A9856A87
last_name: Abusalah
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
citation:
ama: 'Abusalah HM, Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. Reversible
proofs of sequential work. In: Advances in Cryptology – EUROCRYPT 2019.
Vol 11477. Springer International Publishing; 2019:277-291. doi:10.1007/978-3-030-17656-3_10'
apa: 'Abusalah, H. M., Kamath Hosdurg, C., Klein, K., Pietrzak, K. Z., & Walter,
M. (2019). Reversible proofs of sequential work. In Advances in Cryptology
– EUROCRYPT 2019 (Vol. 11477, pp. 277–291). Darmstadt, Germany: Springer International
Publishing. https://doi.org/10.1007/978-3-030-17656-3_10'
chicago: Abusalah, Hamza M, Chethan Kamath Hosdurg, Karen Klein, Krzysztof Z Pietrzak,
and Michael Walter. “Reversible Proofs of Sequential Work.” In Advances in
Cryptology – EUROCRYPT 2019, 11477:277–91. Springer International Publishing,
2019. https://doi.org/10.1007/978-3-030-17656-3_10.
ieee: H. M. Abusalah, C. Kamath Hosdurg, K. Klein, K. Z. Pietrzak, and M. Walter,
“Reversible proofs of sequential work,” in Advances in Cryptology – EUROCRYPT
2019, Darmstadt, Germany, 2019, vol. 11477, pp. 277–291.
ista: Abusalah HM, Kamath Hosdurg C, Klein K, Pietrzak KZ, Walter M. 2019. Reversible
proofs of sequential work. Advances in Cryptology – EUROCRYPT 2019. International
Conference on the Theory and Applications of Cryptographic Techniques, LNCS, vol.
11477, 277–291.
mla: Abusalah, Hamza M., et al. “Reversible Proofs of Sequential Work.” Advances
in Cryptology – EUROCRYPT 2019, vol. 11477, Springer International Publishing,
2019, pp. 277–91, doi:10.1007/978-3-030-17656-3_10.
short: H.M. Abusalah, C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, M. Walter, in:,
Advances in Cryptology – EUROCRYPT 2019, Springer International Publishing, 2019,
pp. 277–291.
conference:
end_date: 2019-05-23
location: Darmstadt, Germany
name: International Conference on the Theory and Applications of Cryptographic Techniques
start_date: 2019-05-19
date_created: 2020-01-30T09:26:14Z
date_published: 2019-04-24T00:00:00Z
date_updated: 2023-09-06T15:26:06Z
day: '24'
department:
- _id: KrPi
doi: 10.1007/978-3-030-17656-3_10
ec_funded: 1
external_id:
isi:
- '000483516200010'
intvolume: ' 11477'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2019/252
month: '04'
oa: 1
oa_version: Submitted Version
page: 277-291
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Advances in Cryptology – EUROCRYPT 2019
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783030176556'
- '9783030176563'
issn:
- 0302-9743
publication_status: published
publisher: Springer International Publishing
quality_controlled: '1'
scopus_import: '1'
status: public
title: Reversible proofs of sequential work
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 11477
year: '2019'
...
---
_id: '6677'
abstract:
- lang: eng
text: "The Fiat-Shamir heuristic transforms a public-coin interactive proof into
a non-interactive argument, by replacing the verifier with a cryptographic hash
function that is applied to the protocol’s transcript. Constructing hash functions
for which this transformation is sound is a central and long-standing open question
in cryptography.\r\n\r\nWe show that solving the END−OF−METERED−LINE problem is
no easier than breaking the soundness of the Fiat-Shamir transformation when applied
to the sumcheck protocol. In particular, if the transformed protocol is sound,
then any hard problem in #P gives rise to a hard distribution in the class CLS,
which is contained in PPAD. Our result opens up the possibility of sampling moderately-sized
games for which it is hard to find a Nash equilibrium, by reducing the inversion
of appropriately chosen one-way functions to #SAT.\r\n\r\nOur main technical contribution
is a stateful incrementally verifiable procedure that, given a SAT instance over
n variables, counts the number of satisfying assignments. This is accomplished
via an exponential sequence of small steps, each computable in time poly(n). Incremental
verifiability means that each intermediate state includes a sumcheck-based proof
of its correctness, and the proof can be updated and verified in time poly(n)."
article_processing_charge: No
author:
- first_name: Arka Rai
full_name: Choudhuri, Arka Rai
last_name: Choudhuri
- first_name: Pavel
full_name: Hubáček, Pavel
last_name: Hubáček
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Alon
full_name: Rosen, Alon
last_name: Rosen
- first_name: Guy N.
full_name: Rothblum, Guy N.
last_name: Rothblum
citation:
ama: 'Choudhuri AR, Hubáček P, Kamath Hosdurg C, Pietrzak KZ, Rosen A, Rothblum
GN. Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. In: Proceedings
of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019.
ACM Press; 2019:1103-1114. doi:10.1145/3313276.3316400'
apa: 'Choudhuri, A. R., Hubáček, P., Kamath Hosdurg, C., Pietrzak, K. Z., Rosen,
A., & Rothblum, G. N. (2019). Finding a Nash equilibrium is no easier than
breaking Fiat-Shamir. In Proceedings of the 51st Annual ACM SIGACT Symposium
on Theory of Computing - STOC 2019 (pp. 1103–1114). Phoenix, AZ, United States:
ACM Press. https://doi.org/10.1145/3313276.3316400'
chicago: Choudhuri, Arka Rai, Pavel Hubáček, Chethan Kamath Hosdurg, Krzysztof Z
Pietrzak, Alon Rosen, and Guy N. Rothblum. “Finding a Nash Equilibrium Is No Easier
than Breaking Fiat-Shamir.” In Proceedings of the 51st Annual ACM SIGACT Symposium
on Theory of Computing - STOC 2019, 1103–14. ACM Press, 2019. https://doi.org/10.1145/3313276.3316400.
ieee: A. R. Choudhuri, P. Hubáček, C. Kamath Hosdurg, K. Z. Pietrzak, A. Rosen,
and G. N. Rothblum, “Finding a Nash equilibrium is no easier than breaking Fiat-Shamir,”
in Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing
- STOC 2019, Phoenix, AZ, United States, 2019, pp. 1103–1114.
ista: 'Choudhuri AR, Hubáček P, Kamath Hosdurg C, Pietrzak KZ, Rosen A, Rothblum
GN. 2019. Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. Proceedings
of the 51st Annual ACM SIGACT Symposium on Theory of Computing - STOC 2019. STOC:
Symposium on Theory of Computing, 1103–1114.'
mla: Choudhuri, Arka Rai, et al. “Finding a Nash Equilibrium Is No Easier than Breaking
Fiat-Shamir.” Proceedings of the 51st Annual ACM SIGACT Symposium on Theory
of Computing - STOC 2019, ACM Press, 2019, pp. 1103–14, doi:10.1145/3313276.3316400.
short: A.R. Choudhuri, P. Hubáček, C. Kamath Hosdurg, K.Z. Pietrzak, A. Rosen, G.N.
Rothblum, in:, Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of
Computing - STOC 2019, ACM Press, 2019, pp. 1103–1114.
conference:
end_date: 2019-06-26
location: Phoenix, AZ, United States
name: 'STOC: Symposium on Theory of Computing'
start_date: 2019-06-23
date_created: 2019-07-24T09:20:53Z
date_published: 2019-06-01T00:00:00Z
date_updated: 2023-09-07T13:15:55Z
day: '01'
department:
- _id: KrPi
doi: 10.1145/3313276.3316400
ec_funded: 1
external_id:
isi:
- '000523199100100'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2019/549
month: '06'
oa: 1
oa_version: Preprint
page: 1103-1114
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing -
STOC 2019
publication_identifier:
isbn:
- '9781450367059'
publication_status: published
publisher: ACM Press
quality_controlled: '1'
related_material:
record:
- id: '7896'
relation: dissertation_contains
status: public
scopus_import: '1'
status: public
title: Finding a Nash equilibrium is no easier than breaking Fiat-Shamir
type: conference
user_id: 4359f0d1-fa6c-11eb-b949-802e58b17ae8
year: '2019'
...
---
_id: '6430'
abstract:
- lang: eng
text: "A proxy re-encryption (PRE) scheme is a public-key encryption scheme that
allows the holder of a key pk to derive a re-encryption key for any other key
\U0001D45D\U0001D458′. This re-encryption key lets anyone transform ciphertexts
under pk into ciphertexts under \U0001D45D\U0001D458′ without having to know the
underlying message, while transformations from \U0001D45D\U0001D458′ to pk should
not be possible (unidirectional). Security is defined in a multi-user setting
against an adversary that gets the users’ public keys and can ask for re-encryption
keys and can corrupt users by requesting their secret keys. Any ciphertext that
the adversary cannot trivially decrypt given the obtained secret and re-encryption
keys should be secure.\r\n\r\nAll existing security proofs for PRE only show selective
security, where the adversary must first declare the users it wants to corrupt.
This can be lifted to more meaningful adaptive security by guessing the set of
corrupted users among the n users, which loses a factor exponential in Open image
in new window , rendering the result meaningless already for moderate Open image
in new window .\r\n\r\nJafargholi et al. (CRYPTO’17) proposed a framework that
in some cases allows to give adaptive security proofs for schemes which were previously
only known to be selectively secure, while avoiding the exponential loss that
results from guessing the adaptive choices made by an adversary. We apply their
framework to PREs that satisfy some natural additional properties. Concretely,
we give a more fine-grained reduction for several unidirectional PREs, proving
adaptive security at a much smaller loss. The loss depends on the graph of users
whose edges represent the re-encryption keys queried by the adversary. For trees
and chains the loss is quasi-polynomial in the size and for general graphs it
is exponential in their depth and indegree (instead of their size as for previous
reductions). Fortunately, trees and low-depth graphs cover many, if not most,
interesting applications.\r\n\r\nOur results apply e.g. to the bilinear-map based
PRE schemes by Ateniese et al. (NDSS’05 and CT-RSA’09), Gentry’s FHE-based scheme
(STOC’09) and the LWE-based scheme by Chandran et al. (PKC’14)."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Georg
full_name: Fuchsbauer, Georg
id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
last_name: Fuchsbauer
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Fuchsbauer G, Kamath Hosdurg C, Klein K, Pietrzak KZ. Adaptively secure proxy
re-encryption. In: Vol 11443. Springer Nature; 2019:317-346. doi:10.1007/978-3-030-17259-6_11'
apa: 'Fuchsbauer, G., Kamath Hosdurg, C., Klein, K., & Pietrzak, K. Z. (2019).
Adaptively secure proxy re-encryption (Vol. 11443, pp. 317–346). Presented at
the PKC: Public-Key Cryptograhy, Beijing, China: Springer Nature. https://doi.org/10.1007/978-3-030-17259-6_11'
chicago: Fuchsbauer, Georg, Chethan Kamath Hosdurg, Karen Klein, and Krzysztof Z
Pietrzak. “Adaptively Secure Proxy Re-Encryption,” 11443:317–46. Springer Nature,
2019. https://doi.org/10.1007/978-3-030-17259-6_11.
ieee: 'G. Fuchsbauer, C. Kamath Hosdurg, K. Klein, and K. Z. Pietrzak, “Adaptively
secure proxy re-encryption,” presented at the PKC: Public-Key Cryptograhy, Beijing,
China, 2019, vol. 11443, pp. 317–346.'
ista: 'Fuchsbauer G, Kamath Hosdurg C, Klein K, Pietrzak KZ. 2019. Adaptively secure
proxy re-encryption. PKC: Public-Key Cryptograhy, LNCS, vol. 11443, 317–346.'
mla: Fuchsbauer, Georg, et al. Adaptively Secure Proxy Re-Encryption. Vol.
11443, Springer Nature, 2019, pp. 317–46, doi:10.1007/978-3-030-17259-6_11.
short: G. Fuchsbauer, C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, in:, Springer
Nature, 2019, pp. 317–346.
conference:
end_date: 2019-04-17
location: Beijing, China
name: 'PKC: Public-Key Cryptograhy'
start_date: 2019-04-14
date_created: 2019-05-13T08:13:46Z
date_published: 2019-04-06T00:00:00Z
date_updated: 2023-09-08T11:33:20Z
day: '06'
department:
- _id: KrPi
doi: 10.1007/978-3-030-17259-6_11
ec_funded: 1
intvolume: ' 11443'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2018/426
month: '04'
oa: 1
oa_version: Preprint
page: 317-346
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
eissn:
- '16113349'
isbn:
- '9783030172589'
issn:
- '03029743'
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
related_material:
record:
- id: '10035'
relation: dissertation_contains
status: public
scopus_import: '1'
status: public
title: Adaptively secure proxy re-encryption
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 11443
year: '2019'
...
---
_id: '10286'
abstract:
- lang: eng
text: 'In this paper, we evaluate clock signals generated in ring oscillators and
self-timed rings and the way their jitter can be transformed into random numbers.
We show that counting the periods of the jittery clock signal produces random
numbers of significantly better quality than the methods in which the jittery
signal is simply sampled (the case in almost all current methods). Moreover, we
use the counter values to characterize and continuously monitor the source of
randomness. However, instead of using the widely used statistical variance, we
propose to use Allan variance to do so. There are two main advantages: Allan variance
is insensitive to low frequency noises such as flicker noise that are known to
be autocorrelated and significantly less circuitry is required for its computation
than that used to compute commonly used variance. We also show that it is essential
to use a differential principle of randomness extraction from the jitter based
on the use of two identical oscillators to avoid autocorrelations originating
from external and internal global jitter sources and that this fact is valid for
both kinds of rings. Last but not least, we propose a method of statistical testing
based on high order Markov model to show the reduced dependencies when the proposed
randomness extraction is applied.'
article_processing_charge: No
article_type: original
author:
- first_name: Elie Noumon
full_name: Allini, Elie Noumon
last_name: Allini
- first_name: Maciej
full_name: Skórski, Maciej
id: EC09FA6A-02D0-11E9-8223-86B7C91467DD
last_name: Skórski
- first_name: Oto
full_name: Petura, Oto
last_name: Petura
- first_name: Florent
full_name: Bernard, Florent
last_name: Bernard
- first_name: Marek
full_name: Laban, Marek
last_name: Laban
- first_name: Viktor
full_name: Fischer, Viktor
last_name: Fischer
citation:
ama: Allini EN, Skórski M, Petura O, Bernard F, Laban M, Fischer V. Evaluation and
monitoring of free running oscillators serving as source of randomness. IACR
Transactions on Cryptographic Hardware and Embedded Systems. 2018;2018(3):214-242.
doi:10.13154/tches.v2018.i3.214-242
apa: Allini, E. N., Skórski, M., Petura, O., Bernard, F., Laban, M., & Fischer,
V. (2018). Evaluation and monitoring of free running oscillators serving as source
of randomness. IACR Transactions on Cryptographic Hardware and Embedded Systems.
International Association for Cryptologic Research. https://doi.org/10.13154/tches.v2018.i3.214-242
chicago: Allini, Elie Noumon, Maciej Skórski, Oto Petura, Florent Bernard, Marek
Laban, and Viktor Fischer. “Evaluation and Monitoring of Free Running Oscillators
Serving as Source of Randomness.” IACR Transactions on Cryptographic Hardware
and Embedded Systems. International Association for Cryptologic Research,
2018. https://doi.org/10.13154/tches.v2018.i3.214-242.
ieee: E. N. Allini, M. Skórski, O. Petura, F. Bernard, M. Laban, and V. Fischer,
“Evaluation and monitoring of free running oscillators serving as source of randomness,”
IACR Transactions on Cryptographic Hardware and Embedded Systems, vol.
2018, no. 3. International Association for Cryptologic Research, pp. 214–242,
2018.
ista: Allini EN, Skórski M, Petura O, Bernard F, Laban M, Fischer V. 2018. Evaluation
and monitoring of free running oscillators serving as source of randomness. IACR
Transactions on Cryptographic Hardware and Embedded Systems. 2018(3), 214–242.
mla: Allini, Elie Noumon, et al. “Evaluation and Monitoring of Free Running Oscillators
Serving as Source of Randomness.” IACR Transactions on Cryptographic Hardware
and Embedded Systems, vol. 2018, no. 3, International Association for Cryptologic
Research, 2018, pp. 214–42, doi:10.13154/tches.v2018.i3.214-242.
short: E.N. Allini, M. Skórski, O. Petura, F. Bernard, M. Laban, V. Fischer, IACR
Transactions on Cryptographic Hardware and Embedded Systems 2018 (2018) 214–242.
date_created: 2021-11-14T23:01:25Z
date_published: 2018-01-01T00:00:00Z
date_updated: 2021-11-15T10:48:49Z
day: '01'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.13154/tches.v2018.i3.214-242
file:
- access_level: open_access
checksum: b816b848f046c48a8357700d9305dce5
content_type: application/pdf
creator: cchlebak
date_created: 2021-11-15T10:27:29Z
date_updated: 2021-11-15T10:27:29Z
file_id: '10289'
file_name: 2018_IACR_Allini.pdf
file_size: 955755
relation: main_file
success: 1
file_date_updated: 2021-11-15T10:27:29Z
has_accepted_license: '1'
intvolume: ' 2018'
issue: '3'
language:
- iso: eng
month: '01'
oa: 1
oa_version: Published Version
page: 214-242
publication: IACR Transactions on Cryptographic Hardware and Embedded Systems
publication_identifier:
eissn:
- 2569-2925
publication_status: published
publisher: International Association for Cryptologic Research
quality_controlled: '1'
scopus_import: '1'
status: public
title: Evaluation and monitoring of free running oscillators serving as source of
randomness
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: journal_article
user_id: 8b945eb4-e2f2-11eb-945a-df72226e66a9
volume: 2018
year: '2018'
...
---
_id: '7407'
abstract:
- lang: eng
text: 'Proofs of space (PoS) [Dziembowski et al., CRYPTO''15] are proof systems
where a prover can convince a verifier that he "wastes" disk space. PoS were introduced
as a more ecological and economical replacement for proofs of work which are currently
used to secure blockchains like Bitcoin. In this work we investigate extensions
of PoS which allow the prover to embed useful data into the dedicated space, which
later can be recovered. Our first contribution is a security proof for the original
PoS from CRYPTO''15 in the random oracle model (the original proof only applied
to a restricted class of adversaries which can store a subset of the data an honest
prover would store). When this PoS is instantiated with recent constructions of
maximally depth robust graphs, our proof implies basically optimal security. As
a second contribution we show three different extensions of this PoS where useful
data can be embedded into the space required by the prover. Our security proof
for the PoS extends (non-trivially) to these constructions. We discuss how some
of these variants can be used as proofs of catalytic space (PoCS), a notion we
put forward in this work, and which basically is a PoS where most of the space
required by the prover can be used to backup useful data. Finally we discuss how
one of the extensions is a candidate construction for a proof of replication (PoR),
a proof system recently suggested in the Filecoin whitepaper. '
alternative_title:
- LIPIcs
article_processing_charge: No
author:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Pietrzak KZ. Proofs of catalytic space. In: 10th Innovations in Theoretical
Computer Science Conference (ITCS 2019). Vol 124. Schloss Dagstuhl - Leibniz-Zentrum
für Informatik; 2018:59:1-59:25. doi:10.4230/LIPICS.ITCS.2019.59'
apa: 'Pietrzak, K. Z. (2018). Proofs of catalytic space. In 10th Innovations
in Theoretical Computer Science Conference (ITCS 2019) (Vol. 124, p. 59:1-59:25).
San Diego, CA, United States: Schloss Dagstuhl - Leibniz-Zentrum für Informatik.
https://doi.org/10.4230/LIPICS.ITCS.2019.59'
chicago: Pietrzak, Krzysztof Z. “Proofs of Catalytic Space.” In 10th Innovations
in Theoretical Computer Science Conference (ITCS 2019), 124:59:1-59:25. Schloss
Dagstuhl - Leibniz-Zentrum für Informatik, 2018. https://doi.org/10.4230/LIPICS.ITCS.2019.59.
ieee: K. Z. Pietrzak, “Proofs of catalytic space,” in 10th Innovations in Theoretical
Computer Science Conference (ITCS 2019), San Diego, CA, United States, 2018,
vol. 124, p. 59:1-59:25.
ista: 'Pietrzak KZ. 2018. Proofs of catalytic space. 10th Innovations in Theoretical
Computer Science Conference (ITCS 2019). ITCS: Innovations in theoretical Computer
Science Conference, LIPIcs, vol. 124, 59:1-59:25.'
mla: Pietrzak, Krzysztof Z. “Proofs of Catalytic Space.” 10th Innovations in
Theoretical Computer Science Conference (ITCS 2019), vol. 124, Schloss Dagstuhl
- Leibniz-Zentrum für Informatik, 2018, p. 59:1-59:25, doi:10.4230/LIPICS.ITCS.2019.59.
short: K.Z. Pietrzak, in:, 10th Innovations in Theoretical Computer Science Conference
(ITCS 2019), Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2018, p. 59:1-59:25.
conference:
end_date: 2019-01-12
location: San Diego, CA, United States
name: 'ITCS: Innovations in theoretical Computer Science Conference'
start_date: 2019-01-10
date_created: 2020-01-30T09:16:05Z
date_published: 2018-12-31T00:00:00Z
date_updated: 2021-01-12T08:13:26Z
day: '31'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.4230/LIPICS.ITCS.2019.59
ec_funded: 1
file:
- access_level: open_access
checksum: 5cebb7f7849a3beda898f697d755dd96
content_type: application/pdf
creator: dernst
date_created: 2020-02-04T08:17:52Z
date_updated: 2020-07-14T12:47:57Z
file_id: '7443'
file_name: 2018_LIPIcs_Pietrzak.pdf
file_size: 822884
relation: main_file
file_date_updated: 2020-07-14T12:47:57Z
has_accepted_license: '1'
intvolume: ' 124'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2018/194
month: '12'
oa: 1
oa_version: Published Version
page: 59:1-59:25
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: 10th Innovations in Theoretical Computer Science Conference (ITCS 2019)
publication_identifier:
isbn:
- 978-3-95977-095-8
issn:
- 1868-8969
publication_status: published
publisher: Schloss Dagstuhl - Leibniz-Zentrum für Informatik
quality_controlled: '1'
scopus_import: 1
status: public
title: Proofs of catalytic space
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 124
year: '2018'
...
---
_id: '83'
abstract:
- lang: eng
text: "A proof system is a protocol between a prover and a verifier over a common
input in which an honest prover convinces the verifier of the validity of true
statements. Motivated by the success of decentralized cryptocurrencies, exemplified
by Bitcoin, the focus of this thesis will be on proof systems which found applications
in some sustainable alternatives to Bitcoin, such as the Spacemint and Chia cryptocurrencies.
In particular, we focus on proofs of space and proofs of sequential work.\r\nProofs
of space (PoSpace) were suggested as more ecological, economical, and egalitarian
alternative to the energy-wasteful proof-of-work mining of Bitcoin. However, the
state-of-the-art constructions of PoSpace are based on sophisticated graph pebbling
lower bounds, and are therefore complex. Moreover, when these PoSpace are used
in cryptocurrencies like Spacemint, miners can only start mining after ensuring
that a commitment to their space is already added in a special transaction to
the blockchain. Proofs of sequential work (PoSW) are proof systems in which a
prover, upon receiving a statement x and a time parameter T, computes a proof
which convinces the verifier that T time units had passed since x was received.
Whereas Spacemint assumes synchrony to retain some interesting Bitcoin dynamics,
Chia requires PoSW with unique proofs, i.e., PoSW in which it is hard to come
up with more than one accepting proof for any true statement. In this thesis we
construct simple and practically-efficient PoSpace and PoSW. When using our PoSpace
in cryptocurrencies, miners can start mining on the fly, like in Bitcoin, and
unlike current constructions of PoSW, which either achieve efficient verification
of sequential work, or faster-than-recomputing verification of correctness of
proofs, but not both at the same time, ours achieve the best of these two worlds."
alternative_title:
- ISTA Thesis
article_processing_charge: No
author:
- first_name: Hamza M
full_name: Abusalah, Hamza M
id: 40297222-F248-11E8-B48F-1D18A9856A87
last_name: Abusalah
citation:
ama: Abusalah HM. Proof systems for sustainable decentralized cryptocurrencies.
2018. doi:10.15479/AT:ISTA:TH_1046
apa: Abusalah, H. M. (2018). Proof systems for sustainable decentralized cryptocurrencies.
Institute of Science and Technology Austria. https://doi.org/10.15479/AT:ISTA:TH_1046
chicago: Abusalah, Hamza M. “Proof Systems for Sustainable Decentralized Cryptocurrencies.”
Institute of Science and Technology Austria, 2018. https://doi.org/10.15479/AT:ISTA:TH_1046.
ieee: H. M. Abusalah, “Proof systems for sustainable decentralized cryptocurrencies,”
Institute of Science and Technology Austria, 2018.
ista: Abusalah HM. 2018. Proof systems for sustainable decentralized cryptocurrencies.
Institute of Science and Technology Austria.
mla: Abusalah, Hamza M. Proof Systems for Sustainable Decentralized Cryptocurrencies.
Institute of Science and Technology Austria, 2018, doi:10.15479/AT:ISTA:TH_1046.
short: H.M. Abusalah, Proof Systems for Sustainable Decentralized Cryptocurrencies,
Institute of Science and Technology Austria, 2018.
date_created: 2018-12-11T11:44:32Z
date_published: 2018-09-05T00:00:00Z
date_updated: 2023-09-07T12:30:23Z
day: '05'
ddc:
- '004'
degree_awarded: PhD
department:
- _id: KrPi
doi: 10.15479/AT:ISTA:TH_1046
ec_funded: 1
file:
- access_level: open_access
checksum: c4b5f7d111755d1396787f41886fc674
content_type: application/pdf
creator: dernst
date_created: 2019-04-09T06:43:41Z
date_updated: 2020-07-14T12:48:11Z
file_id: '6245'
file_name: 2018_Thesis_Abusalah.pdf
file_size: 876241
relation: main_file
- access_level: closed
checksum: 0f382ac56b471c48fd907d63eb87dafe
content_type: application/x-gzip
creator: dernst
date_created: 2019-04-09T06:43:41Z
date_updated: 2020-07-14T12:48:11Z
file_id: '6246'
file_name: 2018_Thesis_Abusalah_source.tar.gz
file_size: 2029190
relation: source_file
file_date_updated: 2020-07-14T12:48:11Z
has_accepted_license: '1'
language:
- iso: eng
month: '09'
oa: 1
oa_version: Published Version
page: '59'
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_identifier:
issn:
- 2663-337X
publication_status: published
publisher: Institute of Science and Technology Austria
publist_id: '7971'
pubrep_id: '1046'
related_material:
record:
- id: '1229'
relation: part_of_dissertation
status: public
- id: '1235'
relation: part_of_dissertation
status: public
- id: '1236'
relation: part_of_dissertation
status: public
- id: '559'
relation: part_of_dissertation
status: public
status: public
supervisor:
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
title: Proof systems for sustainable decentralized cryptocurrencies
type: dissertation
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
year: '2018'
...
---
_id: '108'
abstract:
- lang: eng
text: Universal hashing found a lot of applications in computer science. In cryptography
the most important fact about universal families is the so called Leftover Hash
Lemma, proved by Impagliazzo, Levin and Luby. In the language of modern cryptography
it states that almost universal families are good extractors. In this work we
provide a somewhat surprising characterization in the opposite direction. Namely,
every extractor with sufficiently good parameters yields a universal family on
a noticeable fraction of its inputs. Our proof technique is based on tools from
extremal graph theory applied to the \'collision graph\' induced by the extractor,
and may be of independent interest. We discuss possible applications to the theory
of randomness extractors and non-malleable codes.
alternative_title:
- ISIT Proceedings
article_processing_charge: No
author:
- first_name: Marciej
full_name: Obremski, Marciej
last_name: Obremski
- first_name: Maciej
full_name: Skorski, Maciej
id: EC09FA6A-02D0-11E9-8223-86B7C91467DD
last_name: Skorski
citation:
ama: 'Obremski M, Skórski M. Inverted leftover hash lemma. In: Vol 2018. IEEE; 2018.
doi:10.1109/ISIT.2018.8437654'
apa: 'Obremski, M., & Skórski, M. (2018). Inverted leftover hash lemma (Vol.
2018). Presented at the ISIT: International Symposium on Information Theory, Vail,
CO, USA: IEEE. https://doi.org/10.1109/ISIT.2018.8437654'
chicago: Obremski, Marciej, and Maciej Skórski. “Inverted Leftover Hash Lemma,”
Vol. 2018. IEEE, 2018. https://doi.org/10.1109/ISIT.2018.8437654.
ieee: 'M. Obremski and M. Skórski, “Inverted leftover hash lemma,” presented at
the ISIT: International Symposium on Information Theory, Vail, CO, USA, 2018,
vol. 2018.'
ista: 'Obremski M, Skórski M. 2018. Inverted leftover hash lemma. ISIT: International
Symposium on Information Theory, ISIT Proceedings, vol. 2018.'
mla: Obremski, Marciej, and Maciej Skórski. Inverted Leftover Hash Lemma.
Vol. 2018, IEEE, 2018, doi:10.1109/ISIT.2018.8437654.
short: M. Obremski, M. Skórski, in:, IEEE, 2018.
conference:
end_date: 2018-06-22
location: Vail, CO, USA
name: 'ISIT: International Symposium on Information Theory'
start_date: '2018-06-17 '
date_created: 2018-12-11T11:44:40Z
date_published: 2018-08-16T00:00:00Z
date_updated: 2023-09-13T08:23:18Z
day: '16'
department:
- _id: KrPi
doi: 10.1109/ISIT.2018.8437654
external_id:
isi:
- '000448139300368'
intvolume: ' 2018'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2017/507
month: '08'
oa: 1
oa_version: Submitted Version
publication_status: published
publisher: IEEE
publist_id: '7946'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Inverted leftover hash lemma
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 2018
year: '2018'
...
---
_id: '107'
abstract:
- lang: eng
text: 'We introduce the notion of “non-malleable codes” which relaxes the notion
of error correction and error detection. Informally, a code is non-malleable if
the message contained in a modified codeword is either the original message, or
a completely unrelated value. In contrast to error correction and error detection,
non-malleability can be achieved for very rich classes of modifications. We construct
an efficient code that is non-malleable with respect to modifications that affect
each bit of the codeword arbitrarily (i.e., leave it untouched, flip it, or set
it to either 0 or 1), but independently of the value of the other bits of the
codeword. Using the probabilistic method, we also show a very strong and general
statement: there exists a non-malleable code for every “small enough” family F
of functions via which codewords can be modified. Although this probabilistic
method argument does not directly yield efficient constructions, it gives us efficient
non-malleable codes in the random-oracle model for very general classes of tampering
functions—e.g., functions where every bit in the tampered codeword can depend
arbitrarily on any 99% of the bits in the original codeword. As an application
of non-malleable codes, we show that they provide an elegant algorithmic solution
to the task of protecting functionalities implemented in hardware (e.g., signature
cards) against “tampering attacks.” In such attacks, the secret state of a physical
system is tampered, in the hopes that future interaction with the modified system
will reveal some secret information. This problem was previously studied in the
work of Gennaro et al. in 2004 under the name “algorithmic tamper proof security”
(ATP). We show that non-malleable codes can be used to achieve important improvements
over the prior work. In particular, we show that any functionality can be made
secure against a large class of tampering attacks, simply by encoding the secret
state with a non-malleable code while it is stored in memory.'
article_number: '20'
article_processing_charge: No
article_type: original
author:
- first_name: Stefan
full_name: Dziembowski, Stefan
last_name: Dziembowski
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Daniel
full_name: Wichs, Daniel
last_name: Wichs
citation:
ama: Dziembowski S, Pietrzak KZ, Wichs D. Non-malleable codes. Journal of the
ACM. 2018;65(4). doi:10.1145/3178432
apa: Dziembowski, S., Pietrzak, K. Z., & Wichs, D. (2018). Non-malleable codes.
Journal of the ACM. ACM. https://doi.org/10.1145/3178432
chicago: Dziembowski, Stefan, Krzysztof Z Pietrzak, and Daniel Wichs. “Non-Malleable
Codes.” Journal of the ACM. ACM, 2018. https://doi.org/10.1145/3178432.
ieee: S. Dziembowski, K. Z. Pietrzak, and D. Wichs, “Non-malleable codes,” Journal
of the ACM, vol. 65, no. 4. ACM, 2018.
ista: Dziembowski S, Pietrzak KZ, Wichs D. 2018. Non-malleable codes. Journal of
the ACM. 65(4), 20.
mla: Dziembowski, Stefan, et al. “Non-Malleable Codes.” Journal of the ACM,
vol. 65, no. 4, 20, ACM, 2018, doi:10.1145/3178432.
short: S. Dziembowski, K.Z. Pietrzak, D. Wichs, Journal of the ACM 65 (2018).
date_created: 2018-12-11T11:44:40Z
date_published: 2018-08-01T00:00:00Z
date_updated: 2023-09-13T09:05:17Z
day: '01'
department:
- _id: KrPi
doi: 10.1145/3178432
ec_funded: 1
external_id:
isi:
- '000442938200004'
intvolume: ' 65'
isi: 1
issue: '4'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2009/608
month: '08'
oa: 1
oa_version: Preprint
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
- _id: 258C570E-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '259668'
name: Provable Security for Physical Cryptography
publication: Journal of the ACM
publication_status: published
publisher: ACM
publist_id: '7947'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Non-malleable codes
type: journal_article
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 65
year: '2018'
...
---
_id: '193'
abstract:
- lang: eng
text: 'We show attacks on five data-independent memory-hard functions (iMHF) that
were submitted to the password hashing competition (PHC). Informally, an MHF is
a function which cannot be evaluated on dedicated hardware, like ASICs, at significantly
lower hardware and/or energy cost than evaluating a single instance on a standard
single-core architecture. Data-independent means the memory access pattern of
the function is independent of the input; this makes iMHFs harder to construct
than data-dependent ones, but the latter can be attacked by various side-channel
attacks. Following [Alwen-Blocki''16], we capture the evaluation of an iMHF as
a directed acyclic graph (DAG). The cumulative parallel pebbling complexity of
this DAG is a measure for the hardware cost of evaluating the iMHF on an ASIC.
Ideally, one would like the complexity of a DAG underlying an iMHF to be as close
to quadratic in the number of nodes of the graph as possible. Instead, we show
that (the DAGs underlying) the following iMHFs are far from this bound: Rig.v2,
TwoCats and Gambit each having an exponent no more than 1.75. Moreover, we show
that the complexity of the iMHF modes of the PHC finalists Pomelo and Lyra2 have
exponents at most 1.83 and 1.67 respectively. To show this we investigate a combinatorial
property of each underlying DAG (called its depth-robustness. By establishing
upper bounds on this property we are then able to apply the general technique
of [Alwen-Block''16] for analyzing the hardware costs of an iMHF.'
acknowledgement: Leonid Reyzin was supported in part by IST Austria and by US NSF
grants 1012910, 1012798, and 1422965; this research was performed while he was visiting
IST Austria.
article_processing_charge: No
author:
- first_name: Joel F
full_name: Alwen, Joel F
id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
last_name: Alwen
- first_name: Peter
full_name: Gazi, Peter
last_name: Gazi
- first_name: Chethan
full_name: Kamath Hosdurg, Chethan
id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
last_name: Kamath Hosdurg
- first_name: Karen
full_name: Klein, Karen
id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
last_name: Klein
- first_name: Georg F
full_name: Osang, Georg F
id: 464B40D6-F248-11E8-B48F-1D18A9856A87
last_name: Osang
orcid: 0000-0002-8882-5116
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
- first_name: Lenoid
full_name: Reyzin, Lenoid
last_name: Reyzin
- first_name: Michal
full_name: Rolinek, Michal
id: 3CB3BC06-F248-11E8-B48F-1D18A9856A87
last_name: Rolinek
- first_name: Michal
full_name: Rybar, Michal
id: 2B3E3DE8-F248-11E8-B48F-1D18A9856A87
last_name: Rybar
citation:
ama: 'Alwen JF, Gazi P, Kamath Hosdurg C, et al. On the memory hardness of data
independent password hashing functions. In: Proceedings of the 2018 on Asia
Conference on Computer and Communication Security. ACM; 2018:51-65. doi:10.1145/3196494.3196534'
apa: 'Alwen, J. F., Gazi, P., Kamath Hosdurg, C., Klein, K., Osang, G. F., Pietrzak,
K. Z., … Rybar, M. (2018). On the memory hardness of data independent password
hashing functions. In Proceedings of the 2018 on Asia Conference on Computer
and Communication Security (pp. 51–65). Incheon, Republic of Korea: ACM. https://doi.org/10.1145/3196494.3196534'
chicago: Alwen, Joel F, Peter Gazi, Chethan Kamath Hosdurg, Karen Klein, Georg F
Osang, Krzysztof Z Pietrzak, Lenoid Reyzin, Michal Rolinek, and Michal Rybar.
“On the Memory Hardness of Data Independent Password Hashing Functions.” In Proceedings
of the 2018 on Asia Conference on Computer and Communication Security, 51–65.
ACM, 2018. https://doi.org/10.1145/3196494.3196534.
ieee: J. F. Alwen et al., “On the memory hardness of data independent password
hashing functions,” in Proceedings of the 2018 on Asia Conference on Computer
and Communication Security, Incheon, Republic of Korea, 2018, pp. 51–65.
ista: 'Alwen JF, Gazi P, Kamath Hosdurg C, Klein K, Osang GF, Pietrzak KZ, Reyzin
L, Rolinek M, Rybar M. 2018. On the memory hardness of data independent password
hashing functions. Proceedings of the 2018 on Asia Conference on Computer and
Communication Security. ASIACCS: Asia Conference on Computer and Communications
Security , 51–65.'
mla: Alwen, Joel F., et al. “On the Memory Hardness of Data Independent Password
Hashing Functions.” Proceedings of the 2018 on Asia Conference on Computer
and Communication Security, ACM, 2018, pp. 51–65, doi:10.1145/3196494.3196534.
short: J.F. Alwen, P. Gazi, C. Kamath Hosdurg, K. Klein, G.F. Osang, K.Z. Pietrzak,
L. Reyzin, M. Rolinek, M. Rybar, in:, Proceedings of the 2018 on Asia Conference
on Computer and Communication Security, ACM, 2018, pp. 51–65.
conference:
end_date: 2018-06-08
location: Incheon, Republic of Korea
name: 'ASIACCS: Asia Conference on Computer and Communications Security '
start_date: 2018-06-04
date_created: 2018-12-11T11:45:07Z
date_published: 2018-06-01T00:00:00Z
date_updated: 2023-09-13T09:13:12Z
day: '01'
department:
- _id: KrPi
- _id: HeEd
- _id: VlKo
doi: 10.1145/3196494.3196534
ec_funded: 1
external_id:
isi:
- '000516620100005'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2016/783
month: '06'
oa: 1
oa_version: Submitted Version
page: 51 - 65
project:
- _id: 25FBA906-B435-11E9-9278-68D0E5697425
call_identifier: FP7
grant_number: '616160'
name: 'Discrete Optimization in Computer Vision: Theory and Practice'
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication: Proceedings of the 2018 on Asia Conference on Computer and Communication
Security
publication_status: published
publisher: ACM
publist_id: '7723'
quality_controlled: '1'
scopus_import: '1'
status: public
title: On the memory hardness of data independent password hashing functions
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
year: '2018'
...
---
_id: '300'
abstract:
- lang: eng
text: We introduce a formal quantitative notion of “bit security” for a general
type of cryptographic games (capturing both decision and search problems), aimed
at capturing the intuition that a cryptographic primitive with k-bit security
is as hard to break as an ideal cryptographic function requiring a brute force
attack on a k-bit key space. Our new definition matches the notion of bit security
commonly used by cryptographers and cryptanalysts when studying search (e.g.,
key recovery) problems, where the use of the traditional definition is well established.
However, it produces a quantitatively different metric in the case of decision
(indistinguishability) problems, where the use of (a straightforward generalization
of) the traditional definition is more problematic and leads to a number of paradoxical
situations or mismatches between theoretical/provable security and practical/common
sense intuition. Key to our new definition is to consider adversaries that may
explicitly declare failure of the attack. We support and justify the new definition
by proving a number of technical results, including tight reductions between several
standard cryptographic problems, a new hybrid theorem that preserves bit security,
and an application to the security analysis of indistinguishability primitives
making use of (approximate) floating point numbers. This is the first result showing
that (standard precision) 53-bit floating point numbers can be used to achieve
100-bit security in the context of cryptographic primitives with general indistinguishability-based
security definitions. Previous results of this type applied only to search problems,
or special types of decision problems.
acknowledgement: Research supported in part by the Defense Advanced Research Projects
Agency (DARPA) and the U.S. Army Research Office under the SafeWare program. Opinions,
findings and conclusions or recommendations expressed in this material are those
of the author(s) and do not necessarily reflect the views, position or policy of
the Government. The second author was also supported by the European Research Council,
ERC consolidator grant (682815 - TOCNeT).
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Daniele
full_name: Micciancio, Daniele
last_name: Micciancio
- first_name: Michael
full_name: Walter, Michael
id: 488F98B0-F248-11E8-B48F-1D18A9856A87
last_name: Walter
orcid: 0000-0003-3186-2482
citation:
ama: 'Micciancio D, Walter M. On the bit security of cryptographic primitives. In:
Vol 10820. Springer; 2018:3-28. doi:10.1007/978-3-319-78381-9_1'
apa: 'Micciancio, D., & Walter, M. (2018). On the bit security of cryptographic
primitives (Vol. 10820, pp. 3–28). Presented at the Eurocrypt: Advances in Cryptology,
Tel Aviv, Israel: Springer. https://doi.org/10.1007/978-3-319-78381-9_1'
chicago: Micciancio, Daniele, and Michael Walter. “On the Bit Security of Cryptographic
Primitives,” 10820:3–28. Springer, 2018. https://doi.org/10.1007/978-3-319-78381-9_1.
ieee: 'D. Micciancio and M. Walter, “On the bit security of cryptographic primitives,”
presented at the Eurocrypt: Advances in Cryptology, Tel Aviv, Israel, 2018, vol.
10820, pp. 3–28.'
ista: 'Micciancio D, Walter M. 2018. On the bit security of cryptographic primitives.
Eurocrypt: Advances in Cryptology, LNCS, vol. 10820, 3–28.'
mla: Micciancio, Daniele, and Michael Walter. On the Bit Security of Cryptographic
Primitives. Vol. 10820, Springer, 2018, pp. 3–28, doi:10.1007/978-3-319-78381-9_1.
short: D. Micciancio, M. Walter, in:, Springer, 2018, pp. 3–28.
conference:
end_date: 2018-05-03
location: Tel Aviv, Israel
name: 'Eurocrypt: Advances in Cryptology'
start_date: 2018-04-29
date_created: 2018-12-11T11:45:42Z
date_published: 2018-03-31T00:00:00Z
date_updated: 2023-09-13T09:12:04Z
day: '31'
department:
- _id: KrPi
doi: 10.1007/978-3-319-78381-9_1
ec_funded: 1
external_id:
isi:
- '000517097500001'
intvolume: ' 10820'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2018/077
month: '03'
oa: 1
oa_version: Submitted Version
page: 3 - 28
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '682815'
name: Teaching Old Crypto New Tricks
publication_status: published
publisher: Springer
publist_id: '7581'
quality_controlled: '1'
scopus_import: '1'
status: public
title: On the bit security of cryptographic primitives
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 10820
year: '2018'
...