[{"page":"317-346","status":"public","intvolume":"     11443","type":"conference","day":"06","date_created":"2019-05-13T08:13:46Z","conference":{"location":"Beijing, China","name":"PKC: Public-Key Cryptography","end_date":"2019-04-17","start_date":"2019-04-14"},"department":[{"_id":"KrPi"}],"language":[{"iso":"eng"}],"scopus_import":"1","publisher":"Springer Nature","date_published":"2019-04-06T00:00:00Z","month":"04","quality_controlled":"1","oa_version":"Preprint","project":[{"grant_number":"682815","call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","name":"Teaching Old Crypto New Tricks"}],"user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","publication_identifier":{"issn":["03029743"],"isbn":["9783030172589"],"eissn":["16113349"]},"_id":"6430","article_processing_charge":"No","oa":1,"date_updated":"2023-09-08T11:33:20Z","volume":11443,"author":[{"first_name":"Georg","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Kamath Hosdurg, Chethan","last_name":"Kamath Hosdurg","first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Karen","full_name":"Klein, Karen","last_name":"Klein","id":"3E83A2F8-F248-11E8-B48F-1D18A9856A87"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak"}],"abstract":[{"lang":"eng","text":"A proxy re-encryption (PRE) scheme is a public-key encryption scheme that allows the holder of a key pk to derive a re-encryption key for any other key pk′. This re-encryption key lets anyone transform ciphertexts under pk into ciphertexts under pk′ without having to know the underlying message, while transformations from pk′ to pk should not be possible (unidirectional). 
Security is defined in a multi-user setting against an adversary that gets the users’ public keys and can ask for re-encryption keys and can corrupt users by requesting their secret keys. Any ciphertext that the adversary cannot trivially decrypt given the obtained secret and re-encryption keys should be secure.\r\n\r\nAll existing security proofs for PRE only show selective security, where the adversary must first declare the users it wants to corrupt. This can be lifted to more meaningful adaptive security by guessing the set of corrupted users among the n users, which loses a factor exponential in n, rendering the result meaningless already for moderate n.\r\n\r\nJafargholi et al. (CRYPTO’17) proposed a framework that in some cases allows one to give adaptive security proofs for schemes which were previously only known to be selectively secure, while avoiding the exponential loss that results from guessing the adaptive choices made by an adversary. We apply their framework to PREs that satisfy some natural additional properties. Concretely, we give a more fine-grained reduction for several unidirectional PREs, proving adaptive security at a much smaller loss. The loss depends on the graph of users whose edges represent the re-encryption keys queried by the adversary. For trees and chains the loss is quasi-polynomial in the size and for general graphs it is exponential in their depth and indegree (instead of their size as for previous reductions). Fortunately, trees and low-depth graphs cover many, if not most, interesting applications.\r\n\r\nOur results apply e.g. to the bilinear-map based PRE schemes by Ateniese et al. (NDSS’05 and CT-RSA’09), Gentry’s FHE-based scheme (STOC’09) and the LWE-based scheme by Chandran et al. (PKC’14)."}],"citation":{"mla":"Fuchsbauer, Georg, et al. <i>Adaptively Secure Proxy Re-Encryption</i>. Vol. 11443, Springer Nature, 2019, pp. 
317–46, doi:<a href=\"https://doi.org/10.1007/978-3-030-17259-6_11\">10.1007/978-3-030-17259-6_11</a>.","ama":"Fuchsbauer G, Kamath Hosdurg C, Klein K, Pietrzak KZ. Adaptively secure proxy re-encryption. In: Vol 11443. Springer Nature; 2019:317-346. doi:<a href=\"https://doi.org/10.1007/978-3-030-17259-6_11\">10.1007/978-3-030-17259-6_11</a>","short":"G. Fuchsbauer, C. Kamath Hosdurg, K. Klein, K.Z. Pietrzak, in:, Springer Nature, 2019, pp. 317–346.","ista":"Fuchsbauer G, Kamath Hosdurg C, Klein K, Pietrzak KZ. 2019. Adaptively secure proxy re-encryption. PKC: Public-Key Cryptography, LNCS, vol. 11443, 317–346.","apa":"Fuchsbauer, G., Kamath Hosdurg, C., Klein, K., &#38; Pietrzak, K. Z. (2019). Adaptively secure proxy re-encryption (Vol. 11443, pp. 317–346). Presented at the PKC: Public-Key Cryptography, Beijing, China: Springer Nature. <a href=\"https://doi.org/10.1007/978-3-030-17259-6_11\">https://doi.org/10.1007/978-3-030-17259-6_11</a>","ieee":"G. Fuchsbauer, C. Kamath Hosdurg, K. Klein, and K. Z. Pietrzak, “Adaptively secure proxy re-encryption,” presented at the PKC: Public-Key Cryptography, Beijing, China, 2019, vol. 11443, pp. 317–346.","chicago":"Fuchsbauer, Georg, Chethan Kamath Hosdurg, Karen Klein, and Krzysztof Z Pietrzak. “Adaptively Secure Proxy Re-Encryption,” 11443:317–46. Springer Nature, 2019. 
<a href=\"https://doi.org/10.1007/978-3-030-17259-6_11\">https://doi.org/10.1007/978-3-030-17259-6_11</a>."},"publication_status":"published","related_material":{"record":[{"status":"public","id":"10035","relation":"dissertation_contains"}]},"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2018/426"}],"alternative_title":["LNCS"],"title":"Adaptively secure proxy re-encryption","ec_funded":1,"year":"2019","doi":"10.1007/978-3-030-17259-6_11"},{"page":"480-499","publication":"22nd International Conference on Financial Cryptography and Data Security","type":"conference","day":"07","status":"public","intvolume":"     10957","department":[{"_id":"KrPi"}],"date_created":"2019-10-14T06:35:38Z","conference":{"name":"FC: Financial Cryptography and Data Security","location":"Nieuwpoort, Curacao","end_date":"2018-03-02","start_date":"2018-02-26"},"date_published":"2018-12-07T00:00:00Z","month":"12","language":[{"iso":"eng"}],"publisher":"Springer Nature","scopus_import":"1","oa":1,"date_updated":"2023-09-19T15:02:13Z","volume":10957,"article_processing_charge":"No","user_id":"c635000d-4b10-11ee-a964-aac5a93f6ac1","oa_version":"Submitted Version","quality_controlled":"1","project":[{"call_identifier":"H2020","name":"Teaching Old Crypto New Tricks","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","grant_number":"682815"}],"_id":"6941","publication_identifier":{"issn":["0302-9743"],"isbn":["9783662583869","9783662583876"],"eissn":["1611-3349"]},"publication_status":"published","citation":{"short":"S. Park, A. Kwon, G. Fuchsbauer, P. Gazi, J.F. Alwen, K.Z. Pietrzak, in:, 22nd International Conference on Financial Cryptography and Data Security, Springer Nature, 2018, pp. 480–499.","ista":"Park S, Kwon A, Fuchsbauer G, Gazi P, Alwen JF, Pietrzak KZ. 2018. SpaceMint: A cryptocurrency based on proofs of space. 22nd International Conference on Financial Cryptography and Data Security. FC: Financial Cryptography and Data Security, LNCS, vol. 
10957, 480–499.","ama":"Park S, Kwon A, Fuchsbauer G, Gazi P, Alwen JF, Pietrzak KZ. SpaceMint: A cryptocurrency based on proofs of space. In: <i>22nd International Conference on Financial Cryptography and Data Security</i>. Vol 10957. Springer Nature; 2018:480-499. doi:<a href=\"https://doi.org/10.1007/978-3-662-58387-6_26\">10.1007/978-3-662-58387-6_26</a>","mla":"Park, Sunoo, et al. “SpaceMint: A Cryptocurrency Based on Proofs of Space.” <i>22nd International Conference on Financial Cryptography and Data Security</i>, vol. 10957, Springer Nature, 2018, pp. 480–99, doi:<a href=\"https://doi.org/10.1007/978-3-662-58387-6_26\">10.1007/978-3-662-58387-6_26</a>.","chicago":"Park, Sunoo, Albert Kwon, Georg Fuchsbauer, Peter Gazi, Joel F Alwen, and Krzysztof Z Pietrzak. “SpaceMint: A Cryptocurrency Based on Proofs of Space.” In <i>22nd International Conference on Financial Cryptography and Data Security</i>, 10957:480–99. Springer Nature, 2018. <a href=\"https://doi.org/10.1007/978-3-662-58387-6_26\">https://doi.org/10.1007/978-3-662-58387-6_26</a>.","ieee":"S. Park, A. Kwon, G. Fuchsbauer, P. Gazi, J. F. Alwen, and K. Z. Pietrzak, “SpaceMint: A cryptocurrency based on proofs of space,” in <i>22nd International Conference on Financial Cryptography and Data Security</i>, Nieuwpoort, Curacao, 2018, vol. 10957, pp. 480–499.","apa":"Park, S., Kwon, A., Fuchsbauer, G., Gazi, P., Alwen, J. F., &#38; Pietrzak, K. Z. (2018). SpaceMint: A cryptocurrency based on proofs of space. In <i>22nd International Conference on Financial Cryptography and Data Security</i> (Vol. 10957, pp. 480–499). Nieuwpoort, Curacao: Springer Nature. 
<a href=\"https://doi.org/10.1007/978-3-662-58387-6_26\">https://doi.org/10.1007/978-3-662-58387-6_26</a>"},"author":[{"last_name":"Park","full_name":"Park, Sunoo","first_name":"Sunoo"},{"full_name":"Kwon, Albert","last_name":"Kwon","first_name":"Albert"},{"first_name":"Georg","full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Peter","last_name":"Gazi","full_name":"Gazi, Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Joel F","last_name":"Alwen","full_name":"Alwen, Joel F","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z"}],"abstract":[{"text":"Bitcoin has become the most successful cryptocurrency ever deployed, and its most distinctive feature is that it is decentralized. Its underlying protocol (Nakamoto consensus) achieves this by using proof of work, which has the drawback that it causes the consumption of vast amounts of energy to maintain the ledger. Moreover, Bitcoin mining dynamics have become less distributed over time.\r\n\r\nTowards addressing these issues, we propose SpaceMint, a cryptocurrency based on proofs of space instead of proofs of work. Miners in SpaceMint dedicate disk space rather than computation. We argue that SpaceMint’s design solves or alleviates several of Bitcoin’s issues: most notably, its large energy consumption. SpaceMint also rewards smaller miners fairly according to their contribution to the network, thus incentivizing more distributed participation.\r\n\r\nThis paper adapts proof of space to enable its use in cryptocurrency, studies the attacks that can arise against a Bitcoin-like blockchain that uses proof of space, and proposes a new blockchain format and transaction types to address these attacks. 
Our prototype shows that initializing 1 TB for mining takes about a day (a one-off setup cost), and miners spend on average just a fraction of a second per block mined. Finally, we provide a game-theoretic analysis modeling SpaceMint as an extensive game (the canonical game-theoretic notion for games that take place over time) and show that this stylized game satisfies a strong equilibrium notion, thereby arguing for SpaceMint ’s stability and consensus.","lang":"eng"}],"isi":1,"main_file_link":[{"url":"https://eprint.iacr.org/2015/528","open_access":"1"}],"alternative_title":["LNCS"],"ec_funded":1,"year":"2018","doi":"10.1007/978-3-662-58387-6_26","external_id":{"isi":["000540656400026"]},"title":"SpaceMint: A cryptocurrency based on proofs of space"},{"day":"01","citation":{"short":"M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo, Journal of Cryptology 29 (2016) 363–421.","ista":"Abe M, Fuchsbauer G, Groth J, Haralambiev K, Ohkubo M. 2016. Structure preserving signatures and commitments to group elements. Journal of Cryptology. 29(2), 363–421.","mla":"Abe, Masayuki, et al. “Structure Preserving Signatures and Commitments to Group Elements.” <i>Journal of Cryptology</i>, vol. 29, no. 2, Springer, 2016, pp. 363–421, doi:<a href=\"https://doi.org/10.1007/s00145-014-9196-7\">10.1007/s00145-014-9196-7</a>.","ama":"Abe M, Fuchsbauer G, Groth J, Haralambiev K, Ohkubo M. Structure preserving signatures and commitments to group elements. <i>Journal of Cryptology</i>. 2016;29(2):363-421. doi:<a href=\"https://doi.org/10.1007/s00145-014-9196-7\">10.1007/s00145-014-9196-7</a>","chicago":"Abe, Masayuki, Georg Fuchsbauer, Jens Groth, Kristiyan Haralambiev, and Miyako Ohkubo. “Structure Preserving Signatures and Commitments to Group Elements.” <i>Journal of Cryptology</i>. Springer, 2016. <a href=\"https://doi.org/10.1007/s00145-014-9196-7\">https://doi.org/10.1007/s00145-014-9196-7</a>.","apa":"Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., &#38; Ohkubo, M. 
(2016). Structure preserving signatures and commitments to group elements. <i>Journal of Cryptology</i>. Springer. <a href=\"https://doi.org/10.1007/s00145-014-9196-7\">https://doi.org/10.1007/s00145-014-9196-7</a>","ieee":"M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, and M. Ohkubo, “Structure preserving signatures and commitments to group elements,” <i>Journal of Cryptology</i>, vol. 29, no. 2. Springer, pp. 363–421, 2016."},"publication_status":"published","type":"journal_article","intvolume":"        29","abstract":[{"text":"A modular approach to constructing cryptographic protocols leads to simple designs but often inefficient instantiations. On the other hand, ad hoc constructions may yield efficient protocols at the cost of losing conceptual simplicity. We suggest a new design paradigm, structure-preserving cryptography, that provides a way to construct modular protocols with reasonable efficiency while retaining conceptual simplicity. A cryptographic scheme over a bilinear group is called structure-preserving if its public inputs and outputs consist of elements from the bilinear groups and their consistency can be verified by evaluating pairing-product equations. As structure-preserving schemes smoothly interoperate with each other, they are useful as building blocks in modular design of cryptographic applications. This paper introduces structure-preserving commitment and signature schemes over bilinear groups with several desirable properties. The commitment schemes include homomorphic, trapdoor and length-reducing commitments to group elements, and the structure-preserving signature schemes are the first ones that yield constant-size signatures on multiple group elements. A structure-preserving signature scheme is called automorphic if the public keys lie in the message space, which cannot be achieved by compressing inputs via a cryptographic hash function, as this would destroy the mathematical structure we are trying to preserve. 
Automorphic signatures can be used for building certification chains underlying privacy-preserving protocols. Among a vast number of applications of structure-preserving protocols, we present an efficient round-optimal blind-signature scheme and a group signature scheme with an efficient and concurrently secure protocol for enrolling new members.","lang":"eng"}],"status":"public","author":[{"full_name":"Abe, Masayuki","last_name":"Abe","first_name":"Masayuki"},{"first_name":"Georg","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Jens","last_name":"Groth","full_name":"Groth, Jens"},{"last_name":"Haralambiev","full_name":"Haralambiev, Kristiyan","first_name":"Kristiyan"},{"first_name":"Miyako","last_name":"Ohkubo","full_name":"Ohkubo, Miyako"}],"publication":"Journal of Cryptology","issue":"2","page":"363 - 421","publist_id":"5579","date_updated":"2021-01-12T06:51:49Z","volume":29,"_id":"1592","quality_controlled":"1","oa_version":"None","acknowledgement":"The authors would like to thank the anonymous reviewers of this paper. We also would like to express our appreciation to the program committee and the anonymous reviewers for CRYPTO 2010. The first author thanks Sherman S. M. Chow for his comment on group signatures in Sect. 7.1.","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","year":"2016","doi":"10.1007/s00145-014-9196-7","month":"04","date_published":"2016-04-01T00:00:00Z","title":"Structure preserving signatures and commitments to group elements","scopus_import":1,"publisher":"Springer","language":[{"iso":"eng"}],"department":[{"_id":"KrPi"}],"date_created":"2018-12-11T11:52:54Z"},{"publication_status":"published","citation":{"chicago":"Fuchsbauer, Georg, Christian Hanser, Chethan Kamath Hosdurg, and Daniel Slamanig. “Practical Round-Optimal Blind Signatures in the Standard Model from Weaker Assumptions,” 9841:391–408. Springer, 2016. 
<a href=\"https://doi.org/10.1007/978-3-319-44618-9_21\">https://doi.org/10.1007/978-3-319-44618-9_21</a>.","apa":"Fuchsbauer, G., Hanser, C., Kamath Hosdurg, C., &#38; Slamanig, D. (2016). Practical round-optimal blind signatures in the standard model from weaker assumptions (Vol. 9841, pp. 391–408). Presented at the SCN: Security and Cryptography for Networks, Amalfi, Italy: Springer. <a href=\"https://doi.org/10.1007/978-3-319-44618-9_21\">https://doi.org/10.1007/978-3-319-44618-9_21</a>","ieee":"G. Fuchsbauer, C. Hanser, C. Kamath Hosdurg, and D. Slamanig, “Practical round-optimal blind signatures in the standard model from weaker assumptions,” presented at the SCN: Security and Cryptography for Networks, Amalfi, Italy, 2016, vol. 9841, pp. 391–408.","short":"G. Fuchsbauer, C. Hanser, C. Kamath Hosdurg, D. Slamanig, in:, Springer, 2016, pp. 391–408.","ista":"Fuchsbauer G, Hanser C, Kamath Hosdurg C, Slamanig D. 2016. Practical round-optimal blind signatures in the standard model from weaker assumptions. SCN: Security and Cryptography for Networks, LNCS, vol. 9841, 391–408.","ama":"Fuchsbauer G, Hanser C, Kamath Hosdurg C, Slamanig D. Practical round-optimal blind signatures in the standard model from weaker assumptions. In: Vol 9841. Springer; 2016:391-408. doi:<a href=\"https://doi.org/10.1007/978-3-319-44618-9_21\">10.1007/978-3-319-44618-9_21</a>","mla":"Fuchsbauer, Georg, et al. <i>Practical Round-Optimal Blind Signatures in the Standard Model from Weaker Assumptions</i>. Vol. 9841, Springer, 2016, pp. 
391–408, doi:<a href=\"https://doi.org/10.1007/978-3-319-44618-9_21\">10.1007/978-3-319-44618-9_21</a>."},"author":[{"last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Christian","full_name":"Hanser, Christian","last_name":"Hanser"},{"first_name":"Chethan","full_name":"Kamath Hosdurg, Chethan","last_name":"Kamath Hosdurg","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Slamanig, Daniel","last_name":"Slamanig","first_name":"Daniel"}],"abstract":[{"text":"At Crypto 2015 Fuchsbauer, Hanser and Slamanig (FHS) presented the first standard-model construction of efficient round-optimal blind signatures that does not require complexity leveraging. It is conceptually simple and builds on the primitive of structure-preserving signatures on equivalence classes (SPS-EQ). FHS prove the unforgeability of their scheme assuming EUF-CMA security of the SPS-EQ scheme and hardness of a version of the DH inversion problem. Blindness under adversarially chosen keys is proven under an interactive variant of the DDH assumption. We propose a variant of their scheme whose blindness can be proven under a non-interactive assumption, namely a variant of the bilinear DDH assumption. 
We moreover prove its unforgeability assuming only unforgeability of the underlying SPS-EQ but no additional assumptions as needed for the FHS scheme.","lang":"eng"}],"oa":1,"date_updated":"2023-02-23T10:08:16Z","publist_id":"6109","volume":9841,"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","quality_controlled":"1","oa_version":"Submitted Version","project":[{"grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","call_identifier":"FP7"},{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","grant_number":"682815"}],"_id":"1225","ec_funded":1,"doi":"10.1007/978-3-319-44618-9_21","year":"2016","title":"Practical round-optimal blind signatures in the standard model from weaker assumptions","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2016/662"}],"alternative_title":["LNCS"],"related_material":{"record":[{"relation":"earlier_version","id":"1647","status":"public"}]},"type":"conference","day":"11","status":"public","intvolume":"      9841","page":"391 - 408","date_published":"2016-08-11T00:00:00Z","month":"08","language":[{"iso":"eng"}],"publisher":"Springer","scopus_import":1,"department":[{"_id":"KrPi"}],"date_created":"2018-12-11T11:50:49Z","conference":{"end_date":"2016-09-02","location":"Amalfi, Italy","name":"SCN: Security and Cryptography for Networks","start_date":"2016-08-31"}},{"month":"06","date_published":"2016-06-09T00:00:00Z","scopus_import":1,"publisher":"Springer","language":[{"iso":"eng"}],"has_accepted_license":"1","department":[{"_id":"KrPi"}],"conference":{"name":"ACNS: Applied Cryptography and Network Security","end_date":"2016-06-22","location":"Guildford, 
UK","start_date":"2016-06-19"},"date_created":"2018-12-11T11:50:50Z","file":[{"creator":"system","file_id":"5273","content_type":"application/pdf","relation":"main_file","date_updated":"2020-07-14T12:44:39Z","access_level":"open_access","date_created":"2018-12-12T10:17:20Z","checksum":"34fa9ce681da845a1ba945ba3dc57867","file_name":"IST-2017-765-v1+1_838.pdf","file_size":515000}],"day":"09","type":"conference","intvolume":"      9696","status":"public","page":"285 - 303","file_date_updated":"2020-07-14T12:44:39Z","doi":"10.1007/978-3-319-39555-5_16","year":"2016","ec_funded":1,"title":"Offline witness encryption","pubrep_id":"765","alternative_title":["LNCS"],"related_material":{"record":[{"status":"public","relation":"dissertation_contains","id":"83"}]},"ddc":["005","600"],"citation":{"ieee":"H. M. Abusalah, G. Fuchsbauer, and K. Z. Pietrzak, “Offline witness encryption,” presented at the ACNS: Applied Cryptography and Network Security, Guildford, UK, 2016, vol. 9696, pp. 285–303.","apa":"Abusalah, H. M., Fuchsbauer, G., &#38; Pietrzak, K. Z. (2016). Offline witness encryption (Vol. 9696, pp. 285–303). Presented at the ACNS: Applied Cryptography and Network Security, Guildford, UK: Springer. <a href=\"https://doi.org/10.1007/978-3-319-39555-5_16\">https://doi.org/10.1007/978-3-319-39555-5_16</a>","chicago":"Abusalah, Hamza M, Georg Fuchsbauer, and Krzysztof Z Pietrzak. “Offline Witness Encryption,” 9696:285–303. Springer, 2016. <a href=\"https://doi.org/10.1007/978-3-319-39555-5_16\">https://doi.org/10.1007/978-3-319-39555-5_16</a>.","ama":"Abusalah HM, Fuchsbauer G, Pietrzak KZ. Offline witness encryption. In: Vol 9696. Springer; 2016:285-303. doi:<a href=\"https://doi.org/10.1007/978-3-319-39555-5_16\">10.1007/978-3-319-39555-5_16</a>","mla":"Abusalah, Hamza M., et al. <i>Offline Witness Encryption</i>. Vol. 9696, Springer, 2016, pp. 
285–303, doi:<a href=\"https://doi.org/10.1007/978-3-319-39555-5_16\">10.1007/978-3-319-39555-5_16</a>.","ista":"Abusalah HM, Fuchsbauer G, Pietrzak KZ. 2016. Offline witness encryption. ACNS: Applied Cryptography and Network Security, LNCS, vol. 9696, 285–303.","short":"H.M. Abusalah, G. Fuchsbauer, K.Z. Pietrzak, in:, Springer, 2016, pp. 285–303."},"publication_status":"published","abstract":[{"lang":"eng","text":"Witness encryption (WE) was introduced by Garg et al. [GGSW13]. A WE scheme is defined for some NP language L and lets a sender encrypt messages relative to instances x. A ciphertext for x can be decrypted using w witnessing x ∈ L, but hides the message if x ∉ L. Garg et al. construct WE from multilinear maps and give another construction [GGH+13b] using indistinguishability obfuscation (iO) for circuits. Due to the reliance on such heavy tools, WE can currently hardly be implemented on powerful hardware and will unlikely be realizable on constrained devices like smart cards any time soon. We construct a WE scheme where encryption is done by simply computing a Naor-Yung ciphertext (two CPA encryptions and a NIZK proof). To achieve this, our scheme has a setup phase, which outputs public parameters containing an obfuscated circuit (only required for decryption), two encryption keys and a common reference string (used for encryption). This setup need only be run once, and the parameters can be used for arbitrarily many encryptions. Our scheme can also be turned into a functional WE scheme, where a message is encrypted w.r.t. a statement and a function f, and decryption with a witness w yields f(m, w). Our construction is inspired by the functional encryption scheme by Garg et al. and we prove (selective) security assuming iO and statistically simulation-sound NIZK. 
We give a construction of the latter in bilinear groups and combining it with ElGamal encryption, our ciphertexts are of size 1.3 kB at a 128-bit security level and can be computed on a smart card."}],"author":[{"id":"40297222-F248-11E8-B48F-1D18A9856A87","last_name":"Abusalah","full_name":"Abusalah, Hamza M","first_name":"Hamza M"},{"first_name":"Georg","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Krzysztof Z","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"}],"oa":1,"publist_id":"6105","date_updated":"2023-09-07T12:30:22Z","volume":9696,"_id":"1229","oa_version":"Submitted Version","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668"},{"grant_number":"682815","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020"}],"quality_controlled":"1","acknowledgement":"Research  supported  by  the  European  Research  Council,  ERC  starting  grant (259668-PSPC) and ERC consolidator grant (682815 - TOCNeT).","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87"},{"author":[{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg"},{"full_name":"Heuer, Felix","last_name":"Heuer","first_name":"Felix"},{"last_name":"Kiltz","full_name":"Kiltz, Eike","first_name":"Eike"},{"first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"}],"abstract":[{"lang":"eng","text":"About three decades ago it was realized that implementing private channels between parties which can be adaptively corrupted requires an encryption scheme that is secure against selective opening attacks. 
Whether standard (IND-CPA) security implies security against selective opening attacks has been a major open question since. The only known reduction from selective opening to IND-CPA security loses an exponential factor. A polynomial reduction is only known for the very special case where the distribution considered in the selective opening security experiment is a product distribution, i.e., the messages are sampled independently from each other. In this paper we give a reduction whose loss is quantified via the dependence graph (where message dependencies correspond to edges) of the underlying message distribution. In particular, for some concrete distributions including Markov distributions, our reduction is polynomial."}],"citation":{"chicago":"Fuchsbauer, Georg, Felix Heuer, Eike Kiltz, and Krzysztof Z Pietrzak. “Standard Security Does Imply Security against Selective Opening for Markov Distributions,” 9562:282–305. Springer, 2016. <a href=\"https://doi.org/10.1007/978-3-662-49096-9_12\">https://doi.org/10.1007/978-3-662-49096-9_12</a>.","apa":"Fuchsbauer, G., Heuer, F., Kiltz, E., &#38; Pietrzak, K. Z. (2016). Standard security does imply security against selective opening for markov distributions (Vol. 9562, pp. 282–305). Presented at the TCC: Theory of Cryptography Conference, Tel Aviv, Israel: Springer. <a href=\"https://doi.org/10.1007/978-3-662-49096-9_12\">https://doi.org/10.1007/978-3-662-49096-9_12</a>","ieee":"G. Fuchsbauer, F. Heuer, E. Kiltz, and K. Z. Pietrzak, “Standard security does imply security against selective opening for markov distributions,” presented at the TCC: Theory of Cryptography Conference, Tel Aviv, Israel, 2016, vol. 9562, pp. 282–305.","short":"G. Fuchsbauer, F. Heuer, E. Kiltz, K.Z. Pietrzak, in:, Springer, 2016, pp. 282–305.","ista":"Fuchsbauer G, Heuer F, Kiltz E, Pietrzak KZ. 2016. Standard security does imply security against selective opening for markov distributions. TCC: Theory of Cryptography Conference, LNCS, vol. 
9562, 282–305.","mla":"Fuchsbauer, Georg, et al. <i>Standard Security Does Imply Security against Selective Opening for Markov Distributions</i>. Vol. 9562, Springer, 2016, pp. 282–305, doi:<a href=\"https://doi.org/10.1007/978-3-662-49096-9_12\">10.1007/978-3-662-49096-9_12</a>.","ama":"Fuchsbauer G, Heuer F, Kiltz E, Pietrzak KZ. Standard security does imply security against selective opening for markov distributions. In: Vol 9562. Springer; 2016:282-305. doi:<a href=\"https://doi.org/10.1007/978-3-662-49096-9_12\">10.1007/978-3-662-49096-9_12</a>"},"publication_status":"published","quality_controlled":"1","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","call_identifier":"FP7","grant_number":"259668"}],"oa_version":"Submitted Version","acknowledgement":"G. Fuchsbauer and K. Pietrzak are supported by the European Research Council, ERC Starting Grant (259668-PSPC). F. Heuer is funded by a Sofja Kovalevskaja Award of the Alexander von Humboldt Foundation and DFG SPP 1736, Algorithms for BIG DATA. E. 
Kiltz is supported by a Sofja Kovalevskaja Award of the Alexander von Humboldt Foundation, the German Israel Foundation, and ERC Project ERCC (FP7/615074).","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","_id":"1233","date_updated":"2021-01-12T06:49:16Z","oa":1,"publist_id":"6100","volume":9562,"title":"Standard security does imply security against selective opening for markov distributions","ec_funded":1,"doi":"10.1007/978-3-662-49096-9_12","year":"2016","main_file_link":[{"url":"https://eprint.iacr.org/2015/853","open_access":"1"}],"alternative_title":["LNCS"],"status":"public","intvolume":"      9562","type":"conference","day":"01","page":"282 - 305","language":[{"iso":"eng"}],"scopus_import":1,"publisher":"Springer","date_published":"2016-01-01T00:00:00Z","month":"01","date_created":"2018-12-11T11:50:51Z","conference":{"start_date":"2016-01-10","location":"Tel Aviv, Israel","end_date":"2016-01-13","name":"TCC: Theory of Cryptography Conference"},"department":[{"_id":"KrPi"}]},{"department":[{"_id":"KrPi"}],"date_created":"2018-12-11T11:50:52Z","conference":{"end_date":"2016-06-22","location":"Guildford, UK","name":"ACNS: Applied Cryptography and Network Security","start_date":"2016-06-19"},"date_published":"2016-01-01T00:00:00Z","month":"01","language":[{"iso":"eng"}],"publisher":"Springer","scopus_import":1,"page":"445 - 463","type":"conference","day":"01","status":"public","intvolume":"      9696","main_file_link":[{"url":"https://eprint.iacr.org/2016/279.pdf","open_access":"1"}],"alternative_title":["LNCS"],"related_material":{"record":[{"relation":"dissertation_contains","id":"83","status":"public"}]},"ec_funded":1,"doi":"10.1007/978-3-319-39555-5_24","year":"2016","title":"Constrained PRFs for unbounded inputs with short keys","volume":9696,"oa":1,"publist_id":"6098","date_updated":"2023-09-07T12:30:22Z","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","acknowledgement":"H. 
Abusalah—Research supported by the European Research Council, ERC starting grant (259668-PSPC) and ERC consolidator grant (682815 - TOCNeT).","quality_controlled":"1","project":[{"grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","call_identifier":"FP7"},{"_id":"258AA5B2-B435-11E9-9278-68D0E5697425","name":"Teaching Old Crypto New Tricks","call_identifier":"H2020","grant_number":"682815"}],"oa_version":"Submitted Version","_id":"1235","publication_status":"published","citation":{"mla":"Abusalah, Hamza M., and Georg Fuchsbauer. <i>Constrained PRFs for Unbounded Inputs with Short Keys</i>. Vol. 9696, Springer, 2016, pp. 445–63, doi:<a href=\"https://doi.org/10.1007/978-3-319-39555-5_24\">10.1007/978-3-319-39555-5_24</a>.","ama":"Abusalah HM, Fuchsbauer G. Constrained PRFs for unbounded inputs with short keys. In: Vol 9696. Springer; 2016:445-463. doi:<a href=\"https://doi.org/10.1007/978-3-319-39555-5_24\">10.1007/978-3-319-39555-5_24</a>","ista":"Abusalah HM, Fuchsbauer G. 2016. Constrained PRFs for unbounded inputs with short keys. ACNS: Applied Cryptography and Network Security, LNCS, vol. 9696, 445–463.","short":"H.M. Abusalah, G. Fuchsbauer, in:, Springer, 2016, pp. 445–463.","apa":"Abusalah, H. M., &#38; Fuchsbauer, G. (2016). Constrained PRFs for unbounded inputs with short keys (Vol. 9696, pp. 445–463). Presented at the ACNS: Applied Cryptography and Network Security, Guildford, UK: Springer. <a href=\"https://doi.org/10.1007/978-3-319-39555-5_24\">https://doi.org/10.1007/978-3-319-39555-5_24</a>","ieee":"H. M. Abusalah and G. Fuchsbauer, “Constrained PRFs for unbounded inputs with short keys,” presented at the ACNS: Applied Cryptography and Network Security, Guildford, UK, 2016, vol. 9696, pp. 445–463.","chicago":"Abusalah, Hamza M, and Georg Fuchsbauer. “Constrained PRFs for Unbounded Inputs with Short Keys,” 9696:445–63. Springer, 2016. 
<a href=\"https://doi.org/10.1007/978-3-319-39555-5_24\">https://doi.org/10.1007/978-3-319-39555-5_24</a>."},"author":[{"id":"40297222-F248-11E8-B48F-1D18A9856A87","first_name":"Hamza M","last_name":"Abusalah","full_name":"Abusalah, Hamza M"},{"first_name":"Georg","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"}],"abstract":[{"text":"A constrained pseudorandom function (CPRF) F: K×X → Y for a family T of subsets of χ is a function where for any key k ∈ K and set S ∈ T one can efficiently compute a short constrained key kS, which allows to evaluate F(k, ·) on all inputs x ∈ S, while the outputs on all inputs x /∈ S look random even given kS. Abusalah et al. recently constructed the first constrained PRF for inputs of arbitrary length whose sets S are decided by Turing machines. They use their CPRF to build broadcast encryption and the first ID-based non-interactive key exchange for an unbounded number of users. Their constrained keys are obfuscated circuits and are therefore large. In this work we drastically reduce the key size and define a constrained key for a Turing machine M as a short signature on M. 
For this, we introduce a new signature primitive with constrained signing keys that let one only sign certain messages, while forging a signature on others is hard even when knowing the coins for key generation.","lang":"eng"}]},{"page":"413 - 428","file_date_updated":"2020-07-14T12:44:41Z","day":"02","type":"conference","intvolume":"      9610","status":"public","has_accepted_license":"1","department":[{"_id":"KrPi"}],"conference":{"location":"San Francisco, CA, USA","end_date":"2016-03-04","name":"CT-RSA: Topics in Cryptology","start_date":"2016-02-29"},"date_created":"2018-12-11T11:50:52Z","file":[{"date_updated":"2020-07-14T12:44:41Z","access_level":"open_access","file_name":"IST-2017-764-v1+1_279.pdf","file_size":495176,"date_created":"2018-12-12T10:08:05Z","checksum":"3851cee49933ae13b1272e516f213e13","content_type":"application/pdf","relation":"main_file","file_id":"4664","creator":"system"}],"month":"02","date_published":"2016-02-02T00:00:00Z","publisher":"Springer","scopus_import":1,"language":[{"iso":"eng"}],"oa":1,"volume":9610,"date_updated":"2023-09-07T12:30:22Z","publist_id":"6097","_id":"1236","acknowledgement":"Supported by the European Research Council, ERC Starting Grant (259668-PSPC).","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","quality_controlled":"1","project":[{"name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","grant_number":"259668"}],"oa_version":"Submitted Version","publication_status":"published","citation":{"ama":"Abusalah HM, Fuchsbauer G, Pietrzak KZ. Constrained PRFs for unbounded inputs. In: Vol 9610. Springer; 2016:413-428. doi:<a href=\"https://doi.org/10.1007/978-3-319-29485-8_24\">10.1007/978-3-319-29485-8_24</a>","mla":"Abusalah, Hamza M., et al. <i>Constrained PRFs for Unbounded Inputs</i>. Vol. 9610, Springer, 2016, pp. 413–28, doi:<a href=\"https://doi.org/10.1007/978-3-319-29485-8_24\">10.1007/978-3-319-29485-8_24</a>.","short":"H.M. Abusalah, G. 
Fuchsbauer, K.Z. Pietrzak, in:, Springer, 2016, pp. 413–428.","ista":"Abusalah HM, Fuchsbauer G, Pietrzak KZ. 2016. Constrained PRFs for unbounded inputs. CT-RSA: Topics in Cryptology, LNCS, vol. 9610, 413–428.","ieee":"H. M. Abusalah, G. Fuchsbauer, and K. Z. Pietrzak, “Constrained PRFs for unbounded inputs,” presented at the CT-RSA: Topics in Cryptology, San Francisco, CA, USA, 2016, vol. 9610, pp. 413–428.","apa":"Abusalah, H. M., Fuchsbauer, G., &#38; Pietrzak, K. Z. (2016). Constrained PRFs for unbounded inputs (Vol. 9610, pp. 413–428). Presented at the CT-RSA: Topics in Cryptology, San Francisco, CA, USA: Springer. <a href=\"https://doi.org/10.1007/978-3-319-29485-8_24\">https://doi.org/10.1007/978-3-319-29485-8_24</a>","chicago":"Abusalah, Hamza M, Georg Fuchsbauer, and Krzysztof Z Pietrzak. “Constrained PRFs for Unbounded Inputs,” 9610:413–28. Springer, 2016. <a href=\"https://doi.org/10.1007/978-3-319-29485-8_24\">https://doi.org/10.1007/978-3-319-29485-8_24</a>."},"abstract":[{"text":"A constrained pseudorandom function F: K × X → Y for a family T ⊆ 2X of subsets of X is a function where for any key k ∈ K and set S ∈ T one can efficiently compute a constrained key kS which allows to evaluate F (k, ·) on all inputs x ∈ S, while even given this key, the outputs on all inputs x ∉ S look random. At Asiacrypt’13 Boneh and Waters gave a construction which supports the most general set family so far. Its keys kc are defined for sets decided by boolean circuits C and enable evaluation of the PRF on any x ∈ X where C(x) = 1. In their construction the PRF input length and the size of the circuits C for which constrained keys can be computed must be fixed beforehand during key generation. We construct a constrained PRF that has an unbounded input length and whose constrained keys can be defined for any set recognized by a Turing machine. The only a priori bound we make is on the description size of the machines. 
We prove our construction secure assuming publiccoin differing-input obfuscation. As applications of our constrained PRF we build a broadcast encryption scheme where the number of potential receivers need not be fixed at setup (in particular, the length of the keys is independent of the number of parties) and the first identity-based non-interactive key exchange protocol with no bound on the number of parties that can agree on a shared key.","lang":"eng"}],"author":[{"first_name":"Hamza M","last_name":"Abusalah","full_name":"Abusalah, Hamza M","id":"40297222-F248-11E8-B48F-1D18A9856A87"},{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","first_name":"Georg"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z"}],"alternative_title":["LNCS"],"related_material":{"record":[{"status":"public","relation":"dissertation_contains","id":"83"}]},"ddc":["005","600"],"doi":"10.1007/978-3-319-29485-8_24","year":"2016","ec_funded":1,"pubrep_id":"764","title":"Constrained PRFs for unbounded inputs"},{"user_id":"8b945eb4-e2f2-11eb-945a-df72226e66a9","oa_version":"Submitted Version","project":[{"grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","call_identifier":"FP7"}],"quality_controlled":"1","_id":"1646","publication_identifier":{"isbn":["978-3-662-46496-0"]},"date_updated":"2022-02-03T08:41:46Z","volume":9015,"publist_id":"5505","oa":1,"article_processing_charge":"No","author":[{"last_name":"Banerjee","full_name":"Banerjee, Abishek","first_name":"Abishek"},{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg"},{"first_name":"Chris","full_name":"Peikert, Chris","last_name":"Peikert"},{"first_name":"Krzysztof 
Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Sophie","last_name":"Stevens","full_name":"Stevens, Sophie"}],"abstract":[{"lang":"eng","text":"A pseudorandom function (PRF) is a keyed function F : K × X → Y where, for a random key k ∈ K, the function F(k, ·) is indistinguishable from a uniformly random function, given black-box access. A key-homomorphic PRF has the additional feature that for any keys k, k' and any input x, we have F(k+k', x) = F(k, x)⊕F(k', x) for some group operations +,⊕ on K and Y, respectively. A constrained PRF for a family of sets S ⊆ P(X) has the property that, given any key k and set S ∈ S, one can efficiently compute a “constrained” key kS that enables evaluation of F(k, x) on all inputs x ∈ S, while the values F(k, x) for x ∉ S remain pseudorandom even given kS. In this paper we construct PRFs that are simultaneously constrained and key homomorphic, where the homomorphic property holds even for constrained keys. We first show that the multilinear map-based bit-fixing and circuit-constrained PRFs of Boneh and Waters (Asiacrypt 2013) can be modified to also be key-homomorphic. We then show that the LWE-based key-homomorphic PRFs of Banerjee and Peikert (Crypto 2014) are essentially already prefix-constrained PRFs, using a (non-obvious) definition of constrained keys and associated group operation. Moreover, the constrained keys themselves are pseudorandom, and the constraining and evaluation functions can all be computed in low depth. As an application of key-homomorphic constrained PRFs, we construct a proxy re-encryption scheme with fine-grained access control. This scheme allows storing encrypted data on an untrusted server, where each file can be encrypted relative to some attributes, so that only parties whose constrained keys match the attributes can decrypt. 
Moreover, the server can re-key (arbitrary subsets of) the ciphertexts without learning anything about the plaintexts, thus permitting efficient and fine-grained revocation."}],"publication_status":"published","citation":{"apa":"Banerjee, A., Fuchsbauer, G., Peikert, C., Pietrzak, K. Z., &#38; Stevens, S. (2015). Key-homomorphic constrained pseudorandom functions. In <i>12th Theory of Cryptography Conference</i> (Vol. 9015, pp. 31–60). Warsaw, Poland: Springer Nature. <a href=\"https://doi.org/10.1007/978-3-662-46497-7_2\">https://doi.org/10.1007/978-3-662-46497-7_2</a>","ieee":"A. Banerjee, G. Fuchsbauer, C. Peikert, K. Z. Pietrzak, and S. Stevens, “Key-homomorphic constrained pseudorandom functions,” in <i>12th Theory of Cryptography Conference</i>, Warsaw, Poland, 2015, vol. 9015, pp. 31–60.","chicago":"Banerjee, Abishek, Georg Fuchsbauer, Chris Peikert, Krzysztof Z Pietrzak, and Sophie Stevens. “Key-Homomorphic Constrained Pseudorandom Functions.” In <i>12th Theory of Cryptography Conference</i>, 9015:31–60. Springer Nature, 2015. <a href=\"https://doi.org/10.1007/978-3-662-46497-7_2\">https://doi.org/10.1007/978-3-662-46497-7_2</a>.","mla":"Banerjee, Abishek, et al. “Key-Homomorphic Constrained Pseudorandom Functions.” <i>12th Theory of Cryptography Conference</i>, vol. 9015, Springer Nature, 2015, pp. 31–60, doi:<a href=\"https://doi.org/10.1007/978-3-662-46497-7_2\">10.1007/978-3-662-46497-7_2</a>.","ama":"Banerjee A, Fuchsbauer G, Peikert C, Pietrzak KZ, Stevens S. Key-homomorphic constrained pseudorandom functions. In: <i>12th Theory of Cryptography Conference</i>. Vol 9015. Springer Nature; 2015:31-60. doi:<a href=\"https://doi.org/10.1007/978-3-662-46497-7_2\">10.1007/978-3-662-46497-7_2</a>","ista":"Banerjee A, Fuchsbauer G, Peikert C, Pietrzak KZ, Stevens S. 2015. Key-homomorphic constrained pseudorandom functions. 12th Theory of Cryptography Conference. TCC: Theory of Cryptography Conference, LNCS, vol. 9015, 31–60.","short":"A. Banerjee, G. 
Fuchsbauer, C. Peikert, K.Z. Pietrzak, S. Stevens, in:, 12th Theory of Cryptography Conference, Springer Nature, 2015, pp. 31–60."},"ddc":["000","004"],"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2015/180"}],"alternative_title":["LNCS"],"pubrep_id":"679","title":"Key-homomorphic constrained pseudorandom functions","ec_funded":1,"doi":"10.1007/978-3-662-46497-7_2","year":"2015","page":"31 - 60","file_date_updated":"2020-07-14T12:45:08Z","publication":"12th Theory of Cryptography Conference","status":"public","intvolume":"      9015","type":"conference","day":"01","file":[{"creator":"system","file_id":"5136","relation":"main_file","content_type":"application/pdf","checksum":"3c5093bda5783c89beaacabf1aa0e60e","date_created":"2018-12-12T10:15:17Z","file_size":450665,"file_name":"IST-2016-679-v1+1_180.pdf","access_level":"open_access","date_updated":"2020-07-14T12:45:08Z"}],"date_created":"2018-12-11T11:53:14Z","conference":{"name":"TCC: Theory of Cryptography Conference","end_date":"2015-03-25","location":"Warsaw, Poland","start_date":"2015-03-23"},"department":[{"_id":"KrPi"}],"has_accepted_license":"1","language":[{"iso":"eng"}],"publisher":"Springer Nature","scopus_import":"1","date_published":"2015-03-01T00:00:00Z","month":"03"},{"alternative_title":["LNCS"],"main_file_link":[{"url":"https://eprint.iacr.org/2015/626.pdf","open_access":"1"}],"related_material":{"record":[{"relation":"later_version","id":"1225","status":"public"}]},"doi":"10.1007/978-3-662-48000-7_12","year":"2015","ec_funded":1,"title":"Practical round-optimal blind signatures in the standard model","volume":9216,"date_updated":"2023-02-21T16:44:51Z","publist_id":"5503","oa":1,"article_processing_charge":"No","_id":"1647","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","project":[{"grant_number":"259668","call_identifier":"FP7","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"oa_version":"Submitted 
Version","quality_controlled":"1","publication_status":"published","citation":{"mla":"Fuchsbauer, Georg, et al. <i>Practical Round-Optimal Blind Signatures in the Standard Model</i>. Vol. 9216, Springer, 2015, pp. 233–53, doi:<a href=\"https://doi.org/10.1007/978-3-662-48000-7_12\">10.1007/978-3-662-48000-7_12</a>.","ama":"Fuchsbauer G, Hanser C, Slamanig D. Practical round-optimal blind signatures in the standard model. In: Vol 9216. Springer; 2015:233-253. doi:<a href=\"https://doi.org/10.1007/978-3-662-48000-7_12\">10.1007/978-3-662-48000-7_12</a>","short":"G. Fuchsbauer, C. Hanser, D. Slamanig, in:, Springer, 2015, pp. 233–253.","ista":"Fuchsbauer G, Hanser C, Slamanig D. 2015. Practical round-optimal blind signatures in the standard model. CRYPTO: International Cryptology Conference, LNCS, vol. 9216, 233–253.","apa":"Fuchsbauer, G., Hanser, C., &#38; Slamanig, D. (2015). Practical round-optimal blind signatures in the standard model (Vol. 9216, pp. 233–253). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. <a href=\"https://doi.org/10.1007/978-3-662-48000-7_12\">https://doi.org/10.1007/978-3-662-48000-7_12</a>","ieee":"G. Fuchsbauer, C. Hanser, and D. Slamanig, “Practical round-optimal blind signatures in the standard model,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States, 2015, vol. 9216, pp. 233–253.","chicago":"Fuchsbauer, Georg, Christian Hanser, and Daniel Slamanig. “Practical Round-Optimal Blind Signatures in the Standard Model,” 9216:233–53. Springer, 2015. <a href=\"https://doi.org/10.1007/978-3-662-48000-7_12\">https://doi.org/10.1007/978-3-662-48000-7_12</a>."},"abstract":[{"text":"Round-optimal blind signatures are notoriously hard to construct in the standard model, especially in the malicious-signer model, where blindness must hold under adversarially chosen keys. This is substantiated by several impossibility results. 
The only construction that can be termed theoretically efficient, by Garg and Gupta (Eurocrypt’14), requires complexity leveraging, inducing an exponential security loss. We present a construction of practically efficient round-optimal blind signatures in the standard model. It is conceptually simple and builds on the recent structure-preserving signatures on equivalence classes (SPSEQ) from Asiacrypt’14. While the traditional notion of blindness follows from standard assumptions, we prove blindness under adversarially chosen keys under an interactive variant of DDH. However, we neither require non-uniform assumptions nor complexity leveraging. We then show how to extend our construction to partially blind signatures and to blind signatures on message vectors, which yield a construction of one-show anonymous credentials à la “anonymous credentials light” (CCS’13) in the standard model. Furthermore, we give the first SPS-EQ construction under noninteractive assumptions and show how SPS-EQ schemes imply conventional structure-preserving signatures, which allows us to apply optimality results for the latter to SPS-EQ.","lang":"eng"}],"author":[{"last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Christian","full_name":"Hanser, Christian","last_name":"Hanser"},{"first_name":"Daniel","full_name":"Slamanig, Daniel","last_name":"Slamanig"}],"department":[{"_id":"KrPi"}],"conference":{"end_date":"2015-08-20","location":"Santa Barbara, CA, United States","name":"CRYPTO: International Cryptology Conference","start_date":"2015-08-16"},"date_created":"2018-12-11T11:53:14Z","month":"08","date_published":"2015-08-01T00:00:00Z","publisher":"Springer","scopus_import":1,"language":[{"iso":"eng"}],"page":"233 - 253","day":"01","type":"conference","intvolume":"      
9216","status":"public"},{"month":"08","date_published":"2015-08-01T00:00:00Z","publisher":"Springer","scopus_import":1,"language":[{"iso":"eng"}],"has_accepted_license":"1","department":[{"_id":"KrPi"}],"conference":{"start_date":"2015-08-16","location":"Santa Barbara, CA, USA","name":"CRYPTO: International Cryptology Conference","end_date":"2015-08-20"},"file":[{"relation":"main_file","content_type":"application/pdf","creator":"system","file_id":"5015","access_level":"open_access","date_updated":"2020-07-14T12:45:08Z","file_size":505618,"file_name":"IST-2016-674-v1+1_389.pdf","checksum":"99b76b3263d5082554d0a9cbdeca3a22","date_created":"2018-12-12T10:13:31Z"}],"date_created":"2018-12-11T11:53:14Z","day":"01","type":"conference","intvolume":"      9215","status":"public","file_date_updated":"2020-07-14T12:45:08Z","page":"601 - 620","year":"2015","doi":"10.1007/978-3-662-47989-6_29","ec_funded":1,"pubrep_id":"674","title":"A quasipolynomial reduction for generalized selective decryption on trees","alternative_title":["LNCS"],"tmp":{"image":"/images/cc_by.png","legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"ddc":["004"],"publication_status":"published","citation":{"chicago":"Fuchsbauer, Georg, Zahra Jafargholi, and Krzysztof Z Pietrzak. “A Quasipolynomial Reduction for Generalized Selective Decryption on Trees,” 9215:601–20. Springer, 2015. <a href=\"https://doi.org/10.1007/978-3-662-47989-6_29\">https://doi.org/10.1007/978-3-662-47989-6_29</a>.","apa":"Fuchsbauer, G., Jafargholi, Z., &#38; Pietrzak, K. Z. (2015). A quasipolynomial reduction for generalized selective decryption on trees (Vol. 9215, pp. 601–620). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, USA: Springer. <a href=\"https://doi.org/10.1007/978-3-662-47989-6_29\">https://doi.org/10.1007/978-3-662-47989-6_29</a>","ieee":"G. Fuchsbauer, Z. 
Jafargholi, and K. Z. Pietrzak, “A quasipolynomial reduction for generalized selective decryption on trees,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, USA, 2015, vol. 9215, pp. 601–620.","short":"G. Fuchsbauer, Z. Jafargholi, K.Z. Pietrzak, in:, Springer, 2015, pp. 601–620.","ista":"Fuchsbauer G, Jafargholi Z, Pietrzak KZ. 2015. A quasipolynomial reduction for generalized selective decryption on trees. CRYPTO: International Cryptology Conference, LNCS, vol. 9215, 601–620.","mla":"Fuchsbauer, Georg, et al. <i>A Quasipolynomial Reduction for Generalized Selective Decryption on Trees</i>. Vol. 9215, Springer, 2015, pp. 601–20, doi:<a href=\"https://doi.org/10.1007/978-3-662-47989-6_29\">10.1007/978-3-662-47989-6_29</a>.","ama":"Fuchsbauer G, Jafargholi Z, Pietrzak KZ. A quasipolynomial reduction for generalized selective decryption on trees. In: Vol 9215. Springer; 2015:601-620. doi:<a href=\"https://doi.org/10.1007/978-3-662-47989-6_29\">10.1007/978-3-662-47989-6_29</a>"},"abstract":[{"lang":"eng","text":"Generalized Selective Decryption (GSD), introduced by Panjwani [TCC’07], is a game for a symmetric encryption scheme Enc that captures the difficulty of proving adaptive security of certain protocols, most notably the Logical Key Hierarchy (LKH) multicast encryption protocol. In the GSD game there are n keys k1,..., kn, which the adversary may adaptively corrupt (learn); moreover, it can ask for encryptions Encki (kj) of keys under other keys. The adversary’s task is to distinguish keys (which it cannot trivially compute) from random. Proving the hardness of GSD assuming only IND-CPA security of Enc is surprisingly hard. Using “complexity leveraging” loses a factor exponential in n, which makes the proof practically meaningless. We can think of the GSD game as building a graph on n vertices, where we add an edge i → j when the adversary asks for an encryption of kj under ki. 
If restricted to graphs of depth ℓ, Panjwani gave a reduction that loses only a factor exponential in ℓ (not n). To date, this is the only non-trivial result known for GSD. In this paper we give almost-polynomial reductions for large classes of graphs. Most importantly, we prove the security of the GSD game restricted to trees losing only a quasi-polynomial factor n^(3 log n + 5). Trees are an important special case capturing real-world protocols like the LKH protocol. Our new bound improves upon Panjwani’s on some LKH variants proposed in the literature where the underlying tree is not balanced. Our proof builds on ideas from the “nested hybrids” technique recently introduced by Fuchsbauer et al. [Asiacrypt’14] for proving the adaptive security of constrained PRFs."}],"author":[{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer","first_name":"Georg"},{"full_name":"Jafargholi, Zahra","last_name":"Jafargholi","first_name":"Zahra"},{"first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"}],"publist_id":"5502","volume":9215,"oa":1,"date_updated":"2021-01-12T06:52:14Z","_id":"1648","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","quality_controlled":"1","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"oa_version":"Submitted Version"},{"title":"Anonymous transferable e-cash","doi":"10.1007/978-3-662-46447-2_5","year":"2015","ec_funded":1,"alternative_title":["LNCS"],"main_file_link":[{"url":"https://doi.org/10.1007/978-3-662-46447-2_5","open_access":"1"}],"abstract":[{"text":"Cryptographic e-cash allows off-line electronic transactions between a bank, users and merchants in a secure and anonymous fashion. 
A plethora of e-cash constructions has been proposed in the literature; however, these traditional e-cash schemes only allow coins to be transferred once between users and merchants. Ideally, we would like users to be able to transfer coins between each other multiple times before deposit, as happens with physical cash. “Transferable” e-cash schemes are the solution to this problem. Unfortunately, the currently proposed schemes are either completely impractical or do not achieve the desirable anonymity properties without compromises, such as assuming the existence of a trusted “judge” who can trace all coins and users in the system. This paper presents the first efficient and fully anonymous transferable e-cash scheme without any trusted third parties. We start by revising the security and anonymity properties of transferable e-cash to capture issues that were previously overlooked. For our construction we use the recently proposed malleable signatures by Chase et al. to allow the secure and anonymous transfer of coins, combined with a new efficient double-spending detection mechanism. Finally, we discuss an instantiation of our construction.","lang":"eng"}],"author":[{"last_name":"Baldimtsi","full_name":"Baldimtsi, Foteini","first_name":"Foteini"},{"first_name":"Melissa","last_name":"Chase","full_name":"Chase, Melissa"},{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","first_name":"Georg"},{"full_name":"Kohlweiss, Markulf","last_name":"Kohlweiss","first_name":"Markulf"}],"citation":{"chicago":"Baldimtsi, Foteini, Melissa Chase, Georg Fuchsbauer, and Markulf Kohlweiss. “Anonymous Transferable E-Cash.” In <i>Public-Key Cryptography - PKC 2015</i>, 9020:101–24. Springer, 2015. <a href=\"https://doi.org/10.1007/978-3-662-46447-2_5\">https://doi.org/10.1007/978-3-662-46447-2_5</a>.","apa":"Baldimtsi, F., Chase, M., Fuchsbauer, G., &#38; Kohlweiss, M. (2015). Anonymous transferable e-cash. 
In <i>Public-Key Cryptography - PKC 2015</i> (Vol. 9020, pp. 101–124). Gaithersburg, MD, United States: Springer. <a href=\"https://doi.org/10.1007/978-3-662-46447-2_5\">https://doi.org/10.1007/978-3-662-46447-2_5</a>","ieee":"F. Baldimtsi, M. Chase, G. Fuchsbauer, and M. Kohlweiss, “Anonymous transferable e-cash,” in <i>Public-Key Cryptography - PKC 2015</i>, Gaithersburg, MD, United States, 2015, vol. 9020, pp. 101–124.","short":"F. Baldimtsi, M. Chase, G. Fuchsbauer, M. Kohlweiss, in:, Public-Key Cryptography - PKC 2015, Springer, 2015, pp. 101–124.","ista":"Baldimtsi F, Chase M, Fuchsbauer G, Kohlweiss M. 2015. Anonymous transferable e-cash. Public-Key Cryptography - PKC 2015. PKC: Public Key Crypography, LNCS, vol. 9020, 101–124.","ama":"Baldimtsi F, Chase M, Fuchsbauer G, Kohlweiss M. Anonymous transferable e-cash. In: <i>Public-Key Cryptography - PKC 2015</i>. Vol 9020. Springer; 2015:101-124. doi:<a href=\"https://doi.org/10.1007/978-3-662-46447-2_5\">10.1007/978-3-662-46447-2_5</a>","mla":"Baldimtsi, Foteini, et al. “Anonymous Transferable E-Cash.” <i>Public-Key Cryptography - PKC 2015</i>, vol. 9020, Springer, 2015, pp. 101–24, doi:<a href=\"https://doi.org/10.1007/978-3-662-46447-2_5\">10.1007/978-3-662-46447-2_5</a>."},"publication_status":"published","publication_identifier":{"isbn":["978-3-662-46446-5"]},"_id":"1651","oa_version":"Published Version","project":[{"grant_number":"259668","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography"}],"quality_controlled":"1","acknowledgement":"Work done as an intern in Microsoft Research Redmond and as a student at Brown University, where supported by NSF grant 0964379. 
Supported by the European Research Council, ERC Starting Grant (259668-PSPC).","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","article_processing_charge":"No","volume":9020,"publist_id":"5499","date_updated":"2022-05-23T10:08:37Z","oa":1,"scopus_import":"1","publisher":"Springer","language":[{"iso":"eng"}],"month":"03","date_published":"2015-03-17T00:00:00Z","conference":{"location":"Gaithersburg, MD, United States","end_date":"2015-04-01","name":"PKC: Public Key Crypography","start_date":"2015-03-30"},"date_created":"2018-12-11T11:53:15Z","department":[{"_id":"KrPi"}],"intvolume":"      9020","status":"public","day":"17","type":"conference","publication":"Public-Key Cryptography - PKC 2015","page":"101 - 124"},{"ec_funded":1,"date_published":"2015-09-04T00:00:00Z","month":"09","doi":"10.1109/CSF.2015.11","year":"2015","language":[{"iso":"eng"}],"publisher":"IEEE","title":"Policy privacy in cryptographic access control","department":[{"_id":"KrPi"}],"main_file_link":[{"open_access":"1","url":"http://epubs.surrey.ac.uk/808055/"}],"date_created":"2018-12-11T11:52:14Z","conference":{"name":"CSF: Computer Security Foundations","end_date":"2015-07-17","location":"Verona, Italy","start_date":"2015-07-13"},"type":"conference","publication_status":"published","day":"04","citation":{"ieee":"A. Ferrara, G. Fuchsbauer, B. Liu, and B. Warinschi, “Policy privacy in cryptographic access control,” presented at the CSF: Computer Security Foundations, Verona, Italy, 2015, pp. 46–60.","apa":"Ferrara, A., Fuchsbauer, G., Liu, B., &#38; Warinschi, B. (2015). Policy privacy in cryptographic access control (pp. 46–60). Presented at the CSF: Computer Security Foundations, Verona, Italy: IEEE. <a href=\"https://doi.org/10.1109/CSF.2015.11\">https://doi.org/10.1109/CSF.2015.11</a>","chicago":"Ferrara, Anna, Georg Fuchsbauer, Bin Liu, and Bogdan Warinschi. “Policy Privacy in Cryptographic Access Control,” 46–60. IEEE, 2015. 
<a href=\"https://doi.org/10.1109/CSF.2015.11\">https://doi.org/10.1109/CSF.2015.11</a>.","ama":"Ferrara A, Fuchsbauer G, Liu B, Warinschi B. Policy privacy in cryptographic access control. In: IEEE; 2015:46-60. doi:<a href=\"https://doi.org/10.1109/CSF.2015.11\">10.1109/CSF.2015.11</a>","mla":"Ferrara, Anna, et al. <i>Policy Privacy in Cryptographic Access Control</i>. IEEE, 2015, pp. 46–60, doi:<a href=\"https://doi.org/10.1109/CSF.2015.11\">10.1109/CSF.2015.11</a>.","ista":"Ferrara A, Fuchsbauer G, Liu B, Warinschi B. 2015. Policy privacy in cryptographic access control. CSF: Computer Security Foundations, 46–60.","short":"A. Ferrara, G. Fuchsbauer, B. Liu, B. Warinschi, in:, IEEE, 2015, pp. 46–60."},"status":"public","author":[{"full_name":"Ferrara, Anna","last_name":"Ferrara","first_name":"Anna"},{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer","first_name":"Georg"},{"first_name":"Bin","full_name":"Liu, Bin","last_name":"Liu"},{"first_name":"Bogdan","full_name":"Warinschi, Bogdan","last_name":"Warinschi"}],"abstract":[{"text":"Cryptographic access control offers selective access to encrypted data via a combination of key management and functionality-rich cryptographic schemes, such as attribute-based encryption. Using this approach, publicly available meta-data may inadvertently leak information on the access policy that is enforced by cryptography, which renders cryptographic access control unusable in settings where this information is highly sensitive. We begin to address this problem by presenting rigorous definitions for policy privacy in cryptographic access control. For concreteness we set our results in the model of Role-Based Access Control (RBAC), where we identify and formalize several different flavors of privacy, however, our framework should serve as inspiration for other models of access control. 
Based on our insights we propose a new system which significantly improves on the privacy properties of state-of-the-art constructions. Our design is based on a novel type of privacy-preserving attribute-based encryption, which we introduce and show how to instantiate. We present our results in the context of a cryptographic RBAC system by Ferrara et al. (CSF'13), which uses cryptography to control read access to files, while write access is still delegated to trusted monitors. We give an extension of the construction that permits cryptographic control over write access. Our construction assumes that key management uses out-of-band channels between the policy enforcer and the users but eliminates completely the need for monitoring read/write access to the data.","lang":"eng"}],"date_updated":"2021-01-12T06:50:59Z","oa":1,"publist_id":"5722","article_processing_charge":"No","page":"46-60","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","quality_controlled":"1","project":[{"grant_number":"259668","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography"}],"oa_version":"Submitted Version","_id":"1474"},{"doi":"10.1007/978-3-319-10879-7_7","year":"2014","ec_funded":1,"title":"Constrained Verifiable Random Functions ","alternative_title":["LNCS"],"main_file_link":[{"open_access":"1","url":"http://eprint.iacr.org/2014/537"}],"citation":{"ama":"Fuchsbauer G. Constrained Verifiable Random Functions . In: Abdalla M, De Prisco R, eds. <i>SCN 2014</i>. Vol 8642. Springer; 2014:95-114. doi:<a href=\"https://doi.org/10.1007/978-3-319-10879-7_7\">10.1007/978-3-319-10879-7_7</a>","mla":"Fuchsbauer, Georg. “Constrained Verifiable Random Functions .” <i>SCN 2014</i>, edited by Michel Abdalla and Roberto De Prisco, vol. 8642, Springer, 2014, pp. 95–114, doi:<a href=\"https://doi.org/10.1007/978-3-319-10879-7_7\">10.1007/978-3-319-10879-7_7</a>.","ista":"Fuchsbauer G. 2014. Constrained Verifiable Random Functions . 
SCN 2014. SCN: Security and Cryptography for Networks, LNCS, vol. 8642, 95–114.","short":"G. Fuchsbauer, in:, M. Abdalla, R. De Prisco (Eds.), SCN 2014, Springer, 2014, pp. 95–114.","apa":"Fuchsbauer, G. (2014). Constrained Verifiable Random Functions . In M. Abdalla &#38; R. De Prisco (Eds.), <i>SCN 2014</i> (Vol. 8642, pp. 95–114). Amalfi, Italy: Springer. <a href=\"https://doi.org/10.1007/978-3-319-10879-7_7\">https://doi.org/10.1007/978-3-319-10879-7_7</a>","ieee":"G. Fuchsbauer, “Constrained Verifiable Random Functions ,” in <i>SCN 2014</i>, Amalfi, Italy, 2014, vol. 8642, pp. 95–114.","chicago":"Fuchsbauer, Georg. “Constrained Verifiable Random Functions .” In <i>SCN 2014</i>, edited by Michel Abdalla and Roberto De Prisco, 8642:95–114. Springer, 2014. <a href=\"https://doi.org/10.1007/978-3-319-10879-7_7\">https://doi.org/10.1007/978-3-319-10879-7_7</a>."},"publication_status":"published","abstract":[{"lang":"eng","text":"We extend the notion of verifiable random functions (VRF) to constrained VRFs, which generalize the concept of constrained pseudorandom functions, put forward by Boneh and Waters (Asiacrypt’13), and independently by Kiayias et al. (CCS’13) and Boyle et al. (PKC’14), who call them delegatable PRFs and functional PRFs, respectively. In a standard VRF the secret key sk allows one to evaluate a pseudorandom function at any point of its domain; in addition, it enables computation of a non-interactive proof that the function value was computed correctly. In a constrained VRF from the key sk one can derive constrained keys sk_S for subsets S of the domain, which allow computation of function values and proofs only at points in S. After formally defining constrained VRFs, we derive instantiations from the multilinear-maps-based constrained PRFs by Boneh and Waters, yielding a VRF with constrained keys for any set that can be decided by a polynomial-size circuit. 
Our VRFs have the same function values as the Boneh-Waters PRFs and are proved secure under the same hardness assumption, showing that verifiability comes at no cost. Constrained (functional) VRFs were stated as an open problem by Boyle et al."}],"author":[{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer","first_name":"Georg"}],"editor":[{"last_name":"Abdalla","full_name":"Abdalla, Michel","first_name":"Michel"},{"first_name":"Roberto","last_name":"De Prisco","full_name":"De Prisco, Roberto"}],"oa":1,"date_updated":"2021-01-12T06:52:12Z","volume":8642,"publist_id":"5509","_id":"1643","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","call_identifier":"FP7","grant_number":"259668"}],"oa_version":"Submitted Version","user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","month":"01","date_published":"2014-01-01T00:00:00Z","scopus_import":1,"publisher":"Springer","language":[{"iso":"eng"}],"department":[{"_id":"KrPi"}],"conference":{"end_date":"2014-09-05","name":"SCN: Security and Cryptography for Networks","location":"Amalfi, Italy","start_date":"2014-09-03"},"date_created":"2018-12-11T11:53:13Z","day":"01","type":"conference","intvolume":"      8642","status":"public","publication":"SCN 2014","page":"95 - 114"},{"conference":{"name":"Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)"},"date_created":"2018-12-11T11:54:45Z","main_file_link":[{"open_access":"1","url":"http://eprint.iacr.org/2014/416"}],"publisher":"Springer","title":"Adaptive security of constrained PRFs","month":"01","doi":"10.1145/2591796.2591825","year":"2014","date_published":"2014-01-01T00:00:00Z","_id":"1927","extern":1,"acknowledgement":"We are grateful to Mihir Bellare for his feedback on earlier versions of this paper. 
We are indebted to Vanishree Rao for her generous assistance in preparing this proceedings version.","quality_controlled":0,"publist_id":"5167","volume":8874,"oa":1,"date_updated":"2021-01-12T06:54:08Z","page":"173 - 192","intvolume":"      8874","abstract":[{"text":"Constrained pseudorandom functions have recently been introduced independently by Boneh and Waters (Asiacrypt’13), Kiayias et al. (CCS’13), and Boyle et al. (PKC’14). In a standard pseudorandom function (PRF) a key k is used to evaluate the PRF on all inputs in the domain. Constrained PRFs additionally offer the functionality to delegate “constrained” keys k_S which allow to evaluate the PRF only on a subset S of the domain. The three above-mentioned papers all show that the classical GGM construction (J.ACM’86) of a PRF from a pseudorandom generator (PRG) directly yields a constrained PRF where one can compute constrained keys to evaluate the PRF on all inputs with a given prefix. This constrained PRF has already found many interesting applications. Unfortunately, the existing security proofs only show selective security (by a reduction to the security of the underlying PRG). To achieve full security, one has to use complexity leveraging, which loses an exponential factor 2^N in security, where N is the input length. The first contribution of this paper is a new reduction that only loses a quasipolynomial factor q^{log N}, where q is the number of adversarial queries. For this we develop a new proof technique which constructs a distinguisher by interleaving simple guessing steps and hybrid arguments a small number of times. This approach might be of interest also in other contexts where currently the only technique to achieve full security is complexity leveraging. Our second contribution is concerned with another constrained PRF, due to Boneh and Waters, which allows for constrained keys for the more general class of bit-fixing functions. 
Their security proof also suffers from a 2^N loss, which we show is inherent. We construct a meta-reduction which shows that any “simple” reduction of full security from a noninteractive hardness assumption must incur an exponential security loss.","lang":"eng"}],"status":"public","author":[{"first_name":"Georg","last_name":"Fuchsbauer","full_name":"Georg Fuchsbauer","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Momchil","full_name":"Konstantinov, Momchil","last_name":"Konstantinov"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","full_name":"Krzysztof Pietrzak","last_name":"Pietrzak"},{"first_name":"Vanishree","last_name":"Rao","full_name":"Rao, Vanishree"}],"publication_status":"published","citation":{"short":"G. Fuchsbauer, M. Konstantinov, K.Z. Pietrzak, V. Rao, in:, Springer, 2014, pp. 173–192.","ista":"Fuchsbauer G, Konstantinov M, Pietrzak KZ, Rao V. 2014. Adaptive security of constrained PRFs. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) vol. 8874, 173–192.","mla":"Fuchsbauer, Georg, et al. <i>Adaptive Security of Constrained PRFs</i>. Vol. 8874, Springer, 2014, pp. 173–92, doi:<a href=\"https://doi.org/10.1145/2591796.2591825\">10.1145/2591796.2591825</a>.","ama":"Fuchsbauer G, Konstantinov M, Pietrzak KZ, Rao V. Adaptive security of constrained PRFs. In: Vol 8874. Springer; 2014:173-192. doi:<a href=\"https://doi.org/10.1145/2591796.2591825\">10.1145/2591796.2591825</a>","chicago":"Fuchsbauer, Georg, Momchil Konstantinov, Krzysztof Z Pietrzak, and Vanishree Rao. “Adaptive Security of Constrained PRFs,” 8874:173–92. Springer, 2014. <a href=\"https://doi.org/10.1145/2591796.2591825\">https://doi.org/10.1145/2591796.2591825</a>.","apa":"Fuchsbauer, G., Konstantinov, M., Pietrzak, K. Z., &#38; Rao, V. (2014). Adaptive security of constrained PRFs (Vol. 8874, pp. 173–192). 
Presented at the Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer. <a href=\"https://doi.org/10.1145/2591796.2591825\">https://doi.org/10.1145/2591796.2591825</a>","ieee":"G. Fuchsbauer, M. Konstantinov, K. Z. Pietrzak, and V. Rao, “Adaptive security of constrained PRFs,” presented at the Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2014, vol. 8874, pp. 173–192."},"day":"01","type":"conference"},{"publication":"Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)","page":"329 - 344","intvolume":"      8383","status":"public","day":"01","type":"conference","conference":{"start_date":"2014-03-26","end_date":"2014-03-28","location":"Buenos Aires, Argentina","name":"PKC: Public Key Crypography"},"date_created":"2018-12-11T11:55:24Z","department":[{"_id":"KrPi"}],"scopus_import":1,"publisher":"Springer","language":[{"iso":"eng"}],"month":"01","date_published":"2014-01-01T00:00:00Z","_id":"2045","oa_version":"Submitted Version","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","call_identifier":"FP7","grant_number":"259668"}],"quality_controlled":"1","user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","acknowledgement":"The second author was supported by EPSRC grant EP/H043454/1.","editor":[{"full_name":"Krawczyk, Hugo","last_name":"Krawczyk","first_name":"Hugo"}],"publist_id":"5006","volume":8383,"date_updated":"2021-01-12T06:54:57Z","oa":1,"abstract":[{"lang":"eng","text":"We introduce and study a new notion of enhanced chosen-ciphertext security (ECCA) for public-key encryption. 
Loosely speaking, in the ECCA security experiment, the decryption oracle provided to the adversary is augmented to return not only the output of the decryption algorithm on a queried ciphertext but also of a randomness-recovery algorithm associated to the scheme. Our results mainly concern the case where the randomness-recovery algorithm is efficient. We provide constructions of ECCA-secure encryption from adaptive trapdoor functions as defined by Kiltz et al. (EUROCRYPT 2010), resulting in ECCA encryption from standard number-theoretic assumptions. We then give two applications of ECCA-secure encryption: (1) We use it as a unifying concept in showing equivalence of adaptive trapdoor functions and tag-based adaptive trapdoor functions, resolving an open question of Kiltz et al. (2) We show that ECCA-secure encryption can be used to securely realize an approach to public-key encryption with non-interactive opening (PKENO) originally suggested by Damgård and Thorbek (EUROCRYPT 2007), resulting in new and practical PKENO schemes quite different from those in prior work. Our results demonstrate that ECCA security is of both practical and theoretical interest."}],"author":[{"first_name":"Dana","full_name":"Dachman Soled, Dana","last_name":"Dachman Soled"},{"full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer","first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Mohassel","full_name":"Mohassel, Payman","first_name":"Payman"},{"full_name":"O’Neill, Adam","last_name":"O’Neill","first_name":"Adam"}],"citation":{"apa":"Dachman Soled, D., Fuchsbauer, G., Mohassel, P., &#38; O’Neill, A. (2014). Enhanced chosen-ciphertext security and applications. In H. Krawczyk (Ed.), <i>Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i> (Vol. 8383, pp. 329–344). Buenos Aires, Argentina: Springer. 
<a href=\"https://doi.org/10.1007/978-3-642-54631-0_19\">https://doi.org/10.1007/978-3-642-54631-0_19</a>","ieee":"D. Dachman Soled, G. Fuchsbauer, P. Mohassel, and A. O’Neill, “Enhanced chosen-ciphertext security and applications,” in <i>Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>, Buenos Aires, Argentina, 2014, vol. 8383, pp. 329–344.","chicago":"Dachman Soled, Dana, Georg Fuchsbauer, Payman Mohassel, and Adam O’Neill. “Enhanced Chosen-Ciphertext Security and Applications.” In <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>, edited by Hugo Krawczyk, 8383:329–44. Springer, 2014. <a href=\"https://doi.org/10.1007/978-3-642-54631-0_19\">https://doi.org/10.1007/978-3-642-54631-0_19</a>.","ama":"Dachman Soled D, Fuchsbauer G, Mohassel P, O’Neill A. Enhanced chosen-ciphertext security and applications. In: Krawczyk H, ed. <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>. Vol 8383. Springer; 2014:329-344. doi:<a href=\"https://doi.org/10.1007/978-3-642-54631-0_19\">10.1007/978-3-642-54631-0_19</a>","mla":"Dachman Soled, Dana, et al. “Enhanced Chosen-Ciphertext Security and Applications.” <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>, edited by Hugo Krawczyk, vol. 8383, Springer, 2014, pp. 329–44, doi:<a href=\"https://doi.org/10.1007/978-3-642-54631-0_19\">10.1007/978-3-642-54631-0_19</a>.","ista":"Dachman Soled D, Fuchsbauer G, Mohassel P, O’Neill A. 2014. Enhanced chosen-ciphertext security and applications. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). PKC: Public Key Crypography, LNCS, vol. 
8383, 329–344.","short":"D. Dachman Soled, G. Fuchsbauer, P. Mohassel, A. O’Neill, in:, H. Krawczyk (Ed.), Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer, 2014, pp. 329–344."},"publication_status":"published","alternative_title":["LNCS"],"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2012/543"}],"title":"Enhanced chosen-ciphertext security and applications","doi":"10.1007/978-3-642-54631-0_19","year":"2014","ec_funded":1},{"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2013/413"}],"alternative_title":["LNCS"],"ec_funded":1,"doi":"10.1007/978-3-642-54631-0_30","year":"2014","title":"Policy-based signatures","volume":8383,"publist_id":"5005","oa":1,"date_updated":"2021-01-12T06:54:57Z","editor":[{"first_name":"Hugo","full_name":"Krawczyk, Hugo","last_name":"Krawczyk"}],"acknowledgement":"Part of his work was done while at Bristol University, supported by EPSRC grant EP/H043454/1.","user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","oa_version":"Submitted Version","project":[{"grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","call_identifier":"FP7"}],"quality_controlled":"1","_id":"2046","publication_status":"published","citation":{"apa":"Bellare, M., &#38; Fuchsbauer, G. (2014). Policy-based signatures. In H. Krawczyk (Ed.), <i>Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i> (Vol. 8383, pp. 520–537). Buenos Aires, Argentina: Springer. <a href=\"https://doi.org/10.1007/978-3-642-54631-0_30\">https://doi.org/10.1007/978-3-642-54631-0_30</a>","ieee":"M. Bellare and G. 
Fuchsbauer, “Policy-based signatures,” in <i>Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>, Buenos Aires, Argentina, 2014, vol. 8383, pp. 520–537.","chicago":"Bellare, Mihir, and Georg Fuchsbauer. “Policy-Based Signatures.” In <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>, edited by Hugo Krawczyk, 8383:520–37. Springer, 2014. <a href=\"https://doi.org/10.1007/978-3-642-54631-0_30\">https://doi.org/10.1007/978-3-642-54631-0_30</a>.","mla":"Bellare, Mihir, and Georg Fuchsbauer. “Policy-Based Signatures.” <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>, edited by Hugo Krawczyk, vol. 8383, Springer, 2014, pp. 520–37, doi:<a href=\"https://doi.org/10.1007/978-3-642-54631-0_30\">10.1007/978-3-642-54631-0_30</a>.","ama":"Bellare M, Fuchsbauer G. Policy-based signatures. In: Krawczyk H, ed. <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>. Vol 8383. Springer; 2014:520-537. doi:<a href=\"https://doi.org/10.1007/978-3-642-54631-0_30\">10.1007/978-3-642-54631-0_30</a>","ista":"Bellare M, Fuchsbauer G. 2014. Policy-based signatures. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). PKC: Public Key Crypography, LNCS, vol. 8383, 520–537.","short":"M. Bellare, G. Fuchsbauer, in:, H. Krawczyk (Ed.), Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer, 2014, pp. 
520–537."},"author":[{"first_name":"Mihir","last_name":"Bellare","full_name":"Bellare, Mihir"},{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer","first_name":"Georg"}],"abstract":[{"text":"We introduce policy-based signatures (PBS), where a signer can only sign messages conforming to some authority-specified policy. The main requirements are unforgeability and privacy, the latter meaning that signatures not reveal the policy. PBS offers value along two fronts: (1) On the practical side, they allow a corporation to control what messages its employees can sign under the corporate key. (2) On the theoretical side, they unify existing work, capturing other forms of signatures as special cases or allowing them to be easily built. Our work focuses on definitions of PBS, proofs that this challenging primitive is realizable for arbitrary policies, efficient constructions for specific policies, and a few representative applications.","lang":"eng"}],"department":[{"_id":"KrPi"}],"date_created":"2018-12-11T11:55:24Z","conference":{"name":"PKC: Public Key Crypography","location":"Buenos Aires, Argentina","end_date":"2014-05-28","start_date":"2014-05-26"},"date_published":"2014-01-01T00:00:00Z","month":"01","language":[{"iso":"eng"}],"publisher":"Springer","scopus_import":1,"page":"520 - 537","publication":"Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)","type":"conference","day":"01","status":"public","intvolume":"      8383"},{"title":"Efficient signatures of knowledge and DAA in the standard model","year":"2013","doi":"10.1007/978-3-642-38980-1_33","main_file_link":[{"url":"http://eprint.iacr.org/2012/475","open_access":"1"}],"alternative_title":["LNCS"],"author":[{"full_name":"Bernhard, David","last_name":"Bernhard","first_name":"David"},{"first_name":"Georg","last_name":"Fuchsbauer","full_name":"Fuchsbauer, 
Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Ghadafi, Essam","last_name":"Ghadafi","first_name":"Essam"}],"abstract":[{"text":"Direct Anonymous Attestation (DAA) is one of the most complex cryptographic protocols deployed in practice. It allows an embedded secure processor known as a Trusted Platform Module (TPM) to attest to the configuration of its host computer without violating the owner’s privacy. DAA has been standardized by the Trusted Computing Group and ISO/IEC.\r\n\r\nThe security of the DAA standard and all existing schemes is analyzed in the random-oracle model. We provide the first constructions of DAA in the standard model, that is, without relying on random oracles. Our constructions use new building blocks, including the first efficient signatures of knowledge in the standard model, which have many applications beyond DAA.\r\n","lang":"eng"}],"publication_status":"published","citation":{"ieee":"D. Bernhard, G. Fuchsbauer, and E. Ghadafi, “Efficient signatures of knowledge and DAA in the standard model,” vol. 7954. Springer, pp. 518–533, 2013.","apa":"Bernhard, D., Fuchsbauer, G., &#38; Ghadafi, E. (2013). Efficient signatures of knowledge and DAA in the standard model. Presented at the ACNS: Applied Cryptography and Network Security, Banff, AB, Canada: Springer. <a href=\"https://doi.org/10.1007/978-3-642-38980-1_33\">https://doi.org/10.1007/978-3-642-38980-1_33</a>","chicago":"Bernhard, David, Georg Fuchsbauer, and Essam Ghadafi. “Efficient Signatures of Knowledge and DAA in the Standard Model.” Lecture Notes in Computer Science. Springer, 2013. <a href=\"https://doi.org/10.1007/978-3-642-38980-1_33\">https://doi.org/10.1007/978-3-642-38980-1_33</a>.","mla":"Bernhard, David, et al. <i>Efficient Signatures of Knowledge and DAA in the Standard Model</i>. Vol. 7954, Springer, 2013, pp. 518–33, doi:<a href=\"https://doi.org/10.1007/978-3-642-38980-1_33\">10.1007/978-3-642-38980-1_33</a>.","ama":"Bernhard D, Fuchsbauer G, Ghadafi E. 
Efficient signatures of knowledge and DAA in the standard model. 2013;7954:518-533. doi:<a href=\"https://doi.org/10.1007/978-3-642-38980-1_33\">10.1007/978-3-642-38980-1_33</a>","ista":"Bernhard D, Fuchsbauer G, Ghadafi E. 2013. Efficient signatures of knowledge and DAA in the standard model. 7954, 518–533.","short":"D. Bernhard, G. Fuchsbauer, E. Ghadafi, 7954 (2013) 518–533."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","oa_version":"Submitted Version","quality_controlled":"1","_id":"2260","publist_id":"4686","date_updated":"2020-08-11T10:09:44Z","oa":1,"volume":7954,"language":[{"iso":"eng"}],"publisher":"Springer","scopus_import":1,"date_published":"2013-06-01T00:00:00Z","month":"06","date_created":"2018-12-11T11:56:37Z","conference":{"location":"Banff, AB, Canada","name":"ACNS: Applied Cryptography and Network Security","end_date":"2013-06-28","start_date":"2013-06-25"},"department":[{"_id":"KrPi"}],"status":"public","intvolume":"      7954","type":"conference","series_title":"Lecture Notes in Computer Science","day":"01","page":"518 - 533"},{"publisher":"IEEE","title":"Cryptographically enforced RBAC","scopus_import":1,"language":[{"iso":"eng"}],"year":"2013","doi":"10.1109/CSF.2013.15","month":"09","date_published":"2013-09-01T00:00:00Z","conference":{"name":"CSF: Computer Security Foundations","location":"New Orleans, LA, United States","end_date":"2013-09-28","start_date":"2013-09-26"},"date_created":"2018-12-11T11:56:48Z","department":[{"_id":"KrPi"}],"main_file_link":[{"url":"http://eprint.iacr.org/2013/492","open_access":"1"}],"abstract":[{"text":"Cryptographic access control promises to offer easily distributed trust and broader applicability, while reducing reliance on low-level online monitors. Traditional implementations of cryptographic access control rely on simple cryptographic primitives whereas recent endeavors employ primitives with richer functionality and security guarantees. 
Worryingly, few of the existing cryptographic access-control schemes come with precise guarantees, the gap between the policy specification and the implementation being analyzed only informally, if at all. In this paper we begin addressing this shortcoming. Unlike prior work that targeted ad-hoc policy specification, we look at the well-established Role-Based Access Control (RBAC) model, as used in a typical file system. In short, we provide a precise syntax for a computational version of RBAC, offer rigorous definitions for cryptographic policy enforcement of a large class of RBAC security policies, and demonstrate that an implementation based on attribute-based encryption meets our security notions. We view our main contribution as being at the conceptual level. Although we work with RBAC for concreteness, our general methodology could guide future research for uses of cryptography in other access-control models. \r\n","lang":"eng"}],"status":"public","author":[{"last_name":"Ferrara","full_name":"Ferrara, Anna","first_name":"Anna"},{"first_name":"Georg","full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Warinschi","full_name":"Warinschi, Bogdan","first_name":"Bogdan"}],"publication_status":"published","citation":{"ieee":"A. Ferrara, G. Fuchsbauer, and B. Warinschi, “Cryptographically enforced RBAC,” presented at the CSF: Computer Security Foundations, New Orleans, LA, United States, 2013, pp. 115–129.","apa":"Ferrara, A., Fuchsbauer, G., &#38; Warinschi, B. (2013). Cryptographically enforced RBAC (pp. 115–129). Presented at the CSF: Computer Security Foundations, New Orleans, LA, United States: IEEE. <a href=\"https://doi.org/10.1109/CSF.2013.15\">https://doi.org/10.1109/CSF.2013.15</a>","chicago":"Ferrara, Anna, Georg Fuchsbauer, and Bogdan Warinschi. “Cryptographically Enforced RBAC,” 115–29. IEEE, 2013. 
<a href=\"https://doi.org/10.1109/CSF.2013.15\">https://doi.org/10.1109/CSF.2013.15</a>.","mla":"Ferrara, Anna, et al. <i>Cryptographically Enforced RBAC</i>. IEEE, 2013, pp. 115–29, doi:<a href=\"https://doi.org/10.1109/CSF.2013.15\">10.1109/CSF.2013.15</a>.","ama":"Ferrara A, Fuchsbauer G, Warinschi B. Cryptographically enforced RBAC. In: IEEE; 2013:115-129. doi:<a href=\"https://doi.org/10.1109/CSF.2013.15\">10.1109/CSF.2013.15</a>","short":"A. Ferrara, G. Fuchsbauer, B. Warinschi, in:, IEEE, 2013, pp. 115–129.","ista":"Ferrara A, Fuchsbauer G, Warinschi B. 2013. Cryptographically enforced RBAC. CSF: Computer Security Foundations, 115–129."},"day":"01","type":"conference","_id":"2291","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","quality_controlled":"1","oa_version":"Submitted Version","oa":1,"publist_id":"4637","date_updated":"2021-01-12T06:56:34Z","page":"115 - 129"},{"language":[{"iso":"eng"}],"title":"Short blind signatures","scopus_import":1,"publisher":"IOS Press","date_published":"2013-11-22T00:00:00Z","doi":"10.3233/JCS-130477","year":"2013","month":"11","date_created":"2018-12-11T11:46:50Z","department":[{"_id":"KrPi"}],"status":"public","author":[{"first_name":"Olivier","full_name":"Blazy, Olivier","last_name":"Blazy"},{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg","full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer"},{"first_name":"David","full_name":"Pointcheval, David","last_name":"Pointcheval"},{"last_name":"Vergnaud","full_name":"Vergnaud, Damien","first_name":"Damien"}],"abstract":[{"lang":"eng","text":"Blind signatures allow users to obtain signatures on messages hidden from the signer; moreover, the signer cannot link the resulting message/signature pair to the signing session. This paper presents blind signature schemes, in which the number of interactions between the user and the signer is minimal and whose blind signatures are short. 
Our schemes are defined over bilinear groups and are proved secure in the common-reference-string model without random oracles and under standard assumptions: CDH and the decision-linear assumption. (We also give variants over asymmetric groups based on similar assumptions.) The blind signatures are Waters signatures, which consist of 2 group elements. Moreover, we instantiate partially blind signatures, where the message consists of a part hidden from the signer and a commonly known public part, and schemes achieving perfect blindness. We propose new variants of blind signatures, such as signer-friendly partially blind signatures, where the public part can be chosen by the signer without prior agreement, 3-party blind signatures, as well as blind signatures on multiple aggregated messages provided by independent sources. We also extend Waters signatures to non-binary alphabets by proving a new result on the underlying hash function. "}],"intvolume":"        21","type":"journal_article","day":"22","citation":{"ieee":"O. Blazy, G. Fuchsbauer, D. Pointcheval, and D. Vergnaud, “Short blind signatures,” <i>Journal of Computer Security</i>, vol. 21, no. 5. IOS Press, pp. 627–661, 2013.","apa":"Blazy, O., Fuchsbauer, G., Pointcheval, D., &#38; Vergnaud, D. (2013). Short blind signatures. <i>Journal of Computer Security</i>. IOS Press. <a href=\"https://doi.org/10.3233/JCS-130477\">https://doi.org/10.3233/JCS-130477</a>","chicago":"Blazy, Olivier, Georg Fuchsbauer, David Pointcheval, and Damien Vergnaud. “Short Blind Signatures.” <i>Journal of Computer Security</i>. IOS Press, 2013. <a href=\"https://doi.org/10.3233/JCS-130477\">https://doi.org/10.3233/JCS-130477</a>.","mla":"Blazy, Olivier, et al. “Short Blind Signatures.” <i>Journal of Computer Security</i>, vol. 21, no. 5, IOS Press, 2013, pp. 627–61, doi:<a href=\"https://doi.org/10.3233/JCS-130477\">10.3233/JCS-130477</a>.","ama":"Blazy O, Fuchsbauer G, Pointcheval D, Vergnaud D. Short blind signatures. 
<i>Journal of Computer Security</i>. 2013;21(5):627-661. doi:<a href=\"https://doi.org/10.3233/JCS-130477\">10.3233/JCS-130477</a>","ista":"Blazy O, Fuchsbauer G, Pointcheval D, Vergnaud D. 2013. Short blind signatures. Journal of Computer Security. 21(5), 627–661.","short":"O. Blazy, G. Fuchsbauer, D. Pointcheval, D. Vergnaud, Journal of Computer Security 21 (2013) 627–661."},"publication_status":"published","oa_version":"None","quality_controlled":"1","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","_id":"502","page":"627 - 661","volume":21,"date_updated":"2021-01-12T08:01:09Z","publist_id":"7318","publication":"Journal of Computer Security","issue":"5"}]
