[{"external_id":{"isi":["000523199100100"]},"oa_version":"Preprint","type":"conference","project":[{"name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815"}],"date_published":"2019-06-01T00:00:00Z","month":"06","quality_controlled":"1","oa":1,"article_processing_charge":"No","publisher":"ACM Press","doi":"10.1145/3313276.3316400","date_updated":"2023-09-07T13:15:55Z","publication":"Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing  - STOC 2019","date_created":"2019-07-24T09:20:53Z","day":"01","publication_status":"published","author":[{"first_name":"Arka Rai","full_name":"Choudhuri, Arka Rai","last_name":"Choudhuri"},{"last_name":"Hubáček","full_name":"Hubáček, Pavel","first_name":"Pavel"},{"first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","full_name":"Kamath Hosdurg, Chethan","last_name":"Kamath Hosdurg"},{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"},{"last_name":"Rosen","first_name":"Alon","full_name":"Rosen, Alon"},{"last_name":"Rothblum","first_name":"Guy N.","full_name":"Rothblum, Guy N."}],"conference":{"end_date":"2019-06-26","location":"Phoenix, AZ, United States","name":"STOC: Symposium on Theory of Computing","start_date":"2019-06-23"},"page":"1103-1114","department":[{"_id":"KrPi"}],"related_material":{"record":[{"status":"public","relation":"dissertation_contains","id":"7896"}]},"language":[{"iso":"eng"}],"year":"2019","citation":{"chicago":"Choudhuri, Arka Rai, Pavel Hubáček, Chethan Kamath Hosdurg, Krzysztof Z Pietrzak, Alon Rosen, and Guy N. Rothblum. “Finding a Nash Equilibrium Is No Easier than Breaking Fiat-Shamir.” In <i>Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing  - STOC 2019</i>, 1103–14. ACM Press, 2019. <a href=\"https://doi.org/10.1145/3313276.3316400\">https://doi.org/10.1145/3313276.3316400</a>.","ama":"Choudhuri AR, Hubáček P, Kamath Hosdurg C, Pietrzak KZ, Rosen A, Rothblum GN. Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. In: <i>Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing  - STOC 2019</i>. ACM Press; 2019:1103-1114. doi:<a href=\"https://doi.org/10.1145/3313276.3316400\">10.1145/3313276.3316400</a>","mla":"Choudhuri, Arka Rai, et al. “Finding a Nash Equilibrium Is No Easier than Breaking Fiat-Shamir.” <i>Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing  - STOC 2019</i>, ACM Press, 2019, pp. 1103–14, doi:<a href=\"https://doi.org/10.1145/3313276.3316400\">10.1145/3313276.3316400</a>.","short":"A.R. Choudhuri, P. Hubáček, C. Kamath Hosdurg, K.Z. Pietrzak, A. Rosen, G.N. Rothblum, in:, Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing  - STOC 2019, ACM Press, 2019, pp. 1103–1114.","ieee":"A. R. Choudhuri, P. Hubáček, C. Kamath Hosdurg, K. Z. Pietrzak, A. Rosen, and G. N. Rothblum, “Finding a Nash equilibrium is no easier than breaking Fiat-Shamir,” in <i>Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing  - STOC 2019</i>, Phoenix, AZ, United States, 2019, pp. 1103–1114.","ista":"Choudhuri AR, Hubáček P, Kamath Hosdurg C, Pietrzak KZ, Rosen A, Rothblum GN. 2019. Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing  - STOC 2019. STOC: Symposium on Theory of Computing, 1103–1114.","apa":"Choudhuri, A. R., Hubáček, P., Kamath Hosdurg, C., Pietrzak, K. Z., Rosen, A., &#38; Rothblum, G. N. (2019). Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. In <i>Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing  - STOC 2019</i> (pp. 1103–1114). Phoenix, AZ, United States: ACM Press. <a href=\"https://doi.org/10.1145/3313276.3316400\">https://doi.org/10.1145/3313276.3316400</a>"},"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2019/549"}],"status":"public","ec_funded":1,"user_id":"4359f0d1-fa6c-11eb-b949-802e58b17ae8","abstract":[{"lang":"eng","text":"The Fiat-Shamir heuristic transforms a public-coin interactive proof into a non-interactive argument, by replacing the verifier with a cryptographic hash function that is applied to the protocol’s transcript. Constructing hash functions for which this transformation is sound is a central and long-standing open question in cryptography.\r\n\r\nWe show that solving the END−OF−METERED−LINE problem is no easier than breaking the soundness of the Fiat-Shamir transformation when applied to the sumcheck protocol. In particular, if the transformed protocol is sound, then any hard problem in #P gives rise to a hard distribution in the class CLS, which is contained in PPAD. Our result opens up the possibility of sampling moderately-sized games for which it is hard to find a Nash equilibrium, by reducing the inversion of appropriately chosen one-way functions to #SAT.\r\n\r\nOur main technical contribution is a stateful incrementally verifiable procedure that, given a SAT instance over n variables, counts the number of satisfying assignments. This is accomplished via an exponential sequence of small steps, each computable in time poly(n). Incremental verifiability means that each intermediate state includes a sumcheck-based proof of its correctness, and the proof can be updated and verified in time poly(n)."}],"title":"Finding a Nash equilibrium is no easier than breaking Fiat-Shamir","_id":"6677","publication_identifier":{"isbn":["9781450367059"]},"scopus_import":"1","isi":1},{"publication_identifier":{"isbn":["978-3-0302-3695-3"],"eisbn":["978-3-0302-3696-0"],"issn":["0302-9743","1611-3349"]},"scopus_import":"1","ec_funded":1,"status":"public","main_file_link":[{"url":"https://eprint.iacr.org/2019/068","open_access":"1"}],"editor":[{"full_name":"Buchmann, J","first_name":"J","last_name":"Buchmann"},{"last_name":"Nitaj","full_name":"Nitaj, A","first_name":"A"},{"first_name":"T","full_name":"Rachidi, T","last_name":"Rachidi"}],"intvolume":"     11627","citation":{"short":"M. Walter, in:, J. Buchmann, A. Nitaj, T. Rachidi (Eds.), Progress in Cryptology – AFRICACRYPT 2019, Springer Nature, Cham, 2019, pp. 157–180.","ieee":"M. Walter, “Sampling the integers with low relative error,” in <i>Progress in Cryptology – AFRICACRYPT 2019</i>, vol. 11627, J. Buchmann, A. Nitaj, and T. Rachidi, Eds. Cham: Springer Nature, 2019, pp. 157–180.","ista":"Walter M. 2019.Sampling the integers with low relative error. In: Progress in Cryptology – AFRICACRYPT 2019. vol. 11627, 157–180.","apa":"Walter, M. (2019). Sampling the integers with low relative error. In J. Buchmann, A. Nitaj, &#38; T. Rachidi (Eds.), <i>Progress in Cryptology – AFRICACRYPT 2019</i> (Vol. 11627, pp. 157–180). Cham: Springer Nature. <a href=\"https://doi.org/10.1007/978-3-030-23696-0_9\">https://doi.org/10.1007/978-3-030-23696-0_9</a>","chicago":"Walter, Michael. “Sampling the Integers with Low Relative Error.” In <i>Progress in Cryptology – AFRICACRYPT 2019</i>, edited by J Buchmann, A Nitaj, and T Rachidi, 11627:157–80. LNCS. Cham: Springer Nature, 2019. <a href=\"https://doi.org/10.1007/978-3-030-23696-0_9\">https://doi.org/10.1007/978-3-030-23696-0_9</a>.","ama":"Walter M. Sampling the integers with low relative error. In: Buchmann J, Nitaj A, Rachidi T, eds. <i>Progress in Cryptology – AFRICACRYPT 2019</i>. Vol 11627. LNCS. Cham: Springer Nature; 2019:157-180. doi:<a href=\"https://doi.org/10.1007/978-3-030-23696-0_9\">10.1007/978-3-030-23696-0_9</a>","mla":"Walter, Michael. “Sampling the Integers with Low Relative Error.” <i>Progress in Cryptology – AFRICACRYPT 2019</i>, edited by J Buchmann et al., vol. 11627, Springer Nature, 2019, pp. 157–80, doi:<a href=\"https://doi.org/10.1007/978-3-030-23696-0_9\">10.1007/978-3-030-23696-0_9</a>."},"_id":"6726","title":"Sampling the integers with low relative error","abstract":[{"text":"Randomness is an essential part of any secure cryptosystem, but many constructions rely on distributions that are not uniform. This is particularly true for lattice based cryptosystems, which more often than not make use of discrete Gaussian distributions over the integers. For practical purposes it is crucial to evaluate the impact that approximation errors have on the security of a scheme to provide the best possible trade-off between security and performance. Recent years have seen surprising results allowing to use relatively low precision while maintaining high levels of security. A key insight in these results is that sampling a distribution with low relative error can provide very strong security guarantees. Since floating point numbers provide guarantees on the relative approximation error, they seem a suitable tool in this setting, but it is not obvious which sampling algorithms can actually profit from them. While previous works have shown that inversion sampling can be adapted to provide a low relative error (Pöppelmann et al., CHES 2014; Prest, ASIACRYPT 2017), other works have called into question if this is possible for other sampling techniques (Zheng et al., Eprint report 2018/309). In this work, we consider all sampling algorithms that are popular in the cryptographic setting and analyze the relationship of floating point precision and the resulting relative error. We show that all of the algorithms either natively achieve a low relative error or can be adapted to do so.","lang":"eng"}],"user_id":"8b945eb4-e2f2-11eb-945a-df72226e66a9","page":"157-180","conference":{"location":"Rabat, Morocco","end_date":"2019-07-11","start_date":"2019-07-09","name":"AFRICACRYPT: International Conference on Cryptology in Africa"},"author":[{"last_name":"Walter","orcid":"0000-0003-3186-2482","full_name":"Walter, Michael","first_name":"Michael","id":"488F98B0-F248-11E8-B48F-1D18A9856A87"}],"publication_status":"published","day":"29","date_created":"2019-07-29T12:25:31Z","language":[{"iso":"eng"}],"year":"2019","department":[{"_id":"KrPi"}],"volume":11627,"date_published":"2019-06-29T00:00:00Z","type":"book_chapter","project":[{"name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","grant_number":"682815","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"oa_version":"Preprint","publication":"Progress in Cryptology – AFRICACRYPT 2019","date_updated":"2023-02-23T12:50:15Z","publisher":"Springer Nature","doi":"10.1007/978-3-030-23696-0_9","article_processing_charge":"No","quality_controlled":"1","oa":1,"series_title":"LNCS","place":"Cham","month":"06"},{"department":[{"_id":"KrPi"}],"supervisor":[{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z"}],"year":"2018","ddc":["004"],"language":[{"iso":"eng"}],"related_material":{"record":[{"relation":"part_of_dissertation","status":"public","id":"1229"},{"status":"public","relation":"part_of_dissertation","id":"1235"},{"relation":"part_of_dissertation","status":"public","id":"1236"},{"id":"559","relation":"part_of_dissertation","status":"public"}]},"publist_id":"7971","publication_status":"published","day":"05","degree_awarded":"PhD","date_created":"2018-12-11T11:44:32Z","page":"59","alternative_title":["ISTA Thesis"],"pubrep_id":"1046","author":[{"full_name":"Abusalah, Hamza M","id":"40297222-F248-11E8-B48F-1D18A9856A87","first_name":"Hamza M","last_name":"Abusalah"}],"oa":1,"file":[{"file_size":876241,"date_updated":"2020-07-14T12:48:11Z","checksum":"c4b5f7d111755d1396787f41886fc674","access_level":"open_access","file_name":"2018_Thesis_Abusalah.pdf","creator":"dernst","relation":"main_file","file_id":"6245","date_created":"2019-04-09T06:43:41Z","content_type":"application/pdf"},{"date_created":"2019-04-09T06:43:41Z","file_id":"6246","content_type":"application/x-gzip","creator":"dernst","relation":"source_file","checksum":"0f382ac56b471c48fd907d63eb87dafe","file_name":"2018_Thesis_Abusalah_source.tar.gz","access_level":"closed","file_size":2029190,"date_updated":"2020-07-14T12:48:11Z"}],"month":"09","doi":"10.15479/AT:ISTA:TH_1046","publisher":"Institute of Science and Technology Austria","date_updated":"2023-09-07T12:30:23Z","article_processing_charge":"No","oa_version":"Published Version","type":"dissertation","date_published":"2018-09-05T00:00:00Z","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography","call_identifier":"FP7"},{"grant_number":"682815","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","name":"Teaching Old Crypto New Tricks"}],"file_date_updated":"2020-07-14T12:48:11Z","publication_identifier":{"issn":["2663-337X"]},"_id":"83","title":"Proof systems for sustainable decentralized cryptocurrencies","abstract":[{"text":"A proof system is a protocol between a prover and a verifier over a common input in which an honest prover convinces the verifier of the validity of true statements. Motivated by the success of decentralized cryptocurrencies, exemplified by Bitcoin, the focus of this thesis will be on proof systems which found applications in some sustainable alternatives to Bitcoin, such as the Spacemint and Chia cryptocurrencies. In particular, we focus on proofs of space and proofs of sequential work.\r\nProofs of space (PoSpace) were suggested as more ecological, economical, and egalitarian alternative to the energy-wasteful proof-of-work mining of Bitcoin. However, the state-of-the-art constructions of PoSpace are based on sophisticated graph pebbling lower bounds, and are therefore complex. Moreover, when these PoSpace are used in cryptocurrencies like Spacemint, miners can only start mining after ensuring that a commitment to their space is already added in a special transaction to the blockchain. Proofs of sequential work (PoSW) are proof systems in which a prover, upon receiving a statement x and a time parameter T, computes a proof which convinces the verifier that T time units had passed since x was received. Whereas Spacemint assumes synchrony to retain some interesting Bitcoin dynamics, Chia requires PoSW with unique proofs, i.e., PoSW in which it is hard to come up with more than one accepting proof for any true statement. In this thesis we construct simple and practically-efficient PoSpace and PoSW. When using our PoSpace in cryptocurrencies, miners can start mining on the fly, like in Bitcoin, and unlike current constructions of PoSW, which either achieve efficient verification of sequential work, or faster-than-recomputing verification of correctness of proofs, but not both at the same time, ours achieve the best of these two worlds.","lang":"eng"}],"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","has_accepted_license":"1","citation":{"apa":"Abusalah, H. M. (2018). <i>Proof systems for sustainable decentralized cryptocurrencies</i>. Institute of Science and Technology Austria. <a href=\"https://doi.org/10.15479/AT:ISTA:TH_1046\">https://doi.org/10.15479/AT:ISTA:TH_1046</a>","ista":"Abusalah HM. 2018. Proof systems for sustainable decentralized cryptocurrencies. Institute of Science and Technology Austria.","short":"H.M. Abusalah, Proof Systems for Sustainable Decentralized Cryptocurrencies, Institute of Science and Technology Austria, 2018.","ieee":"H. M. Abusalah, “Proof systems for sustainable decentralized cryptocurrencies,” Institute of Science and Technology Austria, 2018.","mla":"Abusalah, Hamza M. <i>Proof Systems for Sustainable Decentralized Cryptocurrencies</i>. Institute of Science and Technology Austria, 2018, doi:<a href=\"https://doi.org/10.15479/AT:ISTA:TH_1046\">10.15479/AT:ISTA:TH_1046</a>.","ama":"Abusalah HM. Proof systems for sustainable decentralized cryptocurrencies. 2018. doi:<a href=\"https://doi.org/10.15479/AT:ISTA:TH_1046\">10.15479/AT:ISTA:TH_1046</a>","chicago":"Abusalah, Hamza M. “Proof Systems for Sustainable Decentralized Cryptocurrencies.” Institute of Science and Technology Austria, 2018. <a href=\"https://doi.org/10.15479/AT:ISTA:TH_1046\">https://doi.org/10.15479/AT:ISTA:TH_1046</a>."},"ec_funded":1,"status":"public"},{"oa":1,"quality_controlled":"1","month":"12","publication":"22nd International Conference on Financial Cryptography and Data Security","date_updated":"2023-09-19T15:02:13Z","doi":"10.1007/978-3-662-58387-6_26","publisher":"Springer Nature","article_processing_charge":"No","oa_version":"Submitted Version","external_id":{"isi":["000540656400026"]},"volume":10957,"date_published":"2018-12-07T00:00:00Z","project":[{"call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","grant_number":"682815","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"type":"conference","department":[{"_id":"KrPi"}],"year":"2018","language":[{"iso":"eng"}],"publication_status":"published","day":"07","date_created":"2019-10-14T06:35:38Z","page":"480-499","alternative_title":["LNCS"],"conference":{"end_date":"2018-03-02","location":"Nieuwpoort, Curacao","name":"FC: Financial Cryptography and Data Security","start_date":"2018-02-26"},"author":[{"first_name":"Sunoo","full_name":"Park, Sunoo","last_name":"Park"},{"last_name":"Kwon","first_name":"Albert","full_name":"Kwon, Albert"},{"full_name":"Fuchsbauer, Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg","last_name":"Fuchsbauer"},{"last_name":"Gazi","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","first_name":"Peter","full_name":"Gazi, Peter"},{"last_name":"Alwen","first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","full_name":"Alwen, Joel F"},{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z"}],"_id":"6941","title":"SpaceMint: A cryptocurrency based on proofs of space","abstract":[{"lang":"eng","text":"Bitcoin has become the most successful cryptocurrency ever deployed, and its most distinctive feature is that it is decentralized. Its underlying protocol (Nakamoto consensus) achieves this by using proof of work, which has the drawback that it causes the consumption of vast amounts of energy to maintain the ledger. Moreover, Bitcoin mining dynamics have become less distributed over time.\r\n\r\nTowards addressing these issues, we propose SpaceMint, a cryptocurrency based on proofs of space instead of proofs of work. Miners in SpaceMint dedicate disk space rather than computation. We argue that SpaceMint’s design solves or alleviates several of Bitcoin’s issues: most notably, its large energy consumption. SpaceMint also rewards smaller miners fairly according to their contribution to the network, thus incentivizing more distributed participation.\r\n\r\nThis paper adapts proof of space to enable its use in cryptocurrency, studies the attacks that can arise against a Bitcoin-like blockchain that uses proof of space, and proposes a new blockchain format and transaction types to address these attacks. Our prototype shows that initializing 1 TB for mining takes about a day (a one-off setup cost), and miners spend on average just a fraction of a second per block mined. Finally, we provide a game-theoretic analysis modeling SpaceMint as an extensive game (the canonical game-theoretic notion for games that take place over time) and show that this stylized game satisfies a strong equilibrium notion, thereby arguing for SpaceMint ’s stability and consensus."}],"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","main_file_link":[{"url":"https://eprint.iacr.org/2015/528","open_access":"1"}],"citation":{"ama":"Park S, Kwon A, Fuchsbauer G, Gazi P, Alwen JF, Pietrzak KZ. SpaceMint: A cryptocurrency based on proofs of space. In: <i>22nd International Conference on Financial Cryptography and Data Security</i>. Vol 10957. Springer Nature; 2018:480-499. doi:<a href=\"https://doi.org/10.1007/978-3-662-58387-6_26\">10.1007/978-3-662-58387-6_26</a>","mla":"Park, Sunoo, et al. “SpaceMint: A Cryptocurrency Based on Proofs of Space.” <i>22nd International Conference on Financial Cryptography and Data Security</i>, vol. 10957, Springer Nature, 2018, pp. 480–99, doi:<a href=\"https://doi.org/10.1007/978-3-662-58387-6_26\">10.1007/978-3-662-58387-6_26</a>.","chicago":"Park, Sunoo, Albert Kwon, Georg Fuchsbauer, Peter Gazi, Joel F Alwen, and Krzysztof Z Pietrzak. “SpaceMint: A Cryptocurrency Based on Proofs of Space.” In <i>22nd International Conference on Financial Cryptography and Data Security</i>, 10957:480–99. Springer Nature, 2018. <a href=\"https://doi.org/10.1007/978-3-662-58387-6_26\">https://doi.org/10.1007/978-3-662-58387-6_26</a>.","ista":"Park S, Kwon A, Fuchsbauer G, Gazi P, Alwen JF, Pietrzak KZ. 2018. SpaceMint: A cryptocurrency based on proofs of space. 22nd International Conference on Financial Cryptography and Data Security. FC: Financial Cryptography and Data Security, LNCS, vol. 10957, 480–499.","apa":"Park, S., Kwon, A., Fuchsbauer, G., Gazi, P., Alwen, J. F., &#38; Pietrzak, K. Z. (2018). SpaceMint: A cryptocurrency based on proofs of space. In <i>22nd International Conference on Financial Cryptography and Data Security</i> (Vol. 10957, pp. 480–499). Nieuwpoort, Curacao: Springer Nature. <a href=\"https://doi.org/10.1007/978-3-662-58387-6_26\">https://doi.org/10.1007/978-3-662-58387-6_26</a>","short":"S. Park, A. Kwon, G. Fuchsbauer, P. Gazi, J.F. Alwen, K.Z. Pietrzak, in:, 22nd International Conference on Financial Cryptography and Data Security, Springer Nature, 2018, pp. 480–499.","ieee":"S. Park, A. Kwon, G. Fuchsbauer, P. Gazi, J. F. Alwen, and K. Z. Pietrzak, “SpaceMint: A cryptocurrency based on proofs of space,” in <i>22nd International Conference on Financial Cryptography and Data Security</i>, Nieuwpoort, Curacao, 2018, vol. 10957, pp. 480–499."},"intvolume":"     10957","ec_funded":1,"status":"public","isi":1,"scopus_import":"1","publication_identifier":{"issn":["0302-9743"],"isbn":["9783662583869","9783662583876"],"eissn":["1611-3349"]}},{"title":"Proofs of catalytic space","_id":"7407","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","abstract":[{"text":"Proofs of space (PoS) [Dziembowski et al., CRYPTO'15] are proof systems where a prover can convince a verifier that he \"wastes\" disk space. PoS were introduced as a more ecological and economical replacement for proofs of work which are currently used to secure blockchains like Bitcoin. In this work we investigate extensions of PoS which allow the prover to embed useful data into the dedicated space, which later can be recovered. Our first contribution is a security proof for the original PoS from CRYPTO'15 in the random oracle model (the original proof only applied to a restricted class of adversaries which can store a subset of the data an honest prover would store). When this PoS is instantiated with recent constructions of maximally depth robust graphs, our proof implies basically optimal security. As a second contribution we show three different extensions of this PoS where useful data can be embedded into the space required by the prover. Our security proof for the PoS extends (non-trivially) to these constructions. We discuss how some of these variants can be used as proofs of catalytic space (PoCS), a notion we put forward in this work, and which basically is a PoS where most of the space required by the prover can be used to backup useful data. Finally we discuss how one of the extensions is a candidate construction for a proof of replication (PoR), a proof system recently suggested in the Filecoin whitepaper. ","lang":"eng"}],"citation":{"chicago":"Pietrzak, Krzysztof Z. “Proofs of Catalytic Space.” In <i>10th Innovations in Theoretical Computer Science  Conference (ITCS 2019)</i>, 124:59:1-59:25. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2018. <a href=\"https://doi.org/10.4230/LIPICS.ITCS.2019.59\">https://doi.org/10.4230/LIPICS.ITCS.2019.59</a>.","mla":"Pietrzak, Krzysztof Z. “Proofs of Catalytic Space.” <i>10th Innovations in Theoretical Computer Science  Conference (ITCS 2019)</i>, vol. 124, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2018, p. 59:1-59:25, doi:<a href=\"https://doi.org/10.4230/LIPICS.ITCS.2019.59\">10.4230/LIPICS.ITCS.2019.59</a>.","ama":"Pietrzak KZ. Proofs of catalytic space. In: <i>10th Innovations in Theoretical Computer Science  Conference (ITCS 2019)</i>. Vol 124. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2018:59:1-59:25. doi:<a href=\"https://doi.org/10.4230/LIPICS.ITCS.2019.59\">10.4230/LIPICS.ITCS.2019.59</a>","short":"K.Z. Pietrzak, in:, 10th Innovations in Theoretical Computer Science  Conference (ITCS 2019), Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2018, p. 59:1-59:25.","ieee":"K. Z. Pietrzak, “Proofs of catalytic space,” in <i>10th Innovations in Theoretical Computer Science  Conference (ITCS 2019)</i>, San Diego, CA, United States, 2018, vol. 124, p. 59:1-59:25.","apa":"Pietrzak, K. Z. (2018). Proofs of catalytic space. In <i>10th Innovations in Theoretical Computer Science  Conference (ITCS 2019)</i> (Vol. 124, p. 59:1-59:25). San Diego, CA, United States: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. <a href=\"https://doi.org/10.4230/LIPICS.ITCS.2019.59\">https://doi.org/10.4230/LIPICS.ITCS.2019.59</a>","ista":"Pietrzak KZ. 2018. Proofs of catalytic space. 10th Innovations in Theoretical Computer Science  Conference (ITCS 2019). ITCS: Innovations in theoretical Computer Science Conference, LIPIcs, vol. 124, 59:1-59:25."},"intvolume":"       124","main_file_link":[{"url":"https://eprint.iacr.org/2018/194","open_access":"1"}],"has_accepted_license":"1","status":"public","ec_funded":1,"file_date_updated":"2020-07-14T12:47:57Z","scopus_import":1,"publication_identifier":{"isbn":["978-3-95977-095-8"],"issn":["1868-8969"]},"file":[{"creator":"dernst","relation":"main_file","content_type":"application/pdf","date_created":"2020-02-04T08:17:52Z","file_id":"7443","date_updated":"2020-07-14T12:47:57Z","file_size":822884,"file_name":"2018_LIPIcs_Pietrzak.pdf","access_level":"open_access","checksum":"5cebb7f7849a3beda898f697d755dd96"}],"quality_controlled":"1","oa":1,"month":"12","publisher":"Schloss Dagstuhl - Leibniz-Zentrum für Informatik","doi":"10.4230/LIPICS.ITCS.2019.59","date_updated":"2021-01-12T08:13:26Z","publication":"10th Innovations in Theoretical Computer Science  Conference (ITCS 2019)","article_processing_charge":"No","oa_version":"Published Version","type":"conference","project":[{"grant_number":"682815","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","call_identifier":"H2020","name":"Teaching Old Crypto New Tricks"}],"date_published":"2018-12-31T00:00:00Z","volume":124,"department":[{"_id":"KrPi"}],"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","short":"CC BY (4.0)","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)"},"year":"2018","language":[{"iso":"eng"}],"ddc":["000"],"day":"31","publication_status":"published","date_created":"2020-01-30T09:16:05Z","conference":{"end_date":"2019-01-12","location":"San Diego, CA, United States","name":"ITCS: Innovations in theoretical Computer Science Conference","start_date":"2019-01-10"},"alternative_title":["LIPIcs"],"page":"59:1-59:25","author":[{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z"}]},{"year":"2018","language":[{"iso":"eng"}],"department":[{"_id":"KrPi"},{"_id":"HeEd"},{"_id":"VlKo"}],"author":[{"id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","first_name":"Joel F","full_name":"Alwen, Joel F","last_name":"Alwen"},{"first_name":"Peter","full_name":"Gazi, Peter","last_name":"Gazi"},{"full_name":"Kamath Hosdurg, Chethan","first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","last_name":"Kamath Hosdurg"},{"full_name":"Klein, Karen","first_name":"Karen","id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87","last_name":"Klein"},{"full_name":"Osang, Georg F","id":"464B40D6-F248-11E8-B48F-1D18A9856A87","first_name":"Georg F","last_name":"Osang","orcid":"0000-0002-8882-5116"},{"full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","last_name":"Pietrzak","orcid":"0000-0002-9139-1654"},{"first_name":"Lenoid","full_name":"Reyzin, Lenoid","last_name":"Reyzin"},{"last_name":"Rolinek","id":"3CB3BC06-F248-11E8-B48F-1D18A9856A87","first_name":"Michal","full_name":"Rolinek, Michal"},{"last_name":"Rybar","id":"2B3E3DE8-F248-11E8-B48F-1D18A9856A87","first_name":"Michal","full_name":"Rybar, Michal"}],"conference":{"location":"Incheon, Republic of Korea","end_date":"2018-06-08","start_date":"2018-06-04","name":"ASIACCS: Asia Conference on Computer and Communications Security "},"page":"51 - 65","date_created":"2018-12-11T11:45:07Z","day":"01","publication_status":"published","publist_id":"7723","article_processing_charge":"No","date_updated":"2023-09-13T09:13:12Z","publisher":"ACM","doi":"10.1145/3196494.3196534","publication":"Proceedings of the 2018 on Asia Conference on Computer and Communication Security","month":"06","quality_controlled":"1","oa":1,"project":[{"_id":"25FBA906-B435-11E9-9278-68D0E5697425","grant_number":"616160","name":"Discrete Optimization in Computer Vision: Theory and Practice","call_identifier":"FP7"},{"call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815"}],"type":"conference","date_published":"2018-06-01T00:00:00Z","oa_version":"Submitted Version","external_id":{"isi":["000516620100005"]},"scopus_import":"1","isi":1,"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","abstract":[{"text":"We show attacks on five data-independent memory-hard functions (iMHF) that were submitted to the password hashing competition (PHC). Informally, an MHF is a function which cannot be evaluated on dedicated hardware, like ASICs, at significantly lower hardware and/or energy cost than evaluating a single instance on a standard single-core architecture. Data-independent means the memory access pattern of the function is independent of the input; this makes iMHFs harder to construct than data-dependent ones, but the latter can be attacked by various side-channel attacks. Following [Alwen-Blocki'16], we capture the evaluation of an iMHF as a directed acyclic graph (DAG). The cumulative parallel pebbling complexity of this DAG is a measure for the hardware cost of evaluating the iMHF on an ASIC. Ideally, one would like the complexity of a DAG underlying an iMHF to be as close to quadratic in the number of nodes of the graph as possible. Instead, we show that (the DAGs underlying) the following iMHFs are far from this bound: Rig.v2, TwoCats and Gambit each having an exponent no more than 1.75. Moreover, we show that the complexity of the iMHF modes of the PHC finalists Pomelo and Lyra2 have exponents at most 1.83 and 1.67 respectively. To show this we investigate a combinatorial property of each underlying DAG (called its depth-robustness. By establishing upper bounds on this property we are then able to apply the general technique of [Alwen-Block'16] for analyzing the hardware costs of an iMHF.","lang":"eng"}],"title":"On the memory hardness of data independent password hashing functions","_id":"193","acknowledgement":"Leonid Reyzin was supported in part by IST Austria and by US NSF grants 1012910, 1012798, and 1422965; this research was performed while he was visiting IST Austria.","status":"public","ec_funded":1,"citation":{"short":"J.F. Alwen, P. Gazi, C. Kamath Hosdurg, K. Klein, G.F. Osang, K.Z. Pietrzak, L. Reyzin, M. Rolinek, M. Rybar, in:, Proceedings of the 2018 on Asia Conference on Computer and Communication Security, ACM, 2018, pp. 51–65.","ieee":"J. F. Alwen <i>et al.</i>, “On the memory hardness of data independent password hashing functions,” in <i>Proceedings of the 2018 on Asia Conference on Computer and Communication Security</i>, Incheon, Republic of Korea, 2018, pp. 51–65.","ista":"Alwen JF, Gazi P, Kamath Hosdurg C, Klein K, Osang GF, Pietrzak KZ, Reyzin L, Rolinek M, Rybar M. 2018. On the memory hardness of data independent password hashing functions. Proceedings of the 2018 on Asia Conference on Computer and Communication Security. ASIACCS: Asia Conference on Computer and Communications Security , 51–65.","apa":"Alwen, J. F., Gazi, P., Kamath Hosdurg, C., Klein, K., Osang, G. F., Pietrzak, K. Z., … Rybar, M. (2018). On the memory hardness of data independent password hashing functions. In <i>Proceedings of the 2018 on Asia Conference on Computer and Communication Security</i> (pp. 51–65). Incheon, Republic of Korea: ACM. <a href=\"https://doi.org/10.1145/3196494.3196534\">https://doi.org/10.1145/3196494.3196534</a>","chicago":"Alwen, Joel F, Peter Gazi, Chethan Kamath Hosdurg, Karen Klein, Georg F Osang, Krzysztof Z Pietrzak, Lenoid Reyzin, Michal Rolinek, and Michal Rybar. “On the Memory Hardness of Data Independent Password Hashing Functions.” In <i>Proceedings of the 2018 on Asia Conference on Computer and Communication Security</i>, 51–65. ACM, 2018. <a href=\"https://doi.org/10.1145/3196494.3196534\">https://doi.org/10.1145/3196494.3196534</a>.","ama":"Alwen JF, Gazi P, Kamath Hosdurg C, et al. On the memory hardness of data independent password hashing functions. In: <i>Proceedings of the 2018 on Asia Conference on Computer and Communication Security</i>. ACM; 2018:51-65. doi:<a href=\"https://doi.org/10.1145/3196494.3196534\">10.1145/3196494.3196534</a>","mla":"Alwen, Joel F., et al. “On the Memory Hardness of Data Independent Password Hashing Functions.” <i>Proceedings of the 2018 on Asia Conference on Computer and Communication Security</i>, ACM, 2018, pp. 51–65, doi:<a href=\"https://doi.org/10.1145/3196494.3196534\">10.1145/3196494.3196534</a>."},"main_file_link":[{"url":"https://eprint.iacr.org/2016/783","open_access":"1"}]},{"page":"17-47","issue":"1","author":[{"full_name":"Chatterjee, Sanjit","first_name":"Sanjit","last_name":"Chatterjee"},{"first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87","full_name":"Kamath Hosdurg, Chethan","last_name":"Kamath Hosdurg"},{"first_name":"Vikas","full_name":"Kumar, Vikas","last_name":"Kumar"}],"day":"01","publication_status":"published","date_created":"2019-02-13T13:49:41Z","language":[{"iso":"eng"}],"year":"2018","scopus_import":"1","isi":1,"department":[{"_id":"KrPi"}],"status":"public","type":"journal_article","date_published":"2018-02-01T00:00:00Z","volume":12,"intvolume":"        12","citation":{"ista":"Chatterjee S, Kamath Hosdurg C, Kumar V. 2018. Private set-intersection with common set-up. American Institute of Mathematical Sciences. 12(1), 17–47.","apa":"Chatterjee, S., Kamath Hosdurg, C., &#38; Kumar, V. (2018). Private set-intersection with common set-up. <i>American Institute of Mathematical Sciences</i>. AIMS. <a href=\"https://doi.org/10.3934/amc.2018002\">https://doi.org/10.3934/amc.2018002</a>","short":"S. Chatterjee, C. Kamath Hosdurg, V. Kumar, American Institute of Mathematical Sciences 12 (2018) 17–47.","ieee":"S. Chatterjee, C. Kamath Hosdurg, and V. Kumar, “Private set-intersection with common set-up,” <i>American Institute of Mathematical Sciences</i>, vol. 12, no. 1. AIMS, pp. 17–47, 2018.","ama":"Chatterjee S, Kamath Hosdurg C, Kumar V. Private set-intersection with common set-up. <i>American Institute of Mathematical Sciences</i>. 2018;12(1):17-47. doi:<a href=\"https://doi.org/10.3934/amc.2018002\">10.3934/amc.2018002</a>","mla":"Chatterjee, Sanjit, et al. “Private Set-Intersection with Common Set-Up.” <i>American Institute of Mathematical Sciences</i>, vol. 12, no. 1, AIMS, 2018, pp. 17–47, doi:<a href=\"https://doi.org/10.3934/amc.2018002\">10.3934/amc.2018002</a>.","chicago":"Chatterjee, Sanjit, Chethan Kamath Hosdurg, and Vikas Kumar. “Private Set-Intersection with Common Set-Up.” <i>American Institute of Mathematical Sciences</i>. AIMS, 2018. <a href=\"https://doi.org/10.3934/amc.2018002\">https://doi.org/10.3934/amc.2018002</a>."},"external_id":{"isi":["000430950400002"]},"oa_version":"None","date_updated":"2023-09-19T14:27:59Z","title":"Private set-intersection with common set-up","publisher":"AIMS","doi":"10.3934/amc.2018002","publication":"American Institute of Mathematical Sciences","_id":"5980","article_processing_charge":"No","user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","abstract":[{"lang":"eng","text":"The problem of private set-intersection (PSI) has been traditionally treated as an instance of the more general problem of multi-party computation (MPC). Consequently, in order to argue security, or compose these protocols one has to rely on the general theory that was developed for the purpose of MPC. The pursuit of efficient protocols, however, has resulted in designs that exploit properties pertaining to PSI. In almost all practical applications where a PSI protocol is deployed, it is expected to be executed multiple times, possibly on related inputs. In this work we initiate a dedicated study of PSI in the multi-interaction (MI) setting. In this model a server sets up the common system parameters and executes set-intersection multiple times with potentially different clients. We discuss a few attacks that arise when protocols are naïvely composed in this manner and, accordingly, craft security definitions for the MI setting and study their inter-relation. Finally, we suggest a set of protocols that are MI-secure, at the same time almost as efficient as their parent, stand-alone, protocols."}],"quality_controlled":"1","month":"02"},{"user_id":"8b945eb4-e2f2-11eb-945a-df72226e66a9","abstract":[{"lang":"eng","text":"In this paper, we evaluate clock signals generated in ring oscillators and self-timed rings and the way their jitter can be transformed into random numbers. We show that counting the periods of the jittery clock signal produces random numbers of significantly better quality than the methods in which the jittery signal is simply sampled (the case in almost all current methods). Moreover, we use the counter values to characterize and continuously monitor the source of randomness. However, instead of using the widely used statistical variance, we propose to use Allan variance to do so. There are two main advantages: Allan variance is insensitive to low frequency noises such as flicker noise that are known to be autocorrelated and significantly less circuitry is required for its computation than that used to compute commonly used variance. We also show that it is essential to use a differential principle of randomness extraction from the jitter based on the use of two identical oscillators to avoid autocorrelations originating from external and internal global jitter sources and that this fact is valid for both kinds of rings. Last but not least, we propose a method of statistical testing based on high order Markov model to show the reduced dependencies when the proposed randomness extraction is applied."}],"title":"Evaluation and monitoring of free running oscillators serving as source of randomness","_id":"10286","intvolume":"      2018","citation":{"ista":"Allini EN, Skórski M, Petura O, Bernard F, Laban M, Fischer V. 2018. Evaluation and monitoring of free running oscillators serving as source of randomness. IACR Transactions on Cryptographic Hardware and Embedded Systems. 2018(3), 214–242.","apa":"Allini, E. N., Skórski, M., Petura, O., Bernard, F., Laban, M., &#38; Fischer, V. (2018). Evaluation and monitoring of free running oscillators serving as source of randomness. <i>IACR Transactions on Cryptographic Hardware and Embedded Systems</i>. International Association for Cryptologic Research. <a href=\"https://doi.org/10.13154/tches.v2018.i3.214-242\">https://doi.org/10.13154/tches.v2018.i3.214-242</a>","ieee":"E. N. Allini, M. Skórski, O. Petura, F. Bernard, M. Laban, and V. Fischer, “Evaluation and monitoring of free running oscillators serving as source of randomness,” <i>IACR Transactions on Cryptographic Hardware and Embedded Systems</i>, vol. 2018, no. 3. International Association for Cryptologic Research, pp. 214–242, 2018.","short":"E.N. Allini, M. Skórski, O. Petura, F. Bernard, M. Laban, V. Fischer, IACR Transactions on Cryptographic Hardware and Embedded Systems 2018 (2018) 214–242.","ama":"Allini EN, Skórski M, Petura O, Bernard F, Laban M, Fischer V. Evaluation and monitoring of free running oscillators serving as source of randomness. <i>IACR Transactions on Cryptographic Hardware and Embedded Systems</i>. 2018;2018(3):214-242. doi:<a href=\"https://doi.org/10.13154/tches.v2018.i3.214-242\">10.13154/tches.v2018.i3.214-242</a>","mla":"Allini, Elie Noumon, et al. “Evaluation and Monitoring of Free Running Oscillators Serving as Source of Randomness.” <i>IACR Transactions on Cryptographic Hardware and Embedded Systems</i>, vol. 2018, no. 3, International Association for Cryptologic Research, 2018, pp. 214–42, doi:<a href=\"https://doi.org/10.13154/tches.v2018.i3.214-242\">10.13154/tches.v2018.i3.214-242</a>.","chicago":"Allini, Elie Noumon, Maciej Skórski, Oto Petura, Florent Bernard, Marek Laban, and Viktor Fischer. “Evaluation and Monitoring of Free Running Oscillators Serving as Source of Randomness.” <i>IACR Transactions on Cryptographic Hardware and Embedded Systems</i>. International Association for Cryptologic Research, 2018. <a href=\"https://doi.org/10.13154/tches.v2018.i3.214-242\">https://doi.org/10.13154/tches.v2018.i3.214-242</a>."},"has_accepted_license":"1","status":"public","file_date_updated":"2021-11-15T10:27:29Z","scopus_import":"1","publication_identifier":{"eissn":["2569-2925"]},"issue":"3","month":"01","quality_controlled":"1","oa":1,"file":[{"file_id":"10289","date_created":"2021-11-15T10:27:29Z","content_type":"application/pdf","creator":"cchlebak","relation":"main_file","checksum":"b816b848f046c48a8357700d9305dce5","file_name":"2018_IACR_Allini.pdf","access_level":"open_access","success":1,"file_size":955755,"date_updated":"2021-11-15T10:27:29Z"}],"article_processing_charge":"No","publisher":"International Association for Cryptologic Research","date_updated":"2021-11-15T10:48:49Z","doi":"10.13154/tches.v2018.i3.214-242","publication":"IACR Transactions on Cryptographic Hardware and Embedded Systems","oa_version":"Published Version","article_type":"original","date_published":"2018-01-01T00:00:00Z","type":"journal_article","volume":2018,"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","short":"CC BY (4.0)","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)"},"department":[{"_id":"KrPi"}],"ddc":["000"],"year":"2018","language":[{"iso":"eng"}],"date_created":"2021-11-14T23:01:25Z","day":"01","publication_status":"published","author":[{"last_name":"Allini","full_name":"Allini, Elie Noumon","first_name":"Elie Noumon"},{"last_name":"Skórski","full_name":"Skórski, Maciej","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD","first_name":"Maciej"},{"first_name":"Oto","full_name":"Petura, Oto","last_name":"Petura"},{"first_name":"Florent","full_name":"Bernard, Florent","last_name":"Bernard"},{"last_name":"Laban","full_name":"Laban, Marek","first_name":"Marek"},{"full_name":"Fischer, Viktor","first_name":"Viktor","last_name":"Fischer"}],"page":"214-242"},{"issue":"4","scopus_import":"1","isi":1,"citation":{"ama":"Dziembowski S, Pietrzak KZ, Wichs D. Non-malleable codes. <i>Journal of the ACM</i>. 2018;65(4). doi:<a href=\"https://doi.org/10.1145/3178432\">10.1145/3178432</a>","mla":"Dziembowski, Stefan, et al. “Non-Malleable Codes.” <i>Journal of the ACM</i>, vol. 65, no. 4, 20, ACM, 2018, doi:<a href=\"https://doi.org/10.1145/3178432\">10.1145/3178432</a>.","chicago":"Dziembowski, Stefan, Krzysztof Z Pietrzak, and Daniel Wichs. “Non-Malleable Codes.” <i>Journal of the ACM</i>. ACM, 2018. <a href=\"https://doi.org/10.1145/3178432\">https://doi.org/10.1145/3178432</a>.","ista":"Dziembowski S, Pietrzak KZ, Wichs D. 2018. Non-malleable codes. Journal of the ACM. 65(4), 20.","apa":"Dziembowski, S., Pietrzak, K. Z., &#38; Wichs, D. (2018). Non-malleable codes. <i>Journal of the ACM</i>. ACM. <a href=\"https://doi.org/10.1145/3178432\">https://doi.org/10.1145/3178432</a>","short":"S. Dziembowski, K.Z. Pietrzak, D. Wichs, Journal of the ACM 65 (2018).","ieee":"S. Dziembowski, K. Z. Pietrzak, and D. Wichs, “Non-malleable codes,” <i>Journal of the ACM</i>, vol. 65, no. 4. ACM, 2018."},"intvolume":"        65","main_file_link":[{"url":"https://eprint.iacr.org/2009/608","open_access":"1"}],"status":"public","ec_funded":1,"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","abstract":[{"text":"We introduce the notion of “non-malleable codes” which relaxes the notion of error correction and error detection. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely unrelated value. In contrast to error correction and error detection, non-malleability can be achieved for very rich classes of modifications. We construct an efficient code that is non-malleable with respect to modifications that affect each bit of the codeword arbitrarily (i.e., leave it untouched, flip it, or set it to either 0 or 1), but independently of the value of the other bits of the codeword. Using the probabilistic method, we also show a very strong and general statement: there exists a non-malleable code for every “small enough” family F of functions via which codewords can be modified. Although this probabilistic method argument does not directly yield efficient constructions, it gives us efficient non-malleable codes in the random-oracle model for very general classes of tampering functions—e.g., functions where every bit in the tampered codeword can depend arbitrarily on any 99% of the bits in the original codeword. As an application of non-malleable codes, we show that they provide an elegant algorithmic solution to the task of protecting functionalities implemented in hardware (e.g., signature cards) against “tampering attacks.” In such attacks, the secret state of a physical system is tampered, in the hopes that future interaction with the modified system will reveal some secret information. This problem was previously studied in the work of Gennaro et al. in 2004 under the name “algorithmic tamper proof security” (ATP). We show that non-malleable codes can be used to achieve important improvements over the prior work. In particular, we show that any functionality can be made secure against a large class of tampering attacks, simply by encoding the secret state with a non-malleable code while it is stored in memory.","lang":"eng"}],"title":"Non-malleable codes","_id":"107","date_created":"2018-12-11T11:44:40Z","day":"01","publication_status":"published","publist_id":"7947","author":[{"last_name":"Dziembowski","first_name":"Stefan","full_name":"Dziembowski, Stefan"},{"orcid":"0000-0002-9139-1654","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Wichs","full_name":"Wichs, Daniel","first_name":"Daniel"}],"department":[{"_id":"KrPi"}],"language":[{"iso":"eng"}],"year":"2018","article_type":"original","external_id":{"isi":["000442938200004"]},"oa_version":"Preprint","date_published":"2018-08-01T00:00:00Z","type":"journal_article","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815","call_identifier":"H2020","name":"Teaching Old Crypto New Tricks"},{"name":"Provable Security for Physical Cryptography","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668"}],"volume":65,"month":"08","quality_controlled":"1","oa":1,"article_number":"20","article_processing_charge":"No","doi":"10.1145/3178432","date_updated":"2023-09-13T09:05:17Z","publisher":"ACM","publication":"Journal of the ACM"},{"type":"conference","date_published":"2018-08-16T00:00:00Z","volume":2018,"external_id":{"isi":["000448139300368"]},"oa_version":"Submitted Version","article_processing_charge":"No","publisher":"IEEE","date_updated":"2023-09-13T08:23:18Z","doi":"10.1109/ISIT.2018.8437654","month":"08","oa":1,"quality_controlled":"1","author":[{"last_name":"Obremski","full_name":"Obremski, Marciej","first_name":"Marciej"},{"last_name":"Skorski","first_name":"Maciej","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD","full_name":"Skorski, Maciej"}],"conference":{"end_date":"2018-06-22","location":"Vail, CO, USA","name":"ISIT: International Symposium on Information Theory","start_date":"2018-06-17 "},"alternative_title":["ISIT Proceedings"],"date_created":"2018-12-11T11:44:40Z","day":"16","publication_status":"published","publist_id":"7946","year":"2018","language":[{"iso":"eng"}],"department":[{"_id":"KrPi"}],"status":"public","intvolume":"      2018","citation":{"chicago":"Obremski, Marciej, and Maciej Skórski. “Inverted Leftover Hash Lemma,” Vol. 2018. IEEE, 2018. <a href=\"https://doi.org/10.1109/ISIT.2018.8437654\">https://doi.org/10.1109/ISIT.2018.8437654</a>.","mla":"Obremski, Marciej, and Maciej Skórski. <i>Inverted Leftover Hash Lemma</i>. Vol. 2018, IEEE, 2018, doi:<a href=\"https://doi.org/10.1109/ISIT.2018.8437654\">10.1109/ISIT.2018.8437654</a>.","ama":"Obremski M, Skórski M. Inverted leftover hash lemma. In: Vol 2018. IEEE; 2018. doi:<a href=\"https://doi.org/10.1109/ISIT.2018.8437654\">10.1109/ISIT.2018.8437654</a>","short":"M. Obremski, M. Skórski, in:, IEEE, 2018.","ieee":"M. Obremski and M. Skórski, “Inverted leftover hash lemma,” presented at the ISIT: International Symposium on Information Theory, Vail, CO, USA, 2018, vol. 2018.","apa":"Obremski, M., &#38; Skórski, M. (2018). Inverted leftover hash lemma (Vol. 2018). Presented at the ISIT: International Symposium on Information Theory, Vail, CO, USA: IEEE. <a href=\"https://doi.org/10.1109/ISIT.2018.8437654\">https://doi.org/10.1109/ISIT.2018.8437654</a>","ista":"Obremski M, Skórski M. 2018. Inverted leftover hash lemma. ISIT: International Symposium on Information Theory, ISIT Proceedings, vol. 2018."},"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2017/507"}],"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","abstract":[{"lang":"eng","text":"Universal hashing found a lot of applications in computer science. In cryptography the most important fact about universal families is the so called Leftover Hash Lemma, proved by Impagliazzo, Levin and Luby. In the language of modern cryptography it states that almost universal families are good extractors. In this work we provide a somewhat surprising characterization in the opposite direction. Namely, every extractor with sufficiently good parameters yields a universal family on a noticeable fraction of its inputs. Our proof technique is based on tools from extremal graph theory applied to the \\'collision graph\\' induced by the extractor, and may be of independent interest. We discuss possible applications to the theory of randomness extractors and non-malleable codes."}],"title":"Inverted leftover hash lemma","_id":"108","scopus_import":"1","isi":1},{"isi":1,"scopus_import":"1","abstract":[{"text":"Memory-hard functions (MHF) are functions whose evaluation cost is dominated by memory cost. MHFs are egalitarian, in the sense that evaluating them on dedicated hardware (like FPGAs or ASICs) is not much cheaper than on off-the-shelf hardware (like x86 CPUs). MHFs have interesting cryptographic applications, most notably to password hashing and securing blockchains.\r\n\r\nAlwen and Serbinenko [STOC’15] define the cumulative memory complexity (cmc) of a function as the sum (over all time-steps) of the amount of memory required to compute the function. They advocate that a good MHF must have high cmc. Unlike previous notions, cmc takes into account that dedicated hardware might exploit amortization and parallelism. Still, cmc has been critizised as insufficient, as it fails to capture possible time-memory trade-offs; as memory cost doesn’t scale linearly, functions with the same cmc could still have very different actual hardware cost.\r\n\r\nIn this work we address this problem, and introduce the notion of sustained-memory complexity, which requires that any algorithm evaluating the function must use a large amount of memory for many steps. We construct functions (in the parallel random oracle model) whose sustained-memory complexity is almost optimal: our function can be evaluated using n steps and   O(n/log(n))  memory, in each step making one query to the (fixed-input length) random oracle, while any algorithm that can make arbitrary many parallel queries to the random oracle, still needs   Ω(n/log(n))  memory for   Ω(n)  steps.\r\n\r\nAs has been done for various notions (including cmc) before, we reduce the task of constructing an MHFs with high sustained-memory complexity to proving pebbling lower bounds on DAGs. Our main technical contribution is the construction is a family of DAGs on n nodes with constant indegree with high “sustained-space complexity”, meaning that any parallel black-pebbling strategy requires   Ω(n/log(n))  pebbles for at least   Ω(n)  steps.\r\n\r\nAlong the way we construct a family of maximally “depth-robust” DAGs with maximum indegree   O(logn) , improving upon the construction of Mahmoody et al. [ITCS’13] which had maximum indegree   O(log2n⋅","lang":"eng"}],"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","_id":"298","title":"Sustained space complexity","main_file_link":[{"open_access":"1","url":"https://arxiv.org/abs/1705.05313"}],"intvolume":"     10821","citation":{"apa":"Alwen, J. F., Blocki, J., &#38; Pietrzak, K. Z. (2018). Sustained space complexity (Vol. 10821, pp. 99–130). Presented at the Eurocrypt 2018: Advances in Cryptology, Tel Aviv, Israel: Springer. <a href=\"https://doi.org/10.1007/978-3-319-78375-8_4\">https://doi.org/10.1007/978-3-319-78375-8_4</a>","ista":"Alwen JF, Blocki J, Pietrzak KZ. 2018. Sustained space complexity. Eurocrypt 2018: Advances in Cryptology, LNCS, vol. 10821, 99–130.","short":"J.F. Alwen, J. Blocki, K.Z. Pietrzak, in:, Springer, 2018, pp. 99–130.","ieee":"J. F. Alwen, J. Blocki, and K. Z. Pietrzak, “Sustained space complexity,” presented at the Eurocrypt 2018: Advances in Cryptology, Tel Aviv, Israel, 2018, vol. 10821, pp. 99–130.","mla":"Alwen, Joel F., et al. <i>Sustained Space Complexity</i>. Vol. 10821, Springer, 2018, pp. 99–130, doi:<a href=\"https://doi.org/10.1007/978-3-319-78375-8_4\">10.1007/978-3-319-78375-8_4</a>.","ama":"Alwen JF, Blocki J, Pietrzak KZ. Sustained space complexity. In: Vol 10821. Springer; 2018:99-130. doi:<a href=\"https://doi.org/10.1007/978-3-319-78375-8_4\">10.1007/978-3-319-78375-8_4</a>","chicago":"Alwen, Joel F, Jeremiah Blocki, and Krzysztof Z Pietrzak. “Sustained Space Complexity,” 10821:99–130. Springer, 2018. <a href=\"https://doi.org/10.1007/978-3-319-78375-8_4\">https://doi.org/10.1007/978-3-319-78375-8_4</a>."},"ec_funded":1,"status":"public","department":[{"_id":"KrPi"}],"language":[{"iso":"eng"}],"year":"2018","date_created":"2018-12-11T11:45:41Z","arxiv":1,"publist_id":"7583","publication_status":"published","day":"31","author":[{"first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","full_name":"Alwen, Joel F","last_name":"Alwen"},{"last_name":"Blocki","full_name":"Blocki, Jeremiah","first_name":"Jeremiah"},{"orcid":"0000-0002-9139-1654","last_name":"Pietrzak","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z"}],"alternative_title":["LNCS"],"page":"99 - 130","conference":{"name":"Eurocrypt 2018: Advances in Cryptology","start_date":"2018-04-29","end_date":"2018-05-03","location":"Tel Aviv, Israel"},"month":"03","oa":1,"quality_controlled":"1","article_processing_charge":"No","date_updated":"2023-09-19T09:59:30Z","doi":"10.1007/978-3-319-78375-8_4","publisher":"Springer","oa_version":"Preprint","external_id":{"isi":["000517098700004"],"arxiv":["1705.05313"]},"volume":10821,"date_published":"2018-03-31T00:00:00Z","type":"conference","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815","call_identifier":"H2020","name":"Teaching Old Crypto New Tricks"}]},{"isi":1,"scopus_import":"1","ec_funded":1,"status":"public","main_file_link":[{"url":"https://eprint.iacr.org/2018/077","open_access":"1"}],"citation":{"short":"D. Micciancio, M. Walter, in:, Springer, 2018, pp. 3–28.","ieee":"D. Micciancio and M. Walter, “On the bit security of cryptographic primitives,” presented at the Eurocrypt: Advances in Cryptology, Tel Aviv, Israel, 2018, vol. 10820, pp. 3–28.","ista":"Micciancio D, Walter M. 2018. On the bit security of cryptographic primitives. Eurocrypt: Advances in Cryptology, LNCS, vol. 10820, 3–28.","apa":"Micciancio, D., &#38; Walter, M. (2018). On the bit security of cryptographic primitives (Vol. 10820, pp. 3–28). Presented at the Eurocrypt: Advances in Cryptology, Tel Aviv, Israel: Springer. <a href=\"https://doi.org/10.1007/978-3-319-78381-9_1\">https://doi.org/10.1007/978-3-319-78381-9_1</a>","chicago":"Micciancio, Daniele, and Michael Walter. “On the Bit Security of Cryptographic Primitives,” 10820:3–28. Springer, 2018. <a href=\"https://doi.org/10.1007/978-3-319-78381-9_1\">https://doi.org/10.1007/978-3-319-78381-9_1</a>.","ama":"Micciancio D, Walter M. On the bit security of cryptographic primitives. In: Vol 10820. Springer; 2018:3-28. doi:<a href=\"https://doi.org/10.1007/978-3-319-78381-9_1\">10.1007/978-3-319-78381-9_1</a>","mla":"Micciancio, Daniele, and Michael Walter. <i>On the Bit Security of Cryptographic Primitives</i>. Vol. 10820, Springer, 2018, pp. 3–28, doi:<a href=\"https://doi.org/10.1007/978-3-319-78381-9_1\">10.1007/978-3-319-78381-9_1</a>."},"intvolume":"     10820","_id":"300","title":"On the bit security of cryptographic primitives","abstract":[{"text":"We introduce a formal quantitative notion of “bit security” for a general type of cryptographic games (capturing both decision and search problems), aimed at capturing the intuition that a cryptographic primitive with k-bit security is as hard to break as an ideal cryptographic function requiring a brute force attack on a k-bit key space. Our new definition matches the notion of bit security commonly used by cryptographers and cryptanalysts when studying search (e.g., key recovery) problems, where the use of the traditional definition is well established. However, it produces a quantitatively different metric in the case of decision (indistinguishability) problems, where the use of (a straightforward generalization of) the traditional definition is more problematic and leads to a number of paradoxical situations or mismatches between theoretical/provable security and practical/common sense intuition. Key to our new definition is to consider adversaries that may explicitly declare failure of the attack. We support and justify the new definition by proving a number of technical results, including tight reductions between several standard cryptographic problems, a new hybrid theorem that preserves bit security, and an application to the security analysis of indistinguishability primitives making use of (approximate) floating point numbers. This is the first result showing that (standard precision) 53-bit floating point numbers can be used to achieve 100-bit security in the context of cryptographic primitives with general indistinguishability-based security definitions. Previous results of this type applied only to search problems, or special types of decision problems.","lang":"eng"}],"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","acknowledgement":"Research supported in part by the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under the SafeWare program. Opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views, position or policy of the Government. The second author was also supported by the European Research Council, ERC consolidator grant (682815 - TOCNeT).","alternative_title":["LNCS"],"page":"3 - 28","conference":{"location":"Tel Aviv, Israel","end_date":"2018-05-03","start_date":"2018-04-29","name":"Eurocrypt: Advances in Cryptology"},"author":[{"first_name":"Daniele","full_name":"Micciancio, Daniele","last_name":"Micciancio"},{"first_name":"Michael","id":"488F98B0-F248-11E8-B48F-1D18A9856A87","full_name":"Walter, Michael","orcid":"0000-0003-3186-2482","last_name":"Walter"}],"publist_id":"7581","publication_status":"published","day":"31","date_created":"2018-12-11T11:45:42Z","year":"2018","language":[{"iso":"eng"}],"department":[{"_id":"KrPi"}],"volume":10820,"project":[{"call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815"}],"date_published":"2018-03-31T00:00:00Z","type":"conference","oa_version":"Submitted Version","external_id":{"isi":["000517097500001"]},"publisher":"Springer","date_updated":"2023-09-13T09:12:04Z","doi":"10.1007/978-3-319-78381-9_1","article_processing_charge":"No","quality_controlled":"1","oa":1,"month":"03"},{"quality_controlled":"1","oa":1,"month":"05","doi":"10.1007/978-3-319-78375-8_15","publisher":"Springer","date_updated":"2023-09-18T09:29:33Z","article_processing_charge":"No","external_id":{"isi":["000517098700015"]},"oa_version":"Submitted Version","volume":10821,"project":[{"name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815"}],"type":"conference","date_published":"2018-05-29T00:00:00Z","department":[{"_id":"KrPi"}],"language":[{"iso":"eng"}],"year":"2018","publist_id":"7579","publication_status":"published","day":"29","date_created":"2018-12-11T11:45:42Z","alternative_title":["LNCS"],"page":"451 - 467","conference":{"name":"Eurocrypt: Advances in Cryptology","start_date":"2018-04-29","end_date":"2018-05-03","location":"Tel Aviv, Israel"},"author":[{"full_name":"Cohen, Bram","first_name":"Bram","last_name":"Cohen"},{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"}],"_id":"302","title":"Simple proofs of sequential work","abstract":[{"text":"At ITCS 2013, Mahmoody, Moran and Vadhan [MMV13] introduce and construct publicly verifiable proofs of sequential work, which is a protocol for proving that one spent sequential computational work related to some statement. The original motivation for such proofs included non-interactive time-stamping and universally verifiable CPU benchmarks. A more recent application, and our main motivation, are blockchain designs, where proofs of sequential work can be used – in combination with proofs of space – as a more ecological and economical substitute for proofs of work which are currently used to secure Bitcoin and other cryptocurrencies. The construction proposed by [MMV13] is based on a hash function and can be proven secure in the random oracle model, or assuming inherently sequential hash-functions, which is a new standard model assumption introduced in their work. In a proof of sequential work, a prover gets a “statement” χ, a time parameter N and access to a hash-function H, which for the security proof is modelled as a random oracle. Correctness requires that an honest prover can make a verifier accept making only N queries to H, while soundness requires that any prover who makes the verifier accept must have made (almost) N sequential queries to H. Thus a solution constitutes a proof that N time passed since χ was received. Solutions must be publicly verifiable in time at most polylogarithmic in N. The construction of [MMV13] is based on “depth-robust” graphs, and as a consequence has rather poor concrete parameters. But the major drawback is that the prover needs not just N time, but also N space to compute a proof. In this work we propose a proof of sequential work which is much simpler, more efficient and achieves much better concrete bounds. Most importantly, the space required can be as small as log (N) (but we get better soundness using slightly more memory than that). An open problem stated by [MMV13] that our construction does not solve either is achieving a “unique” proof, where even a cheating prover can only generate a single accepting proof. This property would be extremely useful for applications to blockchains.","lang":"eng"}],"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2018/183.pdf"}],"citation":{"mla":"Cohen, Bram, and Krzysztof Z. Pietrzak. <i>Simple Proofs of Sequential Work</i>. Vol. 10821, Springer, 2018, pp. 451–67, doi:<a href=\"https://doi.org/10.1007/978-3-319-78375-8_15\">10.1007/978-3-319-78375-8_15</a>.","ama":"Cohen B, Pietrzak KZ. Simple proofs of sequential work. In: Vol 10821. Springer; 2018:451-467. doi:<a href=\"https://doi.org/10.1007/978-3-319-78375-8_15\">10.1007/978-3-319-78375-8_15</a>","chicago":"Cohen, Bram, and Krzysztof Z Pietrzak. “Simple Proofs of Sequential Work,” 10821:451–67. Springer, 2018. <a href=\"https://doi.org/10.1007/978-3-319-78375-8_15\">https://doi.org/10.1007/978-3-319-78375-8_15</a>.","apa":"Cohen, B., &#38; Pietrzak, K. Z. (2018). Simple proofs of sequential work (Vol. 10821, pp. 451–467). Presented at the Eurocrypt: Advances in Cryptology, Tel Aviv, Israel: Springer. <a href=\"https://doi.org/10.1007/978-3-319-78375-8_15\">https://doi.org/10.1007/978-3-319-78375-8_15</a>","ista":"Cohen B, Pietrzak KZ. 2018. Simple proofs of sequential work. Eurocrypt: Advances in Cryptology, LNCS, vol. 10821, 451–467.","short":"B. Cohen, K.Z. Pietrzak, in:, Springer, 2018, pp. 451–467.","ieee":"B. Cohen and K. Z. Pietrzak, “Simple proofs of sequential work,” presented at the Eurocrypt: Advances in Cryptology, Tel Aviv, Israel, 2018, vol. 10821, pp. 451–467."},"intvolume":"     10821","ec_funded":1,"status":"public","isi":1,"scopus_import":"1"},{"alternative_title":["ISTA Thesis"],"page":"86","author":[{"id":"2B3E3DE8-F248-11E8-B48F-1D18A9856A87","first_name":"Michal","full_name":"Rybar, Michal","last_name":"Rybar"}],"pubrep_id":"828","day":"26","publication_status":"published","publist_id":"6810","date_created":"2018-12-11T11:48:46Z","degree_awarded":"PhD","related_material":{"record":[{"status":"public","relation":"part_of_dissertation","id":"2082"},{"id":"6196","status":"public","relation":"part_of_dissertation"}]},"ddc":["000"],"language":[{"iso":"eng"}],"year":"2017","department":[{"_id":"KrPi"}],"date_published":"2017-06-26T00:00:00Z","type":"dissertation","oa_version":"Published Version","date_updated":"2023-09-07T12:02:28Z","publisher":"Institute of Science and Technology Austria","doi":"10.15479/AT:ISTA:th_828","article_processing_charge":"No","file":[{"checksum":"ff8639ec4bded6186f44c7bd3ee26804","file_name":"IST-2017-828-v1+3_2017_Rybar_thesis.pdf","access_level":"open_access","file_size":847400,"date_updated":"2020-07-14T12:48:12Z","date_created":"2018-12-12T10:10:13Z","file_id":"4799","content_type":"application/pdf","creator":"system","relation":"main_file"},{"date_updated":"2020-07-14T12:48:12Z","file_size":26054879,"access_level":"closed","file_name":"2017_Thesis_Rybar_source.zip","checksum":"3462101745ce8ad199c2d0f75dae4a7e","relation":"source_file","creator":"dernst","content_type":"application/zip","file_id":"6202","date_created":"2019-04-05T08:24:11Z"}],"oa":1,"month":"06","publication_identifier":{"issn":["2663-337X"]},"file_date_updated":"2020-07-14T12:48:12Z","status":"public","citation":{"ista":"Rybar M. 2017. (The exact security of) Message authentication codes. Institute of Science and Technology Austria.","apa":"Rybar, M. (2017). <i>(The exact security of) Message authentication codes</i>. Institute of Science and Technology Austria. <a href=\"https://doi.org/10.15479/AT:ISTA:th_828\">https://doi.org/10.15479/AT:ISTA:th_828</a>","short":"M. Rybar, (The Exact Security of) Message Authentication Codes, Institute of Science and Technology Austria, 2017.","ieee":"M. Rybar, “(The exact security of) Message authentication codes,” Institute of Science and Technology Austria, 2017.","ama":"Rybar M. (The exact security of) Message authentication codes. 2017. doi:<a href=\"https://doi.org/10.15479/AT:ISTA:th_828\">10.15479/AT:ISTA:th_828</a>","mla":"Rybar, Michal. <i>(The Exact Security of) Message Authentication Codes</i>. Institute of Science and Technology Austria, 2017, doi:<a href=\"https://doi.org/10.15479/AT:ISTA:th_828\">10.15479/AT:ISTA:th_828</a>.","chicago":"Rybar, Michal. “(The Exact Security of) Message Authentication Codes.” Institute of Science and Technology Austria, 2017. <a href=\"https://doi.org/10.15479/AT:ISTA:th_828\">https://doi.org/10.15479/AT:ISTA:th_828</a>."},"has_accepted_license":"1","title":"(The exact security of) Message authentication codes","_id":"838","user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","abstract":[{"lang":"eng","text":"In this thesis we discuss the exact security of message authentications codes HMAC , NMAC , and PMAC . NMAC is a mode of operation which turns a fixed input-length keyed hash function f into a variable input-length function. A practical single-key variant of NMAC called HMAC is a very popular and widely deployed message authentication code (MAC). PMAC is a block-cipher based mode of operation, which also happens to be the most famous fully parallel MAC. NMAC was introduced by Bellare, Canetti and Krawczyk Crypto’96, who proved it to be a secure pseudorandom function (PRF), and thus also a MAC, under two assumptions. Unfortunately, for many instantiations of HMAC one of them has been found to be wrong. To restore the provable guarantees for NMAC , Bellare [Crypto’06] showed its security without this assumption. PMAC was introduced by Black and Rogaway at Eurocrypt 2002. If instantiated with a pseudorandom permutation over n -bit strings, PMAC constitutes a provably secure variable input-length PRF. For adversaries making q queries, each of length at most ` (in n -bit blocks), and of total length σ ≤ q` , the original paper proves an upper bound on the distinguishing advantage of O ( σ 2 / 2 n ), while the currently best bound is O ( qσ/ 2 n ). In this work we show that this bound is tight by giving an attack with advantage Ω( q 2 `/ 2 n ). In the PMAC construction one initially XORs a mask to every message block, where the mask for the i th block is computed as τ i := γ i · L , where L is a (secret) random value, and γ i is the i -th codeword of the Gray code. Our attack applies more generally to any sequence of γ i ’s which contains a large coset of a subgroup of GF (2 n ). As for NMAC , our first contribution is a simpler and uniform proof: If f is an ε -secure PRF (against q queries) and a δ - non-adaptively secure PRF (against q queries), then NMAC f is an ( ε + `qδ )-secure PRF against q queries of length at most ` blocks each. We also show that this ε + `qδ bound is basically tight by constructing an f for which an attack with advantage `qδ exists. Moreover, we analyze the PRF-security of a modification of NMAC called NI by An and Bellare that avoids the constant rekeying on multi-block messages in NMAC and allows for an information-theoretic analysis. We carry out such an analysis, obtaining a tight `q 2 / 2 c bound for this step, improving over the trivial bound of ` 2 q 2 / 2 c . Finally, we investigate, if the security of PMAC can be further improved by using τ i ’s that are k -wise independent, for k &gt; 1 (the original has k = 1). We observe that the security of PMAC will not increase in general if k = 2, and then prove that the security increases to O ( q 2 / 2 n ), if the k = 4. Due to simple extension attacks, this is the best bound one can hope for, using any distribution on the masks. Whether k = 3 is already sufficient to get this level of security is left as an open problem. Keywords: Message authentication codes, Pseudorandom functions, HMAC, PMAC. "}]},{"oa_version":"Published Version","date_published":"2017-07-01T00:00:00Z","type":"conference","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020"}],"volume":80,"oa":1,"file":[{"relation":"main_file","creator":"system","content_type":"application/pdf","file_id":"4701","date_created":"2018-12-12T10:08:40Z","date_updated":"2020-07-14T12:47:46Z","file_size":601004,"file_name":"IST-2017-893-v1+1_LIPIcs-ICALP-2017-39.pdf","access_level":"open_access","checksum":"e95618a001692f1af2d68f5fde43bc1f"}],"quality_controlled":"1","article_number":"39","month":"07","publisher":"Schloss Dagstuhl - Leibniz-Zentrum für Informatik","doi":"10.4230/LIPIcs.ICALP.2017.39","date_updated":"2021-01-12T08:11:15Z","day":"01","publist_id":"7003","publication_status":"published","date_created":"2018-12-11T11:47:59Z","conference":{"location":"Warsaw, Poland","end_date":"2017-07-14","start_date":"2017-07-10","name":"ICALP: International Colloquium on Automata, Languages, and Programming"},"alternative_title":["LIPIcs"],"author":[{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z"},{"last_name":"Skórski","full_name":"Skórski, Maciej","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD","first_name":"Maciej"}],"pubrep_id":"893","department":[{"_id":"KrPi"}],"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","short":"CC BY (4.0)","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)"},"ddc":["005"],"year":"2017","language":[{"iso":"eng"}],"intvolume":"        80","citation":{"ieee":"K. Z. Pietrzak and M. Skórski, “Non uniform attacks against pseudoentropy,” presented at the ICALP: International Colloquium on Automata, Languages, and Programming, Warsaw, Poland, 2017, vol. 80.","short":"K.Z. Pietrzak, M. Skórski, in:, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017.","apa":"Pietrzak, K. Z., &#38; Skórski, M. (2017). Non uniform attacks against pseudoentropy (Vol. 80). Presented at the ICALP: International Colloquium on Automata, Languages, and Programming, Warsaw, Poland: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. <a href=\"https://doi.org/10.4230/LIPIcs.ICALP.2017.39\">https://doi.org/10.4230/LIPIcs.ICALP.2017.39</a>","ista":"Pietrzak KZ, Skórski M. 2017. Non uniform attacks against pseudoentropy. ICALP: International Colloquium on Automata, Languages, and Programming, LIPIcs, vol. 80, 39.","chicago":"Pietrzak, Krzysztof Z, and Maciej Skórski. “Non Uniform Attacks against Pseudoentropy,” Vol. 80. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017. <a href=\"https://doi.org/10.4230/LIPIcs.ICALP.2017.39\">https://doi.org/10.4230/LIPIcs.ICALP.2017.39</a>.","mla":"Pietrzak, Krzysztof Z., and Maciej Skórski. <i>Non Uniform Attacks against Pseudoentropy</i>. Vol. 80, 39, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, doi:<a href=\"https://doi.org/10.4230/LIPIcs.ICALP.2017.39\">10.4230/LIPIcs.ICALP.2017.39</a>.","ama":"Pietrzak KZ, Skórski M. Non uniform attacks against pseudoentropy. In: Vol 80. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2017. doi:<a href=\"https://doi.org/10.4230/LIPIcs.ICALP.2017.39\">10.4230/LIPIcs.ICALP.2017.39</a>"},"has_accepted_license":"1","status":"public","ec_funded":1,"title":"Non uniform attacks against pseudoentropy","_id":"697","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","abstract":[{"text":"De, Trevisan and Tulsiani [CRYPTO 2010] show that every distribution over n-bit strings which has constant statistical distance to uniform (e.g., the output of a pseudorandom generator mapping n-1 to n bit strings), can be distinguished from the uniform distribution with advantage epsilon by a circuit of size O( 2^n epsilon^2). We generalize this result, showing that a distribution which has less than k bits of min-entropy, can be distinguished from any distribution with k bits of delta-smooth min-entropy with advantage epsilon by a circuit of size O(2^k epsilon^2/delta^2). As a special case, this implies that any distribution with support at most 2^k (e.g., the output of a pseudoentropy generator mapping k to n bit strings) can be distinguished from any given distribution with min-entropy k+1 with advantage epsilon by a circuit of size O(2^k epsilon^2). Our result thus shows that pseudoentropy distributions face basically the same non-uniform attacks as pseudorandom distributions. ","lang":"eng"}],"publication_identifier":{"issn":["18688969"]},"file_date_updated":"2020-07-14T12:47:46Z","scopus_import":1},{"has_accepted_license":"1","citation":{"mla":"Obremski, Maciej, and Maciej Skórski. <i>Renyi Entropy Estimation Revisited</i>. Vol. 81, 20, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, doi:<a href=\"https://doi.org/10.4230/LIPIcs.APPROX-RANDOM.2017.20\">10.4230/LIPIcs.APPROX-RANDOM.2017.20</a>.","ama":"Obremski M, Skórski M. Renyi entropy estimation revisited. In: Vol 81. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2017. doi:<a href=\"https://doi.org/10.4230/LIPIcs.APPROX-RANDOM.2017.20\">10.4230/LIPIcs.APPROX-RANDOM.2017.20</a>","chicago":"Obremski, Maciej, and Maciej Skórski. “Renyi Entropy Estimation Revisited,” Vol. 81. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017. <a href=\"https://doi.org/10.4230/LIPIcs.APPROX-RANDOM.2017.20\">https://doi.org/10.4230/LIPIcs.APPROX-RANDOM.2017.20</a>.","apa":"Obremski, M., &#38; Skórski, M. (2017). Renyi entropy estimation revisited (Vol. 81). Presented at the 20th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems, APPROX, Berkeley, USA: Schloss Dagstuhl - Leibniz-Zentrum für Informatik. <a href=\"https://doi.org/10.4230/LIPIcs.APPROX-RANDOM.2017.20\">https://doi.org/10.4230/LIPIcs.APPROX-RANDOM.2017.20</a>","ista":"Obremski M, Skórski M. 2017. Renyi entropy estimation revisited. 20th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems, APPROX, LIPIcs, vol. 81, 20.","short":"M. Obremski, M. Skórski, in:, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017.","ieee":"M. Obremski and M. Skórski, “Renyi entropy estimation revisited,” presented at the 20th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems, APPROX, Berkeley, USA, 2017, vol. 81."},"intvolume":"        81","ec_funded":1,"status":"public","abstract":[{"lang":"eng","text":"We revisit the problem of estimating entropy of discrete distributions from independent samples, studied recently by Acharya, Orlitsky, Suresh and Tyagi (SODA 2015), improving their upper and lower bounds on the necessary sample size n. For estimating Renyi entropy of order alpha, up to constant accuracy and error probability, we show the following * Upper bounds n = O(1) 2^{(1-1/alpha)H_alpha} for integer alpha&gt;1, as the worst case over distributions with Renyi entropy equal to H_alpha. * Lower bounds n = Omega(1) K^{1-1/alpha} for any real alpha&gt;1, with the constant being an inverse polynomial of the accuracy, as the worst case over all distributions on K elements. Our upper bounds essentially replace the alphabet size by a factor exponential in the entropy, which offers improvements especially in low or medium entropy regimes (interesting for example in anomaly detection). As for the lower bounds, our proof explicitly shows how the complexity depends on both alphabet and accuracy, partially solving the open problem posted in previous works. The argument for upper bounds derives a clean identity for the variance of falling-power sum of a multinomial distribution. Our approach for lower bounds utilizes convex optimization to find a distribution with possibly worse estimation performance, and may be of independent interest as a tool to work with Le Cam’s two point method. "}],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","_id":"710","title":"Renyi entropy estimation revisited","publication_identifier":{"issn":["18688969"]},"file_date_updated":"2020-07-14T12:47:49Z","scopus_import":1,"oa_version":"Published Version","volume":81,"project":[{"name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","grant_number":"682815","_id":"258AA5B2-B435-11E9-9278-68D0E5697425"}],"date_published":"2017-08-01T00:00:00Z","type":"conference","month":"08","article_number":"20","quality_controlled":"1","oa":1,"file":[{"file_size":604813,"date_updated":"2020-07-14T12:47:49Z","checksum":"89225c7dcec2c93838458c9102858985","access_level":"open_access","file_name":"IST-2017-888-v1+1_LIPIcs-APPROX-RANDOM-2017-20.pdf","relation":"main_file","creator":"system","file_id":"4991","date_created":"2018-12-12T10:13:10Z","content_type":"application/pdf"}],"date_updated":"2021-01-12T08:11:50Z","doi":"10.4230/LIPIcs.APPROX-RANDOM.2017.20","publisher":"Schloss Dagstuhl - Leibniz-Zentrum für Informatik","date_created":"2018-12-11T11:48:04Z","publist_id":"6979","publication_status":"published","day":"01","pubrep_id":"888","author":[{"first_name":"Maciej","full_name":"Obremski, Maciej","last_name":"Obremski"},{"last_name":"Skórski","full_name":"Skórski, Maciej","first_name":"Maciej","id":"EC09FA6A-02D0-11E9-8223-86B7C91467DD"}],"alternative_title":["LIPIcs"],"conference":{"location":"Berkeley, USA","end_date":"2017-08-18","start_date":"2017-08-18","name":"20th International Workshop on Approximation Algorithms for Combinatorial Optimization Problems, APPROX"},"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","short":"CC BY (4.0)","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)"},"department":[{"_id":"KrPi"}],"year":"2017","language":[{"iso":"eng"}],"ddc":["005","600"]},{"alternative_title":["LNCS"],"page":"357 - 379","conference":{"name":"ASIACRYPT: Theory and Applications of Cryptology and Information Security","start_date":"2017-12-03","end_date":"2017-12-07","location":"Hong Kong, China"},"author":[{"last_name":"Abusalah","id":"40297222-F248-11E8-B48F-1D18A9856A87","first_name":"Hamza M","full_name":"Abusalah, Hamza M"},{"last_name":"Alwen","full_name":"Alwen, Joel F","first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Cohen, Bram","first_name":"Bram","last_name":"Cohen"},{"full_name":"Khilko, Danylo","first_name":"Danylo","last_name":"Khilko"},{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Reyzin, Leonid","first_name":"Leonid","last_name":"Reyzin"}],"publist_id":"7257","publication_status":"published","day":"18","date_created":"2018-12-11T11:47:10Z","year":"2017","language":[{"iso":"eng"}],"related_material":{"record":[{"relation":"dissertation_contains","status":"public","id":"83"}]},"department":[{"_id":"KrPi"}],"volume":10625,"date_published":"2017-11-18T00:00:00Z","type":"conference","project":[{"grant_number":"682815","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020"}],"oa_version":"Submitted Version","date_updated":"2023-09-07T12:30:22Z","publisher":"Springer","doi":"10.1007/978-3-319-70697-9_13","quality_controlled":"1","oa":1,"month":"11","publication_identifier":{"isbn":["978-331970696-2"]},"scopus_import":1,"ec_funded":1,"status":"public","main_file_link":[{"url":"https://eprint.iacr.org/2017/893.pdf","open_access":"1"}],"citation":{"ama":"Abusalah HM, Alwen JF, Cohen B, Khilko D, Pietrzak KZ, Reyzin L. Beyond Hellman’s time-memory trade-offs with applications to proofs of space. In: Vol 10625. Springer; 2017:357-379. doi:<a href=\"https://doi.org/10.1007/978-3-319-70697-9_13\">10.1007/978-3-319-70697-9_13</a>","mla":"Abusalah, Hamza M., et al. <i>Beyond Hellman’s Time-Memory Trade-Offs with Applications to Proofs of Space</i>. Vol. 10625, Springer, 2017, pp. 357–79, doi:<a href=\"https://doi.org/10.1007/978-3-319-70697-9_13\">10.1007/978-3-319-70697-9_13</a>.","chicago":"Abusalah, Hamza M, Joel F Alwen, Bram Cohen, Danylo Khilko, Krzysztof Z Pietrzak, and Leonid Reyzin. “Beyond Hellman’s Time-Memory Trade-Offs with Applications to Proofs of Space,” 10625:357–79. Springer, 2017. <a href=\"https://doi.org/10.1007/978-3-319-70697-9_13\">https://doi.org/10.1007/978-3-319-70697-9_13</a>.","ista":"Abusalah HM, Alwen JF, Cohen B, Khilko D, Pietrzak KZ, Reyzin L. 2017. Beyond Hellman’s time-memory trade-offs with applications to proofs of space. ASIACRYPT: Theory and Applications of Cryptology and Information Security, LNCS, vol. 10625, 357–379.","apa":"Abusalah, H. M., Alwen, J. F., Cohen, B., Khilko, D., Pietrzak, K. Z., &#38; Reyzin, L. (2017). Beyond Hellman’s time-memory trade-offs with applications to proofs of space (Vol. 10625, pp. 357–379). Presented at the ASIACRYPT: Theory and Applications of Cryptology and Information Security, Hong Kong, China: Springer. <a href=\"https://doi.org/10.1007/978-3-319-70697-9_13\">https://doi.org/10.1007/978-3-319-70697-9_13</a>","ieee":"H. M. Abusalah, J. F. Alwen, B. Cohen, D. Khilko, K. Z. Pietrzak, and L. Reyzin, “Beyond Hellman’s time-memory trade-offs with applications to proofs of space,” presented at the ASIACRYPT: Theory and Applications of Cryptology and Information Security, Hong Kong, China, 2017, vol. 10625, pp. 357–379.","short":"H.M. Abusalah, J.F. Alwen, B. Cohen, D. Khilko, K.Z. Pietrzak, L. Reyzin, in:, Springer, 2017, pp. 357–379."},"intvolume":"     10625","_id":"559","title":"Beyond Hellman’s time-memory trade-offs with applications to proofs of space","abstract":[{"lang":"eng","text":"Proofs of space (PoS) were suggested as more ecological and economical alternative to proofs of work, which are currently used in blockchain designs like Bitcoin. The existing PoS are based on rather sophisticated graph pebbling lower bounds. Much simpler and in several aspects more efficient schemes based on inverting random functions have been suggested, but they don’t give meaningful security guarantees due to existing time-memory trade-offs. In particular, Hellman showed that any permutation over a domain of size N can be inverted in time T by an algorithm that is given S bits of auxiliary information whenever (Formula presented). For functions Hellman gives a weaker attack with S2· T≈ N2 (e.g., S= T≈ N2/3). To prove lower bounds, one considers an adversary who has access to an oracle f: [ N] → [N] and can make T oracle queries. The best known lower bound is S· T∈ Ω(N) and holds for random functions and permutations. We construct functions that provably require more time and/or space to invert. Specifically, for any constant k we construct a function [N] → [N] that cannot be inverted unless Sk· T∈ Ω(Nk) (in particular, S= T≈ (Formula presented). Our construction does not contradict Hellman’s time-memory trade-off, because it cannot be efficiently evaluated in forward direction. However, its entire function table can be computed in time quasilinear in N, which is sufficient for the PoS application. Our simplest construction is built from a random function oracle g: [N] × [N] → [ N] and a random permutation oracle f: [N] → N] and is defined as h(x) = g(x, x′) where f(x) = π(f(x′)) with π being any involution without a fixed point, e.g. flipping all the bits. For this function we prove that any adversary who gets S bits of auxiliary information, makes at most T oracle queries, and inverts h on an ϵ fraction of outputs must satisfy S2· T∈ Ω(ϵ2N2)."}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87"},{"publication_identifier":{"isbn":["978-331970499-9"]},"scopus_import":1,"ec_funded":1,"status":"public","main_file_link":[{"url":"https://eprint.iacr.org/2016/536","open_access":"1"}],"editor":[{"first_name":"Yael","full_name":"Kalai, Yael","last_name":"Kalai"},{"full_name":"Reyzin, Leonid","first_name":"Leonid","last_name":"Reyzin"}],"citation":{"chicago":"Brody, Joshua, Stefan Dziembowski, Sebastian Faust, and Krzysztof Z Pietrzak. “Position Based Cryptography and Multiparty Communication Complexity.” edited by Yael Kalai and Leonid Reyzin, 10677:56–81. Springer, 2017. <a href=\"https://doi.org/10.1007/978-3-319-70500-2_3\">https://doi.org/10.1007/978-3-319-70500-2_3</a>.","ama":"Brody J, Dziembowski S, Faust S, Pietrzak KZ. Position based cryptography and multiparty communication complexity. In: Kalai Y, Reyzin L, eds. Vol 10677. Springer; 2017:56-81. doi:<a href=\"https://doi.org/10.1007/978-3-319-70500-2_3\">10.1007/978-3-319-70500-2_3</a>","mla":"Brody, Joshua, et al. <i>Position Based Cryptography and Multiparty Communication Complexity</i>. Edited by Yael Kalai and Leonid Reyzin, vol. 10677, Springer, 2017, pp. 56–81, doi:<a href=\"https://doi.org/10.1007/978-3-319-70500-2_3\">10.1007/978-3-319-70500-2_3</a>.","short":"J. Brody, S. Dziembowski, S. Faust, K.Z. Pietrzak, in:, Y. Kalai, L. Reyzin (Eds.), Springer, 2017, pp. 56–81.","ieee":"J. Brody, S. Dziembowski, S. Faust, and K. Z. Pietrzak, “Position based cryptography and multiparty communication complexity,” presented at the TCC: Theory of Cryptography Conference, Baltimore, MD, United States, 2017, vol. 10677, pp. 56–81.","ista":"Brody J, Dziembowski S, Faust S, Pietrzak KZ. 2017. Position based cryptography and multiparty communication complexity. TCC: Theory of Cryptography Conference, LNCS, vol. 10677, 56–81.","apa":"Brody, J., Dziembowski, S., Faust, S., &#38; Pietrzak, K. Z. (2017). Position based cryptography and multiparty communication complexity. In Y. Kalai &#38; L. Reyzin (Eds.) (Vol. 10677, pp. 56–81). Presented at the TCC: Theory of Cryptography Conference, Baltimore, MD, United States: Springer. <a href=\"https://doi.org/10.1007/978-3-319-70500-2_3\">https://doi.org/10.1007/978-3-319-70500-2_3</a>"},"intvolume":"     10677","_id":"605","title":"Position based cryptography and multiparty communication complexity","abstract":[{"text":"Position based cryptography (PBC), proposed in the seminal work of Chandran, Goyal, Moriarty, and Ostrovsky (SIAM J. Computing, 2014), aims at constructing cryptographic schemes in which the identity of the user is his geographic position. Chandran et al. construct PBC schemes for secure positioning and position-based key agreement in the bounded-storage model (Maurer, J. Cryptology, 1992). Apart from bounded memory, their security proofs need a strong additional restriction on the power of the adversary: he cannot compute joint functions of his inputs. Removing this assumption is left as an open problem. We show that an answer to this question would resolve a long standing open problem in multiparty communication complexity: finding a function that is hard to compute with low communication complexity in the simultaneous message model, but easy to compute in the fully adaptive model. On a more positive side: we also show some implications in the other direction, i.e.: we prove that lower bounds on the communication complexity of certain multiparty problems imply existence of PBC primitives. Using this result we then show two attractive ways to “bypass” our hardness result: the first uses the random oracle model, the second weakens the locality requirement in the bounded-storage model to online computability. The random oracle construction is arguably one of the simplest proposed so far in this area. Our results indicate that constructing improved provably secure protocols for PBC requires a better understanding of multiparty communication complexity. This is yet another example where negative results in one area (in our case: lower bounds in multiparty communication complexity) can be used to construct secure cryptographic schemes.","lang":"eng"}],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","alternative_title":["LNCS"],"page":"56 - 81","conference":{"location":"Baltimore, MD, United States","end_date":"2017-11-15","start_date":"2017-11-12","name":"TCC: Theory of Cryptography Conference"},"author":[{"first_name":"Joshua","full_name":"Brody, Joshua","last_name":"Brody"},{"last_name":"Dziembowski","first_name":"Stefan","full_name":"Dziembowski, Stefan"},{"full_name":"Faust, Sebastian","first_name":"Sebastian","last_name":"Faust"},{"full_name":"Pietrzak, Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak"}],"publist_id":"7200","publication_status":"published","day":"05","date_created":"2018-12-11T11:47:27Z","year":"2017","language":[{"iso":"eng"}],"department":[{"_id":"KrPi"}],"volume":10677,"date_published":"2017-11-05T00:00:00Z","project":[{"call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815"}],"type":"conference","oa_version":"Submitted Version","date_updated":"2021-01-12T08:05:53Z","doi":"10.1007/978-3-319-70500-2_3","publisher":"Springer","quality_controlled":"1","oa":1,"month":"11"},{"status":"public","intvolume":"     10677","citation":{"apa":"Alwen, J. F., &#38; Tackmann, B. (2017). Moderately hard functions: Definition, instantiations, and applications. In Y. Kalai &#38; L. Reyzin (Eds.) (Vol. 10677, pp. 493–526). Presented at the TCC: Theory of Cryptography, Baltimore, MD, United States: Springer. <a href=\"https://doi.org/10.1007/978-3-319-70500-2_17\">https://doi.org/10.1007/978-3-319-70500-2_17</a>","ista":"Alwen JF, Tackmann B. 2017. Moderately hard functions: Definition, instantiations, and applications. TCC: Theory of Cryptography, LNCS, vol. 10677, 493–526.","ieee":"J. F. Alwen and B. Tackmann, “Moderately hard functions: Definition, instantiations, and applications,” presented at the TCC: Theory of Cryptography, Baltimore, MD, United States, 2017, vol. 10677, pp. 493–526.","short":"J.F. Alwen, B. Tackmann, in:, Y. Kalai, L. Reyzin (Eds.), Springer, 2017, pp. 493–526.","mla":"Alwen, Joel F., and Björn Tackmann. <i>Moderately Hard Functions: Definition, Instantiations, and Applications</i>. Edited by Yael Kalai and Leonid Reyzin, vol. 10677, Springer, 2017, pp. 493–526, doi:<a href=\"https://doi.org/10.1007/978-3-319-70500-2_17\">10.1007/978-3-319-70500-2_17</a>.","ama":"Alwen JF, Tackmann B. Moderately hard functions: Definition, instantiations, and applications. In: Kalai Y, Reyzin L, eds. Vol 10677. Springer; 2017:493-526. doi:<a href=\"https://doi.org/10.1007/978-3-319-70500-2_17\">10.1007/978-3-319-70500-2_17</a>","chicago":"Alwen, Joel F, and Björn Tackmann. “Moderately Hard Functions: Definition, Instantiations, and Applications.” edited by Yael Kalai and Leonid Reyzin, 10677:493–526. Springer, 2017. <a href=\"https://doi.org/10.1007/978-3-319-70500-2_17\">https://doi.org/10.1007/978-3-319-70500-2_17</a>."},"main_file_link":[{"url":"https://eprint.iacr.org/2017/945","open_access":"1"}],"editor":[{"first_name":"Yael","full_name":"Kalai, Yael","last_name":"Kalai"},{"last_name":"Reyzin","full_name":"Reyzin, Leonid","first_name":"Leonid"}],"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","abstract":[{"text":"Several cryptographic schemes and applications are based on functions that are both reasonably efficient to compute and moderately hard to invert, including client puzzles for Denial-of-Service protection, password protection via salted hashes, or recent proof-of-work blockchain systems. Despite their wide use, a definition of this concept has not yet been distilled and formalized explicitly. Instead, either the applications are proven directly based on the assumptions underlying the function, or some property of the function is proven, but the security of the application is argued only informally. The goal of this work is to provide a (universal) definition that decouples the efforts of designing new moderately hard functions and of building protocols based on them, serving as an interface between the two. On a technical level, beyond the mentioned definitions, we instantiate the model for four different notions of hardness. We extend the work of Alwen and Serbinenko (STOC 2015) by providing a general tool for proving security for the first notion of memory-hard functions that allows for provably secure applications. The tool allows us to recover all of the graph-theoretic techniques developed for proving security under the older, non-composable, notion of security used by Alwen and Serbinenko. As an application of our definition of moderately hard functions, we prove the security of two different schemes for proofs of effort (PoE). We also formalize and instantiate the concept of a non-interactive proof of effort (niPoE), in which the proof is not bound to a particular communication context but rather any bit-string chosen by the prover.","lang":"eng"}],"title":"Moderately hard functions: Definition, instantiations, and applications","_id":"609","publication_identifier":{"isbn":["978-331970499-9"]},"scopus_import":1,"date_published":"2017-11-05T00:00:00Z","type":"conference","volume":10677,"oa_version":"Submitted Version","date_updated":"2021-01-12T08:06:04Z","publisher":"Springer","doi":"10.1007/978-3-319-70500-2_17","month":"11","oa":1,"quality_controlled":"1","author":[{"last_name":"Alwen","full_name":"Alwen, Joel F","first_name":"Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Tackmann, Björn","first_name":"Björn","last_name":"Tackmann"}],"conference":{"name":"TCC: Theory of Cryptography","start_date":"2017-11-12","end_date":"2017-11-15","location":"Baltimore, MD, United States"},"page":"493 - 526","alternative_title":["LNCS"],"date_created":"2018-12-11T11:47:28Z","day":"05","publist_id":"7196","publication_status":"published","language":[{"iso":"eng"}],"year":"2017","department":[{"_id":"KrPi"}]},{"oa_version":"Published Version","project":[{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815","call_identifier":"H2020","name":"Teaching Old Crypto New Tricks"}],"date_published":"2017-02-03T00:00:00Z","type":"journal_article","volume":2016,"quality_controlled":"1","file":[{"file_name":"2017_IACR_Gazi.pdf","access_level":"open_access","checksum":"f23161d685dd957ae8d7274132999684","date_updated":"2020-07-14T12:47:24Z","file_size":597335,"content_type":"application/pdf","file_id":"6197","date_created":"2019-04-04T13:53:58Z","relation":"main_file","creator":"dernst"}],"oa":1,"month":"02","date_updated":"2023-09-07T12:02:27Z","publisher":"Ruhr University Bochum","doi":"10.13154/TOSC.V2016.I2.145-161","publication":"IACR Transactions on Symmetric Cryptology","day":"03","publication_status":"published","date_created":"2019-04-04T13:48:23Z","page":"145-161","author":[{"id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","first_name":"Peter","full_name":"Gazi, Peter","last_name":"Gazi"},{"last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z"},{"last_name":"Rybar","first_name":"Michal","id":"2B3E3DE8-F248-11E8-B48F-1D18A9856A87","full_name":"Rybar, Michal"}],"department":[{"_id":"KrPi"}],"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","image":"/images/cc_by.png","short":"CC BY (4.0)","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)"},"related_material":{"record":[{"status":"public","relation":"dissertation_contains","id":"838"}]},"year":"2017","language":[{"iso":"eng"}],"ddc":["000"],"intvolume":"      2016","citation":{"short":"P. Gazi, K.Z. Pietrzak, M. Rybar, IACR Transactions on Symmetric Cryptology 2016 (2017) 145–161.","ieee":"P. Gazi, K. Z. Pietrzak, and M. Rybar, “The exact security of PMAC,” <i>IACR Transactions on Symmetric Cryptology</i>, vol. 2016, no. 2. Ruhr University Bochum, pp. 145–161, 2017.","ista":"Gazi P, Pietrzak KZ, Rybar M. 2017. The exact security of PMAC. IACR Transactions on Symmetric Cryptology. 2016(2), 145–161.","apa":"Gazi, P., Pietrzak, K. Z., &#38; Rybar, M. (2017). The exact security of PMAC. <i>IACR Transactions on Symmetric Cryptology</i>. Ruhr University Bochum. <a href=\"https://doi.org/10.13154/TOSC.V2016.I2.145-161\">https://doi.org/10.13154/TOSC.V2016.I2.145-161</a>","chicago":"Gazi, Peter, Krzysztof Z Pietrzak, and Michal Rybar. “The Exact Security of PMAC.” <i>IACR Transactions on Symmetric Cryptology</i>. Ruhr University Bochum, 2017. <a href=\"https://doi.org/10.13154/TOSC.V2016.I2.145-161\">https://doi.org/10.13154/TOSC.V2016.I2.145-161</a>.","ama":"Gazi P, Pietrzak KZ, Rybar M. The exact security of PMAC. <i>IACR Transactions on Symmetric Cryptology</i>. 2017;2016(2):145-161. doi:<a href=\"https://doi.org/10.13154/TOSC.V2016.I2.145-161\">10.13154/TOSC.V2016.I2.145-161</a>","mla":"Gazi, Peter, et al. “The Exact Security of PMAC.” <i>IACR Transactions on Symmetric Cryptology</i>, vol. 2016, no. 2, Ruhr University Bochum, 2017, pp. 145–61, doi:<a href=\"https://doi.org/10.13154/TOSC.V2016.I2.145-161\">10.13154/TOSC.V2016.I2.145-161</a>."},"has_accepted_license":"1","status":"public","ec_funded":1,"title":"The exact security of PMAC","_id":"6196","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","abstract":[{"lang":"eng","text":"PMAC is a simple and parallel block-cipher mode of operation, which was introduced by Black and Rogaway at Eurocrypt 2002. If instantiated with a (pseudo)random permutation over n-bit strings, PMAC constitutes a provably secure variable input-length (pseudo)random function. For adversaries making q queries, each of length at most l (in n-bit blocks), and of total length σ ≤ ql, the original paper proves an upper bound on the distinguishing advantage of  Ο(σ2/2n), while the currently best bound is  Ο (qσ/2n).In this work we show that this bound is tight by giving an attack with advantage Ω (q2l/2n). In the PMAC construction one initially XORs a mask to every message block, where the mask for the ith block is computed as τi := γi·L, where L is a (secret) random value, and γi is the i-th codeword of the Gray code. Our attack applies more generally to any sequence of γi’s which contains a large coset of a subgroup of GF(2n). We then investigate if the security of PMAC can be further improved by using τi’s that are k-wise independent, for k > 1 (the original distribution is only 1-wise independent). We observe that the security of PMAC will not increase in general, even if the masks are chosen from a 2-wise independent distribution, and then prove that the security increases to O(q<2/2n), if the τi are 4-wise independent. Due to simple extension attacks, this is the best bound one can hope for, using any distribution on the masks. Whether 3-wise independence is already sufficient to get this level of security is left as an open problem."}],"publication_identifier":{"eissn":["2519-173X"]},"issue":"2","file_date_updated":"2020-07-14T12:47:24Z"}]
