---
_id: '7896'
abstract:
- lang: eng
  text: "A search problem lies in the complexity class FNP if a solution to the given
    instance of the problem can be verified efficiently. The complexity class TFNP
    consists of all search problems in FNP that are total in the sense that a solution
    is guaranteed to exist. TFNP contains a host of interesting problems from fields
    such as algorithmic game theory, computational topology, number theory and combinatorics.
    Since TFNP is a semantic class, it is unlikely to have a complete problem. Instead,
    one studies its syntactic subclasses which are defined based on the combinatorial
    principle used to argue totality. Of particular interest is the subclass PPAD,
    which contains important problems\r\nlike computing Nash equilibrium for bimatrix
    games and computational counterparts of several fixed-point theorems as complete.
    In the thesis, we undertake the study of averagecase hardness of TFNP, and in
    particular its subclass PPAD.\r\nAlmost nothing was known about average-case hardness
    of PPAD before a series of recent results showed how to achieve it using a cryptographic
    primitive called program obfuscation.\r\nHowever, it is currently not known how
    to construct program obfuscation from standard cryptographic assumptions. Therefore,
    it is desirable to relax the assumption under which average-case hardness of PPAD
    can be shown. In the thesis we take a step in this direction. First, we show that
    assuming the (average-case) hardness of a numbertheoretic\r\nproblem related to
    factoring of integers, which we call Iterated-Squaring, PPAD is hard-on-average
    in the random-oracle model. Then we strengthen this result to show that the average-case
    hardness of PPAD reduces to the (adaptive) soundness of the Fiat-Shamir Transform,
    a well-known technique used to compile a public-coin interactive protocol into
    a non-interactive one. As a corollary, we obtain average-case hardness for PPAD
    in the random-oracle model assuming the worst-case hardness of #SAT. Moreover,
    the above results can all be strengthened to obtain average-case hardness for
    the class CLS ⊆ PPAD.\r\nOur main technical contribution is constructing incrementally-verifiable
    procedures for computing Iterated-Squaring and #SAT. By incrementally-verifiable,
    we mean that every intermediate state of the computation includes a proof of its
    correctness, and the proof can be updated and verified in polynomial time. Previous
    constructions of such procedures relied on strong, non-standard assumptions. Instead,
    we introduce a technique called recursive proof-merging to obtain the same from
    weaker assumptions. "
alternative_title:
- ISTA Thesis
article_processing_charge: No
author:
- first_name: Chethan
  full_name: Kamath Hosdurg, Chethan
  id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
  last_name: Kamath Hosdurg
citation:
  ama: Kamath Hosdurg C. On the average-case hardness of total search problems. 2020.
    doi:<a href="https://doi.org/10.15479/AT:ISTA:7896">10.15479/AT:ISTA:7896</a>
  apa: Kamath Hosdurg, C. (2020). <i>On the average-case hardness of total search
    problems</i>. Institute of Science and Technology Austria. <a href="https://doi.org/10.15479/AT:ISTA:7896">https://doi.org/10.15479/AT:ISTA:7896</a>
  chicago: Kamath Hosdurg, Chethan. “On the Average-Case Hardness of Total Search
    Problems.” Institute of Science and Technology Austria, 2020. <a href="https://doi.org/10.15479/AT:ISTA:7896">https://doi.org/10.15479/AT:ISTA:7896</a>.
  ieee: C. Kamath Hosdurg, “On the average-case hardness of total search problems,”
    Institute of Science and Technology Austria, 2020.
  ista: Kamath Hosdurg C. 2020. On the average-case hardness of total search problems.
    Institute of Science and Technology Austria.
  mla: Kamath Hosdurg, Chethan. <i>On the Average-Case Hardness of Total Search Problems</i>.
    Institute of Science and Technology Austria, 2020, doi:<a href="https://doi.org/10.15479/AT:ISTA:7896">10.15479/AT:ISTA:7896</a>.
  short: C. Kamath Hosdurg, On the Average-Case Hardness of Total Search Problems,
    Institute of Science and Technology Austria, 2020.
date_created: 2020-05-26T14:08:55Z
date_published: 2020-05-25T00:00:00Z
date_updated: 2023-09-07T13:15:55Z
day: '25'
ddc:
- '000'
degree_awarded: PhD
department:
- _id: KrPi
doi: 10.15479/AT:ISTA:7896
ec_funded: 1
file:
- access_level: open_access
  checksum: b39e2e1c376f5819b823fb7077491c64
  content_type: application/pdf
  creator: dernst
  date_created: 2020-05-26T14:08:13Z
  date_updated: 2020-07-14T12:48:04Z
  file_id: '7897'
  file_name: 2020_Thesis_Kamath.pdf
  file_size: 1622742
  relation: main_file
- access_level: closed
  checksum: 8b26ba729c1a85ac6bea775f5d73cdc7
  content_type: application/x-zip-compressed
  creator: dernst
  date_created: 2020-05-26T14:08:23Z
  date_updated: 2020-07-14T12:48:04Z
  file_id: '7898'
  file_name: Thesis_Kamath.zip
  file_size: 15301529
  relation: source_file
file_date_updated: 2020-07-14T12:48:04Z
has_accepted_license: '1'
language:
- iso: eng
license: https://creativecommons.org/licenses/by/4.0/
month: '05'
oa: 1
oa_version: Published Version
page: '126'
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
publication_identifier:
  issn:
  - 2663-337X
publication_status: published
publisher: Institute of Science and Technology Austria
related_material:
  record:
  - id: '6677'
    relation: part_of_dissertation
    status: public
status: public
supervisor:
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
title: On the average-case hardness of total search problems
tmp:
  image: /images/cc_by.png
  legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
  name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
  short: CC BY (4.0)
type: dissertation
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
year: '2020'
...
---
_id: '107'
abstract:
- lang: eng
  text: 'We introduce the notion of “non-malleable codes” which relaxes the notion
    of error correction and error detection. Informally, a code is non-malleable if
    the message contained in a modified codeword is either the original message, or
    a completely unrelated value. In contrast to error correction and error detection,
    non-malleability can be achieved for very rich classes of modifications. We construct
    an efficient code that is non-malleable with respect to modifications that affect
    each bit of the codeword arbitrarily (i.e., leave it untouched, flip it, or set
    it to either 0 or 1), but independently of the value of the other bits of the
    codeword. Using the probabilistic method, we also show a very strong and general
    statement: there exists a non-malleable code for every “small enough” family F
    of functions via which codewords can be modified. Although this probabilistic
    method argument does not directly yield efficient constructions, it gives us efficient
    non-malleable codes in the random-oracle model for very general classes of tampering
    functions—e.g., functions where every bit in the tampered codeword can depend
    arbitrarily on any 99% of the bits in the original codeword. As an application
    of non-malleable codes, we show that they provide an elegant algorithmic solution
    to the task of protecting functionalities implemented in hardware (e.g., signature
    cards) against “tampering attacks.” In such attacks, the secret state of a physical
    system is tampered, in the hopes that future interaction with the modified system
    will reveal some secret information. This problem was previously studied in the
    work of Gennaro et al. in 2004 under the name “algorithmic tamper proof security”
    (ATP). We show that non-malleable codes can be used to achieve important improvements
    over the prior work. In particular, we show that any functionality can be made
    secure against a large class of tampering attacks, simply by encoding the secret
    state with a non-malleable code while it is stored in memory.'
article_number: '20'
article_processing_charge: No
article_type: original
author:
- first_name: Stefan
  full_name: Dziembowski, Stefan
  last_name: Dziembowski
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Daniel
  full_name: Wichs, Daniel
  last_name: Wichs
citation:
  ama: Dziembowski S, Pietrzak KZ, Wichs D. Non-malleable codes. <i>Journal of the
    ACM</i>. 2018;65(4). doi:<a href="https://doi.org/10.1145/3178432">10.1145/3178432</a>
  apa: Dziembowski, S., Pietrzak, K. Z., &#38; Wichs, D. (2018). Non-malleable codes.
    <i>Journal of the ACM</i>. ACM. <a href="https://doi.org/10.1145/3178432">https://doi.org/10.1145/3178432</a>
  chicago: Dziembowski, Stefan, Krzysztof Z Pietrzak, and Daniel Wichs. “Non-Malleable
    Codes.” <i>Journal of the ACM</i>. ACM, 2018. <a href="https://doi.org/10.1145/3178432">https://doi.org/10.1145/3178432</a>.
  ieee: S. Dziembowski, K. Z. Pietrzak, and D. Wichs, “Non-malleable codes,” <i>Journal
    of the ACM</i>, vol. 65, no. 4. ACM, 2018.
  ista: Dziembowski S, Pietrzak KZ, Wichs D. 2018. Non-malleable codes. Journal of
    the ACM. 65(4), 20.
  mla: Dziembowski, Stefan, et al. “Non-Malleable Codes.” <i>Journal of the ACM</i>,
    vol. 65, no. 4, 20, ACM, 2018, doi:<a href="https://doi.org/10.1145/3178432">10.1145/3178432</a>.
  short: S. Dziembowski, K.Z. Pietrzak, D. Wichs, Journal of the ACM 65 (2018).
date_created: 2018-12-11T11:44:40Z
date_published: 2018-08-01T00:00:00Z
date_updated: 2023-09-13T09:05:17Z
day: '01'
department:
- _id: KrPi
doi: 10.1145/3178432
ec_funded: 1
external_id:
  isi:
  - '000442938200004'
intvolume: '        65'
isi: 1
issue: '4'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2009/608
month: '08'
oa: 1
oa_version: Preprint
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication: Journal of the ACM
publication_status: published
publisher: ACM
publist_id: '7947'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Non-malleable codes
type: journal_article
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 65
year: '2018'
...
---
_id: '83'
abstract:
- lang: eng
  text: "A proof system is a protocol between a prover and a verifier over a common
    input in which an honest prover convinces the verifier of the validity of true
    statements. Motivated by the success of decentralized cryptocurrencies, exemplified
    by Bitcoin, the focus of this thesis will be on proof systems which found applications
    in some sustainable alternatives to Bitcoin, such as the Spacemint and Chia cryptocurrencies.
    In particular, we focus on proofs of space and proofs of sequential work.\r\nProofs
    of space (PoSpace) were suggested as more ecological, economical, and egalitarian
    alternative to the energy-wasteful proof-of-work mining of Bitcoin. However, the
    state-of-the-art constructions of PoSpace are based on sophisticated graph pebbling
    lower bounds, and are therefore complex. Moreover, when these PoSpace are used
    in cryptocurrencies like Spacemint, miners can only start mining after ensuring
    that a commitment to their space is already added in a special transaction to
    the blockchain. Proofs of sequential work (PoSW) are proof systems in which a
    prover, upon receiving a statement x and a time parameter T, computes a proof
    which convinces the verifier that T time units had passed since x was received.
    Whereas Spacemint assumes synchrony to retain some interesting Bitcoin dynamics,
    Chia requires PoSW with unique proofs, i.e., PoSW in which it is hard to come
    up with more than one accepting proof for any true statement. In this thesis we
    construct simple and practically-efficient PoSpace and PoSW. When using our PoSpace
    in cryptocurrencies, miners can start mining on the fly, like in Bitcoin, and
    unlike current constructions of PoSW, which either achieve efficient verification
    of sequential work, or faster-than-recomputing verification of correctness of
    proofs, but not both at the same time, ours achieve the best of these two worlds."
alternative_title:
- ISTA Thesis
article_processing_charge: No
author:
- first_name: Hamza M
  full_name: Abusalah, Hamza M
  id: 40297222-F248-11E8-B48F-1D18A9856A87
  last_name: Abusalah
citation:
  ama: Abusalah HM. Proof systems for sustainable decentralized cryptocurrencies.
    2018. doi:<a href="https://doi.org/10.15479/AT:ISTA:TH_1046">10.15479/AT:ISTA:TH_1046</a>
  apa: Abusalah, H. M. (2018). <i>Proof systems for sustainable decentralized cryptocurrencies</i>.
    Institute of Science and Technology Austria. <a href="https://doi.org/10.15479/AT:ISTA:TH_1046">https://doi.org/10.15479/AT:ISTA:TH_1046</a>
  chicago: Abusalah, Hamza M. “Proof Systems for Sustainable Decentralized Cryptocurrencies.”
    Institute of Science and Technology Austria, 2018. <a href="https://doi.org/10.15479/AT:ISTA:TH_1046">https://doi.org/10.15479/AT:ISTA:TH_1046</a>.
  ieee: H. M. Abusalah, “Proof systems for sustainable decentralized cryptocurrencies,”
    Institute of Science and Technology Austria, 2018.
  ista: Abusalah HM. 2018. Proof systems for sustainable decentralized cryptocurrencies.
    Institute of Science and Technology Austria.
  mla: Abusalah, Hamza M. <i>Proof Systems for Sustainable Decentralized Cryptocurrencies</i>.
    Institute of Science and Technology Austria, 2018, doi:<a href="https://doi.org/10.15479/AT:ISTA:TH_1046">10.15479/AT:ISTA:TH_1046</a>.
  short: H.M. Abusalah, Proof Systems for Sustainable Decentralized Cryptocurrencies,
    Institute of Science and Technology Austria, 2018.
date_created: 2018-12-11T11:44:32Z
date_published: 2018-09-05T00:00:00Z
date_updated: 2023-09-07T12:30:23Z
day: '05'
ddc:
- '004'
degree_awarded: PhD
department:
- _id: KrPi
doi: 10.15479/AT:ISTA:TH_1046
ec_funded: 1
file:
- access_level: open_access
  checksum: c4b5f7d111755d1396787f41886fc674
  content_type: application/pdf
  creator: dernst
  date_created: 2019-04-09T06:43:41Z
  date_updated: 2020-07-14T12:48:11Z
  file_id: '6245'
  file_name: 2018_Thesis_Abusalah.pdf
  file_size: 876241
  relation: main_file
- access_level: closed
  checksum: 0f382ac56b471c48fd907d63eb87dafe
  content_type: application/x-gzip
  creator: dernst
  date_created: 2019-04-09T06:43:41Z
  date_updated: 2020-07-14T12:48:11Z
  file_id: '6246'
  file_name: 2018_Thesis_Abusalah_source.tar.gz
  file_size: 2029190
  relation: source_file
file_date_updated: 2020-07-14T12:48:11Z
has_accepted_license: '1'
language:
- iso: eng
month: '09'
oa: 1
oa_version: Published Version
page: '59'
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
publication_identifier:
  issn:
  - 2663-337X
publication_status: published
publisher: Institute of Science and Technology Austria
publist_id: '7971'
pubrep_id: '1046'
related_material:
  record:
  - id: '1229'
    relation: part_of_dissertation
    status: public
  - id: '1235'
    relation: part_of_dissertation
    status: public
  - id: '1236'
    relation: part_of_dissertation
    status: public
  - id: '559'
    relation: part_of_dissertation
    status: public
status: public
supervisor:
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
title: Proof systems for sustainable decentralized cryptocurrencies
type: dissertation
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
year: '2018'
...
---
_id: '1187'
abstract:
- lang: eng
  text: We construct efficient authentication protocols and message authentication
    codes (MACs) whose security can be reduced to the learning parity with noise (LPN)
    problem. Despite a large body of work—starting with the (Formula presented.) protocol
    of Hopper and Blum in 2001—until now it was not even known how to construct an
    efficient authentication protocol from LPN which is secure against man-in-the-middle
    attacks. A MAC implies such a (two-round) protocol.
article_processing_charge: No
article_type: original
author:
- first_name: Eike
  full_name: Kiltz, Eike
  last_name: Kiltz
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Daniele
  full_name: Venturi, Daniele
  last_name: Venturi
- first_name: David
  full_name: Cash, David
  last_name: Cash
- first_name: Abhishek
  full_name: Jain, Abhishek
  last_name: Jain
citation:
  ama: Kiltz E, Pietrzak KZ, Venturi D, Cash D, Jain A. Efficient authentication from
    hard learning problems. <i>Journal of Cryptology</i>. 2017;30(4):1238-1275. doi:<a
    href="https://doi.org/10.1007/s00145-016-9247-3">10.1007/s00145-016-9247-3</a>
  apa: Kiltz, E., Pietrzak, K. Z., Venturi, D., Cash, D., &#38; Jain, A. (2017). Efficient
    authentication from hard learning problems. <i>Journal of Cryptology</i>. Springer.
    <a href="https://doi.org/10.1007/s00145-016-9247-3">https://doi.org/10.1007/s00145-016-9247-3</a>
  chicago: Kiltz, Eike, Krzysztof Z Pietrzak, Daniele Venturi, David Cash, and Abhishek
    Jain. “Efficient Authentication from Hard Learning Problems.” <i>Journal of Cryptology</i>.
    Springer, 2017. <a href="https://doi.org/10.1007/s00145-016-9247-3">https://doi.org/10.1007/s00145-016-9247-3</a>.
  ieee: E. Kiltz, K. Z. Pietrzak, D. Venturi, D. Cash, and A. Jain, “Efficient authentication
    from hard learning problems,” <i>Journal of Cryptology</i>, vol. 30, no. 4. Springer,
    pp. 1238–1275, 2017.
  ista: Kiltz E, Pietrzak KZ, Venturi D, Cash D, Jain A. 2017. Efficient authentication
    from hard learning problems. Journal of Cryptology. 30(4), 1238–1275.
  mla: Kiltz, Eike, et al. “Efficient Authentication from Hard Learning Problems.”
    <i>Journal of Cryptology</i>, vol. 30, no. 4, Springer, 2017, pp. 1238–75, doi:<a
    href="https://doi.org/10.1007/s00145-016-9247-3">10.1007/s00145-016-9247-3</a>.
  short: E. Kiltz, K.Z. Pietrzak, D. Venturi, D. Cash, A. Jain, Journal of Cryptology
    30 (2017) 1238–1275.
date_created: 2018-12-11T11:50:37Z
date_published: 2017-10-01T00:00:00Z
date_updated: 2023-09-20T11:20:58Z
day: '01'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.1007/s00145-016-9247-3
ec_funded: 1
external_id:
  isi:
  - '000410788600007'
file:
- access_level: open_access
  checksum: c647520d115b772a1682fc06fa273eb1
  content_type: application/pdf
  creator: dernst
  date_created: 2020-05-14T16:30:17Z
  date_updated: 2020-07-14T12:44:37Z
  file_id: '7843'
  file_name: 2017_JournalCrypto_Kiltz.pdf
  file_size: 516959
  relation: main_file
file_date_updated: 2020-07-14T12:44:37Z
has_accepted_license: '1'
intvolume: '        30'
isi: 1
issue: '4'
language:
- iso: eng
month: '10'
oa: 1
oa_version: Submitted Version
page: 1238 - 1275
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication: Journal of Cryptology
publication_status: published
publisher: Springer
publist_id: '6166'
quality_controlled: '1'
related_material:
  record:
  - id: '3238'
    relation: earlier_version
    status: public
scopus_import: '1'
status: public
title: Efficient authentication from hard learning problems
type: journal_article
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 30
year: '2017'
...
---
_id: '1653'
abstract:
- lang: eng
  text: "A somewhere statistically binding (SSB) hash, introduced by Hubáček and Wichs
    (ITCS ’15), can be used to hash a long string x to a short digest y = H hk (x)
    using a public hashing-key hk. Furthermore, there is a way to set up the hash
    key hk to make it statistically binding on some arbitrary hidden position i, meaning
    that: (1) the digest y completely determines the i’th bit (or symbol) of x so
    that all pre-images of y have the same value in the i’th position, (2) it is computationally
    infeasible to distinguish the position i on which hk is statistically binding
    from any other position i’. Lastly, the hash should have a local opening property
    analogous to Merkle-Tree hashing, meaning that given x and y = H hk (x) it should
    be possible to create a short proof π that certifies the value of the i’th bit
    (or symbol) of x without having to provide the entire input x. A similar primitive
    called a positional accumulator, introduced by Koppula, Lewko and Waters (STOC
    ’15) further supports dynamic updates of the hashed value. These tools, which
    are interesting in their own right, also serve as one of the main technical components
    in several recent works building advanced applications from indistinguishability
    obfuscation (iO).\r\n\r\nThe prior constructions of SSB hashing and positional
    accumulators required fully homomorphic encryption (FHE) and iO respectively.
    In this work, we give new constructions of these tools based on well studied number-theoretic
    assumptions such as DDH, Phi-Hiding and DCR, as well as a general construction
    from lossy/injective functions."
alternative_title:
- LNCS
author:
- first_name: Tatsuaki
  full_name: Okamoto, Tatsuaki
  last_name: Okamoto
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Brent
  full_name: Waters, Brent
  last_name: Waters
- first_name: Daniel
  full_name: Wichs, Daniel
  last_name: Wichs
citation:
  ama: 'Okamoto T, Pietrzak KZ, Waters B, Wichs D. New realizations of somewhere statistically
    binding hashing and positional accumulators. In: Vol 9452. Springer; 2016:121-145.
    doi:<a href="https://doi.org/10.1007/978-3-662-48797-6_6">10.1007/978-3-662-48797-6_6</a>'
  apa: 'Okamoto, T., Pietrzak, K. Z., Waters, B., &#38; Wichs, D. (2016). New realizations
    of somewhere statistically binding hashing and positional accumulators (Vol. 9452,
    pp. 121–145). Presented at the ASIACRYPT: Theory and Application of Cryptology
    and Information Security, Auckland, New Zealand: Springer. <a href="https://doi.org/10.1007/978-3-662-48797-6_6">https://doi.org/10.1007/978-3-662-48797-6_6</a>'
  chicago: Okamoto, Tatsuaki, Krzysztof Z Pietrzak, Brent Waters, and Daniel Wichs.
    “New Realizations of Somewhere Statistically Binding Hashing and Positional Accumulators,”
    9452:121–45. Springer, 2016. <a href="https://doi.org/10.1007/978-3-662-48797-6_6">https://doi.org/10.1007/978-3-662-48797-6_6</a>.
  ieee: 'T. Okamoto, K. Z. Pietrzak, B. Waters, and D. Wichs, “New realizations of
    somewhere statistically binding hashing and positional accumulators,” presented
    at the ASIACRYPT: Theory and Application of Cryptology and Information Security,
    Auckland, New Zealand, 2016, vol. 9452, pp. 121–145.'
  ista: 'Okamoto T, Pietrzak KZ, Waters B, Wichs D. 2016. New realizations of somewhere
    statistically binding hashing and positional accumulators. ASIACRYPT: Theory and
    Application of Cryptology and Information Security, LNCS, vol. 9452, 121–145.'
  mla: Okamoto, Tatsuaki, et al. <i>New Realizations of Somewhere Statistically Binding
    Hashing and Positional Accumulators</i>. Vol. 9452, Springer, 2016, pp. 121–45,
    doi:<a href="https://doi.org/10.1007/978-3-662-48797-6_6">10.1007/978-3-662-48797-6_6</a>.
  short: T. Okamoto, K.Z. Pietrzak, B. Waters, D. Wichs, in:, Springer, 2016, pp.
    121–145.
conference:
  end_date: 2015-12-03
  location: Auckland, New Zealand
  name: 'ASIACRYPT: Theory and Application of Cryptology and Information Security'
  start_date: 2015-11-29
date_created: 2018-12-11T11:53:16Z
date_published: 2016-01-08T00:00:00Z
date_updated: 2021-01-12T06:52:16Z
day: '08'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.1007/978-3-662-48797-6_6
ec_funded: 1
file:
- access_level: open_access
  checksum: a57711cb660c5b17b42bb47275a00180
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:12:05Z
  date_updated: 2020-07-14T12:45:08Z
  file_id: '4923'
  file_name: IST-2016-677-v1+1_869.pdf
  file_size: 580088
  relation: main_file
file_date_updated: 2020-07-14T12:45:08Z
has_accepted_license: '1'
intvolume: '      9452'
language:
- iso: eng
month: '01'
oa: 1
oa_version: Submitted Version
page: 121 - 145
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5497'
pubrep_id: '677'
quality_controlled: '1'
scopus_import: 1
status: public
title: New realizations of somewhere statistically binding hashing and positional
  accumulators
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9452
year: '2016'
...
---
_id: '1479'
abstract:
- lang: eng
  text: "Most entropy notions H(.) like Shannon or min-entropy satisfy a chain rule
    stating that for random variables X,Z, and A we have H(X|Z,A)≥H(X|Z)−|A|. That
    is, by conditioning on A the entropy of X can decrease by at most the bitlength
    |A| of A. Such chain rules are known to hold for some computational entropy notions
    like Yao’s and unpredictability-entropy. For HILL entropy, the computational analogue
    of min-entropy, the chain rule is of special interest and has found many applications,
    including leakage-resilient cryptography, deterministic encryption, and memory
    delegation. These applications rely on restricted special cases of the chain rule.
    Whether the chain rule for conditional HILL entropy holds in general was an open
    problem for which we give a strong negative answer: we construct joint distributions
    (X,Z,A), where A is a distribution over a single bit, such that the HILL entropy
    H HILL (X|Z) is large but H HILL (X|Z,A) is basically zero.\r\n\r\nOur counterexample
    just makes the minimal assumption that NP⊈P/poly. Under the stronger assumption
    that injective one-way function exist, we can make all the distributions efficiently
    samplable.\r\n\r\nFinally, we show that some more sophisticated cryptographic
    objects like lossy functions can be used to sample a distribution constituting
    a counterexample to the chain rule making only a single invocation to the underlying
    object."
acknowledgement: "This work was partly funded by the European Research Council under
  ERC Starting Grant 259668-PSPC and ERC Advanced Grant 321310-PERCY.\r\n"
author:
- first_name: Stephan
  full_name: Krenn, Stephan
  id: 329FCCF0-F248-11E8-B48F-1D18A9856A87
  last_name: Krenn
  orcid: 0000-0003-2835-9093
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Akshay
  full_name: Wadia, Akshay
  last_name: Wadia
- first_name: Daniel
  full_name: Wichs, Daniel
  last_name: Wichs
citation:
  ama: Krenn S, Pietrzak KZ, Wadia A, Wichs D. A counterexample to the chain rule
    for conditional HILL entropy. <i>Computational Complexity</i>. 2016;25(3):567-605.
    doi:<a href="https://doi.org/10.1007/s00037-015-0120-9">10.1007/s00037-015-0120-9</a>
  apa: Krenn, S., Pietrzak, K. Z., Wadia, A., &#38; Wichs, D. (2016). A counterexample
    to the chain rule for conditional HILL entropy. <i>Computational Complexity</i>.
    Springer. <a href="https://doi.org/10.1007/s00037-015-0120-9">https://doi.org/10.1007/s00037-015-0120-9</a>
  chicago: Krenn, Stephan, Krzysztof Z Pietrzak, Akshay Wadia, and Daniel Wichs. “A
    Counterexample to the Chain Rule for Conditional HILL Entropy.” <i>Computational
    Complexity</i>. Springer, 2016. <a href="https://doi.org/10.1007/s00037-015-0120-9">https://doi.org/10.1007/s00037-015-0120-9</a>.
  ieee: S. Krenn, K. Z. Pietrzak, A. Wadia, and D. Wichs, “A counterexample to the
    chain rule for conditional HILL entropy,” <i>Computational Complexity</i>, vol.
    25, no. 3. Springer, pp. 567–605, 2016.
  ista: Krenn S, Pietrzak KZ, Wadia A, Wichs D. 2016. A counterexample to the chain
    rule for conditional HILL entropy. Computational Complexity. 25(3), 567–605.
  mla: Krenn, Stephan, et al. “A Counterexample to the Chain Rule for Conditional
    HILL Entropy.” <i>Computational Complexity</i>, vol. 25, no. 3, Springer, 2016,
    pp. 567–605, doi:<a href="https://doi.org/10.1007/s00037-015-0120-9">10.1007/s00037-015-0120-9</a>.
  short: S. Krenn, K.Z. Pietrzak, A. Wadia, D. Wichs, Computational Complexity 25
    (2016) 567–605.
date_created: 2018-12-11T11:52:16Z
date_published: 2016-09-01T00:00:00Z
date_updated: 2023-02-23T11:05:09Z
day: '01'
ddc:
- '004'
department:
- _id: KrPi
doi: 10.1007/s00037-015-0120-9
ec_funded: 1
file:
- access_level: open_access
  checksum: 7659296174fa75f5f0364f31f46f4bcf
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:13:29Z
  date_updated: 2020-07-14T12:44:56Z
  file_id: '5012'
  file_name: IST-2017-766-v1+1_678.pdf
  file_size: 483258
  relation: main_file
file_date_updated: 2020-07-14T12:44:56Z
has_accepted_license: '1'
intvolume: '        25'
issue: '3'
language:
- iso: eng
month: '09'
oa: 1
oa_version: Submitted Version
page: 567 - 605
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication: Computational Complexity
publication_status: published
publisher: Springer
publist_id: '5715'
pubrep_id: '766'
quality_controlled: '1'
related_material:
  record:
  - id: '2940'
    relation: earlier_version
    status: public
scopus_import: 1
status: public
title: A counterexample to the chain rule for conditional HILL entropy
tmp:
  image: /images/cc_by.png
  legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
  name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
  short: CC BY (4.0)
type: journal_article
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 25
year: '2016'
...
---
_id: '1366'
abstract:
- lang: eng
  text: 'We study the problem of devising provably secure PRNGs with input based on
    the sponge paradigm. Such constructions are very appealing, as efficient software/hardware
    implementations of SHA-3 can easily be translated into a PRNG in a nearly black-box
    way. The only existing sponge-based construction, proposed by Bertoni et al. (CHES
    2010), fails to achieve the security notion of robustness recently considered
    by Dodis et al. (CCS 2013), for two reasons: (1) The construction is deterministic,
    and thus there are high-entropy input distributions on which the construction
    fails to extract random bits, and (2) The construction is not forward secure,
    and presented solutions aiming at restoring forward security have not been rigorously
    analyzed. We propose a seeded variant of Bertoni et al.’s PRNG with input which
    we prove secure in the sense of robustness, delivering in particular concrete
    security bounds. On the way, we make what we believe to be an important conceptual
    contribution, developing a variant of the security framework of Dodis et al. tailored
    at the ideal permutation model that captures PRNG security in settings where the
    weakly random inputs are provided from a large class of possible adversarial samplers
    which are also allowed to query the random permutation. As a further application
    of our techniques, we also present an efficient sponge-based key-derivation function
    (which can be instantiated from SHA-3 in a black-box fashion), which we also prove
    secure when fed with samples from permutation-dependent distributions.'
alternative_title:
- LNCS
author:
- first_name: Peter
  full_name: Gazi, Peter
  id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
  last_name: Gazi
- first_name: Stefano
  full_name: Tessaro, Stefano
  last_name: Tessaro
citation:
  ama: 'Gazi P, Tessaro S. Provably robust sponge-based PRNGs and KDFs. In: Vol 9665.
    Springer; 2016:87-116. doi:<a href="https://doi.org/10.1007/978-3-662-49890-3_4">10.1007/978-3-662-49890-3_4</a>'
  apa: 'Gazi, P., &#38; Tessaro, S. (2016). Provably robust sponge-based PRNGs and
    KDFs (Vol. 9665, pp. 87–116). Presented at the EUROCRYPT: Theory and Applications
    of Cryptographic Techniques, Vienna, Austria: Springer. <a href="https://doi.org/10.1007/978-3-662-49890-3_4">https://doi.org/10.1007/978-3-662-49890-3_4</a>'
  chicago: Gazi, Peter, and Stefano Tessaro. “Provably Robust Sponge-Based PRNGs and
    KDFs,” 9665:87–116. Springer, 2016. <a href="https://doi.org/10.1007/978-3-662-49890-3_4">https://doi.org/10.1007/978-3-662-49890-3_4</a>.
  ieee: 'P. Gazi and S. Tessaro, “Provably robust sponge-based PRNGs and KDFs,” presented
    at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Vienna,
    Austria, 2016, vol. 9665, pp. 87–116.'
  ista: 'Gazi P, Tessaro S. 2016. Provably robust sponge-based PRNGs and KDFs. EUROCRYPT:
    Theory and Applications of Cryptographic Techniques, LNCS, vol. 9665, 87–116.'
  mla: Gazi, Peter, and Stefano Tessaro. <i>Provably Robust Sponge-Based PRNGs and
    KDFs</i>. Vol. 9665, Springer, 2016, pp. 87–116, doi:<a href="https://doi.org/10.1007/978-3-662-49890-3_4">10.1007/978-3-662-49890-3_4</a>.
  short: P. Gazi, S. Tessaro, in:, Springer, 2016, pp. 87–116.
conference:
  end_date: 2016-05-12
  location: Vienna, Austria
  name: 'EUROCRYPT: Theory and Applications of Cryptographic Techniques'
  start_date: 2016-05-08
date_created: 2018-12-11T11:51:36Z
date_published: 2016-05-01T00:00:00Z
date_updated: 2021-01-12T06:50:11Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-662-49890-3_4
ec_funded: 1
intvolume: '      9665'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2016/169/20160219:201940
month: '05'
oa: 1
oa_version: Preprint
page: 87 - 116
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5872'
quality_controlled: '1'
scopus_import: 1
status: public
title: Provably robust sponge-based PRNGs and KDFs
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 9665
year: '2016'
...
---
_id: '1225'
abstract:
- lang: eng
  text: At Crypto 2015 Fuchsbauer, Hanser and Slamanig (FHS) presented the first standard-model
    construction of efficient roundoptimal blind signatures that does not require
    complexity leveraging. It is conceptually simple and builds on the primitive of
    structure-preserving signatures on equivalence classes (SPS-EQ). FHS prove the
    unforgeability of their scheme assuming EUF-CMA security of the SPS-EQ scheme
    and hardness of a version of the DH inversion problem. Blindness under adversarially
    chosen keys is proven under an interactive variant of the DDH assumption. We propose
    a variant of their scheme whose blindness can be proven under a non-interactive
    assumption, namely a variant of the bilinear DDH assumption. We moreover prove
    its unforgeability assuming only unforgeability of the underlying SPS-EQ but no
    additional assumptions as needed for the FHS scheme.
alternative_title:
- LNCS
author:
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
- first_name: Christian
  full_name: Hanser, Christian
  last_name: Hanser
- first_name: Chethan
  full_name: Kamath Hosdurg, Chethan
  id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
  last_name: Kamath Hosdurg
- first_name: Daniel
  full_name: Slamanig, Daniel
  last_name: Slamanig
citation:
  ama: 'Fuchsbauer G, Hanser C, Kamath Hosdurg C, Slamanig D. Practical round-optimal
    blind signatures in the standard model from weaker assumptions. In: Vol 9841.
    Springer; 2016:391-408. doi:<a href="https://doi.org/10.1007/978-3-319-44618-9_21">10.1007/978-3-319-44618-9_21</a>'
  apa: 'Fuchsbauer, G., Hanser, C., Kamath Hosdurg, C., &#38; Slamanig, D. (2016).
    Practical round-optimal blind signatures in the standard model from weaker assumptions
    (Vol. 9841, pp. 391–408). Presented at the SCN: Security and Cryptography for
    Networks, Amalfi, Italy: Springer. <a href="https://doi.org/10.1007/978-3-319-44618-9_21">https://doi.org/10.1007/978-3-319-44618-9_21</a>'
  chicago: Fuchsbauer, Georg, Christian Hanser, Chethan Kamath Hosdurg, and Daniel
    Slamanig. “Practical Round-Optimal Blind Signatures in the Standard Model from
    Weaker Assumptions,” 9841:391–408. Springer, 2016. <a href="https://doi.org/10.1007/978-3-319-44618-9_21">https://doi.org/10.1007/978-3-319-44618-9_21</a>.
  ieee: 'G. Fuchsbauer, C. Hanser, C. Kamath Hosdurg, and D. Slamanig, “Practical
    round-optimal blind signatures in the standard model from weaker assumptions,”
    presented at the SCN: Security and Cryptography for Networks, Amalfi, Italy, 2016,
    vol. 9841, pp. 391–408.'
  ista: 'Fuchsbauer G, Hanser C, Kamath Hosdurg C, Slamanig D. 2016. Practical round-optimal
    blind signatures in the standard model from weaker assumptions. SCN: Security
    and Cryptography for Networks, LNCS, vol. 9841, 391–408.'
  mla: Fuchsbauer, Georg, et al. <i>Practical Round-Optimal Blind Signatures in the
    Standard Model from Weaker Assumptions</i>. Vol. 9841, Springer, 2016, pp. 391–408,
    doi:<a href="https://doi.org/10.1007/978-3-319-44618-9_21">10.1007/978-3-319-44618-9_21</a>.
  short: G. Fuchsbauer, C. Hanser, C. Kamath Hosdurg, D. Slamanig, in:, Springer,
    2016, pp. 391–408.
conference:
  end_date: 2016-09-02
  location: Amalfi, Italy
  name: 'SCN: Security and Cryptography for Networks'
  start_date: 2016-08-31
date_created: 2018-12-11T11:50:49Z
date_published: 2016-08-11T00:00:00Z
date_updated: 2023-02-23T10:08:16Z
day: '11'
department:
- _id: KrPi
doi: 10.1007/978-3-319-44618-9_21
ec_funded: 1
intvolume: '      9841'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2016/662
month: '08'
oa: 1
oa_version: Submitted Version
page: 391 - 408
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
publication_status: published
publisher: Springer
publist_id: '6109'
quality_controlled: '1'
related_material:
  record:
  - id: '1647'
    relation: earlier_version
    status: public
scopus_import: 1
status: public
title: Practical round-optimal blind signatures in the standard model from weaker
  assumptions
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9841
year: '2016'
...
---
_id: '1229'
abstract:
- lang: eng
  text: Witness encryption (WE) was introduced by Garg et al. [GGSW13]. A WE scheme
    is defined for some NP language L and lets a sender encrypt messages relative
    to instances x. A ciphertext for x can be decrypted using w witnessing x ∈ L,
    but hides the message if x ∈ L. Garg et al. construct WE from multilinear maps
    and give another construction [GGH+13b] using indistinguishability obfuscation
    (iO) for circuits. Due to the reliance on such heavy tools, WE can cur- rently
    hardly be implemented on powerful hardware and will unlikely be realizable on
    constrained devices like smart cards any time soon. We construct a WE scheme where
    encryption is done by simply computing a Naor-Yung ciphertext (two CPA encryptions
    and a NIZK proof). To achieve this, our scheme has a setup phase, which outputs
    public parameters containing an obfuscated circuit (only required for decryption),
    two encryption keys and a common reference string (used for encryption). This
    setup need only be run once, and the parame- ters can be used for arbitrary many
    encryptions. Our scheme can also be turned into a functional WE scheme, where
    a message is encrypted w.r.t. a statement and a function f, and decryption with
    a witness w yields f (m, w). Our construction is inspired by the functional encryption
    scheme by Garg et al. and we prove (selective) security assuming iO and statistically
    simulation-sound NIZK. We give a construction of the latter in bilinear groups
    and combining it with ElGamal encryption, our ciphertexts are of size 1.3 kB at
    a 128-bit security level and can be computed on a smart card.
acknowledgement: Research  supported  by  the  European  Research  Council,  ERC  starting  grant
  (259668-PSPC) and ERC consolidator grant (682815 - TOCNeT).
alternative_title:
- LNCS
author:
- first_name: Hamza M
  full_name: Abusalah, Hamza M
  id: 40297222-F248-11E8-B48F-1D18A9856A87
  last_name: Abusalah
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
citation:
  ama: 'Abusalah HM, Fuchsbauer G, Pietrzak KZ. Offline witness encryption. In: Vol
    9696. Springer; 2016:285-303. doi:<a href="https://doi.org/10.1007/978-3-319-39555-5_16">10.1007/978-3-319-39555-5_16</a>'
  apa: 'Abusalah, H. M., Fuchsbauer, G., &#38; Pietrzak, K. Z. (2016). Offline witness
    encryption (Vol. 9696, pp. 285–303). Presented at the ACNS: Applied Cryptography
    and Network Security, Guildford, UK: Springer. <a href="https://doi.org/10.1007/978-3-319-39555-5_16">https://doi.org/10.1007/978-3-319-39555-5_16</a>'
  chicago: Abusalah, Hamza M, Georg Fuchsbauer, and Krzysztof Z Pietrzak. “Offline
    Witness Encryption,” 9696:285–303. Springer, 2016. <a href="https://doi.org/10.1007/978-3-319-39555-5_16">https://doi.org/10.1007/978-3-319-39555-5_16</a>.
  ieee: 'H. M. Abusalah, G. Fuchsbauer, and K. Z. Pietrzak, “Offline witness encryption,”
    presented at the ACNS: Applied Cryptography and Network Security, Guildford, UK,
    2016, vol. 9696, pp. 285–303.'
  ista: 'Abusalah HM, Fuchsbauer G, Pietrzak KZ. 2016. Offline witness encryption.
    ACNS: Applied Cryptography and Network Security, LNCS, vol. 9696, 285–303.'
  mla: Abusalah, Hamza M., et al. <i>Offline Witness Encryption</i>. Vol. 9696, Springer,
    2016, pp. 285–303, doi:<a href="https://doi.org/10.1007/978-3-319-39555-5_16">10.1007/978-3-319-39555-5_16</a>.
  short: H.M. Abusalah, G. Fuchsbauer, K.Z. Pietrzak, in:, Springer, 2016, pp. 285–303.
conference:
  end_date: 2016-06-22
  location: Guildford, UK
  name: 'ACNS: Applied Cryptography and Network Security'
  start_date: 2016-06-19
date_created: 2018-12-11T11:50:50Z
date_published: 2016-06-09T00:00:00Z
date_updated: 2023-09-07T12:30:22Z
day: '09'
ddc:
- '005'
- '600'
department:
- _id: KrPi
doi: 10.1007/978-3-319-39555-5_16
ec_funded: 1
file:
- access_level: open_access
  checksum: 34fa9ce681da845a1ba945ba3dc57867
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:17:20Z
  date_updated: 2020-07-14T12:44:39Z
  file_id: '5273'
  file_name: IST-2017-765-v1+1_838.pdf
  file_size: 515000
  relation: main_file
file_date_updated: 2020-07-14T12:44:39Z
has_accepted_license: '1'
intvolume: '      9696'
language:
- iso: eng
month: '06'
oa: 1
oa_version: Submitted Version
page: 285 - 303
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
publication_status: published
publisher: Springer
publist_id: '6105'
pubrep_id: '765'
quality_controlled: '1'
related_material:
  record:
  - id: '83'
    relation: dissertation_contains
    status: public
scopus_import: 1
status: public
title: Offline witness encryption
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9696
year: '2016'
...
---
_id: '1231'
abstract:
- lang: eng
  text: 'We study the time-and memory-complexities of the problem of computing labels
    of (multiple) randomly selected challenge-nodes in a directed acyclic graph. The
    w-bit label of a node is the hash of the labels of its parents, and the hash function
    is modeled as a random oracle. Specific instances of this problem underlie both
    proofs of space [Dziembowski et al. CRYPTO’15] as well as popular memory-hard
    functions like scrypt. As our main tool, we introduce the new notion of a probabilistic
    parallel entangled pebbling game, a new type of combinatorial pebbling game on
    a graph, which is closely related to the labeling game on the same graph. As a
    first application of our framework, we prove that for scrypt, when the underlying
    hash function is invoked n times, the cumulative memory complexity (CMC) (a notion
    recently introduced by Alwen and Serbinenko (STOC’15) to capture amortized memory-hardness
    for parallel adversaries) is at least Ω(w · (n/ log(n))2). This bound holds for
    adversaries that can store many natural functions of the labels (e.g., linear
    combinations), but still not arbitrary functions thereof. We then introduce and
    study a combinatorial quantity, and show how a sufficiently small upper bound
    on it (which we conjecture) extends our CMC bound for scrypt to hold against arbitrary
    adversaries. We also show that such an upper bound solves the main open problem
    for proofs-of-space protocols: namely, establishing that the time complexity of
    computing the label of a random node in a graph on n nodes (given an initial kw-bit
    state) reduces tightly to the time complexity for black pebbling on the same graph
    (given an initial k-node pebbling).'
acknowledgement: "Joël Alwen, Chethan Kamath, and Krzysztof Pietrzak’s research is
  partially supported by an ERC starting grant (259668-PSPC). Vladimir Kolmogorov
  is partially supported by an ERC consolidator grant (616160-DOICV). Binyi Chen was
  partially supported by NSF grants CNS-1423566 and CNS-1514526, and a gift from the
  Gareatis Foundation. Stefano Tessaro was partially supported by NSF grants CNS-1423566,
  CNS-1528178, a Hellman Fellowship, and the Glen and Susanne Culler Chair.\r\n\r\nThis
  work was done in part while the authors were visiting the Simons Institute for the
  Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons
  Collaboration in Cryptography through NSF grant CNS-1523467."
alternative_title:
- LNCS
author:
- first_name: Joel F
  full_name: Alwen, Joel F
  id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
  last_name: Alwen
- first_name: Binyi
  full_name: Chen, Binyi
  last_name: Chen
- first_name: Chethan
  full_name: Kamath Hosdurg, Chethan
  id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
  last_name: Kamath Hosdurg
- first_name: Vladimir
  full_name: Kolmogorov, Vladimir
  id: 3D50B0BA-F248-11E8-B48F-1D18A9856A87
  last_name: Kolmogorov
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Stefano
  full_name: Tessaro, Stefano
  last_name: Tessaro
citation:
  ama: 'Alwen JF, Chen B, Kamath Hosdurg C, Kolmogorov V, Pietrzak KZ, Tessaro S.
    On the complexity of scrypt and proofs of space in the parallel random oracle
    model. In: Vol 9666. Springer; 2016:358-387. doi:<a href="https://doi.org/10.1007/978-3-662-49896-5_13">10.1007/978-3-662-49896-5_13</a>'
  apa: 'Alwen, J. F., Chen, B., Kamath Hosdurg, C., Kolmogorov, V., Pietrzak, K. Z.,
    &#38; Tessaro, S. (2016). On the complexity of scrypt and proofs of space in the
    parallel random oracle model (Vol. 9666, pp. 358–387). Presented at the EUROCRYPT:
    Theory and Applications of Cryptographic Techniques, Vienna, Austria: Springer.
    <a href="https://doi.org/10.1007/978-3-662-49896-5_13">https://doi.org/10.1007/978-3-662-49896-5_13</a>'
  chicago: Alwen, Joel F, Binyi Chen, Chethan Kamath Hosdurg, Vladimir Kolmogorov,
    Krzysztof Z Pietrzak, and Stefano Tessaro. “On the Complexity of Scrypt and Proofs
    of Space in the Parallel Random Oracle Model,” 9666:358–87. Springer, 2016. <a
    href="https://doi.org/10.1007/978-3-662-49896-5_13">https://doi.org/10.1007/978-3-662-49896-5_13</a>.
  ieee: 'J. F. Alwen, B. Chen, C. Kamath Hosdurg, V. Kolmogorov, K. Z. Pietrzak, and
    S. Tessaro, “On the complexity of scrypt and proofs of space in the parallel random
    oracle model,” presented at the EUROCRYPT: Theory and Applications of Cryptographic
    Techniques, Vienna, Austria, 2016, vol. 9666, pp. 358–387.'
  ista: 'Alwen JF, Chen B, Kamath Hosdurg C, Kolmogorov V, Pietrzak KZ, Tessaro S.
    2016. On the complexity of scrypt and proofs of space in the parallel random oracle
    model. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol.
    9666, 358–387.'
  mla: Alwen, Joel F., et al. <i>On the Complexity of Scrypt and Proofs of Space in
    the Parallel Random Oracle Model</i>. Vol. 9666, Springer, 2016, pp. 358–87, doi:<a
    href="https://doi.org/10.1007/978-3-662-49896-5_13">10.1007/978-3-662-49896-5_13</a>.
  short: J.F. Alwen, B. Chen, C. Kamath Hosdurg, V. Kolmogorov, K.Z. Pietrzak, S.
    Tessaro, in:, Springer, 2016, pp. 358–387.
conference:
  end_date: 2016-05-12
  location: Vienna, Austria
  name: 'EUROCRYPT: Theory and Applications of Cryptographic Techniques'
  start_date: 2016-05-08
date_created: 2018-12-11T11:50:51Z
date_published: 2016-04-28T00:00:00Z
date_updated: 2021-01-12T06:49:15Z
day: '28'
department:
- _id: KrPi
- _id: VlKo
doi: 10.1007/978-3-662-49896-5_13
ec_funded: 1
intvolume: '      9666'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2016/100
month: '04'
oa: 1
oa_version: Submitted Version
page: 358 - 387
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
- _id: 25FBA906-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '616160'
  name: 'Discrete Optimization in Computer Vision: Theory and Practice'
publication_status: published
publisher: Springer
publist_id: '6103'
quality_controlled: '1'
scopus_import: 1
status: public
title: On the complexity of scrypt and proofs of space in the parallel random oracle
  model
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 9666
year: '2016'
...
---
_id: '1233'
abstract:
- lang: eng
  text: About three decades ago it was realized that implementing private channels
    between parties which can be adaptively corrupted requires an encryption scheme
    that is secure against selective opening attacks. Whether standard (IND-CPA) security
    implies security against selective opening attacks has been a major open question
    since. The only known reduction from selective opening to IND-CPA security loses
    an exponential factor. A polynomial reduction is only known for the very special
    case where the distribution considered in the selective opening security experiment
    is a product distribution, i.e., the messages are sampled independently from each
    other. In this paper we give a reduction whose loss is quantified via the dependence
    graph (where message dependencies correspond to edges) of the underlying message
    distribution. In particular, for some concrete distributions including Markov
    distributions, our reduction is polynomial.
acknowledgement: G. Fuchsbauer and K. Pietrzak are supported by the European Research
  Council, ERC Starting Grant (259668-PSPC). F. Heuer is funded by a Sofja Kovalevskaja
  Award of the Alexander von Humboldt Foundation and DFG SPP 1736, Algorithms for
  BIG DATA. E. Kiltz is supported by a Sofja Kovalevskaja Award of the Alexander von
  Humboldt Foundation, the German Israel Foundation, and ERC Project ERCC (FP7/615074).
alternative_title:
- LNCS
author:
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
- first_name: Felix
  full_name: Heuer, Felix
  last_name: Heuer
- first_name: Eike
  full_name: Kiltz, Eike
  last_name: Kiltz
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
citation:
  ama: 'Fuchsbauer G, Heuer F, Kiltz E, Pietrzak KZ. Standard security does imply
    security against selective opening for markov distributions. In: Vol 9562. Springer;
    2016:282-305. doi:<a href="https://doi.org/10.1007/978-3-662-49096-9_12">10.1007/978-3-662-49096-9_12</a>'
  apa: 'Fuchsbauer, G., Heuer, F., Kiltz, E., &#38; Pietrzak, K. Z. (2016). Standard
    security does imply security against selective opening for markov distributions
    (Vol. 9562, pp. 282–305). Presented at the TCC: Theory of Cryptography Conference,
    Tel Aviv, Israel: Springer. <a href="https://doi.org/10.1007/978-3-662-49096-9_12">https://doi.org/10.1007/978-3-662-49096-9_12</a>'
  chicago: Fuchsbauer, Georg, Felix Heuer, Eike Kiltz, and Krzysztof Z Pietrzak. “Standard
    Security Does Imply Security against Selective Opening for Markov Distributions,”
    9562:282–305. Springer, 2016. <a href="https://doi.org/10.1007/978-3-662-49096-9_12">https://doi.org/10.1007/978-3-662-49096-9_12</a>.
  ieee: 'G. Fuchsbauer, F. Heuer, E. Kiltz, and K. Z. Pietrzak, “Standard security
    does imply security against selective opening for markov distributions,” presented
    at the TCC: Theory of Cryptography Conference, Tel Aviv, Israel, 2016, vol. 9562,
    pp. 282–305.'
  ista: 'Fuchsbauer G, Heuer F, Kiltz E, Pietrzak KZ. 2016. Standard security does
    imply security against selective opening for markov distributions. TCC: Theory
    of Cryptography Conference, LNCS, vol. 9562, 282–305.'
  mla: Fuchsbauer, Georg, et al. <i>Standard Security Does Imply Security against
    Selective Opening for Markov Distributions</i>. Vol. 9562, Springer, 2016, pp.
    282–305, doi:<a href="https://doi.org/10.1007/978-3-662-49096-9_12">10.1007/978-3-662-49096-9_12</a>.
  short: G. Fuchsbauer, F. Heuer, E. Kiltz, K.Z. Pietrzak, in:, Springer, 2016, pp.
    282–305.
conference:
  end_date: 2016-01-13
  location: Tel Aviv, Israel
  name: 'TCC: Theory of Cryptography Conference'
  start_date: 2016-01-10
date_created: 2018-12-11T11:50:51Z
date_published: 2016-01-01T00:00:00Z
date_updated: 2021-01-12T06:49:16Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-662-49096-9_12
ec_funded: 1
intvolume: '      9562'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2015/853
month: '01'
oa: 1
oa_version: Submitted Version
page: 282 - 305
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '6100'
quality_controlled: '1'
scopus_import: 1
status: public
title: Standard security does imply security against selective opening for markov
  distributions
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 9562
year: '2016'
...
---
_id: '1235'
abstract:
- lang: eng
  text: 'A constrained pseudorandom function (CPRF) F: K×X → Y for a family T of subsets
    of χ is a function where for any key k ∈ K and set S ∈ T one can efficiently compute
    a short constrained key kS, which allows to evaluate F(k, ·) on all inputs x ∈
    S, while the outputs on all inputs x /∈ S look random even given kS. Abusalah
    et al. recently constructed the first constrained PRF for inputs of arbitrary
    length whose sets S are decided by Turing machines. They use their CPRF to build
    broadcast encryption and the first ID-based non-interactive key exchange for an
    unbounded number of users. Their constrained keys are obfuscated circuits and
    are therefore large. In this work we drastically reduce the key size and define
    a constrained key for a Turing machine M as a short signature on M. For this,
    we introduce a new signature primitive with constrained signing keys that let
    one only sign certain messages, while forging a signature on others is hard even
    when knowing the coins for key generation.'
acknowledgement: H. Abusalah—Research supported by the European Research Council,
  ERC starting grant (259668-PSPC) and ERC consolidator grant (682815 - TOCNeT).
alternative_title:
- LNCS
author:
- first_name: Hamza M
  full_name: Abusalah, Hamza M
  id: 40297222-F248-11E8-B48F-1D18A9856A87
  last_name: Abusalah
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
citation:
  ama: 'Abusalah HM, Fuchsbauer G. Constrained PRFs for unbounded inputs with short
    keys. In: Vol 9696. Springer; 2016:445-463. doi:<a href="https://doi.org/10.1007/978-3-319-39555-5_24">10.1007/978-3-319-39555-5_24</a>'
  apa: 'Abusalah, H. M., &#38; Fuchsbauer, G. (2016). Constrained PRFs for unbounded
    inputs with short keys (Vol. 9696, pp. 445–463). Presented at the ACNS: Applied
    Cryptography and Network Security, Guildford, UK: Springer. <a href="https://doi.org/10.1007/978-3-319-39555-5_24">https://doi.org/10.1007/978-3-319-39555-5_24</a>'
  chicago: Abusalah, Hamza M, and Georg Fuchsbauer. “Constrained PRFs for Unbounded
    Inputs with Short Keys,” 9696:445–63. Springer, 2016. <a href="https://doi.org/10.1007/978-3-319-39555-5_24">https://doi.org/10.1007/978-3-319-39555-5_24</a>.
  ieee: 'H. M. Abusalah and G. Fuchsbauer, “Constrained PRFs for unbounded inputs
    with short keys,” presented at the ACNS: Applied Cryptography and Network Security,
    Guildford, UK, 2016, vol. 9696, pp. 445–463.'
  ista: 'Abusalah HM, Fuchsbauer G. 2016. Constrained PRFs for unbounded inputs with
    short keys. ACNS: Applied Cryptography and Network Security, LNCS, vol. 9696,
    445–463.'
  mla: Abusalah, Hamza M., and Georg Fuchsbauer. <i>Constrained PRFs for Unbounded
    Inputs with Short Keys</i>. Vol. 9696, Springer, 2016, pp. 445–63, doi:<a href="https://doi.org/10.1007/978-3-319-39555-5_24">10.1007/978-3-319-39555-5_24</a>.
  short: H.M. Abusalah, G. Fuchsbauer, in:, Springer, 2016, pp. 445–463.
conference:
  end_date: 2016-06-22
  location: Guildford, UK
  name: 'ACNS: Applied Cryptography and Network Security'
  start_date: 2016-06-19
date_created: 2018-12-11T11:50:52Z
date_published: 2016-01-01T00:00:00Z
date_updated: 2023-09-07T12:30:22Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-39555-5_24
ec_funded: 1
intvolume: '      9696'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2016/279.pdf
month: '01'
oa: 1
oa_version: Submitted Version
page: 445 - 463
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
publication_status: published
publisher: Springer
publist_id: '6098'
quality_controlled: '1'
related_material:
  record:
  - id: '83'
    relation: dissertation_contains
    status: public
scopus_import: 1
status: public
title: Constrained PRFs for unbounded inputs with short keys
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 9696
year: '2016'
...
---
_id: '1236'
abstract:
- lang: eng
  text: 'A constrained pseudorandom function F: K × X → Y for a family T ⊆ 2X of subsets
    of X is a function where for any key k ∈ K and set S ∈ T one can efficiently compute
    a constrained key kS which allows to evaluate F (k, ·) on all inputs x ∈ S, while
    even given this key, the outputs on all inputs x ∉ S look random. At Asiacrypt’13
    Boneh and Waters gave a construction which supports the most general set family
    so far. Its keys kc are defined for sets decided by boolean circuits C and enable
    evaluation of the PRF on any x ∈ X where C(x) = 1. In their construction the PRF
    input length and the size of the circuits C for which constrained keys can be
    computed must be fixed beforehand during key generation. We construct a constrained
    PRF that has an unbounded input length and whose constrained keys can be defined
    for any set recognized by a Turing machine. The only a priori bound we make is
    on the description size of the machines. We prove our construction secure assuming
    publiccoin differing-input obfuscation. As applications of our constrained PRF
    we build a broadcast encryption scheme where the number of potential receivers
    need not be fixed at setup (in particular, the length of the keys is independent
    of the number of parties) and the first identity-based non-interactive key exchange
    protocol with no bound on the number of parties that can agree on a shared key.'
acknowledgement: Supported by the European Research Council, ERC Starting Grant (259668-PSPC).
alternative_title:
- LNCS
author:
- first_name: Hamza M
  full_name: Abusalah, Hamza M
  id: 40297222-F248-11E8-B48F-1D18A9856A87
  last_name: Abusalah
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
citation:
  ama: 'Abusalah HM, Fuchsbauer G, Pietrzak KZ. Constrained PRFs for unbounded inputs.
    In: Vol 9610. Springer; 2016:413-428. doi:<a href="https://doi.org/10.1007/978-3-319-29485-8_24">10.1007/978-3-319-29485-8_24</a>'
  apa: 'Abusalah, H. M., Fuchsbauer, G., &#38; Pietrzak, K. Z. (2016). Constrained
    PRFs for unbounded inputs (Vol. 9610, pp. 413–428). Presented at the CT-RSA: Topics
    in Cryptology, San Francisco, CA, USA: Springer. <a href="https://doi.org/10.1007/978-3-319-29485-8_24">https://doi.org/10.1007/978-3-319-29485-8_24</a>'
  chicago: Abusalah, Hamza M, Georg Fuchsbauer, and Krzysztof Z Pietrzak. “Constrained
    PRFs for Unbounded Inputs,” 9610:413–28. Springer, 2016. <a href="https://doi.org/10.1007/978-3-319-29485-8_24">https://doi.org/10.1007/978-3-319-29485-8_24</a>.
  ieee: 'H. M. Abusalah, G. Fuchsbauer, and K. Z. Pietrzak, “Constrained PRFs for
    unbounded inputs,” presented at the CT-RSA: Topics in Cryptology, San Francisco,
    CA, USA, 2016, vol. 9610, pp. 413–428.'
  ista: 'Abusalah HM, Fuchsbauer G, Pietrzak KZ. 2016. Constrained PRFs for unbounded
    inputs. CT-RSA: Topics in Cryptology, LNCS, vol. 9610, 413–428.'
  mla: Abusalah, Hamza M., et al. <i>Constrained PRFs for Unbounded Inputs</i>. Vol.
    9610, Springer, 2016, pp. 413–28, doi:<a href="https://doi.org/10.1007/978-3-319-29485-8_24">10.1007/978-3-319-29485-8_24</a>.
  short: H.M. Abusalah, G. Fuchsbauer, K.Z. Pietrzak, in:, Springer, 2016, pp. 413–428.
conference:
  end_date: 2016-03-04
  location: San Francisco, CA, USA
  name: 'CT-RSA: Topics in Cryptology'
  start_date: 2016-02-29
date_created: 2018-12-11T11:50:52Z
date_published: 2016-02-02T00:00:00Z
date_updated: 2023-09-07T12:30:22Z
day: '02'
ddc:
- '005'
- '600'
department:
- _id: KrPi
doi: 10.1007/978-3-319-29485-8_24
ec_funded: 1
file:
- access_level: open_access
  checksum: 3851cee49933ae13b1272e516f213e13
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:08:05Z
  date_updated: 2020-07-14T12:44:41Z
  file_id: '4664'
  file_name: IST-2017-764-v1+1_279.pdf
  file_size: 495176
  relation: main_file
file_date_updated: 2020-07-14T12:44:41Z
has_accepted_license: '1'
intvolume: '      9610'
language:
- iso: eng
month: '02'
oa: 1
oa_version: Submitted Version
page: 413 - 428
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '6097'
pubrep_id: '764'
quality_controlled: '1'
related_material:
  record:
  - id: '83'
    relation: dissertation_contains
    status: public
scopus_import: 1
status: public
title: Constrained PRFs for unbounded inputs
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9610
year: '2016'
...
---
_id: '1644'
abstract:
- lang: eng
  text: Increasing the computational complexity of evaluating a hash function, both
    for the honest users as well as for an adversary, is a useful technique employed
    for example in password-based cryptographic schemes to impede brute-force attacks,
    and also in so-called proofs of work (used in protocols like Bitcoin) to show
    that a certain amount of computation was performed by a legitimate user. A natural
    approach to adjust the complexity of a hash function is to iterate it c times,
    for some parameter c, in the hope that any query to the scheme requires c evaluations
    of the underlying hash function. However, results by Dodis et al. (Crypto 2012)
    imply that plain iteration falls short of achieving this goal, and designing schemes
    which provably have such a desirable property remained an open problem. This paper
    formalizes explicitly what it means for a given scheme to amplify the query complexity
    of a hash function. In the random oracle model, the goal of a secure query-complexity
    amplifier (QCA) scheme is captured as transforming, in the sense of indifferentiability,
    a random oracle allowing R queries (for the adversary) into one provably allowing
    only r &lt; R queries. Turned around, this means that making r queries to the
    scheme requires at least R queries to the actual random oracle. Second, a new
    scheme, called collision-free iteration, is proposed and proven to achieve c-fold
    QCA for both the honest parties and the adversary, for any fixed parameter c.
alternative_title:
- LNCS
author:
- first_name: Grégory
  full_name: Demay, Grégory
  last_name: Demay
- first_name: Peter
  full_name: Gazi, Peter
  id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
  last_name: Gazi
- first_name: Ueli
  full_name: Maurer, Ueli
  last_name: Maurer
- first_name: Björn
  full_name: Tackmann, Björn
  last_name: Tackmann
citation:
  ama: 'Demay G, Gazi P, Maurer U, Tackmann B. Query-complexity amplification for
    random oracles. In: Vol 9063. Springer; 2015:159-180. doi:<a href="https://doi.org/10.1007/978-3-319-17470-9_10">10.1007/978-3-319-17470-9_10</a>'
  apa: 'Demay, G., Gazi, P., Maurer, U., &#38; Tackmann, B. (2015). Query-complexity
    amplification for random oracles (Vol. 9063, pp. 159–180). Presented at the ICITS:
    International Conference on Information Theoretic Security, Lugano, Switzerland:
    Springer. <a href="https://doi.org/10.1007/978-3-319-17470-9_10">https://doi.org/10.1007/978-3-319-17470-9_10</a>'
  chicago: Demay, Grégory, Peter Gazi, Ueli Maurer, and Björn Tackmann. “Query-Complexity
    Amplification for Random Oracles,” 9063:159–80. Springer, 2015. <a href="https://doi.org/10.1007/978-3-319-17470-9_10">https://doi.org/10.1007/978-3-319-17470-9_10</a>.
  ieee: 'G. Demay, P. Gazi, U. Maurer, and B. Tackmann, “Query-complexity amplification
    for random oracles,” presented at the ICITS: International Conference on Information
    Theoretic Security, Lugano, Switzerland, 2015, vol. 9063, pp. 159–180.'
  ista: 'Demay G, Gazi P, Maurer U, Tackmann B. 2015. Query-complexity amplification
    for random oracles. ICITS: International Conference on Information Theoretic Security,
    LNCS, vol. 9063, 159–180.'
  mla: Demay, Grégory, et al. <i>Query-Complexity Amplification for Random Oracles</i>.
    Vol. 9063, Springer, 2015, pp. 159–80, doi:<a href="https://doi.org/10.1007/978-3-319-17470-9_10">10.1007/978-3-319-17470-9_10</a>.
  short: G. Demay, P. Gazi, U. Maurer, B. Tackmann, in:, Springer, 2015, pp. 159–180.
conference:
  end_date: 2015-05-05
  location: Lugano, Switzerland
  name: 'ICITS: International Conference on Information Theoretic Security'
  start_date: 2015-05-02
date_created: 2018-12-11T11:53:13Z
date_published: 2015-01-01T00:00:00Z
date_updated: 2021-01-12T06:52:13Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-17470-9_10
ec_funded: 1
intvolume: '      9063'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: http://eprint.iacr.org/2015/315
month: '01'
oa: 1
oa_version: Submitted Version
page: 159 - 180
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5507'
quality_controlled: '1'
scopus_import: 1
status: public
title: Query-complexity amplification for random oracles
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9063
year: '2015'
...
---
_id: '1645'
abstract:
- lang: eng
  text: Secret-key constructions are often proved secure in a model where one or more
    underlying components are replaced by an idealized oracle accessible to the attacker.
    This model gives rise to information-theoretic security analyses, and several
    advances have been made in this area over the last few years. This paper provides
    a systematic overview of what is achievable in this model, and how existing works
    fit into this view.
article_number: '7133163'
author:
- first_name: Peter
  full_name: Gazi, Peter
  id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
  last_name: Gazi
- first_name: Stefano
  full_name: Tessaro, Stefano
  last_name: Tessaro
citation:
  ama: 'Gazi P, Tessaro S. Secret-key cryptography from ideal primitives: A systematic
    verview. In: <i>2015 IEEE Information Theory Workshop</i>. IEEE; 2015. doi:<a
    href="https://doi.org/10.1109/ITW.2015.7133163">10.1109/ITW.2015.7133163</a>'
  apa: 'Gazi, P., &#38; Tessaro, S. (2015). Secret-key cryptography from ideal primitives:
    A systematic verview. In <i>2015 IEEE Information Theory Workshop</i>. Jerusalem,
    Israel: IEEE. <a href="https://doi.org/10.1109/ITW.2015.7133163">https://doi.org/10.1109/ITW.2015.7133163</a>'
  chicago: 'Gazi, Peter, and Stefano Tessaro. “Secret-Key Cryptography from Ideal
    Primitives: A Systematic Verview.” In <i>2015 IEEE Information Theory Workshop</i>.
    IEEE, 2015. <a href="https://doi.org/10.1109/ITW.2015.7133163">https://doi.org/10.1109/ITW.2015.7133163</a>.'
  ieee: 'P. Gazi and S. Tessaro, “Secret-key cryptography from ideal primitives: A
    systematic verview,” in <i>2015 IEEE Information Theory Workshop</i>, Jerusalem,
    Israel, 2015.'
  ista: 'Gazi P, Tessaro S. 2015. Secret-key cryptography from ideal primitives: A
    systematic verview. 2015 IEEE Information Theory Workshop. ITW 2015: IEEE Information
    Theory Workshop, 7133163.'
  mla: 'Gazi, Peter, and Stefano Tessaro. “Secret-Key Cryptography from Ideal Primitives:
    A Systematic Verview.” <i>2015 IEEE Information Theory Workshop</i>, 7133163,
    IEEE, 2015, doi:<a href="https://doi.org/10.1109/ITW.2015.7133163">10.1109/ITW.2015.7133163</a>.'
  short: P. Gazi, S. Tessaro, in:, 2015 IEEE Information Theory Workshop, IEEE, 2015.
conference:
  end_date: 2015-05-01
  location: Jerusalem, Israel
  name: 'ITW 2015: IEEE Information Theory Workshop'
  start_date: 2015-04-26
date_created: 2018-12-11T11:53:13Z
date_published: 2015-06-24T00:00:00Z
date_updated: 2021-01-12T06:52:13Z
day: '24'
department:
- _id: KrPi
doi: 10.1109/ITW.2015.7133163
ec_funded: 1
language:
- iso: eng
month: '06'
oa_version: None
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication: 2015 IEEE Information Theory Workshop
publication_status: published
publisher: IEEE
publist_id: '5506'
quality_controlled: '1'
scopus_import: 1
status: public
title: 'Secret-key cryptography from ideal primitives: A systematic verview'
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
year: '2015'
...
---
_id: '1646'
abstract:
- lang: eng
  text: 'A pseudorandom function (PRF) is a keyed function F : K × X → Y where, for
    a random key k ∈ K, the function F(k, ·) is indistinguishable from a uniformly
    random function, given black-box access. A key-homomorphic PRF has the additional
    feature that for any keys k, k'' and any input x, we have F(k+k'', x) = F(k, x)⊕F(k'',
    x) for some group operations +,⊕ on K and Y, respectively. A constrained PRF for
    a family of setsS ⊆ P(X) has the property that, given any key k and set S ∈ S,
    one can efficiently compute a “constrained” key kS that enables evaluation of
    F(k, x) on all inputs x ∈ S, while the values F(k, x) for x /∈ S remain pseudorandom
    even given kS. In this paper we construct PRFs that are simultaneously constrained
    and key homomorphic, where the homomorphic property holds even for constrained
    keys. We first show that the multilinear map-based bit-fixing and circuit-constrained
    PRFs of Boneh and Waters (Asiacrypt 2013) can be modified to also be keyhomomorphic.
    We then show that the LWE-based key-homomorphic PRFs of Banerjee and Peikert (Crypto
    2014) are essentially already prefix-constrained PRFs, using a (non-obvious) definition
    of constrained keys and associated group operation. Moreover, the constrained
    keys themselves are pseudorandom, and the constraining and evaluation functions
    can all be computed in low depth. As an application of key-homomorphic constrained
    PRFs,we construct a proxy re-encryption schemewith fine-grained access control.
    This scheme allows storing encrypted data on an untrusted server, where each file
    can be encrypted relative to some attributes, so that only parties whose constrained
    keys match the attributes can decrypt. Moreover, the server can re-key (arbitrary
    subsets of) the ciphertexts without learning anything about the plaintexts, thus
    permitting efficient and finegrained revocation.'
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Abishek
  full_name: Banerjee, Abishek
  last_name: Banerjee
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
- first_name: Chris
  full_name: Peikert, Chris
  last_name: Peikert
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Sophie
  full_name: Stevens, Sophie
  last_name: Stevens
citation:
  ama: 'Banerjee A, Fuchsbauer G, Peikert C, Pietrzak KZ, Stevens S. Key-homomorphic
    constrained pseudorandom functions. In: <i>12th Theory of Cryptography Conference</i>.
    Vol 9015. Springer Nature; 2015:31-60. doi:<a href="https://doi.org/10.1007/978-3-662-46497-7_2">10.1007/978-3-662-46497-7_2</a>'
  apa: 'Banerjee, A., Fuchsbauer, G., Peikert, C., Pietrzak, K. Z., &#38; Stevens,
    S. (2015). Key-homomorphic constrained pseudorandom functions. In <i>12th Theory
    of Cryptography Conference</i> (Vol. 9015, pp. 31–60). Warsaw, Poland: Springer
    Nature. <a href="https://doi.org/10.1007/978-3-662-46497-7_2">https://doi.org/10.1007/978-3-662-46497-7_2</a>'
  chicago: Banerjee, Abishek, Georg Fuchsbauer, Chris Peikert, Krzysztof Z Pietrzak,
    and Sophie Stevens. “Key-Homomorphic Constrained Pseudorandom Functions.” In <i>12th
    Theory of Cryptography Conference</i>, 9015:31–60. Springer Nature, 2015. <a href="https://doi.org/10.1007/978-3-662-46497-7_2">https://doi.org/10.1007/978-3-662-46497-7_2</a>.
  ieee: A. Banerjee, G. Fuchsbauer, C. Peikert, K. Z. Pietrzak, and S. Stevens, “Key-homomorphic
    constrained pseudorandom functions,” in <i>12th Theory of Cryptography Conference</i>,
    Warsaw, Poland, 2015, vol. 9015, pp. 31–60.
  ista: 'Banerjee A, Fuchsbauer G, Peikert C, Pietrzak KZ, Stevens S. 2015. Key-homomorphic
    constrained pseudorandom functions. 12th Theory of Cryptography Conference. TCC:
    Theory of Cryptography Conference, LNCS, vol. 9015, 31–60.'
  mla: Banerjee, Abishek, et al. “Key-Homomorphic Constrained Pseudorandom Functions.”
    <i>12th Theory of Cryptography Conference</i>, vol. 9015, Springer Nature, 2015,
    pp. 31–60, doi:<a href="https://doi.org/10.1007/978-3-662-46497-7_2">10.1007/978-3-662-46497-7_2</a>.
  short: A. Banerjee, G. Fuchsbauer, C. Peikert, K.Z. Pietrzak, S. Stevens, in:, 12th
    Theory of Cryptography Conference, Springer Nature, 2015, pp. 31–60.
conference:
  end_date: 2015-03-25
  location: Warsaw, Poland
  name: 'TCC: Theory of Cryptography Conference'
  start_date: 2015-03-23
date_created: 2018-12-11T11:53:14Z
date_published: 2015-03-01T00:00:00Z
date_updated: 2022-02-03T08:41:46Z
day: '01'
ddc:
- '000'
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-662-46497-7_2
ec_funded: 1
file:
- access_level: open_access
  checksum: 3c5093bda5783c89beaacabf1aa0e60e
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:15:17Z
  date_updated: 2020-07-14T12:45:08Z
  file_id: '5136'
  file_name: IST-2016-679-v1+1_180.pdf
  file_size: 450665
  relation: main_file
file_date_updated: 2020-07-14T12:45:08Z
has_accepted_license: '1'
intvolume: '      9015'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2015/180
month: '03'
oa: 1
oa_version: Submitted Version
page: 31 - 60
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication: 12th Theory of Cryptography Conference
publication_identifier:
  isbn:
  - 978-3-662-46496-0
publication_status: published
publisher: Springer Nature
publist_id: '5505'
pubrep_id: '679'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Key-homomorphic constrained pseudorandom functions
type: conference
user_id: 8b945eb4-e2f2-11eb-945a-df72226e66a9
volume: 9015
year: '2015'
...
---
_id: '1647'
abstract:
- lang: eng
  text: Round-optimal blind signatures are notoriously hard to construct in the standard
    model, especially in the malicious-signer model, where blindness must hold under
    adversarially chosen keys. This is substantiated by several impossibility results.
    The only construction that can be termed theoretically efficient, by Garg and
    Gupta (Eurocrypt’14), requires complexity leveraging, inducing an exponential
    security loss. We present a construction of practically efficient round-optimal
    blind signatures in the standard model. It is conceptually simple and builds on
    the recent structure-preserving signatures on equivalence classes (SPSEQ) from
    Asiacrypt’14. While the traditional notion of blindness follows from standard
    assumptions, we prove blindness under adversarially chosen keys under an interactive
    variant of DDH. However, we neither require non-uniform assumptions nor complexity
    leveraging. We then show how to extend our construction to partially blind signatures
    and to blind signatures on message vectors, which yield a construction of one-show
    anonymous credentials à la “anonymous credentials light” (CCS’13) in the standard
    model. Furthermore, we give the first SPS-EQ construction under noninteractive
    assumptions and show how SPS-EQ schemes imply conventional structure-preserving
    signatures, which allows us to apply optimality results for the latter to SPS-EQ.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
- first_name: Christian
  full_name: Hanser, Christian
  last_name: Hanser
- first_name: Daniel
  full_name: Slamanig, Daniel
  last_name: Slamanig
citation:
  ama: 'Fuchsbauer G, Hanser C, Slamanig D. Practical round-optimal blind signatures
    in the standard model. In: Vol 9216. Springer; 2015:233-253. doi:<a href="https://doi.org/10.1007/978-3-662-48000-7_12">10.1007/978-3-662-48000-7_12</a>'
  apa: 'Fuchsbauer, G., Hanser, C., &#38; Slamanig, D. (2015). Practical round-optimal
    blind signatures in the standard model (Vol. 9216, pp. 233–253). Presented at
    the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States:
    Springer. <a href="https://doi.org/10.1007/978-3-662-48000-7_12">https://doi.org/10.1007/978-3-662-48000-7_12</a>'
  chicago: Fuchsbauer, Georg, Christian Hanser, and Daniel Slamanig. “Practical Round-Optimal
    Blind Signatures in the Standard Model,” 9216:233–53. Springer, 2015. <a href="https://doi.org/10.1007/978-3-662-48000-7_12">https://doi.org/10.1007/978-3-662-48000-7_12</a>.
  ieee: 'G. Fuchsbauer, C. Hanser, and D. Slamanig, “Practical round-optimal blind
    signatures in the standard model,” presented at the CRYPTO: International Cryptology
    Conference, Santa Barbara, CA, United States, 2015, vol. 9216, pp. 233–253.'
  ista: 'Fuchsbauer G, Hanser C, Slamanig D. 2015. Practical round-optimal blind signatures
    in the standard model. CRYPTO: International Cryptology Conference, LNCS, vol.
    9216, 233–253.'
  mla: Fuchsbauer, Georg, et al. <i>Practical Round-Optimal Blind Signatures in the
    Standard Model</i>. Vol. 9216, Springer, 2015, pp. 233–53, doi:<a href="https://doi.org/10.1007/978-3-662-48000-7_12">10.1007/978-3-662-48000-7_12</a>.
  short: G. Fuchsbauer, C. Hanser, D. Slamanig, in:, Springer, 2015, pp. 233–253.
conference:
  end_date: 2015-08-20
  location: Santa Barbara, CA, United States
  name: 'CRYPTO: International Cryptology Conference'
  start_date: 2015-08-16
date_created: 2018-12-11T11:53:14Z
date_published: 2015-08-01T00:00:00Z
date_updated: 2023-02-21T16:44:51Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-662-48000-7_12
ec_funded: 1
intvolume: '      9216'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2015/626.pdf
month: '08'
oa: 1
oa_version: Submitted Version
page: 233 - 253
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5503'
quality_controlled: '1'
related_material:
  record:
  - id: '1225'
    relation: later_version
    status: public
scopus_import: 1
status: public
title: Practical round-optimal blind signatures in the standard model
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9216
year: '2015'
...
---
_id: '1648'
abstract:
- lang: eng
  text: Generalized Selective Decryption (GSD), introduced by Panjwani [TCC’07], is
    a game for a symmetric encryption scheme Enc that captures the difficulty of proving
    adaptive security of certain protocols, most notably the Logical Key Hierarchy
    (LKH) multicast encryption protocol. In the GSD game there are n keys k1,...,
    kn, which the adversary may adaptively corrupt (learn); moreover, it can ask for
    encryptions Encki (kj) of keys under other keys. The adversary’s task is to distinguish
    keys (which it cannot trivially compute) from random. Proving the hardness of
    GSD assuming only IND-CPA security of Enc is surprisingly hard. Using “complexity
    leveraging” loses a factor exponential in n, which makes the proof practically
    meaningless. We can think of the GSD game as building a graph on n vertices, where
    we add an edge i → j when the adversary asks for an encryption of kj under ki.
    If restricted to graphs of depth ℓ, Panjwani gave a reduction that loses only
    a factor exponential in ℓ (not n). To date, this is the only non-trivial result
    known for GSD. In this paper we give almost-polynomial reductions for large classes
    of graphs. Most importantly, we prove the security of the GSD game restricted
    to trees losing only a quasi-polynomial factor n3 log n+5. Trees are an important
    special case capturing real-world protocols like the LKH protocol. Our new bound
    improves upon Panjwani’s on some LKH variants proposed in the literature where
    the underlying tree is not balanced. Our proof builds on ideas from the “nested
    hybrids” technique recently introduced by Fuchsbauer et al. [Asiacrypt’14] for
    proving the adaptive security of constrained PRFs.
alternative_title:
- LNCS
author:
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
- first_name: Zahra
  full_name: Jafargholi, Zahra
  last_name: Jafargholi
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
citation:
  ama: 'Fuchsbauer G, Jafargholi Z, Pietrzak KZ. A quasipolynomial reduction for generalized
    selective decryption on trees. In: Vol 9215. Springer; 2015:601-620. doi:<a href="https://doi.org/10.1007/978-3-662-47989-6_29">10.1007/978-3-662-47989-6_29</a>'
  apa: 'Fuchsbauer, G., Jafargholi, Z., &#38; Pietrzak, K. Z. (2015). A quasipolynomial
    reduction for generalized selective decryption on trees (Vol. 9215, pp. 601–620).
    Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA,
    USA: Springer. <a href="https://doi.org/10.1007/978-3-662-47989-6_29">https://doi.org/10.1007/978-3-662-47989-6_29</a>'
  chicago: Fuchsbauer, Georg, Zahra Jafargholi, and Krzysztof Z Pietrzak. “A Quasipolynomial
    Reduction for Generalized Selective Decryption on Trees,” 9215:601–20. Springer,
    2015. <a href="https://doi.org/10.1007/978-3-662-47989-6_29">https://doi.org/10.1007/978-3-662-47989-6_29</a>.
  ieee: 'G. Fuchsbauer, Z. Jafargholi, and K. Z. Pietrzak, “A quasipolynomial reduction
    for generalized selective decryption on trees,” presented at the CRYPTO: International
    Cryptology Conference, Santa Barbara, CA, USA, 2015, vol. 9215, pp. 601–620.'
  ista: 'Fuchsbauer G, Jafargholi Z, Pietrzak KZ. 2015. A quasipolynomial reduction
    for generalized selective decryption on trees. CRYPTO: International Cryptology
    Conference, LNCS, vol. 9215, 601–620.'
  mla: Fuchsbauer, Georg, et al. <i>A Quasipolynomial Reduction for Generalized Selective
    Decryption on Trees</i>. Vol. 9215, Springer, 2015, pp. 601–20, doi:<a href="https://doi.org/10.1007/978-3-662-47989-6_29">10.1007/978-3-662-47989-6_29</a>.
  short: G. Fuchsbauer, Z. Jafargholi, K.Z. Pietrzak, in:, Springer, 2015, pp. 601–620.
conference:
  end_date: 2015-08-20
  location: Santa Barbara, CA, USA
  name: 'CRYPTO: International Cryptology Conference'
  start_date: 2015-08-16
date_created: 2018-12-11T11:53:14Z
date_published: 2015-08-01T00:00:00Z
date_updated: 2021-01-12T06:52:14Z
day: '01'
ddc:
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-662-47989-6_29
ec_funded: 1
file:
- access_level: open_access
  checksum: 99b76b3263d5082554d0a9cbdeca3a22
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:13:31Z
  date_updated: 2020-07-14T12:45:08Z
  file_id: '5015'
  file_name: IST-2016-674-v1+1_389.pdf
  file_size: 505618
  relation: main_file
file_date_updated: 2020-07-14T12:45:08Z
has_accepted_license: '1'
intvolume: '      9215'
language:
- iso: eng
month: '08'
oa: 1
oa_version: Submitted Version
page: 601 - 620
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5502'
pubrep_id: '674'
quality_controlled: '1'
scopus_import: 1
status: public
title: A quasipolynomial reduction for generalized selective decryption on trees
tmp:
  image: /images/cc_by.png
  legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
  name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
  short: CC BY (4.0)
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9215
year: '2015'
...
---
_id: '1649'
abstract:
- lang: eng
  text: 'We extend a commitment scheme based on the learning with errors over rings
    (RLWE) problem, and present efficient companion zeroknowledge proofs of knowledge.
    Our scheme maps elements from the ring (or equivalently, n elements from '
alternative_title:
- LNCS
author:
- first_name: Fabrice
  full_name: Benhamouda, Fabrice
  last_name: Benhamouda
- first_name: Stephan
  full_name: Krenn, Stephan
  last_name: Krenn
- first_name: Vadim
  full_name: Lyubashevsky, Vadim
  last_name: Lyubashevsky
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
citation:
  ama: Benhamouda F, Krenn S, Lyubashevsky V, Pietrzak KZ. Efficient zero-knowledge
    proofs for commitments from learning with errors over rings. 2015;9326:305-325.
    doi:<a href="https://doi.org/10.1007/978-3-319-24174-6_16">10.1007/978-3-319-24174-6_16</a>
  apa: 'Benhamouda, F., Krenn, S., Lyubashevsky, V., &#38; Pietrzak, K. Z. (2015).
    Efficient zero-knowledge proofs for commitments from learning with errors over
    rings. Presented at the ESORICS: European Symposium on Research in Computer Security,
    Vienna, Austria: Springer. <a href="https://doi.org/10.1007/978-3-319-24174-6_16">https://doi.org/10.1007/978-3-319-24174-6_16</a>'
  chicago: Benhamouda, Fabrice, Stephan Krenn, Vadim Lyubashevsky, and Krzysztof Z
    Pietrzak. “Efficient Zero-Knowledge Proofs for Commitments from Learning with
    Errors over Rings.” Lecture Notes in Computer Science. Springer, 2015. <a href="https://doi.org/10.1007/978-3-319-24174-6_16">https://doi.org/10.1007/978-3-319-24174-6_16</a>.
  ieee: F. Benhamouda, S. Krenn, V. Lyubashevsky, and K. Z. Pietrzak, “Efficient zero-knowledge
    proofs for commitments from learning with errors over rings,” vol. 9326. Springer,
    pp. 305–325, 2015.
  ista: Benhamouda F, Krenn S, Lyubashevsky V, Pietrzak KZ. 2015. Efficient zero-knowledge
    proofs for commitments from learning with errors over rings. 9326, 305–325.
  mla: Benhamouda, Fabrice, et al. <i>Efficient Zero-Knowledge Proofs for Commitments
    from Learning with Errors over Rings</i>. Vol. 9326, Springer, 2015, pp. 305–25,
    doi:<a href="https://doi.org/10.1007/978-3-319-24174-6_16">10.1007/978-3-319-24174-6_16</a>.
  short: F. Benhamouda, S. Krenn, V. Lyubashevsky, K.Z. Pietrzak, 9326 (2015) 305–325.
conference:
  end_date: 2015-09-25
  location: Vienna, Austria
  name: 'ESORICS: European Symposium on Research in Computer Security'
  start_date: 2015-09-21
date_created: 2018-12-11T11:53:15Z
date_published: 2015-01-01T00:00:00Z
date_updated: 2021-01-12T06:52:14Z
day: '01'
ddc:
- '000'
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-319-24174-6_16
ec_funded: 1
file:
- access_level: open_access
  checksum: 6eac4a485b2aa644b2d3f753ed0b280b
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:11:28Z
  date_updated: 2020-07-14T12:45:08Z
  file_id: '4883'
  file_name: IST-2016-678-v1+1_889.pdf
  file_size: 494239
  relation: main_file
file_date_updated: 2020-07-14T12:45:08Z
has_accepted_license: '1'
intvolume: '      9326'
language:
- iso: eng
license: https://creativecommons.org/licenses/by-nc/4.0/
month: '01'
oa: 1
oa_version: Published Version
page: 305 - 325
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5501'
pubrep_id: '678'
quality_controlled: '1'
scopus_import: 1
series_title: Lecture Notes in Computer Science
status: public
title: Efficient zero-knowledge proofs for commitments from learning with errors over
  rings
tmp:
  image: /images/cc_by_nc.png
  legal_code_url: https://creativecommons.org/licenses/by-nc/4.0/legalcode
  name: Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
  short: CC BY-NC (4.0)
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9326
year: '2015'
...
---
_id: '1650'
abstract:
- lang: eng
  text: "We consider the task of deriving a key with high HILL entropy (i.e., being
    computationally indistinguishable from a key with high min-entropy) from an unpredictable
    source.\r\n\r\nPrevious to this work, the only known way to transform unpredictability
    into a key that was ϵ indistinguishable from having min-entropy was via pseudorandomness,
    for example by Goldreich-Levin (GL) hardcore bits. This approach has the inherent
    limitation that from a source with k bits of unpredictability entropy one can
    derive a key of length (and thus HILL entropy) at most k−2log(1/ϵ) bits. In many
    settings, e.g. when dealing with biometric data, such a 2log(1/ϵ) bit entropy
    loss in not an option. Our main technical contribution is a theorem that states
    that in the high entropy regime, unpredictability implies HILL entropy. Concretely,
    any variable K with |K|−d bits of unpredictability entropy has the same amount
    of so called metric entropy (against real-valued, deterministic distinguishers),
    which is known to imply the same amount of HILL entropy. The loss in circuit size
    in this argument is exponential in the entropy gap d, and thus this result only
    applies for small d (i.e., where the size of distinguishers considered is exponential
    in d).\r\n\r\nTo overcome the above restriction, we investigate if it’s possible
    to first “condense” unpredictability entropy and make the entropy gap small. We
    show that any source with k bits of unpredictability can be condensed into a source
    of length k with k−3 bits of unpredictability entropy. Our condenser simply “abuses&quot;
    the GL construction and derives a k bit key from a source with k bits of unpredicatibily.
    The original GL theorem implies nothing when extracting that many bits, but we
    show that in this regime, GL still behaves like a “condenser&quot; for unpredictability.
    This result comes with two caveats (1) the loss in circuit size is exponential
    in k and (2) we require that the source we start with has no HILL entropy (equivalently,
    one can efficiently check if a guess is correct). We leave it as an intriguing
    open problem to overcome these restrictions or to prove they’re inherent."
alternative_title:
- LNCS
author:
- first_name: Maciej
  full_name: Skórski, Maciej
  last_name: Skórski
- first_name: Alexander
  full_name: Golovnev, Alexander
  last_name: Golovnev
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
citation:
  ama: 'Skórski M, Golovnev A, Pietrzak KZ. Condensed unpredictability . In: Vol 9134.
    Springer; 2015:1046-1057. doi:<a href="https://doi.org/10.1007/978-3-662-47672-7_85">10.1007/978-3-662-47672-7_85</a>'
  apa: 'Skórski, M., Golovnev, A., &#38; Pietrzak, K. Z. (2015). Condensed unpredictability  (Vol.
    9134, pp. 1046–1057). Presented at the ICALP: Automata, Languages and Programming,
    Kyoto, Japan: Springer. <a href="https://doi.org/10.1007/978-3-662-47672-7_85">https://doi.org/10.1007/978-3-662-47672-7_85</a>'
  chicago: Skórski, Maciej, Alexander Golovnev, and Krzysztof Z Pietrzak. “Condensed
    Unpredictability ,” 9134:1046–57. Springer, 2015. <a href="https://doi.org/10.1007/978-3-662-47672-7_85">https://doi.org/10.1007/978-3-662-47672-7_85</a>.
  ieee: 'M. Skórski, A. Golovnev, and K. Z. Pietrzak, “Condensed unpredictability
    ,” presented at the ICALP: Automata, Languages and Programming, Kyoto, Japan,
    2015, vol. 9134, pp. 1046–1057.'
  ista: 'Skórski M, Golovnev A, Pietrzak KZ. 2015. Condensed unpredictability . ICALP:
    Automata, Languages and Programming, LNCS, vol. 9134, 1046–1057.'
  mla: Skórski, Maciej, et al. <i>Condensed Unpredictability </i>. Vol. 9134, Springer,
    2015, pp. 1046–57, doi:<a href="https://doi.org/10.1007/978-3-662-47672-7_85">10.1007/978-3-662-47672-7_85</a>.
  short: M. Skórski, A. Golovnev, K.Z. Pietrzak, in:, Springer, 2015, pp. 1046–1057.
conference:
  end_date: 2015-07-10
  location: Kyoto, Japan
  name: 'ICALP: Automata, Languages and Programming'
  start_date: 2015-07-06
date_created: 2018-12-11T11:53:15Z
date_published: 2015-06-20T00:00:00Z
date_updated: 2021-01-12T06:52:15Z
day: '20'
ddc:
- '000'
- '005'
department:
- _id: KrPi
doi: 10.1007/978-3-662-47672-7_85
ec_funded: 1
file:
- access_level: open_access
  checksum: e808c7eecb631336fc9f9bf2e8d4ecae
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:08:32Z
  date_updated: 2020-07-14T12:45:08Z
  file_id: '4693'
  file_name: IST-2016-675-v1+1_384.pdf
  file_size: 525503
  relation: main_file
file_date_updated: 2020-07-14T12:45:08Z
has_accepted_license: '1'
intvolume: '      9134'
language:
- iso: eng
month: '06'
oa: 1
oa_version: Published Version
page: 1046 - 1057
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5500'
pubrep_id: '675'
quality_controlled: '1'
scopus_import: 1
status: public
title: 'Condensed unpredictability '
tmp:
  image: /images/cc_by.png
  legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
  name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
  short: CC BY (4.0)
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9134
year: '2015'
...