--- _id: '1647' abstract: - lang: eng text: Round-optimal blind signatures are notoriously hard to construct in the standard model, especially in the malicious-signer model, where blindness must hold under adversarially chosen keys. This is substantiated by several impossibility results. The only construction that can be termed theoretically efficient, by Garg and Gupta (Eurocrypt’14), requires complexity leveraging, inducing an exponential security loss. We present a construction of practically efficient round-optimal blind signatures in the standard model. It is conceptually simple and builds on the recent structure-preserving signatures on equivalence classes (SPSEQ) from Asiacrypt’14. While the traditional notion of blindness follows from standard assumptions, we prove blindness under adversarially chosen keys under an interactive variant of DDH. However, we neither require non-uniform assumptions nor complexity leveraging. We then show how to extend our construction to partially blind signatures and to blind signatures on message vectors, which yield a construction of one-show anonymous credentials à la “anonymous credentials light” (CCS’13) in the standard model. Furthermore, we give the first SPS-EQ construction under noninteractive assumptions and show how SPS-EQ schemes imply conventional structure-preserving signatures, which allows us to apply optimality results for the latter to SPS-EQ. alternative_title: - LNCS article_processing_charge: No author: - first_name: Georg full_name: Fuchsbauer, Georg id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87 last_name: Fuchsbauer - first_name: Christian full_name: Hanser, Christian last_name: Hanser - first_name: Daniel full_name: Slamanig, Daniel last_name: Slamanig citation: ama: 'Fuchsbauer G, Hanser C, Slamanig D. Practical round-optimal blind signatures in the standard model. In: Vol 9216. Springer; 2015:233-253. doi:10.1007/978-3-662-48000-7_12' apa: 'Fuchsbauer, G., Hanser, C., & Slamanig, D. (2015). Practical round-optimal blind signatures in the standard model (Vol. 9216, pp. 233–253). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-662-48000-7_12' chicago: Fuchsbauer, Georg, Christian Hanser, and Daniel Slamanig. “Practical Round-Optimal Blind Signatures in the Standard Model,” 9216:233–53. Springer, 2015. https://doi.org/10.1007/978-3-662-48000-7_12. ieee: 'G. Fuchsbauer, C. Hanser, and D. Slamanig, “Practical round-optimal blind signatures in the standard model,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States, 2015, vol. 9216, pp. 233–253.' ista: 'Fuchsbauer G, Hanser C, Slamanig D. 2015. Practical round-optimal blind signatures in the standard model. CRYPTO: International Cryptology Conference, LNCS, vol. 9216, 233–253.' mla: Fuchsbauer, Georg, et al. Practical Round-Optimal Blind Signatures in the Standard Model. Vol. 9216, Springer, 2015, pp. 233–53, doi:10.1007/978-3-662-48000-7_12. short: G. Fuchsbauer, C. Hanser, D. Slamanig, in:, Springer, 2015, pp. 233–253. conference: end_date: 2015-08-20 location: Santa Barbara, CA, United States name: 'CRYPTO: International Cryptology Conference' start_date: 2015-08-16 date_created: 2018-12-11T11:53:14Z date_published: 2015-08-01T00:00:00Z date_updated: 2023-02-21T16:44:51Z day: '01' department: - _id: KrPi doi: 10.1007/978-3-662-48000-7_12 ec_funded: 1 intvolume: ' 9216' language: - iso: eng main_file_link: - open_access: '1' url: https://eprint.iacr.org/2015/626.pdf month: '08' oa: 1 oa_version: Submitted Version page: 233 - 253 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication_status: published publisher: Springer publist_id: '5503' quality_controlled: '1' related_material: record: - id: '1225' relation: later_version status: public scopus_import: 1 status: public title: Practical round-optimal blind signatures in the standard model type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 volume: 9216 year: '2015' ... --- _id: '1645' abstract: - lang: eng text: Secret-key constructions are often proved secure in a model where one or more underlying components are replaced by an idealized oracle accessible to the attacker. This model gives rise to information-theoretic security analyses, and several advances have been made in this area over the last few years. This paper provides a systematic overview of what is achievable in this model, and how existing works fit into this view. article_number: '7133163' author: - first_name: Peter full_name: Gazi, Peter id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87 last_name: Gazi - first_name: Stefano full_name: Tessaro, Stefano last_name: Tessaro citation: ama: 'Gazi P, Tessaro S. Secret-key cryptography from ideal primitives: A systematic verview. In: 2015 IEEE Information Theory Workshop. IEEE; 2015. doi:10.1109/ITW.2015.7133163' apa: 'Gazi, P., & Tessaro, S. (2015). Secret-key cryptography from ideal primitives: A systematic verview. In 2015 IEEE Information Theory Workshop. Jerusalem, Israel: IEEE. https://doi.org/10.1109/ITW.2015.7133163' chicago: 'Gazi, Peter, and Stefano Tessaro. “Secret-Key Cryptography from Ideal Primitives: A Systematic Verview.” In 2015 IEEE Information Theory Workshop. IEEE, 2015. https://doi.org/10.1109/ITW.2015.7133163.' ieee: 'P. Gazi and S. Tessaro, “Secret-key cryptography from ideal primitives: A systematic verview,” in 2015 IEEE Information Theory Workshop, Jerusalem, Israel, 2015.' ista: 'Gazi P, Tessaro S. 2015. Secret-key cryptography from ideal primitives: A systematic verview. 2015 IEEE Information Theory Workshop. ITW 2015: IEEE Information Theory Workshop, 7133163.' mla: 'Gazi, Peter, and Stefano Tessaro. “Secret-Key Cryptography from Ideal Primitives: A Systematic Verview.” 2015 IEEE Information Theory Workshop, 7133163, IEEE, 2015, doi:10.1109/ITW.2015.7133163.' short: P. Gazi, S. Tessaro, in:, 2015 IEEE Information Theory Workshop, IEEE, 2015. conference: end_date: 2015-05-01 location: Jerusalem, Israel name: 'ITW 2015: IEEE Information Theory Workshop' start_date: 2015-04-26 date_created: 2018-12-11T11:53:13Z date_published: 2015-06-24T00:00:00Z date_updated: 2021-01-12T06:52:13Z day: '24' department: - _id: KrPi doi: 10.1109/ITW.2015.7133163 ec_funded: 1 language: - iso: eng month: '06' oa_version: None project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication: 2015 IEEE Information Theory Workshop publication_status: published publisher: IEEE publist_id: '5506' quality_controlled: '1' scopus_import: 1 status: public title: 'Secret-key cryptography from ideal primitives: A systematic verview' type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 year: '2015' ... --- _id: '1654' abstract: - lang: eng text: "HMAC and its variant NMAC are the most popular approaches to deriving a MAC (and more generally, a PRF) from a cryptographic hash function. Despite nearly two decades of research, their exact security still remains far from understood in many different contexts. Indeed, recent works have re-surfaced interest for {\\em generic} attacks, i.e., attacks that treat the compression function of the underlying hash function as a black box.\r\n\r\nGeneric security can be proved in a model where the underlying compression function is modeled as a random function -- yet, to date, the question of proving tight, non-trivial bounds on the generic security of HMAC/NMAC even as a PRF remains a challenging open question.\r\n\r\nIn this paper, we ask the question of whether a small modification to HMAC and NMAC can allow us to exactly characterize the security of the resulting constructions, while only incurring little penalty with respect to efficiency. To this end, we present simple variants of NMAC and HMAC, for which we prove tight bounds on the generic PRF security, expressed in terms of numbers of construction and compression function queries necessary to break the construction. All of our constructions are obtained via a (near) {\\em black-box} modification of NMAC and HMAC, which can be interpreted as an initial step of key-dependent message pre-processing.\r\n\r\nWhile our focus is on PRF security, a further attractive feature of our new constructions is that they clearly defeat all recent generic attacks against properties such as state recovery and universal forgery. These exploit properties of the so-called ``functional graph'' which are not directly accessible in our new constructions. " alternative_title: - LNCS author: - first_name: Peter full_name: Gazi, Peter id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87 last_name: Gazi - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 - first_name: Stefano full_name: Tessaro, Stefano last_name: Tessaro citation: ama: Gazi P, Pietrzak KZ, Tessaro S. Generic security of NMAC and HMAC with input whitening. 2015;9453:85-109. doi:10.1007/978-3-662-48800-3_4 apa: 'Gazi, P., Pietrzak, K. Z., & Tessaro, S. (2015). Generic security of NMAC and HMAC with input whitening. Presented at the ASIACRYPT: Theory and Application of Cryptology and Information Security, Auckland, New Zealand: Springer. https://doi.org/10.1007/978-3-662-48800-3_4' chicago: Gazi, Peter, Krzysztof Z Pietrzak, and Stefano Tessaro. “Generic Security of NMAC and HMAC with Input Whitening.” Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-662-48800-3_4. ieee: P. Gazi, K. Z. Pietrzak, and S. Tessaro, “Generic security of NMAC and HMAC with input whitening,” vol. 9453. Springer, pp. 85–109, 2015. ista: Gazi P, Pietrzak KZ, Tessaro S. 2015. Generic security of NMAC and HMAC with input whitening. 9453, 85–109. mla: Gazi, Peter, et al. Generic Security of NMAC and HMAC with Input Whitening. Vol. 9453, Springer, 2015, pp. 85–109, doi:10.1007/978-3-662-48800-3_4. short: P. Gazi, K.Z. Pietrzak, S. Tessaro, 9453 (2015) 85–109. conference: end_date: 2015-12-03 location: Auckland, New Zealand name: 'ASIACRYPT: Theory and Application of Cryptology and Information Security' start_date: 2015-11-29 date_created: 2018-12-11T11:53:17Z date_published: 2015-12-30T00:00:00Z date_updated: 2021-01-12T06:52:16Z day: '30' ddc: - '004' - '005' department: - _id: KrPi doi: 10.1007/978-3-662-48800-3_4 ec_funded: 1 file: - access_level: open_access checksum: d1e53203db2d8573a560995ccdffac62 content_type: application/pdf creator: system date_created: 2018-12-12T10:09:09Z date_updated: 2020-07-14T12:45:08Z file_id: '4732' file_name: IST-2016-676-v1+1_881.pdf file_size: 512071 relation: main_file file_date_updated: 2020-07-14T12:45:08Z has_accepted_license: '1' intvolume: ' 9453' language: - iso: eng month: '12' oa: 1 oa_version: Submitted Version page: 85 - 109 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication_status: published publisher: Springer publist_id: '5496' pubrep_id: '676' quality_controlled: '1' scopus_import: 1 series_title: Lecture Notes in Computer Science status: public title: Generic security of NMAC and HMAC with input whitening type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 volume: 9453 year: '2015' ... --- _id: '1650' abstract: - lang: eng text: "We consider the task of deriving a key with high HILL entropy (i.e., being computationally indistinguishable from a key with high min-entropy) from an unpredictable source.\r\n\r\nPrevious to this work, the only known way to transform unpredictability into a key that was ϵ indistinguishable from having min-entropy was via pseudorandomness, for example by Goldreich-Levin (GL) hardcore bits. This approach has the inherent limitation that from a source with k bits of unpredictability entropy one can derive a key of length (and thus HILL entropy) at most k−2log(1/ϵ) bits. In many settings, e.g. when dealing with biometric data, such a 2log(1/ϵ) bit entropy loss in not an option. Our main technical contribution is a theorem that states that in the high entropy regime, unpredictability implies HILL entropy. Concretely, any variable K with |K|−d bits of unpredictability entropy has the same amount of so called metric entropy (against real-valued, deterministic distinguishers), which is known to imply the same amount of HILL entropy. The loss in circuit size in this argument is exponential in the entropy gap d, and thus this result only applies for small d (i.e., where the size of distinguishers considered is exponential in d).\r\n\r\nTo overcome the above restriction, we investigate if it’s possible to first “condense” unpredictability entropy and make the entropy gap small. We show that any source with k bits of unpredictability can be condensed into a source of length k with k−3 bits of unpredictability entropy. Our condenser simply “abuses" the GL construction and derives a k bit key from a source with k bits of unpredicatibily. The original GL theorem implies nothing when extracting that many bits, but we show that in this regime, GL still behaves like a “condenser" for unpredictability. This result comes with two caveats (1) the loss in circuit size is exponential in k and (2) we require that the source we start with has no HILL entropy (equivalently, one can efficiently check if a guess is correct). We leave it as an intriguing open problem to overcome these restrictions or to prove they’re inherent." alternative_title: - LNCS author: - first_name: Maciej full_name: Skórski, Maciej last_name: Skórski - first_name: Alexander full_name: Golovnev, Alexander last_name: Golovnev - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 citation: ama: 'Skórski M, Golovnev A, Pietrzak KZ. Condensed unpredictability . In: Vol 9134. Springer; 2015:1046-1057. doi:10.1007/978-3-662-47672-7_85' apa: 'Skórski, M., Golovnev, A., & Pietrzak, K. Z. (2015). Condensed unpredictability (Vol. 9134, pp. 1046–1057). Presented at the ICALP: Automata, Languages and Programming, Kyoto, Japan: Springer. https://doi.org/10.1007/978-3-662-47672-7_85' chicago: Skórski, Maciej, Alexander Golovnev, and Krzysztof Z Pietrzak. “Condensed Unpredictability ,” 9134:1046–57. Springer, 2015. https://doi.org/10.1007/978-3-662-47672-7_85. ieee: 'M. Skórski, A. Golovnev, and K. Z. Pietrzak, “Condensed unpredictability ,” presented at the ICALP: Automata, Languages and Programming, Kyoto, Japan, 2015, vol. 9134, pp. 1046–1057.' ista: 'Skórski M, Golovnev A, Pietrzak KZ. 2015. Condensed unpredictability . ICALP: Automata, Languages and Programming, LNCS, vol. 9134, 1046–1057.' mla: Skórski, Maciej, et al. Condensed Unpredictability . Vol. 9134, Springer, 2015, pp. 1046–57, doi:10.1007/978-3-662-47672-7_85. short: M. Skórski, A. Golovnev, K.Z. Pietrzak, in:, Springer, 2015, pp. 1046–1057. conference: end_date: 2015-07-10 location: Kyoto, Japan name: 'ICALP: Automata, Languages and Programming' start_date: 2015-07-06 date_created: 2018-12-11T11:53:15Z date_published: 2015-06-20T00:00:00Z date_updated: 2021-01-12T06:52:15Z day: '20' ddc: - '000' - '005' department: - _id: KrPi doi: 10.1007/978-3-662-47672-7_85 ec_funded: 1 file: - access_level: open_access checksum: e808c7eecb631336fc9f9bf2e8d4ecae content_type: application/pdf creator: system date_created: 2018-12-12T10:08:32Z date_updated: 2020-07-14T12:45:08Z file_id: '4693' file_name: IST-2016-675-v1+1_384.pdf file_size: 525503 relation: main_file file_date_updated: 2020-07-14T12:45:08Z has_accepted_license: '1' intvolume: ' 9134' language: - iso: eng month: '06' oa: 1 oa_version: Published Version page: 1046 - 1057 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication_status: published publisher: Springer publist_id: '5500' pubrep_id: '675' quality_controlled: '1' scopus_import: 1 status: public title: 'Condensed unpredictability ' tmp: image: /images/cc_by.png legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0) short: CC BY (4.0) type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 volume: 9134 year: '2015' ... --- _id: '1651' abstract: - lang: eng text: Cryptographic e-cash allows off-line electronic transactions between a bank, users and merchants in a secure and anonymous fashion. A plethora of e-cash constructions has been proposed in the literature; however, these traditional e-cash schemes only allow coins to be transferred once between users and merchants. Ideally, we would like users to be able to transfer coins between each other multiple times before deposit, as happens with physical cash. “Transferable” e-cash schemes are the solution to this problem. Unfortunately, the currently proposed schemes are either completely impractical or do not achieve the desirable anonymity properties without compromises, such as assuming the existence of a trusted “judge” who can trace all coins and users in the system. This paper presents the first efficient and fully anonymous transferable e-cash scheme without any trusted third parties. We start by revising the security and anonymity properties of transferable e-cash to capture issues that were previously overlooked. For our construction we use the recently proposed malleable signatures by Chase et al. to allow the secure and anonymous transfer of coins, combined with a new efficient double-spending detection mechanism. Finally, we discuss an instantiation of our construction. acknowledgement: Work done as an intern in Microsoft Research Redmond and as a student at Brown University, where supported by NSF grant 0964379. Supported by the European Research Council, ERC Starting Grant (259668-PSPC). alternative_title: - LNCS article_processing_charge: No author: - first_name: Foteini full_name: Baldimtsi, Foteini last_name: Baldimtsi - first_name: Melissa full_name: Chase, Melissa last_name: Chase - first_name: Georg full_name: Fuchsbauer, Georg id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87 last_name: Fuchsbauer - first_name: Markulf full_name: Kohlweiss, Markulf last_name: Kohlweiss citation: ama: 'Baldimtsi F, Chase M, Fuchsbauer G, Kohlweiss M. Anonymous transferable e-cash. In: Public-Key Cryptography - PKC 2015. Vol 9020. Springer; 2015:101-124. doi:10.1007/978-3-662-46447-2_5' apa: 'Baldimtsi, F., Chase, M., Fuchsbauer, G., & Kohlweiss, M. (2015). Anonymous transferable e-cash. In Public-Key Cryptography - PKC 2015 (Vol. 9020, pp. 101–124). Gaithersburg, MD, United States: Springer. https://doi.org/10.1007/978-3-662-46447-2_5' chicago: Baldimtsi, Foteini, Melissa Chase, Georg Fuchsbauer, and Markulf Kohlweiss. “Anonymous Transferable E-Cash.” In Public-Key Cryptography - PKC 2015, 9020:101–24. Springer, 2015. https://doi.org/10.1007/978-3-662-46447-2_5. ieee: F. Baldimtsi, M. Chase, G. Fuchsbauer, and M. Kohlweiss, “Anonymous transferable e-cash,” in Public-Key Cryptography - PKC 2015, Gaithersburg, MD, United States, 2015, vol. 9020, pp. 101–124. ista: 'Baldimtsi F, Chase M, Fuchsbauer G, Kohlweiss M. 2015. Anonymous transferable e-cash. Public-Key Cryptography - PKC 2015. PKC: Public Key Crypography, LNCS, vol. 9020, 101–124.' mla: Baldimtsi, Foteini, et al. “Anonymous Transferable E-Cash.” Public-Key Cryptography - PKC 2015, vol. 9020, Springer, 2015, pp. 101–24, doi:10.1007/978-3-662-46447-2_5. short: F. Baldimtsi, M. Chase, G. Fuchsbauer, M. Kohlweiss, in:, Public-Key Cryptography - PKC 2015, Springer, 2015, pp. 101–124. conference: end_date: 2015-04-01 location: Gaithersburg, MD, United States name: 'PKC: Public Key Crypography' start_date: 2015-03-30 date_created: 2018-12-11T11:53:15Z date_published: 2015-03-17T00:00:00Z date_updated: 2022-05-23T10:08:37Z day: '17' department: - _id: KrPi doi: 10.1007/978-3-662-46447-2_5 ec_funded: 1 intvolume: ' 9020' language: - iso: eng main_file_link: - open_access: '1' url: https://doi.org/10.1007/978-3-662-46447-2_5 month: '03' oa: 1 oa_version: Published Version page: 101 - 124 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication: Public-Key Cryptography - PKC 2015 publication_identifier: isbn: - 978-3-662-46446-5 publication_status: published publisher: Springer publist_id: '5499' quality_controlled: '1' scopus_import: '1' status: public title: Anonymous transferable e-cash type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 volume: 9020 year: '2015' ... --- _id: '1652' abstract: - lang: eng text: We develop new theoretical tools for proving lower-bounds on the (amortized) complexity of certain functions in models of parallel computation. We apply the tools to construct a class of functions with high amortized memory complexity in the parallel Random Oracle Model (pROM); a variant of the standard ROM allowing for batches of simultaneous queries. In particular we obtain a new, more robust, type of Memory-Hard Functions (MHF); a security primitive which has recently been gaining acceptance in practice as an effective means of countering brute-force attacks on security relevant functions. Along the way we also demonstrate an important shortcoming of previous definitions of MHFs and give a new definition addressing the problem. The tools we develop represent an adaptation of the powerful pebbling paradigm (initially introduced by Hewitt and Paterson [HP70] and Cook [Coo73]) to a simple and intuitive parallel setting. We define a simple pebbling game Gp over graphs which aims to abstract parallel computation in an intuitive way. As a conceptual contribution we define a measure of pebbling complexity for graphs called cumulative complexity (CC) and show how it overcomes a crucial shortcoming (in the parallel setting) exhibited by more traditional complexity measures used in the past. As a main technical contribution we give an explicit construction of a constant in-degree family of graphs whose CC in Gp approaches maximality to within a polylogarithmic factor for any graph of equal size (analogous to the graphs of Tarjan et. al. [PTC76, LT82] for sequential pebbling games). Finally, for a given graph G and related function fG, we derive a lower-bound on the amortized memory complexity of fG in the pROM in terms of the CC of G in the game Gp. author: - first_name: Joel F full_name: Alwen, Joel F id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87 last_name: Alwen - first_name: Vladimir full_name: Serbinenko, Vladimir last_name: Serbinenko citation: ama: 'Alwen JF, Serbinenko V. High parallel complexity graphs and memory-hard functions. In: Proceedings of the 47th Annual ACM Symposium on Theory of Computing. ACM; 2015:595-603. doi:10.1145/2746539.2746622' apa: 'Alwen, J. F., & Serbinenko, V. (2015). High parallel complexity graphs and memory-hard functions. In Proceedings of the 47th annual ACM symposium on Theory of computing (pp. 595–603). Portland, OR, United States: ACM. https://doi.org/10.1145/2746539.2746622' chicago: Alwen, Joel F, and Vladimir Serbinenko. “High Parallel Complexity Graphs and Memory-Hard Functions.” In Proceedings of the 47th Annual ACM Symposium on Theory of Computing, 595–603. ACM, 2015. https://doi.org/10.1145/2746539.2746622. ieee: J. F. Alwen and V. Serbinenko, “High parallel complexity graphs and memory-hard functions,” in Proceedings of the 47th annual ACM symposium on Theory of computing, Portland, OR, United States, 2015, pp. 595–603. ista: 'Alwen JF, Serbinenko V. 2015. High parallel complexity graphs and memory-hard functions. Proceedings of the 47th annual ACM symposium on Theory of computing. STOC: Symposium on the Theory of Computing, 595–603.' mla: Alwen, Joel F., and Vladimir Serbinenko. “High Parallel Complexity Graphs and Memory-Hard Functions.” Proceedings of the 47th Annual ACM Symposium on Theory of Computing, ACM, 2015, pp. 595–603, doi:10.1145/2746539.2746622. short: J.F. Alwen, V. Serbinenko, in:, Proceedings of the 47th Annual ACM Symposium on Theory of Computing, ACM, 2015, pp. 595–603. conference: end_date: 2015-06-17 location: Portland, OR, United States name: 'STOC: Symposium on the Theory of Computing' start_date: 2015-06-14 date_created: 2018-12-11T11:53:16Z date_published: 2015-06-01T00:00:00Z date_updated: 2021-01-12T06:52:16Z day: '01' department: - _id: KrPi doi: 10.1145/2746539.2746622 ec_funded: 1 language: - iso: eng main_file_link: - open_access: '1' url: http://eprint.iacr.org/2014/238 month: '06' oa: 1 oa_version: Submitted Version page: 595 - 603 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication: Proceedings of the 47th annual ACM symposium on Theory of computing publication_status: published publisher: ACM publist_id: '5498' quality_controlled: '1' scopus_import: 1 status: public title: High parallel complexity graphs and memory-hard functions type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 year: '2015' ... --- _id: '1672' abstract: - lang: eng text: Composable notions of incoercibility aim to forbid a coercer from using anything beyond the coerced parties’ inputs and outputs to catch them when they try to deceive him. Existing definitions are restricted to weak coercion types, and/or are not universally composable. Furthermore, they often make too strong assumptions on the knowledge of coerced parties—e.g., they assume they known the identities and/or the strategies of other coerced parties, or those of corrupted parties— which makes them unsuitable for applications of incoercibility such as e-voting, where colluding adversarial parties may attempt to coerce honest voters, e.g., by offering them money for a promised vote, and use their own view to check that the voter keeps his end of the bargain. In this work we put forward the first universally composable notion of incoercible multi-party computation, which satisfies the above intuition and does not assume collusions among coerced parties or knowledge of the corrupted set. We define natural notions of UC incoercibility corresponding to standard coercion-types, i.e., receipt-freeness and resistance to full-active coercion. Importantly, our suggested notion has the unique property that it builds on top of the well studied UC framework by Canetti instead of modifying it. This guarantees backwards compatibility, and allows us to inherit results from the rich UC literature. We then present MPC protocols which realize our notions of UC incoercibility given access to an arguably minimal setup—namely honestly generate tamper-proof hardware performing a very simple cryptographic operation—e.g., a smart card. This is, to our knowledge, the first proposed construction of an MPC protocol (for more than two parties) that is incoercibly secure and universally composable, and therefore the first construction of a universally composable receipt-free e-voting protocol. acknowledgement: Joël Alwen was supported by the ERC starting grant (259668-PSPC). Rafail Ostrovsky was supported in part by NSF grants 09165174, 1065276, 1118126 and 1136174, US-Israel BSF grant 2008411, OKAWA Foundation Research Award, IBM Faculty Research Award, Xerox Faculty Research Award, B. John Garrick Foundation Award, Teradata Research Award, Lockheed-Martin Corporation Research Award, and the Defense Advanced Research Projects Agency through the U.S. Office of Naval Research under Contract N00014 -11 -1-0392. The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government. Vassilis Zikas was supported in part by the Swiss National Science Foundation (SNF) via the Ambizione grant PZ00P-2142549. alternative_title: - LNCS article_processing_charge: No author: - first_name: Joel F full_name: Alwen, Joel F id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87 last_name: Alwen - first_name: Rafail full_name: Ostrovsky, Rafail last_name: Ostrovsky - first_name: Hongsheng full_name: Zhou, Hongsheng last_name: Zhou - first_name: Vassilis full_name: Zikas, Vassilis last_name: Zikas citation: ama: 'Alwen JF, Ostrovsky R, Zhou H, Zikas V. Incoercible multi-party computation and universally composable receipt-free voting. In: Advances in Cryptology - CRYPTO 2015. Vol 9216. Lecture Notes in Computer Science. Springer; 2015:763-780. doi:10.1007/978-3-662-48000-7_37' apa: 'Alwen, J. F., Ostrovsky, R., Zhou, H., & Zikas, V. (2015). Incoercible multi-party computation and universally composable receipt-free voting. In Advances in Cryptology - CRYPTO 2015 (Vol. 9216, pp. 763–780). Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-662-48000-7_37' chicago: Alwen, Joel F, Rafail Ostrovsky, Hongsheng Zhou, and Vassilis Zikas. “Incoercible Multi-Party Computation and Universally Composable Receipt-Free Voting.” In Advances in Cryptology - CRYPTO 2015, 9216:763–80. Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-662-48000-7_37. ieee: J. F. Alwen, R. Ostrovsky, H. Zhou, and V. Zikas, “Incoercible multi-party computation and universally composable receipt-free voting,” in Advances in Cryptology - CRYPTO 2015, Santa Barbara, CA, United States, 2015, vol. 9216, pp. 763–780. ista: 'Alwen JF, Ostrovsky R, Zhou H, Zikas V. 2015. Incoercible multi-party computation and universally composable receipt-free voting. Advances in Cryptology - CRYPTO 2015. CRYPTO: International Cryptology ConferenceLecture Notes in Computer Science, LNCS, vol. 9216, 763–780.' mla: Alwen, Joel F., et al. “Incoercible Multi-Party Computation and Universally Composable Receipt-Free Voting.” Advances in Cryptology - CRYPTO 2015, vol. 9216, Springer, 2015, pp. 763–80, doi:10.1007/978-3-662-48000-7_37. short: J.F. Alwen, R. Ostrovsky, H. Zhou, V. Zikas, in:, Advances in Cryptology - CRYPTO 2015, Springer, 2015, pp. 763–780. conference: end_date: 2015-08-20 location: Santa Barbara, CA, United States name: 'CRYPTO: International Cryptology Conference' start_date: 2015-08-16 date_created: 2018-12-11T11:53:23Z date_published: 2015-08-01T00:00:00Z date_updated: 2022-06-07T09:51:55Z day: '01' ddc: - '000' department: - _id: KrPi doi: 10.1007/978-3-662-48000-7_37 ec_funded: 1 file: - access_level: open_access checksum: 5b6649e80d1f781a8910f7cce6427f78 content_type: application/pdf creator: dernst date_created: 2020-05-15T08:55:29Z date_updated: 2020-07-14T12:45:11Z file_id: '7853' file_name: 2015_CRYPTO_Alwen.pdf file_size: 397363 relation: main_file file_date_updated: 2020-07-14T12:45:11Z has_accepted_license: '1' intvolume: ' 9216' language: - iso: eng month: '08' oa: 1 oa_version: Submitted Version page: 763 - 780 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication: Advances in Cryptology - CRYPTO 2015 publication_identifier: eisbn: - 978-3-662-48000-7 isbn: - 978-3-662-47999-5 publication_status: published publisher: Springer publist_id: '5476' quality_controlled: '1' scopus_import: '1' series_title: Lecture Notes in Computer Science status: public title: Incoercible multi-party computation and universally composable receipt-free voting type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 volume: 9216 year: '2015' ... --- _id: '1669' abstract: - lang: eng text: Computational notions of entropy (a.k.a. pseudoentropy) have found many applications, including leakage-resilient cryptography, deterministic encryption or memory delegation. The most important tools to argue about pseudoentropy are chain rules, which quantify by how much (in terms of quantity and quality) the pseudoentropy of a given random variable X decreases when conditioned on some other variable Z (think for example of X as a secret key and Z as information leaked by a side-channel). In this paper we give a very simple and modular proof of the chain rule for HILL pseudoentropy, improving best known parameters. Our version allows for increasing the acceptable length of leakage in applications up to a constant factor compared to the best previous bounds. As a contribution of independent interest, we provide a comprehensive study of all known versions of the chain rule, comparing their worst-case strength and limitations. alternative_title: - LNCS author: - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 - first_name: Maciej full_name: Skórski, Maciej last_name: Skórski citation: ama: Pietrzak KZ, Skórski M. The chain rule for HILL pseudoentropy, revisited. 2015;9230:81-98. doi:10.1007/978-3-319-22174-8_5 apa: 'Pietrzak, K. Z., & Skórski, M. (2015). The chain rule for HILL pseudoentropy, revisited. Presented at the LATINCRYPT: Cryptology and Information Security in Latin America, Guadalajara, Mexico: Springer. https://doi.org/10.1007/978-3-319-22174-8_5' chicago: Pietrzak, Krzysztof Z, and Maciej Skórski. “The Chain Rule for HILL Pseudoentropy, Revisited.” Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-319-22174-8_5. ieee: K. Z. Pietrzak and M. Skórski, “The chain rule for HILL pseudoentropy, revisited,” vol. 9230. Springer, pp. 81–98, 2015. ista: Pietrzak KZ, Skórski M. 2015. The chain rule for HILL pseudoentropy, revisited. 9230, 81–98. mla: Pietrzak, Krzysztof Z., and Maciej Skórski. The Chain Rule for HILL Pseudoentropy, Revisited. Vol. 9230, Springer, 2015, pp. 81–98, doi:10.1007/978-3-319-22174-8_5. short: K.Z. Pietrzak, M. Skórski, 9230 (2015) 81–98. conference: end_date: 2015-08-26 location: Guadalajara, Mexico name: 'LATINCRYPT: Cryptology and Information Security in Latin America' start_date: 2015-08-23 date_created: 2018-12-11T11:53:22Z date_published: 2015-08-15T00:00:00Z date_updated: 2021-01-12T06:52:24Z day: '15' ddc: - '005' department: - _id: KrPi doi: 10.1007/978-3-319-22174-8_5 ec_funded: 1 file: - access_level: open_access checksum: 8cd4215b83efba720e8cf27c23ff4781 content_type: application/pdf creator: system date_created: 2018-12-12T10:18:29Z date_updated: 2020-07-14T12:45:11Z file_id: '5351' file_name: IST-2016-669-v1+1_599.pdf file_size: 443340 relation: main_file file_date_updated: 2020-07-14T12:45:11Z has_accepted_license: '1' intvolume: ' 9230' language: - iso: eng month: '08' oa: 1 oa_version: Submitted Version page: 81 - 98 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication_status: published publisher: Springer publist_id: '5480' pubrep_id: '669' quality_controlled: '1' scopus_import: 1 series_title: Lecture Notes in Computer Science status: public title: The chain rule for HILL pseudoentropy, revisited type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 volume: 9230 year: '2015' ... --- _id: '1671' abstract: - lang: eng text: This paper studies the concrete security of PRFs and MACs obtained by keying hash functions based on the sponge paradigm. One such hash function is KECCAK, selected as NIST’s new SHA-3 standard. In contrast to other approaches like HMAC, the exact security of keyed sponges is not well understood. Indeed, recent security analyses delivered concrete security bounds which are far from existing attacks. This paper aims to close this gap. We prove (nearly) exact bounds on the concrete PRF security of keyed sponges using a random permutation. These bounds are tight for the most relevant ranges of parameters, i.e., for messages of length (roughly) l ≤ min{2n/4, 2r} blocks, where n is the state size and r is the desired output length; and for l ≤ q queries (to the construction or the underlying permutation). Moreover, we also improve standard-model bounds. As an intermediate step of independent interest, we prove tight bounds on the PRF security of the truncated CBC-MAC construction, which operates as plain CBC-MAC, but only returns a prefix of the output. alternative_title: - LNCS author: - first_name: Peter full_name: Gazi, Peter id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87 last_name: Gazi - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 - first_name: Stefano full_name: Tessaro, Stefano last_name: Tessaro citation: ama: 'Gazi P, Pietrzak KZ, Tessaro S. The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC. In: Vol 9215. Springer; 2015:368-387. doi:10.1007/978-3-662-47989-6_18' apa: 'Gazi, P., Pietrzak, K. Z., & Tessaro, S. (2015). The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC (Vol. 9215, pp. 368–387). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-662-47989-6_18' chicago: 'Gazi, Peter, Krzysztof Z Pietrzak, and Stefano Tessaro. “The Exact PRF Security of Truncation: Tight Bounds for Keyed Sponges and Truncated CBC,” 9215:368–87. Springer, 2015. https://doi.org/10.1007/978-3-662-47989-6_18.' ieee: 'P. Gazi, K. Z. Pietrzak, and S. Tessaro, “The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States, 2015, vol. 9215, pp. 368–387.' ista: 'Gazi P, Pietrzak KZ, Tessaro S. 2015. The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC. CRYPTO: International Cryptology Conference, LNCS, vol. 9215, 368–387.' mla: 'Gazi, Peter, et al. The Exact PRF Security of Truncation: Tight Bounds for Keyed Sponges and Truncated CBC. Vol. 9215, Springer, 2015, pp. 368–87, doi:10.1007/978-3-662-47989-6_18.' short: P. Gazi, K.Z. Pietrzak, S. Tessaro, in:, Springer, 2015, pp. 368–387. conference: end_date: 2015-08-20 location: Santa Barbara, CA, United States name: 'CRYPTO: International Cryptology Conference' start_date: 2015-08-16 date_created: 2018-12-11T11:53:23Z date_published: 2015-08-01T00:00:00Z date_updated: 2021-01-12T06:52:25Z day: '01' ddc: - '004' - '005' department: - _id: KrPi doi: 10.1007/978-3-662-47989-6_18 ec_funded: 1 file: - access_level: open_access checksum: 17d854227b3b753fd34f5d29e5b5a32e content_type: application/pdf creator: system date_created: 2018-12-12T10:10:38Z date_updated: 2020-07-14T12:45:11Z file_id: '4827' file_name: IST-2016-673-v1+1_053.pdf file_size: 592296 relation: main_file file_date_updated: 2020-07-14T12:45:11Z has_accepted_license: '1' intvolume: ' 9215' language: - iso: eng month: '08' oa: 1 oa_version: Submitted Version page: 368 - 387 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication_status: published publisher: Springer publist_id: '5478' pubrep_id: '673' quality_controlled: '1' scopus_import: 1 status: public title: 'The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC' type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 volume: 9215 year: '2015' ... --- _id: '1668' abstract: - lang: eng text: "We revisit the security (as a pseudorandom permutation) of cascading-based constructions for block-cipher key-length extension. Previous works typically considered the extreme case where the adversary is given the entire codebook of the construction, the only complexity measure being the number qe of queries to the underlying ideal block cipher, representing adversary’s secret-key-independent computation. Here, we initiate a systematic study of the more natural case of an adversary restricted to adaptively learning a number qc of plaintext/ciphertext pairs that is less than the entire codebook. For any such qc, we aim to determine the highest number of block-cipher queries qe the adversary can issue without being able to successfully distinguish the construction (under a secret key) from a random permutation.\r\nMore concretely, we show the following results for key-length extension schemes using a block cipher with n-bit blocks and κ-bit keys:\r\nPlain cascades of length ℓ=2r+1 are secure whenever qcqre≪2r(κ+n), qc≪2κ and qe≪22κ. The bound for r=1 also applies to two-key triple encryption (as used within Triple DES).\r\nThe r-round XOR-cascade is secure as long as qcqre≪2r(κ+n), matching an attack by Gaži (CRYPTO 2013).\r\nWe fully characterize the security of Gaži and Tessaro’s two-call " alternative_title: - LNCS author: - first_name: Peter full_name: Gazi, Peter id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87 last_name: Gazi - first_name: Jooyoung full_name: Lee, Jooyoung last_name: Lee - first_name: Yannick full_name: Seurin, Yannick last_name: Seurin - first_name: John full_name: Steinberger, John last_name: Steinberger - first_name: Stefano full_name: Tessaro, Stefano last_name: Tessaro citation: ama: 'Gazi P, Lee J, Seurin Y, Steinberger J, Tessaro S. Relaxing full-codebook security: A refined analysis of key-length extension schemes. 2015;9054:319-341. doi:10.1007/978-3-662-48116-5_16' apa: 'Gazi, P., Lee, J., Seurin, Y., Steinberger, J., & Tessaro, S. (2015). Relaxing full-codebook security: A refined analysis of key-length extension schemes. Presented at the FSE: Fast Software Encryption, Istanbul, Turkey: Springer. https://doi.org/10.1007/978-3-662-48116-5_16' chicago: 'Gazi, Peter, Jooyoung Lee, Yannick Seurin, John Steinberger, and Stefano Tessaro. “Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes.” Lecture Notes in Computer Science. Springer, 2015. https://doi.org/10.1007/978-3-662-48116-5_16.' ieee: 'P. Gazi, J. Lee, Y. Seurin, J. Steinberger, and S. Tessaro, “Relaxing full-codebook security: A refined analysis of key-length extension schemes,” vol. 9054. Springer, pp. 319–341, 2015.' ista: 'Gazi P, Lee J, Seurin Y, Steinberger J, Tessaro S. 2015. Relaxing full-codebook security: A refined analysis of key-length extension schemes. 9054, 319–341.' mla: 'Gazi, Peter, et al. Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes. Vol. 9054, Springer, 2015, pp. 319–41, doi:10.1007/978-3-662-48116-5_16.' short: P. Gazi, J. Lee, Y. Seurin, J. Steinberger, S. Tessaro, 9054 (2015) 319–341. conference: end_date: 2015-03-11 location: Istanbul, Turkey name: 'FSE: Fast Software Encryption' start_date: 2015-03-08 date_created: 2018-12-11T11:53:22Z date_published: 2015-08-12T00:00:00Z date_updated: 2020-08-11T10:09:26Z day: '12' department: - _id: KrPi doi: 10.1007/978-3-662-48116-5_16 ec_funded: 1 intvolume: ' 9054' language: - iso: eng main_file_link: - open_access: '1' url: http://eprint.iacr.org/2015/397 month: '08' oa: 1 oa_version: Submitted Version page: 319 - 341 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication_status: published publisher: Springer publist_id: '5481' quality_controlled: '1' scopus_import: 1 series_title: Lecture Notes in Computer Science status: public title: 'Relaxing full-codebook security: A refined analysis of key-length extension schemes' type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 volume: 9054 year: '2015' ... --- _id: '1675' abstract: - lang: eng text: Proofs of work (PoW) have been suggested by Dwork and Naor (Crypto’92) as protection to a shared resource. The basic idea is to ask the service requestor to dedicate some non-trivial amount of computational work to every request. The original applications included prevention of spam and protection against denial of service attacks. More recently, PoWs have been used to prevent double spending in the Bitcoin digital currency system. In this work, we put forward an alternative concept for PoWs - so-called proofs of space (PoS), where a service requestor must dedicate a significant amount of disk space as opposed to computation. We construct secure PoS schemes in the random oracle model (with one additional mild assumption required for the proof to go through), using graphs with high “pebbling complexity” and Merkle hash-trees. We discuss some applications, including follow-up work where a decentralized digital currency scheme called Spacecoin is constructed that uses PoS (instead of wasteful PoW like in Bitcoin) to prevent double spending. The main technical contribution of this work is the construction of (directed, loop-free) graphs on N vertices with in-degree O(log logN) such that even if one places Θ(N) pebbles on the nodes of the graph, there’s a constant fraction of nodes that needs Θ(N) steps to be pebbled (where in every step one can put a pebble on a node if all its parents have a pebble). alternative_title: - LNCS article_processing_charge: No author: - first_name: Stefan full_name: Dziembowski, Stefan last_name: Dziembowski - first_name: Sebastian full_name: Faust, Sebastian last_name: Faust - first_name: Vladimir full_name: Kolmogorov, Vladimir id: 3D50B0BA-F248-11E8-B48F-1D18A9856A87 last_name: Kolmogorov - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 citation: ama: 'Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. Proofs of space. In: 35th Annual Cryptology Conference. Vol 9216. Springer; 2015:585-605. doi:10.1007/978-3-662-48000-7_29' apa: 'Dziembowski, S., Faust, S., Kolmogorov, V., & Pietrzak, K. Z. (2015). Proofs of space. In 35th Annual Cryptology Conference (Vol. 9216, pp. 585–605). Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-662-48000-7_29' chicago: Dziembowski, Stefan, Sebastian Faust, Vladimir Kolmogorov, and Krzysztof Z Pietrzak. “Proofs of Space.” In 35th Annual Cryptology Conference, 9216:585–605. Springer, 2015. https://doi.org/10.1007/978-3-662-48000-7_29. ieee: S. Dziembowski, S. Faust, V. Kolmogorov, and K. Z. Pietrzak, “Proofs of space,” in 35th Annual Cryptology Conference, Santa Barbara, CA, United States, 2015, vol. 9216, pp. 585–605. ista: 'Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. 2015. Proofs of space. 35th Annual Cryptology Conference. CRYPTO: International Cryptology Conference, LNCS, vol. 9216, 585–605.' mla: Dziembowski, Stefan, et al. “Proofs of Space.” 35th Annual Cryptology Conference, vol. 9216, Springer, 2015, pp. 585–605, doi:10.1007/978-3-662-48000-7_29. short: S. Dziembowski, S. Faust, V. Kolmogorov, K.Z. Pietrzak, in:, 35th Annual Cryptology Conference, Springer, 2015, pp. 585–605. conference: end_date: 2015-08-20 location: Santa Barbara, CA, United States name: 'CRYPTO: International Cryptology Conference' start_date: 2015-08-16 date_created: 2018-12-11T11:53:24Z date_published: 2015-08-01T00:00:00Z date_updated: 2024-03-20T08:31:49Z day: '01' department: - _id: VlKo - _id: KrPi doi: 10.1007/978-3-662-48000-7_29 ec_funded: 1 intvolume: ' 9216' language: - iso: eng main_file_link: - open_access: '1' url: https://eprint.iacr.org/2013/796.pdf month: '08' oa: 1 oa_version: Preprint page: 585 - 605 project: - _id: 25FBA906-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '616160' name: 'Discrete Optimization in Computer Vision: Theory and Practice' - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication: 35th Annual Cryptology Conference publication_identifier: isbn: - '9783662479995' issn: - 0302-9743 publication_status: published publisher: Springer publist_id: '5474' pubrep_id: '671' quality_controlled: '1' related_material: record: - id: '2274' relation: earlier_version status: public scopus_import: '1' status: public title: Proofs of space type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 volume: 9216 year: '2015' ... --- _id: '1643' abstract: - lang: eng text: We extend the notion of verifiable random functions (VRF) to constrained VRFs, which generalize the concept of constrained pseudorandom functions, put forward by Boneh and Waters (Asiacrypt’13), and independently by Kiayias et al. (CCS’13) and Boyle et al. (PKC’14), who call them delegatable PRFs and functional PRFs, respectively. In a standard VRF the secret key sk allows one to evaluate a pseudorandom function at any point of its domain; in addition, it enables computation of a non-interactive proof that the function value was computed correctly. In a constrained VRF from the key sk one can derive constrained keys skS for subsets S of the domain, which allow computation of function values and proofs only at points in S. After formally defining constrained VRFs, we derive instantiations from the multilinear-maps-based constrained PRFs by Boneh and Waters, yielding a VRF with constrained keys for any set that can be decided by a polynomial-size circuit. Our VRFs have the same function values as the Boneh-Waters PRFs and are proved secure under the same hardness assumption, showing that verifiability comes at no cost. Constrained (functional) VRFs were stated as an open problem by Boyle et al. alternative_title: - LNCS author: - first_name: Georg full_name: Fuchsbauer, Georg id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87 last_name: Fuchsbauer citation: ama: 'Fuchsbauer G. Constrained Verifiable Random Functions . In: Abdalla M, De Prisco R, eds. SCN 2014. Vol 8642. Springer; 2014:95-114. doi:10.1007/978-3-319-10879-7_7' apa: 'Fuchsbauer, G. (2014). Constrained Verifiable Random Functions . In M. Abdalla & R. De Prisco (Eds.), SCN 2014 (Vol. 8642, pp. 95–114). Amalfi, Italy: Springer. https://doi.org/10.1007/978-3-319-10879-7_7' chicago: Fuchsbauer, Georg. “Constrained Verifiable Random Functions .” In SCN 2014, edited by Michel Abdalla and Roberto De Prisco, 8642:95–114. Springer, 2014. https://doi.org/10.1007/978-3-319-10879-7_7. ieee: G. Fuchsbauer, “Constrained Verifiable Random Functions ,” in SCN 2014, Amalfi, Italy, 2014, vol. 8642, pp. 95–114. ista: 'Fuchsbauer G. 2014. Constrained Verifiable Random Functions . SCN 2014. SCN: Security and Cryptography for Networks, LNCS, vol. 8642, 95–114.' mla: Fuchsbauer, Georg. “Constrained Verifiable Random Functions .” SCN 2014, edited by Michel Abdalla and Roberto De Prisco, vol. 8642, Springer, 2014, pp. 95–114, doi:10.1007/978-3-319-10879-7_7. short: G. Fuchsbauer, in:, M. Abdalla, R. De Prisco (Eds.), SCN 2014, Springer, 2014, pp. 95–114. conference: end_date: 2014-09-05 location: Amalfi, Italy name: 'SCN: Security and Cryptography for Networks' start_date: 2014-09-03 date_created: 2018-12-11T11:53:13Z date_published: 2014-01-01T00:00:00Z date_updated: 2021-01-12T06:52:12Z day: '01' department: - _id: KrPi doi: 10.1007/978-3-319-10879-7_7 ec_funded: 1 editor: - first_name: Michel full_name: Abdalla, Michel last_name: Abdalla - first_name: Roberto full_name: De Prisco, Roberto last_name: De Prisco intvolume: ' 8642' language: - iso: eng main_file_link: - open_access: '1' url: http://eprint.iacr.org/2014/537 month: '01' oa: 1 oa_version: Submitted Version page: 95 - 114 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication: SCN 2014 publication_status: published publisher: Springer publist_id: '5509' scopus_import: 1 status: public title: 'Constrained Verifiable Random Functions ' type: conference user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87 volume: 8642 year: '2014' ... --- _id: '1907' abstract: - lang: eng text: 'Most cryptographic security proofs require showing that two systems are indistinguishable. A central tool in such proofs is that of a game, where winning the game means provoking a certain condition, and it is shown that the two systems considered cannot be distinguished unless this condition is provoked. Upper bounding the probability of winning such a game, i.e., provoking this condition, for an arbitrary strategy is usually hard, except in the special case where the best strategy for winning such a game is known to be non-adaptive. A sufficient criterion for ensuring the optimality of non-adaptive strategies is that of conditional equivalence to a system, a notion introduced in [1]. In this paper, we show that this criterion is not necessary to ensure the optimality of non-adaptive strategies by giving two results of independent interest: 1) the optimality of non-adaptive strategies is not preserved under parallel composition; 2) in contrast, conditional equivalence is preserved under parallel composition.' article_number: '6875125' author: - first_name: Grégory full_name: Demay, Grégory last_name: Demay - first_name: Peter full_name: Gazi, Peter id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87 last_name: Gazi - first_name: Ueli full_name: Maurer, Ueli last_name: Maurer - first_name: Björn full_name: Tackmann, Björn last_name: Tackmann citation: ama: 'Demay G, Gazi P, Maurer U, Tackmann B. Optimality of non-adaptive strategies: The case of parallel games. In: IEEE International Symposium on Information Theory. IEEE; 2014. doi:10.1109/ISIT.2014.6875125' apa: 'Demay, G., Gazi, P., Maurer, U., & Tackmann, B. (2014). Optimality of non-adaptive strategies: The case of parallel games. In IEEE International Symposium on Information Theory. Honolulu, USA: IEEE. https://doi.org/10.1109/ISIT.2014.6875125' chicago: 'Demay, Grégory, Peter Gazi, Ueli Maurer, and Björn Tackmann. “Optimality of Non-Adaptive Strategies: The Case of Parallel Games.” In IEEE International Symposium on Information Theory. IEEE, 2014. https://doi.org/10.1109/ISIT.2014.6875125.' ieee: 'G. Demay, P. Gazi, U. Maurer, and B. Tackmann, “Optimality of non-adaptive strategies: The case of parallel games,” in IEEE International Symposium on Information Theory, Honolulu, USA, 2014.' ista: 'Demay G, Gazi P, Maurer U, Tackmann B. 2014. Optimality of non-adaptive strategies: The case of parallel games. IEEE International Symposium on Information Theory. IEEE International Symposium on Information Theory Proceedings, 6875125.' mla: 'Demay, Grégory, et al. “Optimality of Non-Adaptive Strategies: The Case of Parallel Games.” IEEE International Symposium on Information Theory, 6875125, IEEE, 2014, doi:10.1109/ISIT.2014.6875125.' short: G. Demay, P. Gazi, U. Maurer, B. Tackmann, in:, IEEE International Symposium on Information Theory, IEEE, 2014. conference: end_date: 2014-07-04 location: Honolulu, USA name: IEEE International Symposium on Information Theory Proceedings start_date: 2014-06-29 date_created: 2018-12-11T11:54:39Z date_published: 2014-01-01T00:00:00Z date_updated: 2021-01-12T06:53:59Z day: '01' department: - _id: KrPi doi: 10.1109/ISIT.2014.6875125 language: - iso: eng main_file_link: - open_access: '1' url: https://eprint.iacr.org/2014/299 month: '01' oa: 1 oa_version: Submitted Version publication: IEEE International Symposium on Information Theory publication_status: published publisher: IEEE publist_id: '5188' quality_controlled: '1' scopus_import: 1 status: public title: 'Optimality of non-adaptive strategies: The case of parallel games' type: conference user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87 year: '2014' ... --- _id: '2045' abstract: - lang: eng text: 'We introduce and study a new notion of enhanced chosen-ciphertext security (ECCA) for public-key encryption. Loosely speaking, in the ECCA security experiment, the decryption oracle provided to the adversary is augmented to return not only the output of the decryption algorithm on a queried ciphertext but also of a randomness-recovery algorithm associated to the scheme. Our results mainly concern the case where the randomness-recovery algorithm is efficient. We provide constructions of ECCA-secure encryption from adaptive trapdoor functions as defined by Kiltz et al. (EUROCRYPT 2010), resulting in ECCA encryption from standard number-theoretic assumptions. We then give two applications of ECCA-secure encryption: (1) We use it as a unifying concept in showing equivalence of adaptive trapdoor functions and tag-based adaptive trapdoor functions, resolving an open question of Kiltz et al. (2) We show that ECCA-secure encryption can be used to securely realize an approach to public-key encryption with non-interactive opening (PKENO) originally suggested by Damgård and Thorbek (EUROCRYPT 2007), resulting in new and practical PKENO schemes quite different from those in prior work. Our results demonstrate that ECCA security is of both practical and theoretical interest.' acknowledgement: The second author was supported by EPSRC grant EP/H043454/1. alternative_title: - LNCS author: - first_name: Dana full_name: Dachman Soled, Dana last_name: Dachman Soled - first_name: Georg full_name: Fuchsbauer, Georg id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87 last_name: Fuchsbauer - first_name: Payman full_name: Mohassel, Payman last_name: Mohassel - first_name: Adam full_name: O’Neill, Adam last_name: O’Neill citation: ama: 'Dachman Soled D, Fuchsbauer G, Mohassel P, O’Neill A. Enhanced chosen-ciphertext security and applications. In: Krawczyk H, ed. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Vol 8383. Springer; 2014:329-344. doi:10.1007/978-3-642-54631-0_19' apa: 'Dachman Soled, D., Fuchsbauer, G., Mohassel, P., & O’Neill, A. (2014). Enhanced chosen-ciphertext security and applications. In H. Krawczyk (Ed.), Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8383, pp. 329–344). Buenos Aires, Argentina: Springer. https://doi.org/10.1007/978-3-642-54631-0_19' chicago: Dachman Soled, Dana, Georg Fuchsbauer, Payman Mohassel, and Adam O’Neill. “Enhanced Chosen-Ciphertext Security and Applications.” In Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), edited by Hugo Krawczyk, 8383:329–44. Springer, 2014. https://doi.org/10.1007/978-3-642-54631-0_19. ieee: D. Dachman Soled, G. Fuchsbauer, P. Mohassel, and A. O’Neill, “Enhanced chosen-ciphertext security and applications,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Buenos Aires, Argentina, 2014, vol. 8383, pp. 329–344. ista: 'Dachman Soled D, Fuchsbauer G, Mohassel P, O’Neill A. 2014. Enhanced chosen-ciphertext security and applications. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). PKC: Public Key Crypography, LNCS, vol. 8383, 329–344.' mla: Dachman Soled, Dana, et al. “Enhanced Chosen-Ciphertext Security and Applications.” Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), edited by Hugo Krawczyk, vol. 8383, Springer, 2014, pp. 329–44, doi:10.1007/978-3-642-54631-0_19. short: D. Dachman Soled, G. Fuchsbauer, P. Mohassel, A. O’Neill, in:, H. Krawczyk (Ed.), Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer, 2014, pp. 329–344. conference: end_date: 2014-03-28 location: Buenos Aires, Argentina name: 'PKC: Public Key Crypography' start_date: 2014-03-26 date_created: 2018-12-11T11:55:24Z date_published: 2014-01-01T00:00:00Z date_updated: 2021-01-12T06:54:57Z day: '01' department: - _id: KrPi doi: 10.1007/978-3-642-54631-0_19 ec_funded: 1 editor: - first_name: Hugo full_name: Krawczyk, Hugo last_name: Krawczyk intvolume: ' 8383' language: - iso: eng main_file_link: - open_access: '1' url: https://eprint.iacr.org/2012/543 month: '01' oa: 1 oa_version: Submitted Version page: 329 - 344 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) publication_status: published publisher: Springer publist_id: '5006' quality_controlled: '1' scopus_import: 1 status: public title: Enhanced chosen-ciphertext security and applications type: conference user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87 volume: 8383 year: '2014' ... --- _id: '2047' abstract: - lang: eng text: Following the publication of an attack on genome-wide association studies (GWAS) data proposed by Homer et al., considerable attention has been given to developing methods for releasing GWAS data in a privacy-preserving way. Here, we develop an end-to-end differentially private method for solving regression problems with convex penalty functions and selecting the penalty parameters by cross-validation. In particular, we focus on penalized logistic regression with elastic-net regularization, a method widely used to in GWAS analyses to identify disease-causing genes. We show how a differentially private procedure for penalized logistic regression with elastic-net regularization can be applied to the analysis of GWAS data and evaluate our method’s performance. acknowledgement: This research was partially supported by BCS- 0941518 to the Department of Statistics at Carnegie Mellon University. alternative_title: - LNCS author: - first_name: Fei full_name: Yu, Fei last_name: Yu - first_name: Michal full_name: Rybar, Michal id: 2B3E3DE8-F248-11E8-B48F-1D18A9856A87 last_name: Rybar - first_name: Caroline full_name: Uhler, Caroline id: 49ADD78E-F248-11E8-B48F-1D18A9856A87 last_name: Uhler orcid: 0000-0002-7008-0216 - first_name: Stephen full_name: Fienberg, Stephen last_name: Fienberg citation: ama: 'Yu F, Rybar M, Uhler C, Fienberg S. Differentially-private logistic regression for detecting multiple-SNP association in GWAS databases. In: Domingo Ferrer J, ed. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Vol 8744. Springer; 2014:170-184. doi:10.1007/978-3-319-11257-2_14' apa: 'Yu, F., Rybar, M., Uhler, C., & Fienberg, S. (2014). Differentially-private logistic regression for detecting multiple-SNP association in GWAS databases. In J. Domingo Ferrer (Ed.), Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8744, pp. 170–184). Ibiza, Spain: Springer. https://doi.org/10.1007/978-3-319-11257-2_14' chicago: Yu, Fei, Michal Rybar, Caroline Uhler, and Stephen Fienberg. “Differentially-Private Logistic Regression for Detecting Multiple-SNP Association in GWAS Databases.” In Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), edited by Josep Domingo Ferrer, 8744:170–84. Springer, 2014. https://doi.org/10.1007/978-3-319-11257-2_14. ieee: F. Yu, M. Rybar, C. Uhler, and S. Fienberg, “Differentially-private logistic regression for detecting multiple-SNP association in GWAS databases,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Ibiza, Spain, 2014, vol. 8744, pp. 170–184. ista: 'Yu F, Rybar M, Uhler C, Fienberg S. 2014. Differentially-private logistic regression for detecting multiple-SNP association in GWAS databases. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). PSD: Privacy in Statistical Databases, LNCS, vol. 8744, 170–184.' mla: Yu, Fei, et al. “Differentially-Private Logistic Regression for Detecting Multiple-SNP Association in GWAS Databases.” Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), edited by Josep Domingo Ferrer, vol. 8744, Springer, 2014, pp. 170–84, doi:10.1007/978-3-319-11257-2_14. short: F. Yu, M. Rybar, C. Uhler, S. Fienberg, in:, J. Domingo Ferrer (Ed.), Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer, 2014, pp. 170–184. conference: end_date: 2014-09-19 location: Ibiza, Spain name: 'PSD: Privacy in Statistical Databases' start_date: 2014-09-17 date_created: 2018-12-11T11:55:24Z date_published: 2014-01-01T00:00:00Z date_updated: 2021-01-12T06:54:57Z day: '01' department: - _id: KrPi - _id: CaUh doi: 10.1007/978-3-319-11257-2_14 editor: - first_name: Josep full_name: Domingo Ferrer, Josep last_name: Domingo Ferrer external_id: arxiv: - '1407.8067' intvolume: ' 8744' language: - iso: eng main_file_link: - open_access: '1' url: http://arxiv.org/abs/1407.8067 month: '01' oa: 1 oa_version: Submitted Version page: 170 - 184 project: - _id: 25636330-B435-11E9-9278-68D0E5697425 grant_number: 11-NSF-1070 name: ROOTS Genome-wide Analysis of Root Traits publication: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) publication_status: published publisher: Springer publist_id: '5004' quality_controlled: '1' scopus_import: 1 status: public title: Differentially-private logistic regression for detecting multiple-SNP association in GWAS databases type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 volume: 8744 year: '2014' ... --- _id: '2046' abstract: - lang: eng text: 'We introduce policy-based signatures (PBS), where a signer can only sign messages conforming to some authority-specified policy. The main requirements are unforgeability and privacy, the latter meaning that signatures not reveal the policy. PBS offers value along two fronts: (1) On the practical side, they allow a corporation to control what messages its employees can sign under the corporate key. (2) On the theoretical side, they unify existing work, capturing other forms of signatures as special cases or allowing them to be easily built. Our work focuses on definitions of PBS, proofs that this challenging primitive is realizable for arbitrary policies, efficient constructions for specific policies, and a few representative applications.' acknowledgement: Part of his work was done while at Bristol University, supported by EPSRC grant EP/H043454/1. alternative_title: - LNCS author: - first_name: Mihir full_name: Bellare, Mihir last_name: Bellare - first_name: Georg full_name: Fuchsbauer, Georg id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87 last_name: Fuchsbauer citation: ama: 'Bellare M, Fuchsbauer G. Policy-based signatures. In: Krawczyk H, ed. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Vol 8383. Springer; 2014:520-537. doi:10.1007/978-3-642-54631-0_30' apa: 'Bellare, M., & Fuchsbauer, G. (2014). Policy-based signatures. In H. Krawczyk (Ed.), Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8383, pp. 520–537). Buenos Aires, Argentina: Springer. https://doi.org/10.1007/978-3-642-54631-0_30' chicago: Bellare, Mihir, and Georg Fuchsbauer. “Policy-Based Signatures.” In Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), edited by Hugo Krawczyk, 8383:520–37. Springer, 2014. https://doi.org/10.1007/978-3-642-54631-0_30. ieee: M. Bellare and G. Fuchsbauer, “Policy-based signatures,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Buenos Aires, Argentina, 2014, vol. 8383, pp. 520–537. ista: 'Bellare M, Fuchsbauer G. 2014. Policy-based signatures. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). PKC: Public Key Crypography, LNCS, vol. 8383, 520–537.' mla: Bellare, Mihir, and Georg Fuchsbauer. “Policy-Based Signatures.” Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), edited by Hugo Krawczyk, vol. 8383, Springer, 2014, pp. 520–37, doi:10.1007/978-3-642-54631-0_30. short: M. Bellare, G. Fuchsbauer, in:, H. Krawczyk (Ed.), Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer, 2014, pp. 520–537. conference: end_date: 2014-05-28 location: Buenos Aires, Argentina name: 'PKC: Public Key Crypography' start_date: 2014-05-26 date_created: 2018-12-11T11:55:24Z date_published: 2014-01-01T00:00:00Z date_updated: 2021-01-12T06:54:57Z day: '01' department: - _id: KrPi doi: 10.1007/978-3-642-54631-0_30 ec_funded: 1 editor: - first_name: Hugo full_name: Krawczyk, Hugo last_name: Krawczyk intvolume: ' 8383' language: - iso: eng main_file_link: - open_access: '1' url: https://eprint.iacr.org/2013/413 month: '01' oa: 1 oa_version: Submitted Version page: 520 - 537 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) publication_status: published publisher: Springer publist_id: '5005' quality_controlled: '1' scopus_import: 1 status: public title: Policy-based signatures type: conference user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87 volume: 8383 year: '2014' ... --- _id: '2185' abstract: - lang: eng text: 'We revisit the classical problem of converting an imperfect source of randomness into a usable cryptographic key. Assume that we have some cryptographic application P that expects a uniformly random m-bit key R and ensures that the best attack (in some complexity class) against P(R) has success probability at most δ. Our goal is to design a key-derivation function (KDF) h that converts any random source X of min-entropy k into a sufficiently "good" key h(X), guaranteeing that P(h(X)) has comparable security δ′ which is ''close'' to δ. Seeded randomness extractors provide a generic way to solve this problem for all applications P, with resulting security δ′ = O(δ), provided that we start with entropy k ≥ m + 2 log (1/δ) - O(1). By a result of Radhakrishnan and Ta-Shma, this bound on k (called the "RT-bound") is also known to be tight in general. Unfortunately, in many situations the loss of 2 log (1/δ) bits of entropy is unacceptable. This motivates the study KDFs with less entropy waste by placing some restrictions on the source X or the application P. In this work we obtain the following new positive and negative results in this regard: - Efficient samplability of the source X does not help beat the RT-bound for general applications. This resolves the SRT (samplable RT) conjecture of Dachman-Soled et al. [DGKM12] in the affirmative, and also shows that the existence of computationally-secure extractors beating the RT-bound implies the existence of one-way functions. - We continue in the line of work initiated by Barak et al. [BDK+11] and construct new information-theoretic KDFs which beat the RT-bound for large but restricted classes of applications. Specifically, we design efficient KDFs that work for all unpredictability applications P (e.g., signatures, MACs, one-way functions, etc.) and can either: (1) extract all of the entropy k = m with a very modest security loss δ′ = O(δ·log (1/δ)), or alternatively, (2) achieve essentially optimal security δ′ = O(δ) with a very modest entropy loss k ≥ m + loglog (1/δ). In comparison, the best prior results from [BDK+11] for this class of applications would only guarantee δ′ = O(√δ) when k = m, and would need k ≥ m + log (1/δ) to get δ′ = O(δ). - The weaker bounds of [BDK+11] hold for a larger class of so-called "square- friendly" applications (which includes all unpredictability, but also some important indistinguishability, applications). Unfortunately, we show that these weaker bounds are tight for the larger class of applications. - We abstract out a clean, information-theoretic notion of (k,δ,δ′)- unpredictability extractors, which guarantee "induced" security δ′ for any δ-secure unpredictability application P, and characterize the parameters achievable for such unpredictability extractors. Of independent interest, we also relate this notion to the previously-known notion of (min-entropy) condensers, and improve the state-of-the-art parameters for such condensers.' alternative_title: - LNCS author: - first_name: Yevgeniy full_name: Dodis, Yevgeniy last_name: Dodis - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 - first_name: Daniel full_name: Wichs, Daniel last_name: Wichs citation: ama: 'Dodis Y, Pietrzak KZ, Wichs D. Key derivation without entropy waste. In: Nguyen P, Oswald E, eds. Vol 8441. Springer; 2014:93-110. doi:10.1007/978-3-642-55220-5_6' apa: 'Dodis, Y., Pietrzak, K. Z., & Wichs, D. (2014). Key derivation without entropy waste. In P. Nguyen & E. Oswald (Eds.) (Vol. 8441, pp. 93–110). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark: Springer. https://doi.org/10.1007/978-3-642-55220-5_6' chicago: Dodis, Yevgeniy, Krzysztof Z Pietrzak, and Daniel Wichs. “Key Derivation without Entropy Waste.” edited by Phong Nguyen and Elisabeth Oswald, 8441:93–110. Springer, 2014. https://doi.org/10.1007/978-3-642-55220-5_6. ieee: 'Y. Dodis, K. Z. Pietrzak, and D. Wichs, “Key derivation without entropy waste,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, 2014, vol. 8441, pp. 93–110.' ista: 'Dodis Y, Pietrzak KZ, Wichs D. 2014. Key derivation without entropy waste. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 8441, 93–110.' mla: Dodis, Yevgeniy, et al. Key Derivation without Entropy Waste. Edited by Phong Nguyen and Elisabeth Oswald, vol. 8441, Springer, 2014, pp. 93–110, doi:10.1007/978-3-642-55220-5_6. short: Y. Dodis, K.Z. Pietrzak, D. Wichs, in:, P. Nguyen, E. Oswald (Eds.), Springer, 2014, pp. 93–110. conference: end_date: 2014-05-15 location: Copenhagen, Denmark name: 'EUROCRYPT: Theory and Applications of Cryptographic Techniques' start_date: 2014-05-11 date_created: 2018-12-11T11:56:12Z date_published: 2014-04-01T00:00:00Z date_updated: 2021-01-12T06:55:51Z day: '01' ddc: - '000' - '004' department: - _id: KrPi doi: 10.1007/978-3-642-55220-5_6 editor: - first_name: Phong full_name: Nguyen, Phong last_name: Nguyen - first_name: Elisabeth full_name: Oswald, Elisabeth last_name: Oswald file: - access_level: open_access checksum: da1aa01221086083b23c92e547b48ff4 content_type: application/pdf creator: system date_created: 2018-12-12T10:08:43Z date_updated: 2020-07-14T12:45:31Z file_id: '4705' file_name: IST-2016-680-v1+1_708.pdf file_size: 505389 relation: main_file file_date_updated: 2020-07-14T12:45:31Z has_accepted_license: '1' intvolume: ' 8441' language: - iso: eng month: '04' oa: 1 oa_version: Submitted Version page: 93 - 110 publication_status: published publisher: Springer publist_id: '4795' pubrep_id: '680' quality_controlled: '1' scopus_import: 1 status: public title: Key derivation without entropy waste type: conference user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87 volume: 8441 year: '2014' ... --- _id: '2219' abstract: - lang: eng text: Recently, Döttling et al. (ASIACRYPT 2012) proposed the first chosen-ciphertext (IND-CCA) secure public-key encryption scheme from the learning parity with noise (LPN) assumption. In this work we give an alternative scheme which is conceptually simpler and more efficient. At the core of our construction is a trapdoor technique originally proposed for lattices by Micciancio and Peikert (EUROCRYPT 2012), which we adapt to the LPN setting. The main technical tool is a new double-trapdoor mechanism, together with a trapdoor switching lemma based on a computational variant of the leftover hash lemma. alternative_title: - LNCS author: - first_name: Eike full_name: Kiltz, Eike last_name: Kiltz - first_name: Daniel full_name: Masny, Daniel last_name: Masny - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 citation: ama: 'Kiltz E, Masny D, Pietrzak KZ. Simple chosen-ciphertext security from low noise LPN. In: Vol 8383. Springer; 2014:1-18. doi:10.1007/978-3-642-54631-0_1' apa: 'Kiltz, E., Masny, D., & Pietrzak, K. Z. (2014). Simple chosen-ciphertext security from low noise LPN (Vol. 8383, pp. 1–18). Presented at the IACR: International Conference on Practice and Theory in Public-Key Cryptography, Springer. https://doi.org/10.1007/978-3-642-54631-0_1' chicago: Kiltz, Eike, Daniel Masny, and Krzysztof Z Pietrzak. “Simple Chosen-Ciphertext Security from Low Noise LPN,” 8383:1–18. Springer, 2014. https://doi.org/10.1007/978-3-642-54631-0_1. ieee: 'E. Kiltz, D. Masny, and K. Z. Pietrzak, “Simple chosen-ciphertext security from low noise LPN,” presented at the IACR: International Conference on Practice and Theory in Public-Key Cryptography, 2014, vol. 8383, pp. 1–18.' ista: 'Kiltz E, Masny D, Pietrzak KZ. 2014. Simple chosen-ciphertext security from low noise LPN. IACR: International Conference on Practice and Theory in Public-Key Cryptography, LNCS, vol. 8383, 1–18.' mla: Kiltz, Eike, et al. Simple Chosen-Ciphertext Security from Low Noise LPN. Vol. 8383, Springer, 2014, pp. 1–18, doi:10.1007/978-3-642-54631-0_1. short: E. Kiltz, D. Masny, K.Z. Pietrzak, in:, Springer, 2014, pp. 1–18. conference: name: 'IACR: International Conference on Practice and Theory in Public-Key Cryptography' date_created: 2018-12-11T11:56:24Z date_published: 2014-03-01T00:00:00Z date_updated: 2021-01-12T06:56:05Z day: '01' department: - _id: KrPi doi: 10.1007/978-3-642-54631-0_1 intvolume: ' 8383' language: - iso: eng main_file_link: - open_access: '1' url: https://eprint.iacr.org/2015/401 month: '03' oa: 1 oa_version: Submitted Version page: 1 - 18 publication_identifier: isbn: - 978-364254630-3 publication_status: published publisher: Springer publist_id: '4748' quality_controlled: '1' scopus_import: 1 status: public title: Simple chosen-ciphertext security from low noise LPN type: conference user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87 volume: 8383 year: '2014' ... --- _id: '2236' abstract: - lang: eng text: Consider a joint distribution (X,A) on a set. We show that for any family of distinguishers, there exists a simulator such that 1 no function in can distinguish (X,A) from (X,h(X)) with advantage ε, 2 h is only O(2 3ℓ ε -2) times less efficient than the functions in. For the most interesting settings of the parameters (in particular, the cryptographic case where X has superlogarithmic min-entropy, ε > 0 is negligible and consists of circuits of polynomial size), we can make the simulator h deterministic. As an illustrative application of our theorem, we give a new security proof for the leakage-resilient stream-cipher from Eurocrypt'09. Our proof is simpler and quantitatively much better than the original proof using the dense model theorem, giving meaningful security guarantees if instantiated with a standard blockcipher like AES. Subsequent to this work, Chung, Lui and Pass gave an interactive variant of our main theorem, and used it to investigate weak notions of Zero-Knowledge. Vadhan and Zheng give a more constructive version of our theorem using their new uniform min-max theorem. alternative_title: - LNCS author: - first_name: Dimitar full_name: Jetchev, Dimitar last_name: Jetchev - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 citation: ama: 'Jetchev D, Pietrzak KZ. How to fake auxiliary input. In: Lindell Y, ed. Vol 8349. Springer; 2014:566-590. doi:10.1007/978-3-642-54242-8_24' apa: 'Jetchev, D., & Pietrzak, K. Z. (2014). How to fake auxiliary input. In Y. Lindell (Ed.) (Vol. 8349, pp. 566–590). Presented at the TCC: Theory of Cryptography Conference, San Diego, USA: Springer. https://doi.org/10.1007/978-3-642-54242-8_24' chicago: Jetchev, Dimitar, and Krzysztof Z Pietrzak. “How to Fake Auxiliary Input.” edited by Yehuda Lindell, 8349:566–90. Springer, 2014. https://doi.org/10.1007/978-3-642-54242-8_24. ieee: 'D. Jetchev and K. Z. Pietrzak, “How to fake auxiliary input,” presented at the TCC: Theory of Cryptography Conference, San Diego, USA, 2014, vol. 8349, pp. 566–590.' ista: 'Jetchev D, Pietrzak KZ. 2014. How to fake auxiliary input. TCC: Theory of Cryptography Conference, LNCS, vol. 8349, 566–590.' mla: Jetchev, Dimitar, and Krzysztof Z. Pietrzak. How to Fake Auxiliary Input. Edited by Yehuda Lindell, vol. 8349, Springer, 2014, pp. 566–90, doi:10.1007/978-3-642-54242-8_24. short: D. Jetchev, K.Z. Pietrzak, in:, Y. Lindell (Ed.), Springer, 2014, pp. 566–590. conference: end_date: 2014-02-26 location: San Diego, USA name: 'TCC: Theory of Cryptography Conference' start_date: 2014-02-24 date_created: 2018-12-11T11:56:29Z date_published: 2014-02-01T00:00:00Z date_updated: 2021-01-12T06:56:12Z day: '01' ddc: - '004' department: - _id: KrPi doi: 10.1007/978-3-642-54242-8_24 ec_funded: 1 editor: - first_name: Yehuda full_name: Lindell, Yehuda last_name: Lindell file: - access_level: open_access checksum: 42960325c29dcd8d832edadcc3ce0045 content_type: application/pdf creator: system date_created: 2018-12-12T10:17:21Z date_updated: 2020-07-14T12:45:34Z file_id: '5275' file_name: IST-2016-681-v1+1_869_1_.pdf file_size: 313528 relation: main_file file_date_updated: 2020-07-14T12:45:34Z has_accepted_license: '1' intvolume: ' 8349' language: - iso: eng main_file_link: - open_access: '1' url: https://repository.ist.ac.at/id/eprint/681 month: '02' oa: 1 oa_version: Submitted Version page: 566 - 590 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication_identifier: isbn: - 978-364254241-1 publication_status: published publisher: Springer publist_id: '4725' pubrep_id: '681' quality_controlled: '1' status: public title: How to fake auxiliary input type: conference user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87 volume: 8349 year: '2014' ... --- _id: '2852' abstract: - lang: eng text: A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. So far, hash function combiners only aim at preserving a single property such as collision-resistance or pseudorandomness. However, when hash functions are used in protocols like TLS they are often required to provide several properties simultaneously. We therefore put forward the notion of robust multi-property combiners and elaborate on different definitions for such combiners. We then propose a combiner that provably preserves (target) collision-resistance, pseudorandomness, and being a secure message authentication code. This combiner satisfies the strongest notion we propose, which requires that the combined function satisfies every security property which is satisfied by at least one of the underlying hash function. If the underlying hash functions have output length n, the combiner has output length 2 n. This basically matches a known lower bound for black-box combiners for collision-resistance only, thus the other properties can be achieved without penalizing the length of the hash values. We then propose a combiner which also preserves the property of being indifferentiable from a random oracle, slightly increasing the output length to 2 n+ω(log n). Moreover, we show how to augment our constructions in order to make them also robust for the one-wayness property, but in this case require an a priory upper bound on the input length. author: - first_name: Marc full_name: Fischlin, Marc last_name: Fischlin - first_name: Anja full_name: Lehmann, Anja last_name: Lehmann - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 citation: ama: Fischlin M, Lehmann A, Pietrzak KZ. Robust multi-property combiners for hash functions. Journal of Cryptology. 2014;27(3):397-428. doi:10.1007/s00145-013-9148-7 apa: Fischlin, M., Lehmann, A., & Pietrzak, K. Z. (2014). Robust multi-property combiners for hash functions. Journal of Cryptology. Springer. https://doi.org/10.1007/s00145-013-9148-7 chicago: Fischlin, Marc, Anja Lehmann, and Krzysztof Z Pietrzak. “Robust Multi-Property Combiners for Hash Functions.” Journal of Cryptology. Springer, 2014. https://doi.org/10.1007/s00145-013-9148-7. ieee: M. Fischlin, A. Lehmann, and K. Z. Pietrzak, “Robust multi-property combiners for hash functions,” Journal of Cryptology, vol. 27, no. 3. Springer, pp. 397–428, 2014. ista: Fischlin M, Lehmann A, Pietrzak KZ. 2014. Robust multi-property combiners for hash functions. Journal of Cryptology. 27(3), 397–428. mla: Fischlin, Marc, et al. “Robust Multi-Property Combiners for Hash Functions.” Journal of Cryptology, vol. 27, no. 3, Springer, 2014, pp. 397–428, doi:10.1007/s00145-013-9148-7. short: M. Fischlin, A. Lehmann, K.Z. Pietrzak, Journal of Cryptology 27 (2014) 397–428. date_created: 2018-12-11T11:59:56Z date_published: 2014-07-01T00:00:00Z date_updated: 2023-02-23T11:17:53Z day: '01' department: - _id: KrPi doi: 10.1007/s00145-013-9148-7 intvolume: ' 27' issue: '3' language: - iso: eng month: '07' oa_version: None page: 397 - 428 publication: Journal of Cryptology publication_status: published publisher: Springer publist_id: '3940' quality_controlled: '1' related_material: record: - id: '3225' relation: earlier_version status: public scopus_import: 1 status: public title: Robust multi-property combiners for hash functions type: journal_article user_id: 3FFCCD3A-F248-11E8-B48F-1D18A9856A87 volume: 27 year: '2014' ... --- _id: '2082' abstract: - lang: eng text: 'NMAC is a mode of operation which turns a fixed input-length keyed hash function f into a variable input-length function. A practical single-key variant of NMAC called HMAC is a very popular and widely deployed message authentication code (MAC). Security proofs and attacks for NMAC can typically be lifted to HMAC. NMAC was introduced by Bellare, Canetti and Krawczyk [Crypto''96], who proved it to be a secure pseudorandom function (PRF), and thus also a MAC, assuming that (1) f is a PRF and (2) the function we get when cascading f is weakly collision-resistant. Unfortunately, HMAC is typically instantiated with cryptographic hash functions like MD5 or SHA-1 for which (2) has been found to be wrong. To restore the provable guarantees for NMAC, Bellare [Crypto''06] showed its security based solely on the assumption that f is a PRF, albeit via a non-uniform reduction. - Our first contribution is a simpler and uniform proof for this fact: If f is an ε-secure PRF (against q queries) and a δ-non-adaptively secure PRF (against q queries), then NMAC f is an (ε+ℓqδ)-secure PRF against q queries of length at most ℓ blocks each. - We then show that this ε+ℓqδ bound is basically tight. For the most interesting case where ℓqδ ≥ ε we prove this by constructing an f for which an attack with advantage ℓqδ exists. This also violates the bound O(ℓε) on the PRF-security of NMAC recently claimed by Koblitz and Menezes. - Finally, we analyze the PRF-security of a modification of NMAC called NI [An and Bellare, Crypto''99] that differs mainly by using a compression function with an additional keying input. This avoids the constant rekeying on multi-block messages in NMAC and allows for a security proof starting by the standard switch from a PRF to a random function, followed by an information-theoretic analysis. We carry out such an analysis, obtaining a tight ℓq2/2 c bound for this step, improving over the trivial bound of ℓ2q2/2c. The proof borrows combinatorial techniques originally developed for proving the security of CBC-MAC [Bellare et al., Crypto''05].' alternative_title: - LNCS author: - first_name: Peter full_name: Gazi, Peter id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87 last_name: Gazi - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 - first_name: Michal full_name: Rybar, Michal id: 2B3E3DE8-F248-11E8-B48F-1D18A9856A87 last_name: Rybar citation: ama: 'Gazi P, Pietrzak KZ, Rybar M. The exact PRF-security of NMAC and HMAC. In: Garay J, Gennaro R, eds. Vol 8616. Springer; 2014:113-130. doi:10.1007/978-3-662-44371-2_7' apa: 'Gazi, P., Pietrzak, K. Z., & Rybar, M. (2014). The exact PRF-security of NMAC and HMAC. In J. Garay & R. Gennaro (Eds.) (Vol. 8616, pp. 113–130). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, USA: Springer. https://doi.org/10.1007/978-3-662-44371-2_7' chicago: Gazi, Peter, Krzysztof Z Pietrzak, and Michal Rybar. “The Exact PRF-Security of NMAC and HMAC.” edited by Juan Garay and Rosario Gennaro, 8616:113–30. Springer, 2014. https://doi.org/10.1007/978-3-662-44371-2_7. ieee: 'P. Gazi, K. Z. Pietrzak, and M. Rybar, “The exact PRF-security of NMAC and HMAC,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, USA, 2014, vol. 8616, no. 1, pp. 113–130.' ista: 'Gazi P, Pietrzak KZ, Rybar M. 2014. The exact PRF-security of NMAC and HMAC. CRYPTO: International Cryptology Conference, LNCS, vol. 8616, 113–130.' mla: Gazi, Peter, et al. The Exact PRF-Security of NMAC and HMAC. Edited by Juan Garay and Rosario Gennaro, vol. 8616, no. 1, Springer, 2014, pp. 113–30, doi:10.1007/978-3-662-44371-2_7. short: P. Gazi, K.Z. Pietrzak, M. Rybar, in:, J. Garay, R. Gennaro (Eds.), Springer, 2014, pp. 113–130. conference: end_date: 2014-08-21 location: Santa Barbara, USA name: 'CRYPTO: International Cryptology Conference' start_date: 2014-08-17 date_created: 2018-12-11T11:55:36Z date_published: 2014-01-01T00:00:00Z date_updated: 2023-09-07T12:02:27Z day: '01' ddc: - '000' - '004' department: - _id: KrPi doi: 10.1007/978-3-662-44371-2_7 ec_funded: 1 editor: - first_name: Juan full_name: Garay, Juan last_name: Garay - first_name: Rosario full_name: Gennaro, Rosario last_name: Gennaro file: - access_level: open_access checksum: dab6ab36a5f6af94f2b597e6404ed11d content_type: application/pdf creator: system date_created: 2018-12-12T10:13:17Z date_updated: 2020-07-14T12:45:28Z file_id: '4999' file_name: IST-2016-682-v1+1_578.pdf file_size: 492310 relation: main_file file_date_updated: 2020-07-14T12:45:28Z has_accepted_license: '1' intvolume: ' 8616' issue: '1' language: - iso: eng month: '01' oa: 1 oa_version: Submitted Version page: 113 - 130 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication_status: published publisher: Springer publist_id: '4955' pubrep_id: '682' quality_controlled: '1' related_material: record: - id: '838' relation: dissertation_contains status: public status: public title: The exact PRF-security of NMAC and HMAC type: conference user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87 volume: 8616 year: '2014' ... --- _id: '2259' abstract: - lang: eng text: "The learning with rounding (LWR) problem, introduced by Banerjee, Peikert and Rosen at EUROCRYPT ’12, is a variant of learning with errors (LWE), where one replaces random errors with deterministic rounding. The LWR problem was shown to be as hard as LWE for a setting of parameters where the modulus and modulus-to-error ratio are super-polynomial. In this work we resolve the main open problem and give a new reduction that works for a larger range of parameters, allowing for a polynomial modulus and modulus-to-error ratio. In particular, a smaller modulus gives us greater efficiency, and a smaller modulus-to-error ratio gives us greater security, which now follows from the worst-case hardness of GapSVP with polynomial (rather than super-polynomial) approximation factors.\r\n\r\nAs a tool in the reduction, we show that there is a “lossy mode” for the LWR problem, in which LWR samples only reveal partial information about the secret. This property gives us several interesting new applications, including a proof that LWR remains secure with weakly random secrets of sufficient min-entropy, and very simple constructions of deterministic encryption, lossy trapdoor functions and reusable extractors.\r\n\r\nOur approach is inspired by a technique of Goldwasser et al. from ICS ’10, which implicitly showed the existence of a “lossy mode” for LWE. By refining this technique, we also improve on the parameters of that work to only requiring a polynomial (instead of super-polynomial) modulus and modulus-to-error ratio.\r\n" alternative_title: - LNCS author: - first_name: Joel F full_name: Alwen, Joel F id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87 last_name: Alwen - first_name: Stephan full_name: Krenn, Stephan id: 329FCCF0-F248-11E8-B48F-1D18A9856A87 last_name: Krenn orcid: 0000-0003-2835-9093 - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 - first_name: Daniel full_name: Wichs, Daniel last_name: Wichs citation: ama: 'Alwen JF, Krenn S, Pietrzak KZ, Wichs D. Learning with rounding, revisited: New reduction properties and applications. 2013;8042(1):57-74. doi:10.1007/978-3-642-40041-4_4' apa: 'Alwen, J. F., Krenn, S., Pietrzak, K. Z., & Wichs, D. (2013). Learning with rounding, revisited: New reduction properties and applications. Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-642-40041-4_4' chicago: 'Alwen, Joel F, Stephan Krenn, Krzysztof Z Pietrzak, and Daniel Wichs. “Learning with Rounding, Revisited: New Reduction Properties and Applications.” Lecture Notes in Computer Science. Springer, 2013. https://doi.org/10.1007/978-3-642-40041-4_4.' ieee: 'J. F. Alwen, S. Krenn, K. Z. Pietrzak, and D. Wichs, “Learning with rounding, revisited: New reduction properties and applications,” vol. 8042, no. 1. Springer, pp. 57–74, 2013.' ista: 'Alwen JF, Krenn S, Pietrzak KZ, Wichs D. 2013. Learning with rounding, revisited: New reduction properties and applications. 8042(1), 57–74.' mla: 'Alwen, Joel F., et al. Learning with Rounding, Revisited: New Reduction Properties and Applications. Vol. 8042, no. 1, Springer, 2013, pp. 57–74, doi:10.1007/978-3-642-40041-4_4.' short: J.F. Alwen, S. Krenn, K.Z. Pietrzak, D. Wichs, 8042 (2013) 57–74. conference: end_date: 2013-08-22 location: Santa Barbara, CA, United States name: 'CRYPTO: International Cryptology Conference' start_date: 2013-08-18 date_created: 2018-12-11T11:56:37Z date_published: 2013-01-01T00:00:00Z date_updated: 2021-01-12T06:56:21Z day: '01' ddc: - '000' - '004' department: - _id: KrPi doi: 10.1007/978-3-642-40041-4_4 ec_funded: 1 file: - access_level: open_access checksum: 16d428408a806b8e49eecc607deab115 content_type: application/pdf creator: system date_created: 2018-12-12T10:11:55Z date_updated: 2020-07-14T12:45:35Z file_id: '4912' file_name: IST-2016-684-v1+1_098.pdf file_size: 587898 relation: main_file file_date_updated: 2020-07-14T12:45:35Z has_accepted_license: '1' intvolume: ' 8042' issue: '1' language: - iso: eng month: '01' oa: 1 oa_version: Published Version page: 57 - 74 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication_status: published publisher: Springer publist_id: '4687' pubrep_id: '684' quality_controlled: '1' scopus_import: 1 series_title: Lecture Notes in Computer Science status: public title: 'Learning with rounding, revisited: New reduction properties and applications' type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 volume: 8042 year: '2013' ... --- _id: '2258' abstract: - lang: eng text: "In a digital signature scheme with message recovery, rather than transmitting the message m and its signature σ, a single enhanced signature τ is transmitted. The verifier is able to recover m from τ and at the same time verify its authenticity. The two most important parameters of such a scheme are its security and overhead |τ| − |m|. A simple argument shows that for any scheme with “n bits security” |τ| − |m| ≥ n, i.e., the overhead is lower bounded by the security parameter n. Currently, the best known constructions in the random oracle model are far from this lower bound requiring an overhead of n + logq h , where q h is the number of queries to the random oracle. In this paper we give a construction which basically matches the n bit lower bound. We propose a simple digital signature scheme with n + o(logq h ) bits overhead, where q h denotes the number of random oracle queries.\r\n\r\nOur construction works in two steps. First, we propose a signature scheme with message recovery having optimal overhead in a new ideal model, the random invertible function model. Second, we show that a four-round Feistel network with random oracles as round functions is tightly “public-indifferentiable” from a random invertible function. At the core of our indifferentiability proof is an almost tight upper bound for the expected number of edges of the densest “small” subgraph of a random Cayley graph, which may be of independent interest.\r\n" alternative_title: - LNCS author: - first_name: Eike full_name: Kiltz, Eike last_name: Kiltz - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 - first_name: Mario full_name: Szegedy, Mario last_name: Szegedy citation: ama: Kiltz E, Pietrzak KZ, Szegedy M. Digital signatures with minimal overhead from indifferentiable random invertible functions. 2013;8042:571-588. doi:10.1007/978-3-642-40041-4_31 apa: 'Kiltz, E., Pietrzak, K. Z., & Szegedy, M. (2013). Digital signatures with minimal overhead from indifferentiable random invertible functions. Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. https://doi.org/10.1007/978-3-642-40041-4_31' chicago: Kiltz, Eike, Krzysztof Z Pietrzak, and Mario Szegedy. “Digital Signatures with Minimal Overhead from Indifferentiable Random Invertible Functions.” Lecture Notes in Computer Science. Springer, 2013. https://doi.org/10.1007/978-3-642-40041-4_31. ieee: E. Kiltz, K. Z. Pietrzak, and M. Szegedy, “Digital signatures with minimal overhead from indifferentiable random invertible functions,” vol. 8042. Springer, pp. 571–588, 2013. ista: Kiltz E, Pietrzak KZ, Szegedy M. 2013. Digital signatures with minimal overhead from indifferentiable random invertible functions. 8042, 571–588. mla: Kiltz, Eike, et al. Digital Signatures with Minimal Overhead from Indifferentiable Random Invertible Functions. Vol. 8042, Springer, 2013, pp. 571–88, doi:10.1007/978-3-642-40041-4_31. short: E. Kiltz, K.Z. Pietrzak, M. Szegedy, 8042 (2013) 571–588. conference: end_date: 2013-08-22 location: Santa Barbara, CA, United States name: 'CRYPTO: International Cryptology Conference' start_date: 2013-08-18 date_created: 2018-12-11T11:56:37Z date_published: 2013-01-01T00:00:00Z date_updated: 2021-01-12T06:56:21Z day: '01' ddc: - '000' - '004' department: - _id: KrPi doi: 10.1007/978-3-642-40041-4_31 ec_funded: 1 file: - access_level: open_access checksum: 18a3f602cb41de184dc0e16a0e907633 content_type: application/pdf creator: system date_created: 2018-12-12T10:09:20Z date_updated: 2020-07-14T12:45:35Z file_id: '4744' file_name: IST-2016-685-v1+1_658.pdf file_size: 493175 relation: main_file file_date_updated: 2020-07-14T12:45:35Z has_accepted_license: '1' intvolume: ' 8042' language: - iso: eng month: '01' oa: 1 oa_version: Submitted Version page: 571 - 588 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication_status: published publisher: Springer publist_id: '4688' pubrep_id: '685' quality_controlled: '1' scopus_import: 1 series_title: Lecture Notes in Computer Science status: public title: Digital signatures with minimal overhead from indifferentiable random invertible functions type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 volume: 8042 year: '2013' ... --- _id: '2260' abstract: - lang: eng text: "Direct Anonymous Attestation (DAA) is one of the most complex cryptographic protocols deployed in practice. It allows an embedded secure processor known as a Trusted Platform Module (TPM) to attest to the configuration of its host computer without violating the owner’s privacy. DAA has been standardized by the Trusted Computing Group and ISO/IEC.\r\n\r\nThe security of the DAA standard and all existing schemes is analyzed in the random-oracle model. We provide the first constructions of DAA in the standard model, that is, without relying on random oracles. Our constructions use new building blocks, including the first efficient signatures of knowledge in the standard model, which have many applications beyond DAA.\r\n" alternative_title: - LNCS author: - first_name: David full_name: Bernhard, David last_name: Bernhard - first_name: Georg full_name: Fuchsbauer, Georg id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87 last_name: Fuchsbauer - first_name: Essam full_name: Ghadafi, Essam last_name: Ghadafi citation: ama: Bernhard D, Fuchsbauer G, Ghadafi E. Efficient signatures of knowledge and DAA in the standard model. 2013;7954:518-533. doi:10.1007/978-3-642-38980-1_33 apa: 'Bernhard, D., Fuchsbauer, G., & Ghadafi, E. (2013). Efficient signatures of knowledge and DAA in the standard model. Presented at the ACNS: Applied Cryptography and Network Security, Banff, AB, Canada: Springer. https://doi.org/10.1007/978-3-642-38980-1_33' chicago: Bernhard, David, Georg Fuchsbauer, and Essam Ghadafi. “Efficient Signatures of Knowledge and DAA in the Standard Model.” Lecture Notes in Computer Science. Springer, 2013. https://doi.org/10.1007/978-3-642-38980-1_33. ieee: D. Bernhard, G. Fuchsbauer, and E. Ghadafi, “Efficient signatures of knowledge and DAA in the standard model,” vol. 7954. Springer, pp. 518–533, 2013. ista: Bernhard D, Fuchsbauer G, Ghadafi E. 2013. Efficient signatures of knowledge and DAA in the standard model. 7954, 518–533. mla: Bernhard, David, et al. Efficient Signatures of Knowledge and DAA in the Standard Model. Vol. 7954, Springer, 2013, pp. 518–33, doi:10.1007/978-3-642-38980-1_33. short: D. Bernhard, G. Fuchsbauer, E. Ghadafi, 7954 (2013) 518–533. conference: end_date: 2013-06-28 location: Banff, AB, Canada name: 'ACNS: Applied Cryptography and Network Security' start_date: 2013-06-25 date_created: 2018-12-11T11:56:37Z date_published: 2013-06-01T00:00:00Z date_updated: 2020-08-11T10:09:44Z day: '01' department: - _id: KrPi doi: 10.1007/978-3-642-38980-1_33 intvolume: ' 7954' language: - iso: eng main_file_link: - open_access: '1' url: http://eprint.iacr.org/2012/475 month: '06' oa: 1 oa_version: Submitted Version page: 518 - 533 publication_status: published publisher: Springer publist_id: '4686' quality_controlled: '1' scopus_import: 1 series_title: Lecture Notes in Computer Science status: public title: Efficient signatures of knowledge and DAA in the standard model type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 volume: 7954 year: '2013' ... --- _id: '2291' abstract: - lang: eng text: "Cryptographic access control promises to offer easily distributed trust and broader applicability, while reducing reliance on low-level online monitors. Traditional implementations of cryptographic access control rely on simple cryptographic primitives whereas recent endeavors employ primitives with richer functionality and security guarantees. Worryingly, few of the existing cryptographic access-control schemes come with precise guarantees, the gap between the policy specification and the implementation being analyzed only informally, if at all. In this paper we begin addressing this shortcoming. Unlike prior work that targeted ad-hoc policy specification, we look at the well-established Role-Based Access Control (RBAC) model, as used in a typical file system. In short, we provide a precise syntax for a computational version of RBAC, offer rigorous definitions for cryptographic policy enforcement of a large class of RBAC security policies, and demonstrate that an implementation based on attribute-based encryption meets our security notions. We view our main contribution as being at the conceptual level. Although we work with RBAC for concreteness, our general methodology could guide future research for uses of cryptography in other access-control models. \r\n" author: - first_name: Anna full_name: Ferrara, Anna last_name: Ferrara - first_name: Georg full_name: Fuchsbauer, Georg id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87 last_name: Fuchsbauer - first_name: Bogdan full_name: Warinschi, Bogdan last_name: Warinschi citation: ama: 'Ferrara A, Fuchsbauer G, Warinschi B. Cryptographically enforced RBAC. In: IEEE; 2013:115-129. doi:10.1109/CSF.2013.15' apa: 'Ferrara, A., Fuchsbauer, G., & Warinschi, B. (2013). Cryptographically enforced RBAC (pp. 115–129). Presented at the CSF: Computer Security Foundations, New Orleans, LA, United States: IEEE. https://doi.org/10.1109/CSF.2013.15' chicago: Ferrara, Anna, Georg Fuchsbauer, and Bogdan Warinschi. “Cryptographically Enforced RBAC,” 115–29. IEEE, 2013. https://doi.org/10.1109/CSF.2013.15. ieee: 'A. Ferrara, G. Fuchsbauer, and B. Warinschi, “Cryptographically enforced RBAC,” presented at the CSF: Computer Security Foundations, New Orleans, LA, United States, 2013, pp. 115–129.' ista: 'Ferrara A, Fuchsbauer G, Warinschi B. 2013. Cryptographically enforced RBAC. CSF: Computer Security Foundations, 115–129.' mla: Ferrara, Anna, et al. Cryptographically Enforced RBAC. IEEE, 2013, pp. 115–29, doi:10.1109/CSF.2013.15. short: A. Ferrara, G. Fuchsbauer, B. Warinschi, in:, IEEE, 2013, pp. 115–129. conference: end_date: 2013-09-28 location: New Orleans, LA, United States name: 'CSF: Computer Security Foundations' start_date: 2013-09-26 date_created: 2018-12-11T11:56:48Z date_published: 2013-09-01T00:00:00Z date_updated: 2021-01-12T06:56:34Z day: '01' department: - _id: KrPi doi: 10.1109/CSF.2013.15 language: - iso: eng main_file_link: - open_access: '1' url: http://eprint.iacr.org/2013/492 month: '09' oa: 1 oa_version: Submitted Version page: 115 - 129 publication_status: published publisher: IEEE publist_id: '4637' quality_controlled: '1' scopus_import: 1 status: public title: Cryptographically enforced RBAC type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 year: '2013' ... --- _id: '2940' abstract: - lang: eng text: "A chain rule for an entropy notion H(.) states that the entropy H(X) of a variable X decreases by at most l if conditioned on an l-bit string A, i.e., H(X|A)>= H(X)-l. More generally, it satisfies a chain rule for conditional entropy if H(X|Y,A)>= H(X|Y)-l.\r\n\r\nAll natural information theoretic entropy notions we are aware of (like Shannon or min-entropy) satisfy some kind of chain rule for conditional entropy. Moreover, many computational entropy notions (like Yao entropy, unpredictability entropy and several variants of HILL entropy) satisfy the chain rule for conditional entropy, though here not only the quantity decreases by l, but also the quality of the entropy decreases exponentially in l. However, for \r\nthe standard notion of conditional HILL entropy (the computational equivalent of min-entropy) the existence of such a rule was unknown so far.\r\n\r\nIn this paper, we prove that for conditional HILL entropy no meaningful chain rule exists, assuming the existence of one-way permutations: there exist distributions X,Y,A, where A is a distribution over a single bit, but $H(X|Y)>>H(X|Y,A)$, even if we simultaneously allow for a massive degradation in the quality of the entropy.\r\n\r\nThe idea underlying our construction is based on a surprising connection between the chain rule for HILL entropy and deniable encryption. " alternative_title: - LNCS author: - first_name: Stephan full_name: Krenn, Stephan id: 329FCCF0-F248-11E8-B48F-1D18A9856A87 last_name: Krenn orcid: 0000-0003-2835-9093 - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 - first_name: Akshay full_name: Wadia, Akshay last_name: Wadia citation: ama: 'Krenn S, Pietrzak KZ, Wadia A. A counterexample to the chain rule for conditional HILL entropy, and what deniable encryption has to do with it. In: Sahai A, ed. Vol 7785. Springer; 2013:23-39. doi:10.1007/978-3-642-36594-2_2' apa: 'Krenn, S., Pietrzak, K. Z., & Wadia, A. (2013). A counterexample to the chain rule for conditional HILL entropy, and what deniable encryption has to do with it. In A. Sahai (Ed.) (Vol. 7785, pp. 23–39). Presented at the TCC: Theory of Cryptography Conference, Tokyo, Japan: Springer. https://doi.org/10.1007/978-3-642-36594-2_2' chicago: Krenn, Stephan, Krzysztof Z Pietrzak, and Akshay Wadia. “A Counterexample to the Chain Rule for Conditional HILL Entropy, and What Deniable Encryption Has to Do with It.” edited by Amit Sahai, 7785:23–39. Springer, 2013. https://doi.org/10.1007/978-3-642-36594-2_2. ieee: 'S. Krenn, K. Z. Pietrzak, and A. Wadia, “A counterexample to the chain rule for conditional HILL entropy, and what deniable encryption has to do with it,” presented at the TCC: Theory of Cryptography Conference, Tokyo, Japan, 2013, vol. 7785, pp. 23–39.' ista: 'Krenn S, Pietrzak KZ, Wadia A. 2013. A counterexample to the chain rule for conditional HILL entropy, and what deniable encryption has to do with it. TCC: Theory of Cryptography Conference, LNCS, vol. 7785, 23–39.' mla: Krenn, Stephan, et al. A Counterexample to the Chain Rule for Conditional HILL Entropy, and What Deniable Encryption Has to Do with It. Edited by Amit Sahai, vol. 7785, Springer, 2013, pp. 23–39, doi:10.1007/978-3-642-36594-2_2. short: S. Krenn, K.Z. Pietrzak, A. Wadia, in:, A. Sahai (Ed.), Springer, 2013, pp. 23–39. conference: end_date: 2013-03-06 location: Tokyo, Japan name: 'TCC: Theory of Cryptography Conference' start_date: 2013-03-03 date_created: 2018-12-11T12:00:27Z date_published: 2013-01-29T00:00:00Z date_updated: 2023-02-23T10:00:43Z day: '29' ddc: - '000' department: - _id: KrPi doi: 10.1007/978-3-642-36594-2_2 ec_funded: 1 editor: - first_name: Amit full_name: Sahai, Amit last_name: Sahai file: - access_level: open_access checksum: beb0cc1c0579da2d2e84394230a5da78 content_type: application/pdf creator: dernst date_created: 2019-01-22T14:11:11Z date_updated: 2020-07-14T12:45:54Z file_id: '5875' file_name: 2013_LNCS_Krenn.pdf file_size: 414823 relation: main_file file_date_updated: 2020-07-14T12:45:54Z has_accepted_license: '1' intvolume: ' 7785' language: - iso: eng month: '01' oa: 1 oa_version: Submitted Version page: 23 - 39 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication_status: published publisher: Springer publist_id: '3795' quality_controlled: '1' related_material: record: - id: '1479' relation: later_version status: public scopus_import: 1 status: public title: A counterexample to the chain rule for conditional HILL entropy, and what deniable encryption has to do with it type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 volume: 7785 year: '2013' ... --- _id: '502' abstract: - lang: eng text: 'Blind signatures allow users to obtain signatures on messages hidden from the signer; moreover, the signer cannot link the resulting message/signature pair to the signing session. This paper presents blind signature schemes, in which the number of interactions between the user and the signer is minimal and whose blind signatures are short. Our schemes are defined over bilinear groups and are proved secure in the common-reference-string model without random oracles and under standard assumptions: CDH and the decision-linear assumption. (We also give variants over asymmetric groups based on similar assumptions.) The blind signatures are Waters signatures, which consist of 2 group elements. Moreover, we instantiate partially blind signatures, where the message consists of a part hidden from the signer and a commonly known public part, and schemes achieving perfect blindness. We propose new variants of blind signatures, such as signer-friendly partially blind signatures, where the public part can be chosen by the signer without prior agreement, 3-party blind signatures, as well as blind signatures on multiple aggregated messages provided by independent sources. We also extend Waters signatures to non-binary alphabets by proving a new result on the underlying hash function. ' author: - first_name: Olivier full_name: Blazy, Olivier last_name: Blazy - first_name: Georg full_name: Fuchsbauer, Georg id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87 last_name: Fuchsbauer - first_name: David full_name: Pointcheval, David last_name: Pointcheval - first_name: Damien full_name: Vergnaud, Damien last_name: Vergnaud citation: ama: Blazy O, Fuchsbauer G, Pointcheval D, Vergnaud D. Short blind signatures. Journal of Computer Security. 2013;21(5):627-661. doi:10.3233/JCS-130477 apa: Blazy, O., Fuchsbauer, G., Pointcheval, D., & Vergnaud, D. (2013). Short blind signatures. Journal of Computer Security. IOS Press. https://doi.org/10.3233/JCS-130477 chicago: Blazy, Olivier, Georg Fuchsbauer, David Pointcheval, and Damien Vergnaud. “Short Blind Signatures.” Journal of Computer Security. IOS Press, 2013. https://doi.org/10.3233/JCS-130477. ieee: O. Blazy, G. Fuchsbauer, D. Pointcheval, and D. Vergnaud, “Short blind signatures,” Journal of Computer Security, vol. 21, no. 5. IOS Press, pp. 627–661, 2013. ista: Blazy O, Fuchsbauer G, Pointcheval D, Vergnaud D. 2013. Short blind signatures. Journal of Computer Security. 21(5), 627–661. mla: Blazy, Olivier, et al. “Short Blind Signatures.” Journal of Computer Security, vol. 21, no. 5, IOS Press, 2013, pp. 627–61, doi:10.3233/JCS-130477. short: O. Blazy, G. Fuchsbauer, D. Pointcheval, D. Vergnaud, Journal of Computer Security 21 (2013) 627–661. date_created: 2018-12-11T11:46:50Z date_published: 2013-11-22T00:00:00Z date_updated: 2021-01-12T08:01:09Z day: '22' department: - _id: KrPi doi: 10.3233/JCS-130477 intvolume: ' 21' issue: '5' language: - iso: eng month: '11' oa_version: None page: 627 - 661 publication: Journal of Computer Security publication_status: published publisher: IOS Press publist_id: '7318' quality_controlled: '1' scopus_import: 1 status: public title: Short blind signatures type: journal_article user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 volume: 21 year: '2013' ... --- _id: '2274' abstract: - lang: eng text: "Proofs of work (PoW) have been suggested by Dwork and Naor (Crypto'92) as protection to a shared resource. The basic idea is to ask the service requestor to dedicate some non-trivial amount of computational work to every request. The original applications included prevention of spam and protection against denial of service attacks. More recently, PoWs have been used to prevent double spending in the Bitcoin digital currency system.\r\n\r\nIn this work, we put forward an alternative concept for PoWs -- so-called proofs of space (PoS), where a service requestor must dedicate a significant amount of disk space as opposed to computation. We construct secure PoS schemes in the random oracle model, using graphs with high "pebbling complexity" and Merkle hash-trees. " author: - first_name: Stefan full_name: Dziembowski, Stefan last_name: Dziembowski - first_name: Sebastian full_name: Faust, Sebastian last_name: Faust - first_name: Vladimir full_name: Kolmogorov, Vladimir id: 3D50B0BA-F248-11E8-B48F-1D18A9856A87 last_name: Kolmogorov - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 citation: ama: Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. Proofs of Space. IST Austria; 2013. apa: Dziembowski, S., Faust, S., Kolmogorov, V., & Pietrzak, K. Z. (2013). Proofs of Space. IST Austria. chicago: Dziembowski, Stefan, Sebastian Faust, Vladimir Kolmogorov, and Krzysztof Z Pietrzak. Proofs of Space. IST Austria, 2013. ieee: S. Dziembowski, S. Faust, V. Kolmogorov, and K. Z. Pietrzak, Proofs of Space. IST Austria, 2013. ista: Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. 2013. Proofs of Space, IST Austria,p. mla: Dziembowski, Stefan, et al. Proofs of Space. IST Austria, 2013. short: S. Dziembowski, S. Faust, V. Kolmogorov, K.Z. Pietrzak, Proofs of Space, IST Austria, 2013. date_created: 2018-12-11T11:56:42Z date_published: 2013-11-28T00:00:00Z date_updated: 2024-03-20T08:31:49Z day: '28' ddc: - '530' department: - _id: VlKo - _id: KrPi file: - access_level: open_access checksum: 37b61637b62fc079d9141c59d9f1a94f content_type: application/pdf creator: system date_created: 2018-12-12T10:16:11Z date_updated: 2020-07-14T12:45:36Z file_id: '5197' file_name: IST-2016-671-v1+1_796.pdf file_size: 405870 relation: main_file file_date_updated: 2020-07-14T12:45:36Z has_accepted_license: '1' language: - iso: eng month: '11' oa: 1 oa_version: Published Version publication_status: published publisher: IST Austria publist_id: '4670' pubrep_id: '671' related_material: record: - id: '1675' relation: later_version status: public scopus_import: 1 status: public title: Proofs of Space type: report user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 year: '2013' ... --- _id: '2048' abstract: - lang: eng text: Leakage resilient cryptography attempts to incorporate side-channel leakage into the black-box security model and designs cryptographic schemes that are provably secure within it. Informally, a scheme is leakage-resilient if it remains secure even if an adversary learns a bounded amount of arbitrary information about the schemes internal state. Unfortunately, most leakage resilient schemes are unnecessarily complicated in order to achieve strong provable security guarantees. As advocated by Yu et al. [CCS’10], this mostly is an artefact of the security proof and in practice much simpler construction may already suffice to protect against realistic side-channel attacks. In this paper, we show that indeed for simpler constructions leakage-resilience can be obtained when we aim for relaxed security notions where the leakage-functions and/or the inputs to the primitive are chosen non-adaptively. For example, we show that a three round Feistel network instantiated with a leakage resilient PRF yields a leakage resilient PRP if the inputs are chosen non-adaptively (This complements the result of Dodis and Pietrzak [CRYPTO’10] who show that if a adaptive queries are allowed, a superlogarithmic number of rounds is necessary.) We also show that a minor variation of the classical GGM construction gives a leakage resilient PRF if both, the leakage-function and the inputs, are chosen non-adaptively. acknowledgement: "Sebastian Faust acknowledges support from the Danish National Research Foundation and The National Science Foundation of China (under the grant 61061130540) for the Sino-Danish Center for the Theory of Interactive Computation, within part of this work was performed; and from the CFEM research center, supported by the Danish Strategic Research Council. \r\nSupported by the European Research Council/ERC Starting Grant 259668-PSPC.\r\n" alternative_title: - LNCS author: - first_name: Sebastian full_name: Faust, Sebastian last_name: Faust - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 - first_name: Joachim full_name: Schipper, Joachim id: 7BE863D4-E9CF-11E9-9EDB-90527418172C last_name: Schipper citation: ama: 'Faust S, Pietrzak KZ, Schipper J. Practical leakage-resilient symmetric cryptography. In: Conference Proceedings CHES 2012. Vol 7428. Springer; 2012:213-232. doi:10.1007/978-3-642-33027-8_13' apa: 'Faust, S., Pietrzak, K. Z., & Schipper, J. (2012). Practical leakage-resilient symmetric cryptography. In Conference proceedings CHES 2012 (Vol. 7428, pp. 213–232). Leuven, Belgium: Springer. https://doi.org/10.1007/978-3-642-33027-8_13' chicago: Faust, Sebastian, Krzysztof Z Pietrzak, and Joachim Schipper. “Practical Leakage-Resilient Symmetric Cryptography.” In Conference Proceedings CHES 2012, 7428:213–32. Springer, 2012. https://doi.org/10.1007/978-3-642-33027-8_13. ieee: S. Faust, K. Z. Pietrzak, and J. Schipper, “Practical leakage-resilient symmetric cryptography,” in Conference proceedings CHES 2012, Leuven, Belgium, 2012, vol. 7428, pp. 213–232. ista: 'Faust S, Pietrzak KZ, Schipper J. 2012. Practical leakage-resilient symmetric cryptography. Conference proceedings CHES 2012. CHES: Cryptographic Hardware and Embedded Systems, LNCS, vol. 7428, 213–232.' mla: Faust, Sebastian, et al. “Practical Leakage-Resilient Symmetric Cryptography.” Conference Proceedings CHES 2012, vol. 7428, Springer, 2012, pp. 213–32, doi:10.1007/978-3-642-33027-8_13. short: S. Faust, K.Z. Pietrzak, J. Schipper, in:, Conference Proceedings CHES 2012, Springer, 2012, pp. 213–232. conference: end_date: 2012-09-12 location: Leuven, Belgium name: 'CHES: Cryptographic Hardware and Embedded Systems' start_date: 2012-09-09 date_created: 2018-12-11T11:55:25Z date_published: 2012-09-01T00:00:00Z date_updated: 2021-01-12T06:54:58Z day: '01' department: - _id: KrPi doi: 10.1007/978-3-642-33027-8_13 ec_funded: 1 intvolume: ' 7428' language: - iso: eng main_file_link: - open_access: '1' url: http://www.iacr.org/archive/ches2012/74280211/74280211.pdf month: '09' oa: 1 oa_version: Preprint page: 213 - 232 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication: ' Conference proceedings CHES 2012' publication_status: published publisher: Springer publist_id: '5003' quality_controlled: '1' scopus_import: 1 status: public title: Practical leakage-resilient symmetric cryptography type: conference user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87 volume: 7428 year: '2012' ... --- _id: '2049' abstract: - lang: eng text: "We propose a new authentication protocol that is provably secure based on a ring variant of the learning parity with noise (LPN) problem. The protocol follows the design principle of the LPN-based protocol from Eurocrypt’11 (Kiltz et al.), and like it, is a two round protocol secure against active attacks. Moreover, our protocol has small communication complexity and a very small footprint which makes it applicable in scenarios that involve low-cost, resource-constrained devices.\r\n\r\nPerformance-wise, our protocol is more efficient than previous LPN-based schemes, such as the many variants of the Hopper-Blum (HB) protocol and the aforementioned protocol from Eurocrypt’11. Our implementation results show that it is even comparable to the standard challenge-and-response protocols based on the AES block-cipher. Our basic protocol is roughly 20 times slower than AES, but with the advantage of having 10 times smaller code size. Furthermore, if a few hundred bytes of non-volatile memory are available to allow the storage of some off-line pre-computations, then the online phase of our protocols is only twice as slow as AES.\r\n" acknowledgement: "Supported by the European Research Council / ERC Starting Grant (259668- PSPC)\r\nWe would like to thank the anonymous referees of this confer- ence and those of the ECRYPT Workshop on Lightweight Cryptography for very useful comments, and in particular for the suggestion that the scheme is somewhat vulnerable to a man-in-the-middle attack whenever an adversary observes two reader challenges that are the same. We hope that the attack we described in Appendix A corresponds to what the reviewer had in mind. We also thank Tanja Lange for pointing us to the pa- per of [Kir11] and for discussions of some of her recent work. " alternative_title: - LNCS author: - first_name: Stefan full_name: Heyse, Stefan last_name: Heyse - first_name: Eike full_name: Kiltz, Eike last_name: Kiltz - first_name: Vadim full_name: Lyubashevsky, Vadim last_name: Lyubashevsky - first_name: Christof full_name: Paar, Christof last_name: Paar - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 citation: ama: 'Heyse S, Kiltz E, Lyubashevsky V, Paar C, Pietrzak KZ. Lapin: An efficient authentication protocol based on ring-LPN. In: Conference Proceedings FSE 2012. Vol 7549. Springer; 2012:346-365. doi:10.1007/978-3-642-34047-5_20' apa: 'Heyse, S., Kiltz, E., Lyubashevsky, V., Paar, C., & Pietrzak, K. Z. (2012). Lapin: An efficient authentication protocol based on ring-LPN. In Conference proceedings FSE 2012 (Vol. 7549, pp. 346–365). Washington, DC, USA: Springer. https://doi.org/10.1007/978-3-642-34047-5_20' chicago: 'Heyse, Stefan, Eike Kiltz, Vadim Lyubashevsky, Christof Paar, and Krzysztof Z Pietrzak. “Lapin: An Efficient Authentication Protocol Based on Ring-LPN.” In Conference Proceedings FSE 2012, 7549:346–65. Springer, 2012. https://doi.org/10.1007/978-3-642-34047-5_20.' ieee: 'S. Heyse, E. Kiltz, V. Lyubashevsky, C. Paar, and K. Z. Pietrzak, “Lapin: An efficient authentication protocol based on ring-LPN,” in Conference proceedings FSE 2012, Washington, DC, USA, 2012, vol. 7549, pp. 346–365.' ista: 'Heyse S, Kiltz E, Lyubashevsky V, Paar C, Pietrzak KZ. 2012. Lapin: An efficient authentication protocol based on ring-LPN. Conference proceedings FSE 2012. FSE: Fast Software Encryption, LNCS, vol. 7549, 346–365.' mla: 'Heyse, Stefan, et al. “Lapin: An Efficient Authentication Protocol Based on Ring-LPN.” Conference Proceedings FSE 2012, vol. 7549, Springer, 2012, pp. 346–65, doi:10.1007/978-3-642-34047-5_20.' short: S. Heyse, E. Kiltz, V. Lyubashevsky, C. Paar, K.Z. Pietrzak, in:, Conference Proceedings FSE 2012, Springer, 2012, pp. 346–365. conference: end_date: 2012-03-21 location: Washington, DC, USA name: 'FSE: Fast Software Encryption' start_date: 2012-03-19 date_created: 2018-12-11T11:55:25Z date_published: 2012-03-01T00:00:00Z date_updated: 2021-01-12T06:54:58Z day: '01' department: - _id: KrPi doi: 10.1007/978-3-642-34047-5_20 ec_funded: 1 intvolume: ' 7549' language: - iso: eng main_file_link: - open_access: '1' url: http://www.iacr.org/archive/fse2012/75490350/75490350.pdf month: '03' oa: 1 oa_version: Preprint page: 346 - 365 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication: ' Conference proceedings FSE 2012' publication_status: published publisher: Springer publist_id: '5002' quality_controlled: '1' scopus_import: 1 status: public title: 'Lapin: An efficient authentication protocol based on ring-LPN' type: conference user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87 volume: 7549 year: '2012' ... --- _id: '2937' abstract: - lang: eng text: Developers building cryptography into security-sensitive applications face a daunting task. Not only must they understand the security guarantees delivered by the constructions they choose, they must also implement and combine them correctly and efficiently. Cryptographic compilers free developers from this task by turning high-level specifications of security goals into efficient implementations. Yet, trusting such tools is hard as they rely on complex mathematical machinery and claim security properties that are subtle and difficult to verify. In this paper we present ZKCrypt, an optimizing cryptographic compiler achieving an unprecedented level of assurance without sacrificing practicality for a comprehensive class of cryptographic protocols, known as Zero-Knowledge Proofs of Knowledge. The pipeline of ZKCrypt integrates purpose-built verified compilers and verifying compilers producing formal proofs in the CertiCrypt framework. By combining the guarantees delivered by each stage, ZKCrypt provides assurance that the output implementation securely realizes the abstract proof goal given as input. We report on the main characteristics of ZKCrypt, highlight new definitions and concepts at its foundations, and illustrate its applicability through a representative example of an anonymous credential system. acknowledgement: This work was partially funded by National Funds through the FCT - Fundação para a Ciência e a Tecnologia (Portuguese Foundation for Science and Technology) within project ENI-AC/2224/2009, by ENIAC Joint Undertaking under grant agreement number 120224, European Projects FP7-256980 NESSoS and FP7-229599 AMAROUT, Spanish National project TIN2009-14599 DESAFIOS 10, and Madrid Regional project S2009TIC-1465 PROMETIDOS. author: - first_name: José full_name: Almeida, José last_name: Almeida - first_name: Manuel full_name: Barbosa, Manuel last_name: Barbosa - first_name: Endre full_name: Bangerter, Endre last_name: Bangerter - first_name: Gilles full_name: Barthe, Gilles last_name: Barthe - first_name: Stephan full_name: Krenn, Stephan id: 329FCCF0-F248-11E8-B48F-1D18A9856A87 last_name: Krenn orcid: 0000-0003-2835-9093 - first_name: Santiago full_name: Béguelin, Santiago last_name: Béguelin citation: ama: 'Almeida J, Barbosa M, Bangerter E, Barthe G, Krenn S, Béguelin S. Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security. ACM; 2012:488-500. doi:10.1145/2382196.2382249' apa: 'Almeida, J., Barbosa, M., Bangerter, E., Barthe, G., Krenn, S., & Béguelin, S. (2012). Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols. In Proceedings of the 2012 ACM conference on Computer and communications security (pp. 488–500). Raleigh, NC, USA: ACM. https://doi.org/10.1145/2382196.2382249' chicago: 'Almeida, José, Manuel Barbosa, Endre Bangerter, Gilles Barthe, Stephan Krenn, and Santiago Béguelin. “Full Proof Cryptography: Verifiable Compilation of Efficient Zero-Knowledge Protocols.” In Proceedings of the 2012 ACM Conference on Computer and Communications Security, 488–500. ACM, 2012. https://doi.org/10.1145/2382196.2382249.' ieee: 'J. Almeida, M. Barbosa, E. Bangerter, G. Barthe, S. Krenn, and S. Béguelin, “Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols,” in Proceedings of the 2012 ACM conference on Computer and communications security, Raleigh, NC, USA, 2012, pp. 488–500.' ista: 'Almeida J, Barbosa M, Bangerter E, Barthe G, Krenn S, Béguelin S. 2012. Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols. Proceedings of the 2012 ACM conference on Computer and communications security. CCS: Computer and Communications Security, 488–500.' mla: 'Almeida, José, et al. “Full Proof Cryptography: Verifiable Compilation of Efficient Zero-Knowledge Protocols.” Proceedings of the 2012 ACM Conference on Computer and Communications Security, ACM, 2012, pp. 488–500, doi:10.1145/2382196.2382249.' short: J. Almeida, M. Barbosa, E. Bangerter, G. Barthe, S. Krenn, S. Béguelin, in:, Proceedings of the 2012 ACM Conference on Computer and Communications Security, ACM, 2012, pp. 488–500. conference: end_date: 2012-10-18 location: Raleigh, NC, USA name: 'CCS: Computer and Communications Security' start_date: 2012-10-16 date_created: 2018-12-11T12:00:26Z date_published: 2012-10-01T00:00:00Z date_updated: 2021-01-12T07:39:53Z day: '01' department: - _id: KrPi doi: 10.1145/2382196.2382249 language: - iso: eng main_file_link: - open_access: '1' url: https://eprint.iacr.org/2012/258 month: '10' oa: 1 oa_version: Submitted Version page: 488 - 500 publication: Proceedings of the 2012 ACM conference on Computer and communications security publication_status: published publisher: ACM publist_id: '3798' quality_controlled: '1' scopus_import: 1 status: public title: 'Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols' type: conference user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87 year: '2012' ... --- _id: '2974' abstract: - lang: eng text: "We construct a perfectly binding string commitment scheme whose security is based on the learning parity with noise (LPN) assumption, or equivalently, the hardness of decoding random linear codes. Our scheme not only allows for a simple and efficient zero-knowledge proof of knowledge for committed values (essentially a Σ-protocol), but also for such proofs showing any kind of relation amongst committed values, i.e. proving that messages m_0,...,m_u, are such that m_0=C(m_1,...,m_u) for any circuit C.\r\n\r\nTo get soundness which is exponentially small in a security parameter t, and when the zero-knowledge property relies on the LPN problem with secrets of length l, our 3 round protocol has communication complexity O(t|C|l log(l)) and computational complexity of O(t|C|l) bit operations. The hidden constants are small, and the computation consists mostly of computing inner products of bit-vectors." acknowledgement: "We are grateful to Petros Mol for helpful discussions on the reduction for the hardness of the xLPN problem.\r\n" alternative_title: - LNCS author: - first_name: Abhishek full_name: Jain, Abhishek last_name: Jain - first_name: Stephan full_name: Krenn, Stephan id: 329FCCF0-F248-11E8-B48F-1D18A9856A87 last_name: Krenn orcid: 0000-0003-2835-9093 - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 - first_name: Aris full_name: Tentes, Aris last_name: Tentes citation: ama: 'Jain A, Krenn S, Pietrzak KZ, Tentes A. Commitments and efficient zero knowledge proofs from learning parity with noise. In: Wang X, Sako K, eds. Vol 7658. Springer; 2012:663-680. doi:10.1007/978-3-642-34961-4_40' apa: 'Jain, A., Krenn, S., Pietrzak, K. Z., & Tentes, A. (2012). Commitments and efficient zero knowledge proofs from learning parity with noise. In X. Wang & K. Sako (Eds.) (Vol. 7658, pp. 663–680). Presented at the ASIACRYPT: Theory and Application of Cryptology and Information Security, Beijing, China: Springer. https://doi.org/10.1007/978-3-642-34961-4_40' chicago: Jain, Abhishek, Stephan Krenn, Krzysztof Z Pietrzak, and Aris Tentes. “Commitments and Efficient Zero Knowledge Proofs from Learning Parity with Noise.” edited by Xiaoyun Wang and Kazue Sako, 7658:663–80. Springer, 2012. https://doi.org/10.1007/978-3-642-34961-4_40. ieee: 'A. Jain, S. Krenn, K. Z. Pietrzak, and A. Tentes, “Commitments and efficient zero knowledge proofs from learning parity with noise,” presented at the ASIACRYPT: Theory and Application of Cryptology and Information Security, Beijing, China, 2012, vol. 7658, pp. 663–680.' ista: 'Jain A, Krenn S, Pietrzak KZ, Tentes A. 2012. Commitments and efficient zero knowledge proofs from learning parity with noise. ASIACRYPT: Theory and Application of Cryptology and Information Security, LNCS, vol. 7658, 663–680.' mla: Jain, Abhishek, et al. Commitments and Efficient Zero Knowledge Proofs from Learning Parity with Noise. Edited by Xiaoyun Wang and Kazue Sako, vol. 7658, Springer, 2012, pp. 663–80, doi:10.1007/978-3-642-34961-4_40. short: A. Jain, S. Krenn, K.Z. Pietrzak, A. Tentes, in:, X. Wang, K. Sako (Eds.), Springer, 2012, pp. 663–680. conference: end_date: 2012-12-06 location: Beijing, China name: 'ASIACRYPT: Theory and Application of Cryptology and Information Security' start_date: 2012-12-02 date_created: 2018-12-11T12:00:38Z date_published: 2012-12-01T00:00:00Z date_updated: 2021-01-12T07:40:11Z day: '01' ddc: - '004' - '005' department: - _id: KrPi doi: 10.1007/978-3-642-34961-4_40 ec_funded: 1 editor: - first_name: Xiaoyun full_name: Wang, Xiaoyun last_name: Wang - first_name: Kazue full_name: Sako, Kazue last_name: Sako file: - access_level: open_access checksum: ab879537385efc4cb4203e7ef0fea17b content_type: application/pdf creator: system date_created: 2018-12-12T10:14:00Z date_updated: 2020-07-14T12:45:58Z file_id: '5048' file_name: IST-2016-721-v1+1_513.pdf file_size: 482570 relation: main_file file_date_updated: 2020-07-14T12:45:58Z has_accepted_license: '1' intvolume: ' 7658' language: - iso: eng month: '12' oa: 1 oa_version: Submitted Version page: 663 - 680 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication_status: published publisher: Springer publist_id: '3730' pubrep_id: '721' scopus_import: 1 status: public title: Commitments and efficient zero knowledge proofs from learning parity with noise tmp: image: /images/cc_by.png legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0) short: CC BY (4.0) type: conference user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87 volume: 7658 year: '2012' ... --- _id: '3250' abstract: - lang: eng text: The Learning Parity with Noise (LPN) problem has recently found many applications in cryptography as the hardness assumption underlying the constructions of "provably secure" cryptographic schemes like encryption or authentication protocols. Being provably secure means that the scheme comes with a proof showing that the existence of an efficient adversary against the scheme implies that the underlying hardness assumption is wrong. LPN based schemes are appealing for theoretical and practical reasons. On the theoretical side, LPN based schemes offer a very strong security guarantee. The LPN problem is equivalent to the problem of decoding random linear codes, a problem that has been extensively studied in the last half century. The fastest known algorithms run in exponential time and unlike most number-theoretic problems used in cryptography, the LPN problem does not succumb to known quantum algorithms. On the practical side, LPN based schemes are often extremely simple and efficient in terms of code-size as well as time and space requirements. This makes them prime candidates for light-weight devices like RFID tags, which are too weak to implement standard cryptographic primitives like the AES block-cipher. This talk will be a gentle introduction to provable security using simple LPN based schemes as examples. Starting from pseudorandom generators and symmetric key encryption, over secret-key authentication protocols, and, if time admits, touching on recent constructions of public-key identification, commitments and zero-knowledge proofs. alternative_title: - LNCS author: - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 citation: ama: 'Pietrzak KZ. Cryptography from learning parity with noise. In: Vol 7147. Springer; 2012:99-114. doi:10.1007/978-3-642-27660-6_9' apa: 'Pietrzak, K. Z. (2012). Cryptography from learning parity with noise (Vol. 7147, pp. 99–114). Presented at the SOFSEM: Current Trends in Theory and Practice of Computer Science, Špindlerův Mlýn, Czech Republic: Springer. https://doi.org/10.1007/978-3-642-27660-6_9' chicago: Pietrzak, Krzysztof Z. “Cryptography from Learning Parity with Noise,” 7147:99–114. Springer, 2012. https://doi.org/10.1007/978-3-642-27660-6_9. ieee: 'K. Z. Pietrzak, “Cryptography from learning parity with noise,” presented at the SOFSEM: Current Trends in Theory and Practice of Computer Science, Špindlerův Mlýn, Czech Republic, 2012, vol. 7147, pp. 99–114.' ista: 'Pietrzak KZ. 2012. Cryptography from learning parity with noise. SOFSEM: Current Trends in Theory and Practice of Computer Science, LNCS, vol. 7147, 99–114.' mla: Pietrzak, Krzysztof Z. Cryptography from Learning Parity with Noise. Vol. 7147, Springer, 2012, pp. 99–114, doi:10.1007/978-3-642-27660-6_9. short: K.Z. Pietrzak, in:, Springer, 2012, pp. 99–114. conference: end_date: 2012-01-27 location: Špindlerův Mlýn, Czech Republic name: 'SOFSEM: Current Trends in Theory and Practice of Computer Science' start_date: 2012-01-21 date_created: 2018-12-11T12:02:15Z date_published: 2012-02-19T00:00:00Z date_updated: 2021-01-12T07:42:07Z day: '19' department: - _id: KrPi doi: 10.1007/978-3-642-27660-6_9 intvolume: ' 7147' language: - iso: eng month: '02' oa_version: None page: 99 - 114 publication_status: published publisher: Springer publist_id: '3407' quality_controlled: '1' scopus_import: 1 status: public title: Cryptography from learning parity with noise type: conference user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87 volume: 7147 year: '2012' ... --- _id: '3282' abstract: - lang: eng text: 'Traditionally, symmetric-key message authentication codes (MACs) are easily built from pseudorandom functions (PRFs). In this work we propose a wide variety of other approaches to building efficient MACs, without going through a PRF first. In particular, unlike deterministic PRF-based MACs, where each message has a unique valid tag, we give a number of probabilistic MAC constructions from various other primitives/assumptions. Our main results are summarized as follows: We show several new probabilistic MAC constructions from a variety of general assumptions, including CCA-secure encryption, Hash Proof Systems and key-homomorphic weak PRFs. By instantiating these frameworks under concrete number theoretic assumptions, we get several schemes which are more efficient than just using a state-of-the-art PRF instantiation under the corresponding assumption. For probabilistic MACs, unlike deterministic ones, unforgeability against a chosen message attack (uf-cma ) alone does not imply security if the adversary can additionally make verification queries (uf-cmva ). We give an efficient generic transformation from any uf-cma secure MAC which is "message-hiding" into a uf-cmva secure MAC. This resolves the main open problem of Kiltz et al. from Eurocrypt''11; By using our transformation on their constructions, we get the first efficient MACs from the LPN assumption. While all our new MAC constructions immediately give efficient actively secure, two-round symmetric-key identification schemes, we also show a very simple, three-round actively secure identification protocol from any weak PRF. In particular, the resulting protocol is much more efficient than the trivial approach of building a regular PRF from a weak PRF. © 2012 International Association for Cryptologic Research.' acknowledgement: Supported by the European Research Council under the European Union’s Seventh Framework Programme (FP7/2007-2013) / ERC Starting Grant (259668-PSPC) alternative_title: - LNCS author: - first_name: Yevgeniy full_name: Dodis, Yevgeniy last_name: Dodis - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 - first_name: Eike full_name: Kiltz, Eike last_name: Kiltz - first_name: Daniel full_name: Wichs, Daniel last_name: Wichs citation: ama: 'Dodis Y, Pietrzak KZ, Kiltz E, Wichs D. Message authentication, revisited. In: Vol 7237. Springer; 2012:355-374. doi:10.1007/978-3-642-29011-4_22' apa: 'Dodis, Y., Pietrzak, K. Z., Kiltz, E., & Wichs, D. (2012). Message authentication, revisited (Vol. 7237, pp. 355–374). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Cambridge, UK: Springer. https://doi.org/10.1007/978-3-642-29011-4_22' chicago: Dodis, Yevgeniy, Krzysztof Z Pietrzak, Eike Kiltz, and Daniel Wichs. “Message Authentication, Revisited,” 7237:355–74. Springer, 2012. https://doi.org/10.1007/978-3-642-29011-4_22. ieee: 'Y. Dodis, K. Z. Pietrzak, E. Kiltz, and D. Wichs, “Message authentication, revisited,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Cambridge, UK, 2012, vol. 7237, pp. 355–374.' ista: 'Dodis Y, Pietrzak KZ, Kiltz E, Wichs D. 2012. Message authentication, revisited. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 7237, 355–374.' mla: Dodis, Yevgeniy, et al. Message Authentication, Revisited. Vol. 7237, Springer, 2012, pp. 355–74, doi:10.1007/978-3-642-29011-4_22. short: Y. Dodis, K.Z. Pietrzak, E. Kiltz, D. Wichs, in:, Springer, 2012, pp. 355–374. conference: end_date: 2012-04-19 location: Cambridge, UK name: 'EUROCRYPT: Theory and Applications of Cryptographic Techniques' start_date: 2012-04-15 date_created: 2018-12-11T12:02:27Z date_published: 2012-03-10T00:00:00Z date_updated: 2021-01-12T07:42:22Z day: '10' ddc: - '000' - '004' department: - _id: KrPi doi: 10.1007/978-3-642-29011-4_22 ec_funded: 1 file: - access_level: open_access checksum: 8557c17a8c2586d06ebfe62d934f5c5f content_type: application/pdf creator: system date_created: 2018-12-12T10:14:23Z date_updated: 2020-07-14T12:46:06Z file_id: '5074' file_name: IST-2016-686-v1+1_059.pdf file_size: 372292 relation: main_file file_date_updated: 2020-07-14T12:46:06Z has_accepted_license: '1' intvolume: ' 7237' language: - iso: eng month: '03' oa: 1 oa_version: Submitted Version page: 355 - 374 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication_status: published publisher: Springer publist_id: '3364' pubrep_id: '686' quality_controlled: '1' status: public title: Message authentication, revisited tmp: image: /images/cc_by.png legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0) short: CC BY (4.0) type: conference user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87 volume: 7237 year: '2012' ... --- _id: '3280' abstract: - lang: eng text: 'The (decisional) learning with errors problem (LWE) asks to distinguish "noisy" inner products of a secret vector with random vectors from uniform. The learning parities with noise problem (LPN) is the special case where the elements of the vectors are bits. In recent years, the LWE and LPN problems have found many applications in cryptography. In this paper we introduce a (seemingly) much stronger adaptive assumption, called "subspace LWE" (SLWE), where the adversary can learn the inner product of the secret and random vectors after they were projected into an adaptively and adversarially chosen subspace. We prove that, surprisingly, the SLWE problem mapping into subspaces of dimension d is almost as hard as LWE using secrets of length d (the other direction is trivial.) This result immediately implies that several existing cryptosystems whose security is based on the hardness of the LWE/LPN problems are provably secure in a much stronger sense than anticipated. As an illustrative example we show that the standard way of using LPN for symmetric CPA secure encryption is even secure against a very powerful class of related key attacks. ' acknowledgement: Supported by the European Research Council under the European Union’s Seventh Framework Programme (FP7/2007-2013) / ERC Starting Grant (259668-PSPC). alternative_title: - LNCS author: - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 citation: ama: 'Pietrzak KZ. Subspace LWE. In: Vol 7194. Springer; 2012:548-563. doi:10.1007/978-3-642-28914-9_31' apa: 'Pietrzak, K. Z. (2012). Subspace LWE (Vol. 7194, pp. 548–563). Presented at the TCC: Theory of Cryptography Conference, Taormina, Sicily, Italy: Springer. https://doi.org/10.1007/978-3-642-28914-9_31' chicago: Pietrzak, Krzysztof Z. “Subspace LWE,” 7194:548–63. Springer, 2012. https://doi.org/10.1007/978-3-642-28914-9_31. ieee: 'K. Z. Pietrzak, “Subspace LWE,” presented at the TCC: Theory of Cryptography Conference, Taormina, Sicily, Italy, 2012, vol. 7194, pp. 548–563.' ista: 'Pietrzak KZ. 2012. Subspace LWE. TCC: Theory of Cryptography Conference, LNCS, vol. 7194, 548–563.' mla: Pietrzak, Krzysztof Z. Subspace LWE. Vol. 7194, Springer, 2012, pp. 548–63, doi:10.1007/978-3-642-28914-9_31. short: K.Z. Pietrzak, in:, Springer, 2012, pp. 548–563. conference: end_date: 2012-03-21 location: Taormina, Sicily, Italy name: 'TCC: Theory of Cryptography Conference' start_date: 2012-03-19 date_created: 2018-12-11T12:02:26Z date_published: 2012-05-04T00:00:00Z date_updated: 2021-01-12T07:42:21Z day: '04' department: - _id: KrPi doi: 10.1007/978-3-642-28914-9_31 ec_funded: 1 intvolume: ' 7194' language: - iso: eng main_file_link: - open_access: '1' url: http://www.iacr.org/archive/tcc2012/71940166/71940166.pdf month: '05' oa: 1 oa_version: Submitted Version page: 548 - 563 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication_status: published publisher: Springer publist_id: '3366' quality_controlled: '1' status: public title: Subspace LWE type: conference user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87 volume: 7194 year: '2012' ... --- _id: '3281' abstract: - lang: eng text: 'We consider the problem of amplifying the "lossiness" of functions. We say that an oracle circuit C*: {0,1} m → {0,1}* amplifies relative lossiness from ℓ/n to L/m if for every function f:{0,1} n → {0,1} n it holds that 1 If f is injective then so is C f. 2 If f has image size of at most 2 n-ℓ, then C f has image size at most 2 m-L. The question is whether such C* exists for L/m ≫ ℓ/n. This problem arises naturally in the context of cryptographic "lossy functions," where the relative lossiness is the key parameter. We show that for every circuit C* that makes at most t queries to f, the relative lossiness of C f is at most L/m ≤ ℓ/n + O(log t)/n. In particular, no black-box method making a polynomial t = poly(n) number of queries can amplify relative lossiness by more than an O(logn)/n additive term. We show that this is tight by giving a simple construction (cascading with some randomization) that achieves such amplification.' acknowledgement: "We would like to thank Oded Goldreich and Omer Rein- gold for discussions at an early stage of this project, and Scott Aaronson for clarifications regarding the collision problem.\r\n" alternative_title: - LNCS author: - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 - first_name: Alon full_name: Rosen, Alon last_name: Rosen - first_name: Gil full_name: Segev, Gil last_name: Segev citation: ama: 'Pietrzak KZ, Rosen A, Segev G. Lossy functions do not amplify well. In: Vol 7194. Springer; 2012:458-475. doi:10.1007/978-3-642-28914-9_26' apa: 'Pietrzak, K. Z., Rosen, A., & Segev, G. (2012). Lossy functions do not amplify well (Vol. 7194, pp. 458–475). Presented at the TCC: Theory of Cryptography Conference, Taormina, Sicily, Italy: Springer. https://doi.org/10.1007/978-3-642-28914-9_26' chicago: Pietrzak, Krzysztof Z, Alon Rosen, and Gil Segev. “Lossy Functions Do Not Amplify Well,” 7194:458–75. Springer, 2012. https://doi.org/10.1007/978-3-642-28914-9_26. ieee: 'K. Z. Pietrzak, A. Rosen, and G. Segev, “Lossy functions do not amplify well,” presented at the TCC: Theory of Cryptography Conference, Taormina, Sicily, Italy, 2012, vol. 7194, pp. 458–475.' ista: 'Pietrzak KZ, Rosen A, Segev G. 2012. Lossy functions do not amplify well. TCC: Theory of Cryptography Conference, LNCS, vol. 7194, 458–475.' mla: Pietrzak, Krzysztof Z., et al. Lossy Functions Do Not Amplify Well. Vol. 7194, Springer, 2012, pp. 458–75, doi:10.1007/978-3-642-28914-9_26. short: K.Z. Pietrzak, A. Rosen, G. Segev, in:, Springer, 2012, pp. 458–475. conference: end_date: 2012-03-21 location: Taormina, Sicily, Italy name: 'TCC: Theory of Cryptography Conference' start_date: 2012-03-19 date_created: 2018-12-11T12:02:26Z date_published: 2012-05-04T00:00:00Z date_updated: 2021-01-12T07:42:22Z day: '04' department: - _id: KrPi doi: 10.1007/978-3-642-28914-9_26 intvolume: ' 7194' language: - iso: eng main_file_link: - url: http://www.iacr.org/archive/tcc2012/tcc2012-index.html month: '05' oa_version: None page: 458 - 475 publication_status: published publisher: Springer publist_id: '3365' quality_controlled: '1' status: public title: Lossy functions do not amplify well type: conference user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87 volume: 7194 year: '2012' ... --- _id: '3279' abstract: - lang: eng text: "We show a hardness-preserving construction of a PRF from any length doubling PRG which improves upon known constructions whenever we can put a non-trivial upper bound q on the number of queries to the PRF. Our construction requires only O(logq) invocations to the underlying PRG with each query. In comparison, the number of invocations by the best previous hardness-preserving construction (GGM using Levin's trick) is logarithmic in the hardness of the PRG. For example, starting from an exponentially secure PRG {0,1} n → {0,1} 2n, we get a PRF which is exponentially secure if queried at most q = exp(√n)times and where each invocation of the PRF requires Θ(√n) queries to the underlying PRG. This is much less than the Θ(n) required by known constructions. \r\n" acknowledgement: Supported by the European Research Council under the European Union’s Seventh Framework Programme (FP7/2007-2013) / ERC Starting Grant (259668-PSPC) alternative_title: - LNCS author: - first_name: Abhishek full_name: Jain, Abhishek last_name: Jain - first_name: Krzysztof Z full_name: Pietrzak, Krzysztof Z id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87 last_name: Pietrzak orcid: 0000-0002-9139-1654 - first_name: Aris full_name: Tentes, Aris last_name: Tentes citation: ama: 'Jain A, Pietrzak KZ, Tentes A. Hardness preserving constructions of pseudorandom functions. In: Vol 7194. Springer; 2012:369-382. doi:10.1007/978-3-642-28914-9_21' apa: 'Jain, A., Pietrzak, K. Z., & Tentes, A. (2012). Hardness preserving constructions of pseudorandom functions (Vol. 7194, pp. 369–382). Presented at the TCC: Theory of Cryptography Conference, Taormina, Sicily, Italy: Springer. https://doi.org/10.1007/978-3-642-28914-9_21' chicago: Jain, Abhishek, Krzysztof Z Pietrzak, and Aris Tentes. “Hardness Preserving Constructions of Pseudorandom Functions,” 7194:369–82. Springer, 2012. https://doi.org/10.1007/978-3-642-28914-9_21. ieee: 'A. Jain, K. Z. Pietrzak, and A. Tentes, “Hardness preserving constructions of pseudorandom functions,” presented at the TCC: Theory of Cryptography Conference, Taormina, Sicily, Italy, 2012, vol. 7194, pp. 369–382.' ista: 'Jain A, Pietrzak KZ, Tentes A. 2012. Hardness preserving constructions of pseudorandom functions. TCC: Theory of Cryptography Conference, LNCS, vol. 7194, 369–382.' mla: Jain, Abhishek, et al. Hardness Preserving Constructions of Pseudorandom Functions. Vol. 7194, Springer, 2012, pp. 369–82, doi:10.1007/978-3-642-28914-9_21. short: A. Jain, K.Z. Pietrzak, A. Tentes, in:, Springer, 2012, pp. 369–382. conference: end_date: 2012-03-21 location: Taormina, Sicily, Italy name: 'TCC: Theory of Cryptography Conference' start_date: 2012-03-19 date_created: 2018-12-11T12:02:25Z date_published: 2012-05-04T00:00:00Z date_updated: 2021-01-12T07:42:21Z day: '04' department: - _id: KrPi doi: 10.1007/978-3-642-28914-9_21 ec_funded: 1 intvolume: ' 7194' language: - iso: eng main_file_link: - url: http://www.iacr.org/archive/tcc2012/tcc2012-index.html month: '05' oa_version: None page: 369 - 382 project: - _id: 258C570E-B435-11E9-9278-68D0E5697425 call_identifier: FP7 grant_number: '259668' name: Provable Security for Physical Cryptography publication_status: published publisher: Springer publist_id: '3367' quality_controlled: '1' scopus_import: 1 status: public title: Hardness preserving constructions of pseudorandom functions type: conference user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87 volume: 7194 year: '2012' ...