[{"has_accepted_license":"1","publisher":"American Physical Society","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","author":[{"full_name":"Becker, J. M.","last_name":"Becker","first_name":"J. M."},{"id":"d7b23d3a-9e21-11ec-b482-f76739596b95","first_name":"Georgios","last_name":"Koutentakis","full_name":"Koutentakis, Georgios"},{"full_name":"Schmelcher, P.","last_name":"Schmelcher","first_name":"P."}],"title":"Spin-charge correlations in finite one-dimensional multiband Fermi systems","file":[{"date_updated":"2023-12-11T10:49:07Z","date_created":"2023-12-11T10:49:07Z","success":1,"file_name":"2023_PhysReviewResearch_Becker.pdf","access_level":"open_access","relation":"main_file","checksum":"ee31c0d0de5d1b65591990ae6705a601","content_type":"application/pdf","file_id":"14672","file_size":2362158,"creator":"dernst"}],"article_processing_charge":"Yes","department":[{"_id":"MiLe"}],"language":[{"iso":"eng"}],"article_type":"original","publication_identifier":{"issn":["2643-1564"]},"citation":{"chicago":"Becker, J. M., Georgios Koutentakis, and P. Schmelcher. “Spin-Charge Correlations in Finite One-Dimensional Multiband Fermi Systems.” <i>Physical Review Research</i>. American Physical Society, 2023. <a href=\"https://doi.org/10.1103/PhysRevResearch.5.043039\">https://doi.org/10.1103/PhysRevResearch.5.043039</a>.","ieee":"J. M. Becker, G. Koutentakis, and P. Schmelcher, “Spin-charge correlations in finite one-dimensional multiband Fermi systems,” <i>Physical Review Research</i>, vol. 5, no. 4. American Physical Society, 2023.","short":"J.M. Becker, G. Koutentakis, P. Schmelcher, Physical Review Research 5 (2023).","ista":"Becker JM, Koutentakis G, Schmelcher P. 2023. Spin-charge correlations in finite one-dimensional multiband Fermi systems. Physical Review Research. 5(4), 043039.","ama":"Becker JM, Koutentakis G, Schmelcher P. Spin-charge correlations in finite one-dimensional multiband Fermi systems. <i>Physical Review Research</i>. 2023;5(4). doi:<a href=\"https://doi.org/10.1103/PhysRevResearch.5.043039\">10.1103/PhysRevResearch.5.043039</a>","mla":"Becker, J. M., et al. “Spin-Charge Correlations in Finite One-Dimensional Multiband Fermi Systems.” <i>Physical Review Research</i>, vol. 5, no. 4, 043039, American Physical Society, 2023, doi:<a href=\"https://doi.org/10.1103/PhysRevResearch.5.043039\">10.1103/PhysRevResearch.5.043039</a>.","apa":"Becker, J. M., Koutentakis, G., &#38; Schmelcher, P. (2023). Spin-charge correlations in finite one-dimensional multiband Fermi systems. <i>Physical Review Research</i>. American Physical Society. <a href=\"https://doi.org/10.1103/PhysRevResearch.5.043039\">https://doi.org/10.1103/PhysRevResearch.5.043039</a>"},"scopus_import":"1","arxiv":1,"abstract":[{"text":"We investigate spin-charge separation of a spin-\r\n1\r\n2\r\n Fermi system confined in a triple well where multiple bands are occupied. We assume that our finite fermionic system is close to fully spin polarized while being doped by a hole and an impurity fermion with opposite spin. Our setup involves ferromagnetic couplings among the particles in different bands, leading to the development of strong spin-transport correlations in an intermediate interaction regime. Interactions are then strong enough to lift the degeneracy among singlet and triplet spin configurations in the well of the spin impurity but not strong enough to prohibit hole-induced magnetic excitations to the singlet state. Despite the strong spin-hole correlations, the system exhibits spin-charge deconfinement allowing for long-range entanglement of the spatial and spin degrees of freedom.","lang":"eng"}],"type":"journal_article","file_date_updated":"2023-12-11T10:49:07Z","_id":"14658","quality_controlled":"1","project":[{"grant_number":"101034413","call_identifier":"H2020","_id":"fc2ed2f7-9c52-11eb-aca3-c01059dda49c","name":"IST-BRIDGE: International postdoctoral program"}],"publication_status":"published","date_published":"2023-10-12T00:00:00Z","month":"10","intvolume":"         5","article_number":"043039","acknowledgement":"This work has been funded by the Cluster of Excellence “Advanced Imaging of Matter” of the Deutsche Forschungsgemeinschaft (DFG)-EXC 2056-Project ID No. 390715994. G.M.K. gratefully acknowledges funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie Grant Agreement No. 101034413.","date_updated":"2023-12-11T10:55:52Z","oa":1,"issue":"4","external_id":{"arxiv":["2305.09529"]},"year":"2023","volume":5,"tmp":{"image":"/images/cc_by.png","legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"ddc":["530"],"date_created":"2023-12-10T23:00:58Z","status":"public","day":"12","publication":"Physical Review Research","doi":"10.1103/PhysRevResearch.5.043039","oa_version":"Published Version","ec_funded":1},{"acknowledgement":"This work was carried out within the framework of the EV-K2-CNR and Nepal Academy of Science and Technology. K.Y. was supported by the Second Tibetan Plateau Scientific Expedition and Research Program (grant no. 2019QZKK0206). N.C. was supported by the project NODES, which has received funding from the MUR–M4C2 1.5 of PNRR funded by the European Union - NextGeneration EU (Grant agreement no. ECS00000036). T.E.S. has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Sklodowska-Curie grant no. 101026058. F.P. has received funding from the European Research Council under the European Union’s Horizon 2020 research and innovation programme grant no. 772751, RAVEN, ‘Rapid mass losses of debris-covered glaciers in High Mountain Asia’ and has been supported by the SNSF grant ‘High-elevation precipitation in High Mountain Asia’ (grant no. 183633). A.A. was supported by the European Union’s Horizon 2020 research and innovation program under grant agreement no. 101004156 (CONFESS project) and by the European Union’s Horizon Europe research and innovation program under grant agreement no. 101081193 (OptimESM project). We thank H. Wehrli for valuable comments and suggestions and J. Giannitrapani for the graphic support. We thank A. Da Polenza and K. Bista of EV-K2-CNR for believing that studying the high elevations is relevant for the whole globe.","date_published":"2023-12-04T00:00:00Z","intvolume":"        16","month":"12","oa":1,"date_updated":"2023-12-13T11:01:10Z","page":"1120-1127","year":"2023","volume":16,"day":"04","status":"public","tmp":{"image":"/images/cc_by.png","legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"ddc":["550"],"date_created":"2023-12-10T23:00:58Z","publication":"Nature Geoscience","doi":"10.1038/s41561-023-01331-y","oa_version":"Published Version","related_material":{"link":[{"relation":"press_release","description":"News on ISTA website","url":"https://ista.ac.at/en/news/wind-of-climate-change/"}]},"publisher":"Springer Nature","has_accepted_license":"1","title":"Local cooling and drying induced by Himalayan glaciers under global warming","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","author":[{"first_name":"Franco","last_name":"Salerno","full_name":"Salerno, Franco"},{"full_name":"Guyennon, Nicolas","last_name":"Guyennon","first_name":"Nicolas"},{"full_name":"Yang, Kun","last_name":"Yang","first_name":"Kun"},{"full_name":"Shaw, Thomas","last_name":"Shaw","orcid":"0000-0001-7640-6152","first_name":"Thomas","id":"3caa3f91-1f03-11ee-96ce-e0e553054d6e"},{"first_name":"Changgui","last_name":"Lin","full_name":"Lin, Changgui"},{"last_name":"Colombo","first_name":"Nicola","full_name":"Colombo, Nicola"},{"full_name":"Romano, Emanuele","first_name":"Emanuele","last_name":"Romano"},{"full_name":"Gruber, Stephan","last_name":"Gruber","first_name":"Stephan"},{"last_name":"Bolch","first_name":"Tobias","full_name":"Bolch, Tobias"},{"last_name":"Alessandri","first_name":"Andrea","full_name":"Alessandri, Andrea"},{"full_name":"Cristofanelli, Paolo","last_name":"Cristofanelli","first_name":"Paolo"},{"full_name":"Putero, Davide","first_name":"Davide","last_name":"Putero"},{"full_name":"Diolaiuti, Guglielmina","last_name":"Diolaiuti","first_name":"Guglielmina"},{"full_name":"Tartari, Gianni","last_name":"Tartari","first_name":"Gianni"},{"full_name":"Verza, Gianpietro","last_name":"Verza","first_name":"Gianpietro"},{"first_name":"Sudeep","last_name":"Thakuri","full_name":"Thakuri, Sudeep"},{"first_name":"Gianpaolo","last_name":"Balsamo","full_name":"Balsamo, Gianpaolo"},{"full_name":"Miles, Evan S.","last_name":"Miles","first_name":"Evan S."},{"full_name":"Pellicciotti, Francesca","last_name":"Pellicciotti","orcid":"0000-0002-5554-8087","id":"b28f055a-81ea-11ed-b70c-a9fe7f7b0e70","first_name":"Francesca"}],"file":[{"checksum":"d5ae0d17069eebc6f454c8608cf83e21","relation":"main_file","access_level":"open_access","creator":"dernst","file_size":6072603,"file_id":"14671","content_type":"application/pdf","date_created":"2023-12-11T10:11:19Z","date_updated":"2023-12-11T10:11:19Z","file_name":"2023_NatureGeoscience_Salerno.pdf","success":1}],"department":[{"_id":"FrPe"}],"article_processing_charge":"Yes (in subscription journal)","article_type":"original","language":[{"iso":"eng"}],"abstract":[{"lang":"eng","text":"Understanding the response of Himalayan glaciers to global warming is vital because of their role as a water source for the Asian subcontinent. However, great uncertainties still exist on the climate drivers of past and present glacier changes across scales. Here, we analyse continuous hourly climate station data from a glacierized elevation (Pyramid station, Mount Everest) since 1994 together with other ground observations and climate reanalysis. We show that a decrease in maximum air temperature and precipitation occurred during the last three decades at Pyramid in response to global warming. Reanalysis data suggest a broader occurrence of this effect in the glacierized areas of the Himalaya. We hypothesize that the counterintuitive cooling is caused by enhanced sensible heat exchange and the associated increase in glacier katabatic wind, which draws cool air downward from higher elevations. The stronger katabatic winds have also lowered the elevation of local wind convergence, thereby diminishing precipitation in glacial areas and negatively affecting glacier mass balance. This local cooling may have partially preserved glaciers from melting and could help protect the periglacial environment."}],"scopus_import":"1","type":"journal_article","file_date_updated":"2023-12-11T10:11:19Z","publication_identifier":{"issn":["1752-0894"],"eissn":["1752-0908"]},"citation":{"mla":"Salerno, Franco, et al. “Local Cooling and Drying Induced by Himalayan Glaciers under Global Warming.” <i>Nature Geoscience</i>, vol. 16, Springer Nature, 2023, pp. 1120–27, doi:<a href=\"https://doi.org/10.1038/s41561-023-01331-y\">10.1038/s41561-023-01331-y</a>.","apa":"Salerno, F., Guyennon, N., Yang, K., Shaw, T., Lin, C., Colombo, N., … Pellicciotti, F. (2023). Local cooling and drying induced by Himalayan glaciers under global warming. <i>Nature Geoscience</i>. Springer Nature. <a href=\"https://doi.org/10.1038/s41561-023-01331-y\">https://doi.org/10.1038/s41561-023-01331-y</a>","chicago":"Salerno, Franco, Nicolas Guyennon, Kun Yang, Thomas Shaw, Changgui Lin, Nicola Colombo, Emanuele Romano, et al. “Local Cooling and Drying Induced by Himalayan Glaciers under Global Warming.” <i>Nature Geoscience</i>. Springer Nature, 2023. <a href=\"https://doi.org/10.1038/s41561-023-01331-y\">https://doi.org/10.1038/s41561-023-01331-y</a>.","ama":"Salerno F, Guyennon N, Yang K, et al. Local cooling and drying induced by Himalayan glaciers under global warming. <i>Nature Geoscience</i>. 2023;16:1120-1127. doi:<a href=\"https://doi.org/10.1038/s41561-023-01331-y\">10.1038/s41561-023-01331-y</a>","short":"F. Salerno, N. Guyennon, K. Yang, T. Shaw, C. Lin, N. Colombo, E. Romano, S. Gruber, T. Bolch, A. Alessandri, P. Cristofanelli, D. Putero, G. Diolaiuti, G. Tartari, G. Verza, S. Thakuri, G. Balsamo, E.S. Miles, F. Pellicciotti, Nature Geoscience 16 (2023) 1120–1127.","ieee":"F. Salerno <i>et al.</i>, “Local cooling and drying induced by Himalayan glaciers under global warming,” <i>Nature Geoscience</i>, vol. 16. Springer Nature, pp. 1120–1127, 2023.","ista":"Salerno F, Guyennon N, Yang K, Shaw T, Lin C, Colombo N, Romano E, Gruber S, Bolch T, Alessandri A, Cristofanelli P, Putero D, Diolaiuti G, Tartari G, Verza G, Thakuri S, Balsamo G, Miles ES, Pellicciotti F. 2023. Local cooling and drying induced by Himalayan glaciers under global warming. Nature Geoscience. 16, 1120–1127."},"quality_controlled":"1","_id":"14659","publication_status":"published"},{"publication_status":"epub_ahead","publication_identifier":{"issn":["0024-6093"],"eissn":["1469-2120"]},"citation":{"chicago":"Ivanov, Grigory, and Márton Naszódi. “Quantitative Steinitz Theorem: A Polynomial Bound.” <i>Bulletin of the London Mathematical Society</i>. London Mathematical Society, 2023. <a href=\"https://doi.org/10.1112/blms.12965\">https://doi.org/10.1112/blms.12965</a>.","ama":"Ivanov G, Naszódi M. Quantitative Steinitz theorem: A polynomial bound. <i>Bulletin of the London Mathematical Society</i>. 2023. doi:<a href=\"https://doi.org/10.1112/blms.12965\">10.1112/blms.12965</a>","short":"G. Ivanov, M. Naszódi, Bulletin of the London Mathematical Society (2023).","ieee":"G. Ivanov and M. Naszódi, “Quantitative Steinitz theorem: A polynomial bound,” <i>Bulletin of the London Mathematical Society</i>. London Mathematical Society, 2023.","ista":"Ivanov G, Naszódi M. 2023. Quantitative Steinitz theorem: A polynomial bound. Bulletin of the London Mathematical Society.","mla":"Ivanov, Grigory, and Márton Naszódi. “Quantitative Steinitz Theorem: A Polynomial Bound.” <i>Bulletin of the London Mathematical Society</i>, London Mathematical Society, 2023, doi:<a href=\"https://doi.org/10.1112/blms.12965\">10.1112/blms.12965</a>.","apa":"Ivanov, G., &#38; Naszódi, M. (2023). Quantitative Steinitz theorem: A polynomial bound. <i>Bulletin of the London Mathematical Society</i>. London Mathematical Society. <a href=\"https://doi.org/10.1112/blms.12965\">https://doi.org/10.1112/blms.12965</a>"},"type":"journal_article","abstract":[{"lang":"eng","text":"The classical Steinitz theorem states that if the origin belongs to the interior of the convex hull of a set 𝑆⊂ℝ𝑑, then there are at most 2𝑑 points of 𝑆 whose convex hull contains the origin in the interior. Bárány, Katchalski,and Pach proved the following quantitative version of Steinitz’s theorem. Let 𝑄 be a convex polytope in ℝ𝑑 containing the standard Euclidean unit ball 𝐁𝑑. Then there exist at most 2𝑑 vertices of 𝑄 whose convex hull 𝑄′ satisfies 𝑟𝐁𝑑⊂𝑄′ with 𝑟⩾𝑑−2𝑑. They conjectured that 𝑟⩾𝑐𝑑−1∕2 holds with a universal constant 𝑐>0. We prove 𝑟⩾15𝑑2, the first polynomial lower bound on 𝑟. Furthermore, we show that 𝑟 is not greater than 2/√𝑑."}],"scopus_import":"1","arxiv":1,"_id":"14660","quality_controlled":"1","article_processing_charge":"Yes (via OA deal)","department":[{"_id":"UlWa"}],"language":[{"iso":"eng"}],"article_type":"original","publisher":"London Mathematical Society","author":[{"full_name":"Ivanov, Grigory","last_name":"Ivanov","first_name":"Grigory","id":"87744F66-5C6F-11EA-AFE0-D16B3DDC885E"},{"last_name":"Naszódi","first_name":"Márton","full_name":"Naszódi, Márton"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","title":"Quantitative Steinitz theorem: A polynomial bound","main_file_link":[{"url":" https://doi.org/10.1112/blms.12965","open_access":"1"}],"doi":"10.1112/blms.12965","publication":"Bulletin of the London Mathematical Society","oa_version":"Published Version","date_created":"2023-12-10T23:00:58Z","day":"04","status":"public","external_id":{"arxiv":["2212.04308"]},"year":"2023","month":"12","date_published":"2023-12-04T00:00:00Z","acknowledgement":"M.N. was supported by the János Bolyai Scholarship of the Hungarian Academy of Sciences aswell as the National Research, Development and Innovation Fund (NRDI) grants K119670 andK131529, and the ÚNKP-22-5 New National Excellence Program of the Ministry for Innovationand Technology from the source of the NRDI as well as the ELTE TKP 2021-NKTA-62 fundingscheme","date_updated":"2023-12-11T10:03:54Z","oa":1},{"publisher":"Heldermann Verlag","title":"External forces in the continuum limit of discrete systems with non-convex interaction potentials: Compactness for a Γ-development","author":[{"last_name":"Carioni","first_name":"Marcello","full_name":"Carioni, Marcello"},{"last_name":"Fischer","orcid":"0000-0002-0479-558X","id":"2C12A0B0-F248-11E8-B48F-1D18A9856A87","first_name":"Julian L","full_name":"Fischer, Julian L"},{"full_name":"Schlömerkemper, Anja","last_name":"Schlömerkemper","first_name":"Anja"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","department":[{"_id":"JuFi"}],"article_processing_charge":"No","article_type":"original","language":[{"iso":"eng"}],"type":"journal_article","abstract":[{"text":"This paper is concerned with equilibrium configurations of one-dimensional particle systems with non-convex nearest-neighbour and next-to-nearest-neighbour interactions and its passage to the continuum. The goal is to derive compactness results for a Γ-development of the energy with the novelty that external forces are allowed. In particular, the forces may depend on Lagrangian or Eulerian coordinates and thus may model dead as well as live loads. Our result is based on a new technique for deriving compactness results which are required for calculating the first-order Γ-limit in the presence of external forces: instead of comparing a configuration of n atoms to a global minimizer of the Γ-limit, we compare the configuration to a minimizer in some subclass of functions which in some sense are \"close to\" the configuration. The paper is complemented with the study of the minimizers of the Γ-limit.","lang":"eng"}],"arxiv":1,"scopus_import":"1","publication_identifier":{"eissn":["2363-6394"],"issn":["0944-6532"]},"citation":{"mla":"Carioni, Marcello, et al. “External Forces in the Continuum Limit of Discrete Systems with Non-Convex Interaction Potentials: Compactness for a Γ-Development.” <i>Journal of Convex Analysis</i>, vol. 30, no. 1, Heldermann Verlag, 2023, pp. 217–47.","apa":"Carioni, M., Fischer, J. L., &#38; Schlömerkemper, A. (2023). External forces in the continuum limit of discrete systems with non-convex interaction potentials: Compactness for a Γ-development. <i>Journal of Convex Analysis</i>. Heldermann Verlag.","chicago":"Carioni, Marcello, Julian L Fischer, and Anja Schlömerkemper. “External Forces in the Continuum Limit of Discrete Systems with Non-Convex Interaction Potentials: Compactness for a Γ-Development.” <i>Journal of Convex Analysis</i>. Heldermann Verlag, 2023.","ama":"Carioni M, Fischer JL, Schlömerkemper A. External forces in the continuum limit of discrete systems with non-convex interaction potentials: Compactness for a Γ-development. <i>Journal of Convex Analysis</i>. 2023;30(1):217-247.","ieee":"M. Carioni, J. L. Fischer, and A. Schlömerkemper, “External forces in the continuum limit of discrete systems with non-convex interaction potentials: Compactness for a Γ-development,” <i>Journal of Convex Analysis</i>, vol. 30, no. 1. Heldermann Verlag, pp. 217–247, 2023.","short":"M. Carioni, J.L. Fischer, A. Schlömerkemper, Journal of Convex Analysis 30 (2023) 217–247.","ista":"Carioni M, Fischer JL, Schlömerkemper A. 2023. External forces in the continuum limit of discrete systems with non-convex interaction potentials: Compactness for a Γ-development. Journal of Convex Analysis. 30(1), 217–247."},"quality_controlled":"1","_id":"14661","publication_status":"published","month":"01","intvolume":"        30","date_published":"2023-01-01T00:00:00Z","issue":"1","oa":1,"date_updated":"2024-01-16T12:03:05Z","external_id":{"arxiv":["1811.09857"],"isi":["001115503400013"]},"page":"217-247","year":"2023","volume":30,"day":"01","status":"public","date_created":"2023-12-10T23:00:59Z","main_file_link":[{"open_access":"1","url":"https://arxiv.org/abs/1811.09857"}],"publication":"Journal of Convex Analysis","isi":1,"oa_version":"Preprint"},{"year":"2023","external_id":{"arxiv":["2210.17123"]},"page":"1045-1055","oa":1,"issue":"3","date_updated":"2023-12-11T12:12:14Z","date_published":"2023-11-25T00:00:00Z","month":"11","intvolume":"        13","oa_version":"None","publication":"Journal of Spectral Theory","doi":"10.4171/JST/469","status":"public","day":"25","ddc":["510"],"tmp":{"image":"/images/cc_by.png","legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"date_created":"2023-12-10T23:00:59Z","volume":13,"article_type":"original","language":[{"iso":"eng"}],"department":[{"_id":"RoSe"}],"article_processing_charge":"Yes","title":"Absence of excited eigenvalues for Fröhlich type polaron models at weak coupling","author":[{"last_name":"Seiringer","orcid":"0000-0002-6781-0521","id":"4AFD0470-F248-11E8-B48F-1D18A9856A87","first_name":"Robert","full_name":"Seiringer, Robert"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","file":[{"date_created":"2023-12-11T12:03:12Z","date_updated":"2023-12-11T12:03:12Z","file_name":"2023_JST_Seiringer.pdf","success":1,"access_level":"open_access","relation":"main_file","checksum":"9ce96ca87d56ea9a70d2eb9a32839f8d","creator":"dernst","file_size":201513,"file_id":"14677","content_type":"application/pdf"}],"publisher":"EMS Press","has_accepted_license":"1","publication_status":"published","quality_controlled":"1","_id":"14662","scopus_import":"1","abstract":[{"lang":"eng","text":"We consider a class of polaron models, including the Fröhlich model, at zero total\r\nmomentum, and show that at sufficiently weak coupling there are no excited eigenvalues below\r\nthe essential spectrum."}],"arxiv":1,"file_date_updated":"2023-12-11T12:03:12Z","type":"journal_article","publication_identifier":{"eissn":["1664-0403"],"issn":["1664-039X"]},"citation":{"mla":"Seiringer, Robert. “Absence of Excited Eigenvalues for Fröhlich Type Polaron Models at Weak Coupling.” <i>Journal of Spectral Theory</i>, vol. 13, no. 3, EMS Press, 2023, pp. 1045–55, doi:<a href=\"https://doi.org/10.4171/JST/469\">10.4171/JST/469</a>.","apa":"Seiringer, R. (2023). Absence of excited eigenvalues for Fröhlich type polaron models at weak coupling. <i>Journal of Spectral Theory</i>. EMS Press. <a href=\"https://doi.org/10.4171/JST/469\">https://doi.org/10.4171/JST/469</a>","chicago":"Seiringer, Robert. “Absence of Excited Eigenvalues for Fröhlich Type Polaron Models at Weak Coupling.” <i>Journal of Spectral Theory</i>. EMS Press, 2023. <a href=\"https://doi.org/10.4171/JST/469\">https://doi.org/10.4171/JST/469</a>.","ama":"Seiringer R. Absence of excited eigenvalues for Fröhlich type polaron models at weak coupling. <i>Journal of Spectral Theory</i>. 2023;13(3):1045-1055. doi:<a href=\"https://doi.org/10.4171/JST/469\">10.4171/JST/469</a>","ista":"Seiringer R. 2023. Absence of excited eigenvalues for Fröhlich type polaron models at weak coupling. Journal of Spectral Theory. 13(3), 1045–1055.","short":"R. Seiringer, Journal of Spectral Theory 13 (2023) 1045–1055.","ieee":"R. Seiringer, “Absence of excited eigenvalues for Fröhlich type polaron models at weak coupling,” <i>Journal of Spectral Theory</i>, vol. 13, no. 3. EMS Press, pp. 1045–1055, 2023."}},{"publisher":"American Chemical Society","has_accepted_license":"1","author":[{"first_name":"Jinyan","last_name":"Zhao","full_name":"Zhao, Jinyan"},{"last_name":"Yao","first_name":"Zihao","full_name":"Yao, Zihao"},{"id":"91deeae8-1207-11ec-b130-c194ad5b50c6","first_name":"Rhys","orcid":"0000-0001-6928-074X","last_name":"Bunting","full_name":"Bunting, Rhys"},{"first_name":"P.","last_name":"Hu","full_name":"Hu, P."},{"full_name":"Wang, Jianguo","first_name":"Jianguo","last_name":"Wang"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","title":"Microkinetic modeling with size-dependent and adsorbate-adsorbate interactions for the direct synthesis of H₂O₂ over Pd nanoparticles","file":[{"date_updated":"2023-12-11T11:55:09Z","date_created":"2023-12-11T11:55:09Z","success":1,"file_name":"2023_ACSCatalysis_.pdf","access_level":"open_access","checksum":"a97c771077af71ddfb2249e34530895c","relation":"main_file","file_id":"14676","content_type":"application/pdf","file_size":14813812,"creator":"dernst"}],"department":[{"_id":"MaIb"}],"article_processing_charge":"Yes (in subscription journal)","article_type":"original","language":[{"iso":"eng"}],"abstract":[{"text":"As a bottleneck in the direct synthesis of hydrogen peroxide, the development of an efficient palladium-based catalyst has garnered great attention. However, elusive active centers and reaction mechanism issues inhibit further optimization of its performance. In this work, advanced microkinetic modeling with the adsorbate–adsorbate interaction and nanoparticle size effect based on first-principles calculations is developed. A full mechanism uncovering the significance of adsorbate–adsorbate interaction is determined on Pd nanoparticles. We demonstrate unambiguously that Pd(100) with main coverage species of O2 and H is beneficial to H2O2 production, being consistent with experimental operando observation, while H2O forms on Pd(111) covered by O species and Pd(211) covered by O and OH species. Kinetic analyses further enable quantitative estimation of the influence of temperature, pressure, and particle size. Large-size Pd nanoparticles are found to achieve a high H2O2 reaction rate when the operating conditions are moderate temperature and higher oxygen partial pressure. We reveal that specific facets of the Pd nanoparticles are crucial factors for their selectivity and activity. Consistent with the experiment, the production of H2O2 is discovered to be more favorable on Pd nanoparticles containing Pd(100) facets. The ratio of H2/O2 induces substantial variations in the coverage of intermediates of O2 and H on Pd(100), resulting in a change in product selectivity.","lang":"eng"}],"scopus_import":"1","type":"journal_article","file_date_updated":"2023-12-11T11:55:09Z","publication_identifier":{"eissn":["2155-5435"]},"citation":{"mla":"Zhao, Jinyan, et al. “Microkinetic Modeling with Size-Dependent and Adsorbate-Adsorbate Interactions for the Direct Synthesis of H₂O₂ over Pd Nanoparticles.” <i>ACS Catalysis</i>, vol. 13, no. 22, American Chemical Society, 2023, pp. 15054–73, doi:<a href=\"https://doi.org/10.1021/acscatal.3c03893\">10.1021/acscatal.3c03893</a>.","apa":"Zhao, J., Yao, Z., Bunting, R., Hu, P., &#38; Wang, J. (2023). Microkinetic modeling with size-dependent and adsorbate-adsorbate interactions for the direct synthesis of H₂O₂ over Pd nanoparticles. <i>ACS Catalysis</i>. American Chemical Society. <a href=\"https://doi.org/10.1021/acscatal.3c03893\">https://doi.org/10.1021/acscatal.3c03893</a>","chicago":"Zhao, Jinyan, Zihao Yao, Rhys Bunting, P. Hu, and Jianguo Wang. “Microkinetic Modeling with Size-Dependent and Adsorbate-Adsorbate Interactions for the Direct Synthesis of H₂O₂ over Pd Nanoparticles.” <i>ACS Catalysis</i>. American Chemical Society, 2023. <a href=\"https://doi.org/10.1021/acscatal.3c03893\">https://doi.org/10.1021/acscatal.3c03893</a>.","ieee":"J. Zhao, Z. Yao, R. Bunting, P. Hu, and J. Wang, “Microkinetic modeling with size-dependent and adsorbate-adsorbate interactions for the direct synthesis of H₂O₂ over Pd nanoparticles,” <i>ACS Catalysis</i>, vol. 13, no. 22. American Chemical Society, pp. 15054–15073, 2023.","ista":"Zhao J, Yao Z, Bunting R, Hu P, Wang J. 2023. Microkinetic modeling with size-dependent and adsorbate-adsorbate interactions for the direct synthesis of H₂O₂ over Pd nanoparticles. ACS Catalysis. 13(22), 15054–15073.","short":"J. Zhao, Z. Yao, R. Bunting, P. Hu, J. Wang, ACS Catalysis 13 (2023) 15054–15073.","ama":"Zhao J, Yao Z, Bunting R, Hu P, Wang J. Microkinetic modeling with size-dependent and adsorbate-adsorbate interactions for the direct synthesis of H₂O₂ over Pd nanoparticles. <i>ACS Catalysis</i>. 2023;13(22):15054-15073. doi:<a href=\"https://doi.org/10.1021/acscatal.3c03893\">10.1021/acscatal.3c03893</a>"},"quality_controlled":"1","_id":"14663","publication_status":"published","acknowledgement":"The authors acknowledge the financial support from the National Natural Science Foundation of China (22008211, 92045303, U21A20298), the National Key Research and Development Project of China (2021YFA1500900, 2022YFE0113800), and Zhejiang Innovation Team (2017R5203).","date_published":"2023-11-06T00:00:00Z","intvolume":"        13","month":"11","oa":1,"issue":"22","date_updated":"2023-12-11T11:55:35Z","page":"15054-15073","year":"2023","volume":13,"day":"06","status":"public","ddc":["540"],"tmp":{"image":"/images/cc_by.png","legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"date_created":"2023-12-10T23:00:59Z","publication":"ACS Catalysis","doi":"10.1021/acscatal.3c03893","oa_version":"Published Version"},{"citation":{"ama":"Hema K, Grommet AB, Białek MJ, et al. Guest encapsulation alters the thermodynamic landscape of a coordination host. <i>Journal of the American Chemical Society</i>. 2023;145(45):24755-24764. doi:<a href=\"https://doi.org/10.1021/jacs.3c08666\">10.1021/jacs.3c08666</a>","ista":"Hema K, Grommet AB, Białek MJ, Wang J, Schneider L, Drechsler C, Yanshyna O, Diskin-Posner Y, Clever GH, Klajn R. 2023. Guest encapsulation alters the thermodynamic landscape of a coordination host. Journal of the American Chemical Society. 145(45), 24755–24764.","ieee":"K. Hema <i>et al.</i>, “Guest encapsulation alters the thermodynamic landscape of a coordination host,” <i>Journal of the American Chemical Society</i>, vol. 145, no. 45. American Chemical Society, pp. 24755–24764, 2023.","short":"K. Hema, A.B. Grommet, M.J. Białek, J. Wang, L. Schneider, C. Drechsler, O. Yanshyna, Y. Diskin-Posner, G.H. Clever, R. Klajn, Journal of the American Chemical Society 145 (2023) 24755–24764.","chicago":"Hema, Kuntrapakam, Angela B. Grommet, Michał J. Białek, Jinhua Wang, Laura Schneider, Christoph Drechsler, Oksana Yanshyna, Yael Diskin-Posner, Guido H. Clever, and Rafal Klajn. “Guest Encapsulation Alters the Thermodynamic Landscape of a Coordination Host.” <i>Journal of the American Chemical Society</i>. American Chemical Society, 2023. <a href=\"https://doi.org/10.1021/jacs.3c08666\">https://doi.org/10.1021/jacs.3c08666</a>.","apa":"Hema, K., Grommet, A. B., Białek, M. J., Wang, J., Schneider, L., Drechsler, C., … Klajn, R. (2023). Guest encapsulation alters the thermodynamic landscape of a coordination host. <i>Journal of the American Chemical Society</i>. American Chemical Society. <a href=\"https://doi.org/10.1021/jacs.3c08666\">https://doi.org/10.1021/jacs.3c08666</a>","mla":"Hema, Kuntrapakam, et al. “Guest Encapsulation Alters the Thermodynamic Landscape of a Coordination Host.” <i>Journal of the American Chemical Society</i>, vol. 145, no. 45, American Chemical Society, 2023, pp. 24755–64, doi:<a href=\"https://doi.org/10.1021/jacs.3c08666\">10.1021/jacs.3c08666</a>."},"publication_identifier":{"eissn":["1520-5126"],"issn":["0002-7863"]},"scopus_import":"1","abstract":[{"text":"The architecture of self-assembled host molecules can profoundly affect the properties of the encapsulated guests. For example, a rigid cage with small windows can efficiently protect its contents from the environment; in contrast, tube-shaped, flexible hosts with large openings and an easily accessible cavity are ideally suited for catalysis. Here, we report a “Janus” nature of a Pd6L4 coordination host previously reported to exist exclusively as a tube isomer (T). We show that upon encapsulating various tetrahedrally shaped guests, T can reconfigure into a cage-shaped host (C) in quantitative yield. Extracting the guest affords empty C, which is metastable and spontaneously relaxes to T, and the T⇄C interconversion can be repeated for multiple cycles. Reversible toggling between two vastly different isomers paves the way toward controlling functional properties of coordination hosts “on demand”.","lang":"eng"}],"type":"journal_article","file_date_updated":"2023-12-11T11:44:54Z","_id":"14664","quality_controlled":"1","publication_status":"published","has_accepted_license":"1","publisher":"American Chemical Society","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","title":"Guest encapsulation alters the thermodynamic landscape of a coordination host","author":[{"full_name":"Hema, Kuntrapakam","first_name":"Kuntrapakam","last_name":"Hema"},{"last_name":"Grommet","first_name":"Angela B.","full_name":"Grommet, Angela B."},{"full_name":"Białek, Michał J.","last_name":"Białek","first_name":"Michał J."},{"first_name":"Jinhua","last_name":"Wang","full_name":"Wang, Jinhua"},{"full_name":"Schneider, Laura","last_name":"Schneider","first_name":"Laura"},{"first_name":"Christoph","last_name":"Drechsler","full_name":"Drechsler, Christoph"},{"last_name":"Yanshyna","first_name":"Oksana","full_name":"Yanshyna, Oksana"},{"full_name":"Diskin-Posner, Yael","last_name":"Diskin-Posner","first_name":"Yael"},{"last_name":"Clever","first_name":"Guido H.","full_name":"Clever, Guido H."},{"last_name":"Klajn","id":"8e84690e-1e48-11ed-a02b-a1e6fb8bb53b","first_name":"Rafal","full_name":"Klajn, Rafal"}],"file":[{"content_type":"application/pdf","file_id":"14675","file_size":4304472,"creator":"dernst","access_level":"open_access","relation":"main_file","checksum":"a1f37df6b83f88f51ba64468ce0c1589","success":1,"file_name":"2023_JACS_Hema.pdf","date_created":"2023-12-11T11:44:54Z","date_updated":"2023-12-11T11:44:54Z"}],"article_processing_charge":"Yes (in subscription journal)","department":[{"_id":"RaKl"}],"language":[{"iso":"eng"}],"article_type":"original","volume":145,"pmid":1,"ddc":["540"],"tmp":{"image":"/images/cc_by.png","legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"date_created":"2023-12-10T23:00:59Z","day":"02","status":"public","publication":"Journal of the American Chemical Society","doi":"10.1021/jacs.3c08666","oa_version":"Published Version","date_published":"2023-11-02T00:00:00Z","month":"11","intvolume":"       145","acknowledgement":"We acknowledge funding from the European Union’s Horizon 2020 Research and Innovation Program under the European Research Council (grant agreement 820008).We also thank the Deutsche Forschungsgemeinschaft (DFG) for support through priority program SPP1807(CL489/3-2) and RESOLV Cluster of Excellence EXC2033 (project number 390677874). A.B.G. acknowledges funding from the Zuckerman STEM Leadership Program. DFT calculations were carried out using resources provided by the Wrocław Center for Networking and Supercomputing, grant 329.","date_updated":"2023-12-11T11:47:07Z","oa":1,"issue":"45","page":"24755-24764","external_id":{"pmid":["37917939"]},"year":"2023"},{"type":"journal_article","abstract":[{"lang":"eng","text":"We derive lower bounds on the maximal rates for multiple packings in high-dimensional Euclidean spaces. For any N > 0 and L ∈ Z ≥2 , a multiple packing is a set C of points in R n such that any point in R n lies in the intersection of at most L - 1 balls of radius √ nN around points in C . This is a natural generalization of the sphere packing problem. We study the multiple packing problem for both bounded point sets whose points have norm at most √ nP for some constant P > 0, and unbounded point sets whose points are allowed to be anywhere in R n . Given a well-known connection with coding theory, multiple packings can be viewed as the Euclidean analog of list-decodable codes, which are well-studied over finite fields. We derive the best known lower bounds on the optimal multiple packing density. This is accomplished by establishing an inequality which relates the list-decoding error exponent for additive white Gaussian noise channels, a quantity of average-case nature, to the list-decoding radius, a quantity of worst-case nature. We also derive novel bounds on the list-decoding error exponent for infinite constellations and closed-form expressions for the list-decoding error exponents for the power-constrained AWGN channel, which may be of independent interest beyond multiple packing."}],"arxiv":1,"scopus_import":"1","publication_identifier":{"eissn":["1557-9654"],"issn":["0018-9448"]},"citation":{"apa":"Zhang, Y., &#38; Vatedka, S. (2023). Multiple packing: Lower bounds via error exponents. <i>IEEE Transactions on Information Theory</i>. IEEE. <a href=\"https://doi.org/10.1109/TIT.2023.3334032\">https://doi.org/10.1109/TIT.2023.3334032</a>","mla":"Zhang, Yihan, and Shashank Vatedka. “Multiple Packing: Lower Bounds via Error Exponents.” <i>IEEE Transactions on Information Theory</i>, IEEE, 2023, doi:<a href=\"https://doi.org/10.1109/TIT.2023.3334032\">10.1109/TIT.2023.3334032</a>.","ama":"Zhang Y, Vatedka S. Multiple packing: Lower bounds via error exponents. <i>IEEE Transactions on Information Theory</i>. 2023. doi:<a href=\"https://doi.org/10.1109/TIT.2023.3334032\">10.1109/TIT.2023.3334032</a>","short":"Y. Zhang, S. Vatedka, IEEE Transactions on Information Theory (2023).","ista":"Zhang Y, Vatedka S. 2023. Multiple packing: Lower bounds via error exponents. IEEE Transactions on Information Theory.","ieee":"Y. Zhang and S. Vatedka, “Multiple packing: Lower bounds via error exponents,” <i>IEEE Transactions on Information Theory</i>. IEEE, 2023.","chicago":"Zhang, Yihan, and Shashank Vatedka. “Multiple Packing: Lower Bounds via Error Exponents.” <i>IEEE Transactions on Information Theory</i>. IEEE, 2023. <a href=\"https://doi.org/10.1109/TIT.2023.3334032\">https://doi.org/10.1109/TIT.2023.3334032</a>."},"quality_controlled":"1","day":"16","status":"public","date_created":"2023-12-10T23:01:00Z","_id":"14665","main_file_link":[{"open_access":"1","url":"https://doi.org/10.48550/arXiv.2211.04408"}],"publication_status":"epub_ahead","doi":"10.1109/TIT.2023.3334032","publication":"IEEE Transactions on Information Theory","oa_version":"Preprint","publisher":"IEEE","month":"11","date_published":"2023-11-16T00:00:00Z","author":[{"full_name":"Zhang, Yihan","orcid":"0000-0002-6465-6258","last_name":"Zhang","id":"2ce5da42-b2ea-11eb-bba5-9f264e9d002c","first_name":"Yihan"},{"first_name":"Shashank","last_name":"Vatedka","full_name":"Vatedka, Shashank"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","title":"Multiple packing: Lower bounds via error exponents","oa":1,"date_updated":"2023-12-18T07:46:45Z","department":[{"_id":"MaMo"}],"external_id":{"arxiv":["2211.04408"]},"article_processing_charge":"No","year":"2023","article_type":"original","language":[{"iso":"eng"}]},{"oa":1,"issue":"48","date_updated":"2023-12-11T12:47:41Z","acknowledgement":"We thank Prof. C. Nazaret and Prof. J.-P. Mazat for sharing the code of their mitochondrial model. We also thank G. Miesenböck, E. Marder, L. Abbott, A. Kempf, P. Hasenhuetl, W. Podlaski, F. Zenke, E. Agnes, P. Bozelos, J. Watson, B. Confavreux, and G. Christodoulou, and the rest of the Vogels Lab for their feedback. This work was funded by Wellcome Trust and Royal Society Sir Henry Dale Research Fellowship (WT100000), a Wellcome Trust Senior Research Fellowship (214316/Z/18/Z), and a UK Research and Innovation, Biotechnology and Biological Sciences Research Council grant (UKRI-BBSRC BB/N019512/1).","article_number":"e2306525120","date_published":"2023-11-21T00:00:00Z","intvolume":"       120","month":"11","year":"2023","external_id":{"pmid":["37988463"]},"day":"21","status":"public","date_created":"2023-12-10T23:01:00Z","tmp":{"image":"/images/cc_by.png","legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"ddc":["570"],"volume":120,"pmid":1,"oa_version":"None","related_material":{"link":[{"url":"https://github.com/ccluri/metabolic_spiking","relation":"software"}]},"publication":"Proceedings of the National Academy of Sciences of the United States of America","doi":"10.1073/pnas.2306525120","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","title":"Metabolically regulated spiking could serve neuronal energy homeostasis and protect from reactive oxygen species","author":[{"last_name":"Chintaluri","first_name":"Chaitanya","id":"E4EDB536-3485-11EA-98D2-20AF3DDC885E","full_name":"Chintaluri, Chaitanya"},{"id":"CB6FF8D2-008F-11EA-8E08-2637E6697425","first_name":"Tim P","last_name":"Vogels","orcid":"0000-0003-3295-6181","full_name":"Vogels, Tim P"}],"file":[{"creator":"dernst","file_size":16891602,"file_id":"14678","content_type":"application/pdf","checksum":"bf4ec38602a70dae4338077a5a4d497f","access_level":"open_access","relation":"main_file","file_name":"2023_PNAS_Chintaluri.pdf","success":1,"date_updated":"2023-12-11T12:45:12Z","date_created":"2023-12-11T12:45:12Z"}],"publisher":"National Academy of Sciences","has_accepted_license":"1","article_type":"original","language":[{"iso":"eng"}],"department":[{"_id":"TiVo"}],"article_processing_charge":"Yes (in subscription journal)","quality_controlled":"1","_id":"14666","abstract":[{"text":"So-called spontaneous activity is a central hallmark of most nervous systems. Such non-causal firing is contrary to the tenet of spikes as a means of communication, and its purpose remains unclear. We propose that self-initiated firing can serve as a release valve to protect neurons from the toxic conditions arising in mitochondria from lower-than-baseline energy consumption. To demonstrate the viability of our hypothesis, we built a set of models that incorporate recent experimental results indicating homeostatic control of metabolic products—Adenosine triphosphate (ATP), adenosine diphosphate (ADP), and reactive oxygen species (ROS)—by changes in firing. We explore the relationship of metabolic cost of spiking with its effect on the temporal patterning of spikes and reproduce experimentally observed changes in intrinsic firing in the fruitfly dorsal fan-shaped body neuron in a model with ROS-modulated potassium channels. We also show that metabolic spiking homeostasis can produce indefinitely sustained avalanche dynamics in cortical circuits. Our theory can account for key features of neuronal activity observed in many studies ranging from ion channel function all the way to resting state dynamics. We finish with a set of experimental predictions that would confirm an integrated, crucial role for metabolically regulated spiking and firmly link metabolic homeostasis and neuronal function.","lang":"eng"}],"scopus_import":"1","type":"journal_article","file_date_updated":"2023-12-11T12:45:12Z","citation":{"short":"C. Chintaluri, T.P. Vogels, Proceedings of the National Academy of Sciences of the United States of America 120 (2023).","ista":"Chintaluri C, Vogels TP. 2023. Metabolically regulated spiking could serve neuronal energy homeostasis and protect from reactive oxygen species. Proceedings of the National Academy of Sciences of the United States of America. 120(48), e2306525120.","ieee":"C. Chintaluri and T. P. Vogels, “Metabolically regulated spiking could serve neuronal energy homeostasis and protect from reactive oxygen species,” <i>Proceedings of the National Academy of Sciences of the United States of America</i>, vol. 120, no. 48. National Academy of Sciences, 2023.","ama":"Chintaluri C, Vogels TP. Metabolically regulated spiking could serve neuronal energy homeostasis and protect from reactive oxygen species. <i>Proceedings of the National Academy of Sciences of the United States of America</i>. 2023;120(48). doi:<a href=\"https://doi.org/10.1073/pnas.2306525120\">10.1073/pnas.2306525120</a>","chicago":"Chintaluri, Chaitanya, and Tim P Vogels. “Metabolically Regulated Spiking Could Serve Neuronal Energy Homeostasis and Protect from Reactive Oxygen Species.” <i>Proceedings of the National Academy of Sciences of the United States of America</i>. National Academy of Sciences, 2023. <a href=\"https://doi.org/10.1073/pnas.2306525120\">https://doi.org/10.1073/pnas.2306525120</a>.","apa":"Chintaluri, C., &#38; Vogels, T. P. (2023). Metabolically regulated spiking could serve neuronal energy homeostasis and protect from reactive oxygen species. <i>Proceedings of the National Academy of Sciences of the United States of America</i>. National Academy of Sciences. <a href=\"https://doi.org/10.1073/pnas.2306525120\">https://doi.org/10.1073/pnas.2306525120</a>","mla":"Chintaluri, Chaitanya, and Tim P. Vogels. “Metabolically Regulated Spiking Could Serve Neuronal Energy Homeostasis and Protect from Reactive Oxygen Species.” <i>Proceedings of the National Academy of Sciences of the United States of America</i>, vol. 120, no. 48, e2306525120, National Academy of Sciences, 2023, doi:<a href=\"https://doi.org/10.1073/pnas.2306525120\">10.1073/pnas.2306525120</a>."},"publication_identifier":{"eissn":["1091-6490"],"issn":["0027-8424"]},"publication_status":"published","project":[{"grant_number":"214316/Z/18/Z","_id":"c084a126-5a5b-11eb-8a69-d75314a70a87","name":"What’s in a memory? Spatiotemporal dynamics in strongly coupled recurrent neuronal networks."}]},{"publication_status":"published","project":[{"grant_number":"101020331","call_identifier":"H2020","name":"Random matrices beyond Wigner-Dyson-Mehta","_id":"62796744-2b32-11ec-9570-940b20777f1d"}],"type":"journal_article","abstract":[{"text":"For large dimensional non-Hermitian random matrices X with real or complex independent, identically distributed, centered entries, we consider the fluctuations of f (X) as a matrix where f is an analytic function around the spectrum of X. We prove that for a generic bounded square matrix A, the quantity Tr f (X)A exhibits Gaussian fluctuations as the matrix size grows to infinity, which consists of two independent modes corresponding to the tracial and traceless parts of A. We find a new formula for the variance of the traceless part that involves the Frobenius norm of A and the L2-norm of f on the boundary of the limiting spectrum. ","lang":"eng"},{"text":"On étudie les fluctuations de f (X), où X est une matrice aléatoire non-hermitienne de grande taille à coefficients i.i.d. (réels ou complexes), et f une fonction analytique sur un domaine qui contient le spectre de X. On prouve que, pour une matrice carrée générique et bornée A, les fluctuations de la quantité tr f (X)A sont asymptotiquement gaussiennes et comportent deux modes indépendants, correspondant aux composantes traciale et de trace nulle de A. Une nouvelle formule est établie pour la variance de la composante de trace nulle, qui fait intervenir la norme de Frobenius de A et la norme L2 de f sur la frontière du spectre limite.","lang":"fre"}],"scopus_import":"1","arxiv":1,"publication_identifier":{"issn":["0246-0203"]},"citation":{"apa":"Erdös, L., &#38; Ji, H. C. (2023). Functional CLT for non-Hermitian random matrices. <i>Annales de l’institut Henri Poincare (B) Probability and Statistics</i>. Institute of Mathematical Statistics. <a href=\"https://doi.org/10.1214/22-AIHP1304\">https://doi.org/10.1214/22-AIHP1304</a>","mla":"Erdös, László, and Hong Chang Ji. “Functional CLT for Non-Hermitian Random Matrices.” <i>Annales de l’institut Henri Poincare (B) Probability and Statistics</i>, vol. 59, no. 4, Institute of Mathematical Statistics, 2023, pp. 2083–105, doi:<a href=\"https://doi.org/10.1214/22-AIHP1304\">10.1214/22-AIHP1304</a>.","ama":"Erdös L, Ji HC. Functional CLT for non-Hermitian random matrices. <i>Annales de l’institut Henri Poincare (B) Probability and Statistics</i>. 2023;59(4):2083-2105. doi:<a href=\"https://doi.org/10.1214/22-AIHP1304\">10.1214/22-AIHP1304</a>","ieee":"L. Erdös and H. C. Ji, “Functional CLT for non-Hermitian random matrices,” <i>Annales de l’institut Henri Poincare (B) Probability and Statistics</i>, vol. 59, no. 4. Institute of Mathematical Statistics, pp. 2083–2105, 2023.","short":"L. Erdös, H.C. Ji, Annales de l’institut Henri Poincare (B) Probability and Statistics 59 (2023) 2083–2105.","ista":"Erdös L, Ji HC. 2023. Functional CLT for non-Hermitian random matrices. Annales de l’institut Henri Poincare (B) Probability and Statistics. 59(4), 2083–2105.","chicago":"Erdös, László, and Hong Chang Ji. “Functional CLT for Non-Hermitian Random Matrices.” <i>Annales de l’institut Henri Poincare (B) Probability and Statistics</i>. Institute of Mathematical Statistics, 2023. <a href=\"https://doi.org/10.1214/22-AIHP1304\">https://doi.org/10.1214/22-AIHP1304</a>."},"quality_controlled":"1","_id":"14667","department":[{"_id":"LaEr"}],"article_processing_charge":"No","article_type":"original","language":[{"iso":"eng"}],"publisher":"Institute of Mathematical Statistics","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","title":"Functional CLT for non-Hermitian random matrices","author":[{"full_name":"Erdös, László","last_name":"Erdös","orcid":"0000-0001-5366-9603","id":"4DBD5372-F248-11E8-B48F-1D18A9856A87","first_name":"László"},{"full_name":"Ji, Hong Chang","first_name":"Hong Chang","id":"dd216c0a-c1f9-11eb-beaf-e9ea9d2de76d","last_name":"Ji"}],"main_file_link":[{"url":"https://doi.org/10.48550/arXiv.2112.11382","open_access":"1"}],"doi":"10.1214/22-AIHP1304","publication":"Annales de l'institut Henri Poincare (B) Probability and Statistics","ec_funded":1,"oa_version":"Preprint","volume":59,"day":"01","status":"public","date_created":"2023-12-10T23:01:00Z","page":"2083-2105","external_id":{"arxiv":["2112.11382"]},"year":"2023","acknowledgement":"The first author was partially supported by ERC Advanced Grant “RMTBeyond” No. 101020331. The second author was supported by ERC Advanced Grant “RMTBeyond” No. 101020331.\r\nThe authors are grateful to the anonymous referees and associated editor for carefully reading this paper and providing helpful comments that improved the quality of the article. Also the authors would like to thank Peter Forrester for pointing out the reference [12] that was absent in the previous version of the manuscript.","month":"11","intvolume":"        59","date_published":"2023-11-01T00:00:00Z","issue":"4","oa":1,"date_updated":"2023-12-11T12:36:56Z"},{"article_type":"review","language":[{"iso":"eng"}],"department":[{"_id":"SiHi"}],"article_processing_charge":"No","author":[{"last_name":"Amberg","orcid":"0000-0002-3183-8207","first_name":"Nicole","id":"4CD6AAC6-F248-11E8-B48F-1D18A9856A87","full_name":"Amberg, Nicole"},{"last_name":"Cheung","orcid":"0000-0001-8457-2572","id":"471195F6-F248-11E8-B48F-1D18A9856A87","first_name":"Giselle T","full_name":"Cheung, Giselle T"},{"first_name":"Simon","id":"37B36620-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0003-2279-1061","last_name":"Hippenmeyer","full_name":"Hippenmeyer, Simon"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","title":"Protocol for sorting cells from mouse brains labeled with mosaic analysis with double markers by flow cytometry","publisher":"Elsevier","publication_status":"epub_ahead","project":[{"call_identifier":"FWF","grant_number":"T0101031","name":"Role of Eed in neural stem cell lineage progression","_id":"268F8446-B435-11E9-9278-68D0E5697425"},{"_id":"260C2330-B435-11E9-9278-68D0E5697425","name":"ISTplus - Postdoctoral Fellowships","grant_number":"754411","call_identifier":"H2020"},{"_id":"059F6AB4-7A3F-11EA-A408-12923DDC885E","name":"Molecular Mechanisms of Neural Stem Cell Lineage Progression","grant_number":"F07805"},{"call_identifier":"H2020","grant_number":"725780","name":"Principles of Neural Stem Cell Lineage Progression in Cerebral Cortex Development","_id":"260018B0-B435-11E9-9278-68D0E5697425"}],"quality_controlled":"1","_id":"14683","type":"journal_article","scopus_import":"1","abstract":[{"lang":"eng","text":"Mosaic analysis with double markers (MADM) technology enables the generation of genetic mosaic tissue in mice and high-resolution phenotyping at the individual cell level. Here, we present a protocol for isolating MADM-labeled cells with high yield for downstream molecular analyses using fluorescence-activated cell sorting (FACS). We describe steps for generating MADM-labeled mice, perfusion, single-cell suspension, and debris removal. We then detail procedures for cell sorting by FACS and downstream analysis. This protocol is suitable for embryonic to adult mice.\r\nFor complete details on the use and execution of this protocol, please refer to Contreras et al. (2021).1"}],"publication_identifier":{"issn":["2666-1667"]},"citation":{"ama":"Amberg N, Cheung GT, Hippenmeyer S. Protocol for sorting cells from mouse brains labeled with mosaic analysis with double markers by flow cytometry. <i>STAR Protocols</i>. 2023;5(1). doi:<a href=\"https://doi.org/10.1016/j.xpro.2023.102771\">10.1016/j.xpro.2023.102771</a>","ista":"Amberg N, Cheung GT, Hippenmeyer S. 2023. Protocol for sorting cells from mouse brains labeled with mosaic analysis with double markers by flow cytometry. STAR Protocols. 5(1), 102771.","short":"N. Amberg, G.T. Cheung, S. Hippenmeyer, STAR Protocols 5 (2023).","ieee":"N. Amberg, G. T. Cheung, and S. Hippenmeyer, “Protocol for sorting cells from mouse brains labeled with mosaic analysis with double markers by flow cytometry,” <i>STAR Protocols</i>, vol. 5, no. 1. Elsevier, 2023.","chicago":"Amberg, Nicole, Giselle T Cheung, and Simon Hippenmeyer. “Protocol for Sorting Cells from Mouse Brains Labeled with Mosaic Analysis with Double Markers by Flow Cytometry.” <i>STAR Protocols</i>. Elsevier, 2023. <a href=\"https://doi.org/10.1016/j.xpro.2023.102771\">https://doi.org/10.1016/j.xpro.2023.102771</a>.","apa":"Amberg, N., Cheung, G. T., &#38; Hippenmeyer, S. (2023). Protocol for sorting cells from mouse brains labeled with mosaic analysis with double markers by flow cytometry. <i>STAR Protocols</i>. Elsevier. <a href=\"https://doi.org/10.1016/j.xpro.2023.102771\">https://doi.org/10.1016/j.xpro.2023.102771</a>","mla":"Amberg, Nicole, et al. “Protocol for Sorting Cells from Mouse Brains Labeled with Mosaic Analysis with Double Markers by Flow Cytometry.” <i>STAR Protocols</i>, vol. 5, no. 1, 102771, Elsevier, 2023, doi:<a href=\"https://doi.org/10.1016/j.xpro.2023.102771\">10.1016/j.xpro.2023.102771</a>."},"year":"2023","external_id":{"pmid":["38070137"]},"issue":"1","acknowledged_ssus":[{"_id":"Bio"},{"_id":"PreCl"}],"oa":1,"date_updated":"2023-12-18T08:06:14Z","keyword":["General Immunology and Microbiology","General Biochemistry","Genetics and Molecular Biology","General Neuroscience"],"article_number":"102771","acknowledgement":"This research was supported by the Scientific Service Units (SSU) at IST Austria through resources provided by the Imaging & Optics Facility (IOF) and Preclinical Facilities (PCF). N.A. received support from FWF Firnberg-Programme (T 1031). G.C. received support from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement no. 754411 as an ISTplus postdoctoral fellow. This work was also supported by IST Austria institutional funds, FWF SFB F78 to S.H., and the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement no. 725780 LinPro) to S.H.","intvolume":"         5","month":"12","date_published":"2023-12-08T00:00:00Z","ec_funded":1,"oa_version":"Submitted Version","doi":"10.1016/j.xpro.2023.102771","main_file_link":[{"url":"https://doi.org/10.1016/j.xpro.2023.102771","open_access":"1"}],"publication":"STAR Protocols","status":"public","day":"08","ddc":["570"],"tmp":{"image":"/images/cc_by.png","legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","short":"CC BY (4.0)"},"date_created":"2023-12-13T11:48:05Z","pmid":1,"volume":5},{"publication_identifier":{"eissn":["1521-3773"],"issn":["1433-7851"]},"citation":{"chicago":"Jethwa, Rajesh B, Soumyadip Mondal, Bhargavi Pant, and Stefan Alexander Freunberger. “To DISP or Not? The Far‐reaching Reaction Mechanisms Underpinning Lithium‐air Batteries.” <i>Angewandte Chemie International Edition</i>. Wiley, 2023. <a href=\"https://doi.org/10.1002/anie.202316476\">https://doi.org/10.1002/anie.202316476</a>.","ieee":"R. B. Jethwa, S. Mondal, B. Pant, and S. A. Freunberger, “To DISP or not? The far‐reaching reaction mechanisms underpinning Lithium‐air batteries,” <i>Angewandte Chemie International Edition</i>. Wiley, 2023.","short":"R.B. Jethwa, S. Mondal, B. Pant, S.A. Freunberger, Angewandte Chemie International Edition (2023).","ista":"Jethwa RB, Mondal S, Pant B, Freunberger SA. 2023. To DISP or not? The far‐reaching reaction mechanisms underpinning Lithium‐air batteries. Angewandte Chemie International Edition., e202316476.","ama":"Jethwa RB, Mondal S, Pant B, Freunberger SA. To DISP or not? The far‐reaching reaction mechanisms underpinning Lithium‐air batteries. <i>Angewandte Chemie International Edition</i>. 2023. doi:<a href=\"https://doi.org/10.1002/anie.202316476\">10.1002/anie.202316476</a>","mla":"Jethwa, Rajesh B., et al. “To DISP or Not? The Far‐reaching Reaction Mechanisms Underpinning Lithium‐air Batteries.” <i>Angewandte Chemie International Edition</i>, e202316476, Wiley, 2023, doi:<a href=\"https://doi.org/10.1002/anie.202316476\">10.1002/anie.202316476</a>.","apa":"Jethwa, R. B., Mondal, S., Pant, B., &#38; Freunberger, S. A. (2023). To DISP or not? The far‐reaching reaction mechanisms underpinning Lithium‐air batteries. <i>Angewandte Chemie International Edition</i>. Wiley. <a href=\"https://doi.org/10.1002/anie.202316476\">https://doi.org/10.1002/anie.202316476</a>"},"scopus_import":"1","abstract":[{"text":"The short history of research on Li-O2 batteries has seen a remarkable number of mechanistic U-turns over the years. From the initial use of carbonate electrolytes, that were then found to be entirely unsuitable, to the belief that (su)peroxide was solely responsible for degradation, before the more reactive singlet oxygen was found to form, to the hypothesis that capacity depends on a competing surface/solution mechanism before a practically exclusive solution mechanism was identified. Herein, we argue for an ever-fresh look at the reported data without bias towards supposedly established explanations. We explain how the latest findings on rate and capacity limits, as well as the origin of side reactions, are connected via the disproportionation (DISP) step in the (dis)charge mechanism. Therefrom, directions emerge for the design of electrolytes and mediators on how to suppress side reactions and to enable high rate and high reversible capacity.","lang":"eng"}],"type":"journal_article","_id":"14687","date_created":"2023-12-15T16:10:13Z","status":"public","quality_controlled":"1","day":"14","publication":"Angewandte Chemie International Edition","doi":"10.1002/anie.202316476","publication_status":"epub_ahead","main_file_link":[{"open_access":"1","url":" https://doi.org/10.1002/anie.202316476"}],"oa_version":"Published Version","date_published":"2023-12-14T00:00:00Z","month":"12","publisher":"Wiley","article_number":"e202316476","keyword":["General Chemistry","Catalysis"],"date_updated":"2024-02-15T14:43:05Z","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","title":"To DISP or not? The far‐reaching reaction mechanisms underpinning Lithium‐air batteries","author":[{"last_name":"Jethwa","orcid":"0000-0002-0404-4356","first_name":"Rajesh B","id":"4cc538d5-803f-11ed-ab7e-8139573aad8f","full_name":"Jethwa, Rajesh B"},{"first_name":"Soumyadip","id":"d25d21ef-dc8d-11ea-abe3-ec4576307f48","last_name":"Mondal","full_name":"Mondal, Soumyadip"},{"full_name":"Pant, Bhargavi","first_name":"Bhargavi","id":"50c64d4d-eb97-11eb-a6c2-d33e5e14f112","last_name":"Pant"},{"first_name":"Stefan Alexander","id":"A8CA28E6-CE23-11E9-AD2D-EC27E6697425","last_name":"Freunberger","orcid":"0000-0003-2902-5319","full_name":"Freunberger, Stefan Alexander"}],"oa":1,"article_processing_charge":"Yes (via OA deal)","department":[{"_id":"StFr"},{"_id":"GradSch"}],"language":[{"iso":"eng"}],"article_type":"review","year":"2023"},{"_id":"14689","quality_controlled":"1","citation":{"mla":"Ing-Simmons, Elizabeth, et al. “Reply to: Revisiting the Use of Structural Similarity Index in Hi-C.” <i>Nature Genetics</i>, vol. 55, no. 12, Springer Nature, 2023, pp. 2053–55, doi:<a href=\"https://doi.org/10.1038/s41588-023-01595-5\">10.1038/s41588-023-01595-5</a>.","apa":"Ing-Simmons, E., Machnik, N. N., &#38; Vaquerizas, J. M. (2023). Reply to: Revisiting the use of structural similarity index in Hi-C. <i>Nature Genetics</i>. Springer Nature. <a href=\"https://doi.org/10.1038/s41588-023-01595-5\">https://doi.org/10.1038/s41588-023-01595-5</a>","chicago":"Ing-Simmons, Elizabeth, Nick N Machnik, and Juan M. Vaquerizas. “Reply to: Revisiting the Use of Structural Similarity Index in Hi-C.” <i>Nature Genetics</i>. Springer Nature, 2023. <a href=\"https://doi.org/10.1038/s41588-023-01595-5\">https://doi.org/10.1038/s41588-023-01595-5</a>.","ista":"Ing-Simmons E, Machnik NN, Vaquerizas JM. 2023. Reply to: Revisiting the use of structural similarity index in Hi-C. Nature Genetics. 55(12), 2053–2055.","short":"E. Ing-Simmons, N.N. Machnik, J.M. Vaquerizas, Nature Genetics 55 (2023) 2053–2055.","ieee":"E. Ing-Simmons, N. N. Machnik, and J. M. Vaquerizas, “Reply to: Revisiting the use of structural similarity index in Hi-C,” <i>Nature Genetics</i>, vol. 55, no. 12. Springer Nature, pp. 2053–2055, 2023.","ama":"Ing-Simmons E, Machnik NN, Vaquerizas JM. Reply to: Revisiting the use of structural similarity index in Hi-C. <i>Nature Genetics</i>. 2023;55(12):2053-2055. doi:<a href=\"https://doi.org/10.1038/s41588-023-01595-5\">10.1038/s41588-023-01595-5</a>"},"publication_identifier":{"eissn":["1546-1718"],"issn":["1061-4036"]},"scopus_import":"1","type":"journal_article","publication_status":"published","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","title":"Reply to: Revisiting the use of structural similarity index in Hi-C","author":[{"last_name":"Ing-Simmons","first_name":"Elizabeth","full_name":"Ing-Simmons, Elizabeth"},{"last_name":"Machnik","orcid":"0000-0001-6617-9742","first_name":"Nick N","id":"3591A0AA-F248-11E8-B48F-1D18A9856A87","full_name":"Machnik, Nick N"},{"full_name":"Vaquerizas, Juan M.","last_name":"Vaquerizas","first_name":"Juan M."}],"publisher":"Springer Nature","language":[{"iso":"eng"}],"article_type":"letter_note","article_processing_charge":"No","department":[{"_id":"MaRo"}],"date_created":"2023-12-17T23:00:53Z","day":"01","status":"public","volume":55,"pmid":1,"oa_version":"None","publication":"Nature Genetics","doi":"10.1038/s41588-023-01595-5","date_updated":"2023-12-18T08:51:38Z","issue":"12","date_published":"2023-12-01T00:00:00Z","intvolume":"        55","month":"12","year":"2023","page":"2053-2055","external_id":{"pmid":["38052961"]}},{"language":[{"iso":"eng"}],"article_type":"original","article_processing_charge":"No","department":[{"_id":"MaSe"}],"author":[{"full_name":"Babkin, Serafim","id":"41e64307-6672-11ee-b9ad-cc7a0075a479","first_name":"Serafim","orcid":"0009-0003-7382-8036","last_name":"Babkin"},{"last_name":"Burmistrov","first_name":"I","full_name":"Burmistrov, I"}],"title":"Boundary multifractality in the spin quantum Hall symmetry class with interaction","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","publisher":"American Physical Society","publication_status":"published","_id":"14690","quality_controlled":"1","citation":{"ama":"Babkin S, Burmistrov I. Boundary multifractality in the spin quantum Hall symmetry class with interaction. <i>Physical Review B</i>. 2023;108(20). doi:<a href=\"https://doi.org/10.1103/PhysRevB.108.205429\">10.1103/PhysRevB.108.205429</a>","short":"S. Babkin, I. Burmistrov, Physical Review B 108 (2023).","ista":"Babkin S, Burmistrov I. 2023. Boundary multifractality in the spin quantum Hall symmetry class with interaction. Physical Review B. 108(20), 205429.","ieee":"S. Babkin and I. Burmistrov, “Boundary multifractality in the spin quantum Hall symmetry class with interaction,” <i>Physical Review B</i>, vol. 108, no. 20. American Physical Society, 2023.","chicago":"Babkin, Serafim, and I Burmistrov. “Boundary Multifractality in the Spin Quantum Hall Symmetry Class with Interaction.” <i>Physical Review B</i>. American Physical Society, 2023. <a href=\"https://doi.org/10.1103/PhysRevB.108.205429\">https://doi.org/10.1103/PhysRevB.108.205429</a>.","apa":"Babkin, S., &#38; Burmistrov, I. (2023). Boundary multifractality in the spin quantum Hall symmetry class with interaction. <i>Physical Review B</i>. American Physical Society. <a href=\"https://doi.org/10.1103/PhysRevB.108.205429\">https://doi.org/10.1103/PhysRevB.108.205429</a>","mla":"Babkin, Serafim, and I. Burmistrov. “Boundary Multifractality in the Spin Quantum Hall Symmetry Class with Interaction.” <i>Physical Review B</i>, vol. 108, no. 20, 205429, American Physical Society, 2023, doi:<a href=\"https://doi.org/10.1103/PhysRevB.108.205429\">10.1103/PhysRevB.108.205429</a>."},"publication_identifier":{"issn":["2469-9950"],"eissn":["2469-9969"]},"scopus_import":"1","abstract":[{"text":"Generalized multifractality characterizes system size dependence of pure scaling local observables at Anderson transitions in all 10 symmetry classes of disordered systems. Recently, the concept of generalized multifractality has been extended to boundaries of critical disordered noninteracting systems. Here we study the generalized boundary multifractality in the presence of electron-electron interaction, focusing on the spin quantum Hall symmetry class (class C). Employing the two-loop renormalization group analysis within the Finkel'stein nonlinear sigma model, we compute the anomalous dimensions of the pure scaling operators located at the boundary of the system. We find that generalized boundary multifractal exponents are twice larger than their bulk counterparts. Exact symmetry relations between generalized boundary multifractal exponents in the case of noninteracting systems are explicitly broken by the interaction.","lang":"eng"}],"arxiv":1,"type":"journal_article","year":"2023","external_id":{"arxiv":["2308.16852"]},"date_updated":"2023-12-18T08:45:28Z","oa":1,"issue":"20","date_published":"2023-11-15T00:00:00Z","intvolume":"       108","month":"11","article_number":"205429","acknowledgement":"The authors are grateful to J. Karcher and A. Mirlin for collaboration on the related project. We thank I. Gruzberg and A. Mirlin for useful discussions and comments. I.S.B. is grateful to M. Parfenov and P. Ostrovsky for collaboration on the related project. The research was supported by Russian Science Foundation (Grant No. 22-42-04416).","oa_version":"Preprint","publication":"Physical Review B","main_file_link":[{"url":" https://doi.org/10.48550/arXiv.2308.16852","open_access":"1"}],"doi":"10.1103/PhysRevB.108.205429","date_created":"2023-12-17T23:00:53Z","status":"public","day":"15","volume":108},{"quality_controlled":"1","_id":"14691","type":"conference","abstract":[{"text":"Continuous Group-Key Agreement (CGKA) allows a group of users to maintain a shared key. It is the fundamental cryptographic primitive underlying group messaging schemes and related protocols, most notably TreeKEM, the underlying key agreement protocol of the Messaging Layer Security (MLS) protocol, a standard for group messaging by the IETF. CKGA works in an asynchronous setting where parties only occasionally must come online, and their messages are relayed by an untrusted server. The most expensive operation provided by CKGA is that which allows for a user to refresh their key material in order to achieve forward secrecy (old messages are secure when a user is compromised) and post-compromise security (users can heal from compromise). One caveat of early CGKA protocols is that these update operations had to be performed sequentially, with any user wanting to update their key material having had to receive and process all previous updates. Late versions of TreeKEM do allow for concurrent updates at the cost of a communication overhead per update message that is linear in the number of updating parties. This was shown to be indeed necessary when achieving PCS in just two rounds of communication by [Bienstock et al. TCC’20].\r\nThe recently proposed protocol CoCoA [Alwen et al. Eurocrypt’22], however, shows that this overhead can be reduced if PCS requirements are relaxed, and only a logarithmic number of rounds is required. The natural question, thus, is whether CoCoA is optimal in this setting.\r\nIn this work we answer this question, providing a lower bound on the cost (concretely, the amount of data to be uploaded to the server) for CGKA protocols that heal in an arbitrary k number of rounds, that shows that CoCoA is very close to optimal. Additionally, we extend CoCoA to heal in an arbitrary number of rounds, and propose a modification of it, with a reduced communication cost for certain k.\r\nWe prove our bound in a combinatorial setting where the state of the protocol progresses in rounds, and the state of the protocol in each round is captured by a set system, each set specifying a set of users who share a secret key. We show this combinatorial model is equivalent to a symbolic model capturing building blocks including PRFs and public-key encryption, related to the one used by Bienstock et al.\r\nOur lower bound is of order k•n1+1/(k-1)/log(k), where 2≤k≤log(n) is the number of updates per user the protocol requires to heal. This generalizes the n2 bound for k=2 from Bienstock et al.. This bound almost matches the k⋅n1+2/(k-1) or k2⋅n1+1/(k-1) efficiency we get for the variants of the CoCoA protocol also introduced in this paper.","lang":"eng"}],"scopus_import":"1","citation":{"apa":"Auerbach, B., Cueto Noval, M., Pascual Perez, G., &#38; Pietrzak, K. Z. (2023). On the cost of post-compromise security in concurrent Continuous Group-Key Agreement. In <i>21st International Conference on Theory of Cryptography</i> (Vol. 14371, pp. 271–300). Taipei, Taiwan: Springer Nature. <a href=\"https://doi.org/10.1007/978-3-031-48621-0_10\">https://doi.org/10.1007/978-3-031-48621-0_10</a>","mla":"Auerbach, Benedikt, et al. “On the Cost of Post-Compromise Security in Concurrent Continuous Group-Key Agreement.” <i>21st International Conference on Theory of Cryptography</i>, vol. 14371, Springer Nature, 2023, pp. 271–300, doi:<a href=\"https://doi.org/10.1007/978-3-031-48621-0_10\">10.1007/978-3-031-48621-0_10</a>.","short":"B. Auerbach, M. Cueto Noval, G. Pascual Perez, K.Z. Pietrzak, in:, 21st International Conference on Theory of Cryptography, Springer Nature, 2023, pp. 271–300.","ista":"Auerbach B, Cueto Noval M, Pascual Perez G, Pietrzak KZ. 2023. On the cost of post-compromise security in concurrent Continuous Group-Key Agreement. 21st International Conference on Theory of Cryptography. TCC: Theory of Cryptography, LNCS, vol. 14371, 271–300.","ieee":"B. Auerbach, M. Cueto Noval, G. Pascual Perez, and K. Z. Pietrzak, “On the cost of post-compromise security in concurrent Continuous Group-Key Agreement,” in <i>21st International Conference on Theory of Cryptography</i>, Taipei, Taiwan, 2023, vol. 14371, pp. 271–300.","ama":"Auerbach B, Cueto Noval M, Pascual Perez G, Pietrzak KZ. On the cost of post-compromise security in concurrent Continuous Group-Key Agreement. In: <i>21st International Conference on Theory of Cryptography</i>. Vol 14371. Springer Nature; 2023:271-300. doi:<a href=\"https://doi.org/10.1007/978-3-031-48621-0_10\">10.1007/978-3-031-48621-0_10</a>","chicago":"Auerbach, Benedikt, Miguel Cueto Noval, Guillermo Pascual Perez, and Krzysztof Z Pietrzak. “On the Cost of Post-Compromise Security in Concurrent Continuous Group-Key Agreement.” In <i>21st International Conference on Theory of Cryptography</i>, 14371:271–300. Springer Nature, 2023. <a href=\"https://doi.org/10.1007/978-3-031-48621-0_10\">https://doi.org/10.1007/978-3-031-48621-0_10</a>."},"publication_identifier":{"eissn":["1611-3349"],"isbn":["9783031486203"],"issn":["0302-9743"]},"publication_status":"published","author":[{"full_name":"Auerbach, Benedikt","orcid":"0000-0002-7553-6606","last_name":"Auerbach","id":"D33D2B18-E445-11E9-ABB7-15F4E5697425","first_name":"Benedikt"},{"full_name":"Cueto Noval, Miguel","id":"ffc563a3-f6e0-11ea-865d-e3cce03d17cc","first_name":"Miguel","last_name":"Cueto Noval"},{"full_name":"Pascual Perez, Guillermo","last_name":"Pascual Perez","orcid":"0000-0001-8630-415X","first_name":"Guillermo","id":"2D7ABD02-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","last_name":"Pietrzak","orcid":"0000-0002-9139-1654"}],"title":"On the cost of post-compromise security in concurrent Continuous Group-Key Agreement","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","publisher":"Springer Nature","language":[{"iso":"eng"}],"department":[{"_id":"KrPi"}],"article_processing_charge":"No","status":"public","day":"27","date_created":"2023-12-17T23:00:53Z","volume":14371,"oa_version":"Preprint","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2023/1123"}],"doi":"10.1007/978-3-031-48621-0_10","publication":"21st International Conference on Theory of Cryptography","oa":1,"date_updated":"2023-12-18T08:36:51Z","intvolume":"     14371","month":"11","date_published":"2023-11-27T00:00:00Z","alternative_title":["LNCS"],"year":"2023","conference":{"location":"Taipei, Taiwan","end_date":"2023-12-02","start_date":"2023-11-29","name":"TCC: Theory of Cryptography"},"page":"271-300"},{"department":[{"_id":"KrPi"}],"article_processing_charge":"No","language":[{"iso":"eng"}],"publisher":"Springer Nature","author":[{"id":"D33D2B18-E445-11E9-ABB7-15F4E5697425","first_name":"Benedikt","last_name":"Auerbach","orcid":"0000-0002-7553-6606","full_name":"Auerbach, Benedikt"},{"first_name":"Charlotte","id":"0f78d746-dc7d-11ea-9b2f-83f92091afe7","orcid":"0000-0003-2027-5549","last_name":"Hoffmann","full_name":"Hoffmann, Charlotte"},{"full_name":"Pascual Perez, Guillermo","last_name":"Pascual Perez","orcid":"0000-0001-8630-415X","id":"2D7ABD02-F248-11E8-B48F-1D18A9856A87","first_name":"Guillermo"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","title":"Generic-group lower bounds via reductions between geometric-search problems: With and without preprocessing","publication_status":"published","abstract":[{"lang":"eng","text":"The generic-group model (GGM) aims to capture algorithms working over groups of prime order that only rely on the group operation, but do not exploit any additional structure given by the concrete implementation of the group. In it, it is possible to prove information-theoretic lower bounds on the hardness of problems like the discrete logarithm (DL) or computational Diffie-Hellman (CDH). Thus, since its introduction, it has served as a valuable tool to assess the concrete security provided by cryptographic schemes based on such problems. A work on the related algebraic-group model (AGM) introduced a method, used by many subsequent works, to adapt GGM lower bounds for one problem to another, by means of conceptually simple reductions.\r\nIn this work, we propose an alternative approach to extend GGM bounds from one problem to another. Following an idea by Yun [EC15], we show that, in the GGM, the security of a large class of problems can be reduced to that of geometric search-problems. By reducing the security of the resulting geometric-search problems to variants of the search-by-hypersurface problem, for which information theoretic lower bounds exist, we give alternative proofs of several results that used the AGM approach.\r\nThe main advantage of our approach is that our reduction from geometric search-problems works, as well, for the GGM with preprocessing (more precisely the bit-fixing GGM introduced by Coretti, Dodis and Guo [Crypto18]). As a consequence, this opens up the possibility of transferring preprocessing GGM bounds from one problem to another, also by means of simple reductions. Concretely, we prove novel preprocessing bounds on the hardness of the d-strong discrete logarithm, the d-strong Diffie-Hellman inversion, and multi-instance CDH problems, as well as a large class of Uber assumptions. Additionally, our approach applies to Shoup’s GGM without additional restrictions on the query behavior of the adversary, while the recent works of Zhang, Zhou, and Katz [AC22] and Zhandry [Crypto22] highlight that this is not the case for the AGM approach."}],"scopus_import":"1","type":"conference","publication_identifier":{"isbn":["9783031486203"],"eissn":["1611-3349"],"issn":["0302-9743"]},"citation":{"chicago":"Auerbach, Benedikt, Charlotte Hoffmann, and Guillermo Pascual Perez. “Generic-Group Lower Bounds via Reductions between Geometric-Search Problems: With and without Preprocessing.” In <i>21st International Conference on Theory of Cryptography</i>, 14371:301–30. Springer Nature, 2023. <a href=\"https://doi.org/10.1007/978-3-031-48621-0_11\">https://doi.org/10.1007/978-3-031-48621-0_11</a>.","ista":"Auerbach B, Hoffmann C, Pascual Perez G. 2023. Generic-group lower bounds via reductions between geometric-search problems: With and without preprocessing. 21st International Conference on Theory of Cryptography. , LNCS, vol. 14371, 301–330.","short":"B. Auerbach, C. Hoffmann, G. Pascual Perez, in:, 21st International Conference on Theory of Cryptography, Springer Nature, 2023, pp. 301–330.","ieee":"B. Auerbach, C. Hoffmann, and G. Pascual Perez, “Generic-group lower bounds via reductions between geometric-search problems: With and without preprocessing,” in <i>21st International Conference on Theory of Cryptography</i>, 2023, vol. 14371, pp. 301–330.","ama":"Auerbach B, Hoffmann C, Pascual Perez G. Generic-group lower bounds via reductions between geometric-search problems: With and without preprocessing. In: <i>21st International Conference on Theory of Cryptography</i>. Vol 14371. Springer Nature; 2023:301-330. doi:<a href=\"https://doi.org/10.1007/978-3-031-48621-0_11\">10.1007/978-3-031-48621-0_11</a>","mla":"Auerbach, Benedikt, et al. “Generic-Group Lower Bounds via Reductions between Geometric-Search Problems: With and without Preprocessing.” <i>21st International Conference on Theory of Cryptography</i>, vol. 14371, Springer Nature, 2023, pp. 301–30, doi:<a href=\"https://doi.org/10.1007/978-3-031-48621-0_11\">10.1007/978-3-031-48621-0_11</a>.","apa":"Auerbach, B., Hoffmann, C., &#38; Pascual Perez, G. (2023). Generic-group lower bounds via reductions between geometric-search problems: With and without preprocessing. In <i>21st International Conference on Theory of Cryptography</i> (Vol. 14371, pp. 301–330). Springer Nature. <a href=\"https://doi.org/10.1007/978-3-031-48621-0_11\">https://doi.org/10.1007/978-3-031-48621-0_11</a>"},"quality_controlled":"1","_id":"14692","page":"301-330","year":"2023","date_published":"2023-11-27T00:00:00Z","alternative_title":["LNCS"],"month":"11","intvolume":"     14371","oa":1,"date_updated":"2023-12-18T09:17:03Z","publication":"21st International Conference on Theory of Cryptography","doi":"10.1007/978-3-031-48621-0_11","main_file_link":[{"url":"https://eprint.iacr.org/2023/808","open_access":"1"}],"oa_version":"Preprint","volume":14371,"status":"public","day":"27","date_created":"2023-12-17T23:00:54Z"},{"date_created":"2023-12-17T23:00:54Z","status":"public","day":"27","volume":14372,"oa_version":"Preprint","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2023/1404"}],"doi":"10.1007/978-3-031-48624-1_13","publication":"21st International Conference on Theory of Cryptography","date_updated":"2023-12-18T09:00:00Z","oa":1,"month":"11","intvolume":"     14372","alternative_title":["LNCS"],"date_published":"2023-11-27T00:00:00Z","acknowledgement":"Home  Theory of Cryptography  Conference paper\r\n(Verifiable) Delay Functions from Lucas Sequences\r\nDownload book PDF\r\nDownload book EPUB\r\nSimilar content being viewed by others\r\n\r\nSlider with three content items shown per slide. Use the Previous and Next buttons to navigate the slides or the slide controller buttons at the end to navigate through each slide.\r\nPrevious slide\r\nGeneric-Group Delay Functions Require Hidden-Order Groups\r\nChapter© 2020\r\n\r\nShifted powers in Lucas–Lehmer sequences\r\nArticle30 January 2019\r\n\r\nA New Class of Trapdoor Verifiable Delay Functions\r\nChapter© 2023\r\n\r\nWeak Pseudoprimality Associated with the Generalized Lucas Sequences\r\nChapter© 2022\r\n\r\nOn the Security of Time-Lock Puzzles and Timed Commitments\r\nChapter© 2020\r\n\r\nGeneration of full cycles by a composition of NLFSRs\r\nArticle08 March 2014\r\n\r\nCryptographically Strong de Bruijn Sequences with Large Periods\r\nChapter© 2013\r\n\r\nOpen Problems on With-Carry Sequence Generators\r\nChapter© 2014\r\n\r\nGenerically Speeding-Up Repeated Squaring Is Equivalent to Factoring: Sharp Thresholds for All Generic-Ring Delay Functions\r\nChapter© 2020\r\n\r\nNext slide\r\nGo to slide 1\r\nGo to slide 2\r\nGo to slide 3\r\n(Verifiable) Delay Functions from Lucas Sequences\r\nCharlotte Hoffmann, Pavel Hubáček, Chethan Kamath & Tomáš Krňák \r\nConference paper\r\nFirst Online: 27 November 2023\r\n83 Accesses\r\n\r\nPart of the Lecture Notes in Computer Science book series (LNCS,volume 14372)\r\n\r\nAbstract\r\nLucas sequences are constant-recursive integer sequences with a long history of applications in cryptography, both in the design of cryptographic schemes and cryptanalysis. In this work, we study the sequential hardness of computing Lucas sequences over an RSA modulus.\r\n\r\nFirst, we show that modular Lucas sequences are at least as sequentially hard as the classical delay function given by iterated modular squaring proposed by Rivest, Shamir, and Wagner (MIT Tech. Rep. 1996) in the context of time-lock puzzles. Moreover, there is no obvious reduction in the other direction, which suggests that the assumption of sequential hardness of modular Lucas sequences is strictly weaker than that of iterated modular squaring. In other words, the sequential hardness of modular Lucas sequences might hold even in the case of an algorithmic improvement violating the sequential hardness of iterated modular squaring.\r\n\r\nSecond, we demonstrate the feasibility of constructing practically-efficient verifiable delay functions based on the sequential hardness of modular Lucas sequences. Our construction builds on the work of Pietrzak (ITCS 2019) by leveraging the intrinsic connection between the problem of computing modular Lucas sequences and exponentiation in an appropriate extension field.\r\n\r\nKeywords\r\nDelay functions\r\nVerifiable delay functions\r\nLucas sequences\r\nDownload conference paper PDF\r\n\r\n1 Introduction\r\nA verifiable delay function (VDF) \r\n is a function that satisfies two properties. First, it is a delay function, which means it must take a prescribed (wall) time T to compute f, irrespective of the amount of parallelism available. Second, it should be possible for anyone to quickly verify – say, given a short proof \r\n – the value of the function (even without resorting to parallelism), where by quickly we mean that the verification time should be independent of or significantly smaller than T (e.g., logarithmic in T). If we drop either of the two requirements, then the primitive turns out trivial to construct. For instance, for an appropriately chosen hash function h, the delay function \r\n defined by T-times iterated hashing of the input is a natural heuristic for an inherently sequential task which, however, seems hard to verify more efficiently than by recomputing. On the other hand, the identity function \r\n is trivial to verify but also easily computable. Designing a simple function satisfying the two properties simultaneously proved to be a nontrivial task.\r\n\r\nThe notion of VDFs was introduced in [31] and later formalised in [9]. In principle, since the task of constructing a VDF reduces to the task of incrementally-verifiable computation [9, 53], constructions of VDFs could leverage succinct non-interactive arguments of knowledge (SNARKs): take any sequentially-hard function f (for instance, iterated hashing) as the delay function and then use the SNARK on top of it as the mechanism for verifying the computation of the delay function. However, as discussed in [9], the resulting construction is not quite practical since we would rely on a general-purpose machinery of SNARKs with significant overhead.\r\n\r\nEfficient VDFs via Algebraic Delay Functions. VDFs have recently found interesting applications in design of blockchains [17], randomness beacons [43, 51], proofs of data replication [9], or short-lived zero-knowledge proofs and signatures [3]. Since efficiency is an important factor there, this has resulted in a flurry of constructions of VDFs that are tailored with application and practicality in mind. They rely on more algebraic, structured delay functions that often involve iterating an atomic operation so that one can resort to custom proof systems to achieve verifiability. These constructions involve a range of algebraic settings like the RSA or class groups [5, 8, 25, 42, 55], permutation polynomials over finite fields [9], isogenies of elliptic curves [21, 52] and, very recently, lattices [15, 28]. The constructions in [42, 55] are arguably the most practical and the mechanism that underlies their delay function is the same: carry out iterated squaring in groups of unknown order, like RSA groups [47] or class groups [12]. What distinguishes these two proposals is the way verification is carried out, i.e., how the underlying “proof of exponentiation” works: while Pietrzak [42] resorts to an LFKN-style recursive proof system [35], Wesolowski [55] uses a clever linear decomposition of the exponent.\r\n\r\nIterated Modular Squaring and Sequentiality. The delay function that underlies the VDFs in [5, 25, 42, 55] is the same, and its security relies on the conjectured sequential hardness of iterated squaring in a group of unknown order (suggested in the context of time-lock puzzles by Rivest, Shamir, and Wagner [48]). Given that the practically efficient VDFs all rely on the above single delay function, an immediate open problem is to identify additional sources of sequential hardness that are structured enough to support practically efficient verifiability.\r\n\r\n1.1 Our Approach to (Verifiable) Delay Functions\r\nIn this work, we study an alternative source of sequential hardness in the algebraic setting and use it to construct efficient verifiable delay functions. The sequentiality of our delay function relies on an atomic operation that is related to the computation of so-called Lucas sequences [29, 34, 57], explained next.\r\n\r\nLucas Sequences. A Lucas sequence is a constant-recursive integer sequence that satisfies the recurrence relation\r\n\r\nfor integers P and Q.Footnote1 Specifically, the Lucas sequences of integers \r\n and \r\n of the first and second type (respectively) are defined recursively as\r\n\r\nwith \r\n, and\r\n\r\nwith \r\n.\r\n\r\nThese sequences can be alternatively defined by the characteristic polynomial \r\n. Specifically, given the discriminant \r\n of the characteristic polynomial, one can alternatively compute the above sequences by performing operations in the extension field\r\n\r\nusing the identities\r\n\r\nwhere \r\n and its conjugate \r\n are roots of the characteristic polynomial. Since conjugation and exponentiation commute in the extension field (i.e., \r\n), computing the i-th terms of the two Lucas sequences over integers reduces to computing \r\n in the extension field, and vice versa.\r\n\r\nThe intrinsic connection between computing the terms in the Lucas sequences and that of exponentiation in the extension has been leveraged to provide alternative instantiations of public-key encryption schemes like RSA and ElGamal in terms of Lucas sequences [7, 30]. However, as we explain later, the corresponding underlying computational hardness assumptions are not necessarily equivalent.\r\n\r\nOverview of Our Delay Function. The delay function in [5, 25, 42, 55] is defined as the iterated squaring base x in a (safe) RSA groupFootnote2 modulo N:\r\n\r\nOur delay function is its analogue in the setting of Lucas sequences:\r\n\r\nAs mentioned above, computing \r\n can be carried out equivalently in the extension field \r\n using the known relationship to roots of the characteristic polynomial of the Lucas sequence. Thus, the delay function can be alternatively defined as\r\n\r\nNote that the atomic operation of our delay function is “doubling” the index of an element of the Lucas sequence modulo N (i.e., \r\n) or, equivalently, squaring in the extension field \r\n (as opposed to squaring in \r\n). Using the representation of \r\n as \r\n, squaring in \r\n can be expressed as a combination of squaring, multiplication and addition modulo N, since\r\n\r\n(1)\r\nSince \r\n is a group of unknown order (provided the factorization of N is kept secret), iterated squaring remains hard here. In fact, we show in Sect. 3.2 that iterated squaring in \r\n is at least as hard as iterated squaring for RSA moduli N. Moreover, we conjecture in Conjecture 1 that it is, in fact, strictly harder (also see discussion below on advantages of our approach).\r\n\r\nVerifying Modular Lucas Sequence. To obtain a VDF, we need to show how to efficiently verify our delay function. To this end, we show how to adapt the interactive proof of exponentiation from [42] to our setting, which then – via the Fiat-Shamir Transform [22] – yields the non-interactive verification algorithm.Footnote3 Thus, our main result is stated informally below.\r\n\r\nTheorem 1\r\n(Informally stated, see Theorem 2). Assuming sequential hardness of modular Lucas sequence, there exists statistically-sound VDF in the random-oracle model.\r\n\r\nHowever, the modification of Pietrzak’s protocol is not trivial and we have to overcome several hurdles that we face in this task, which we elaborate on in Sect. 1.2. We conclude this section with discussions about our results.\r\n\r\nAdvantage of Our Approach. Our main advantage is the reliance on a potentially weaker (sequential) hardness assumption while maintaining efficiency: we show in Sect. 3.2 that modular Lucas sequences are at least as sequentially-hard as the classical delay function given by iterated modular squaring [48]. Despite the linear recursive structure of Lucas sequences, there is no obvious reduction in the other direction, which suggests that the assumption of sequential hardness of modular Lucas sequences is strictly weaker than that of iterated modular squaring (Conjecture 1). In other words, the sequential hardness of modular Lucas sequences might hold even in the case of an algorithmic improvement violating the sequential hardness of iterated modular squaring. Even though both assumptions need the group order to be hidden, we believe that there is need for a nuanced analysis of sequential hardness assumptions in hidden order groups, especially because all current delay functions that provide sufficient structure for applications are based on iterated modular squaring. If the iterated modular squaring assumption is broken, our delay function is currently the only practical alternative in the RSA group.\r\n\r\nDelay Functions in Idealised Models. Recent works studied the relationship of group-theoretic (verifiable) delay functions to the hardness of factoring in idealised models such as the algebraic group model and the generic ring model [27, 50]. In the generic ring model, Rotem and Segev [50] showed the equivalence of straight-line delay functions in the RSA setting and factoring. Our construction gives rise to a straight-line delay function and, by their result, its sequentiality is equivalent to factoring for generic algorithms. However, their result holds only in the generic ring model and leaves the relationship between the two assumptions unresolved in the standard model.\r\n\r\nCompare this with the status of the RSA assumption and factoring. On one hand, we know that in the generic ring model, RSA and factoring are equivalent [2]. Yet, it is possible to rule out certain classes of reductions from factoring to RSA in the standard model [11]. Most importantly, despite the equivalence in the generic ring model, there is currently no reduction from factoring to RSA in the standard model and it remains one of the major open problems in number theory related to cryptography since the introduction of the RSA assumption.\r\n\r\nIn summary, speeding up iterated squaring by a non-generic algorithm could be possible (necessarily exploiting the representations of ring elements modulo N), while such an algorithm may not lead to a speed-up in the computation of modular Lucas sequences despite the result of Rotem and Segev [50].\r\n\r\n1.2 Technical Overview\r\nPietrzak’s VDF. Let \r\n be an RSA modulus where p and q are safe primes and let x be a random element from \r\n. At its core, Pietrzak’s VDF relies on the interactive protocol for the statement\r\n\r\n“(N, x, y, T) satisfies \r\n”.\r\n\r\nThe protocol is recursive and, in a round-by-round fashion, reduces the claim to a smaller statement by halving the time parameter. To be precise, in each round, the (honest) prover sends the “midpoint” \r\n of the current statement to the verifier and they together reduce the statement to\r\n\r\n“\r\n satisfies \r\n”,\r\n\r\nwhere \r\n and \r\n for a random challenge r. This is continued till \r\n is obtained at which point the verifier simply checks whether \r\n using a single modular squaring.\r\n\r\nSince the challenges r are public, the protocol can be compiled into a non-interactive one using the Fiat-Shamir transform [22] and this yields a means to verify the delay function\r\n\r\nIt is worth pointing out that the choice of safe primes is crucial for proving soundness: in case the group has easy-to-find elements of small order then it becomes easy to break soundness (see, e.g., [10]).\r\n\r\nAdapting Pietrzak’s Protocol to Lucas Sequences. For a modulus \r\n and integers \r\n, recall that our delay function is defined as\r\n\r\nor equivalently\r\n\r\nfor the discriminant \r\n of the characteristic polynomial \r\n. Towards building a verification algorithm for this delay function, the natural first step is to design an interactive protocol for the statement\r\n\r\n“(N, P, Q, y, T) satisfies \r\n.”\r\n\r\nIt turns out that the interactive protocol from [42] can be adapted for this purpose. However, we encounter two technicalities in this process.\r\n\r\nDealing with elements of small order. The main problem that we face while designing our protocol is avoiding elements of small order. In the case of [42], this was accomplished by moving to the setting of signed quadratic residues [26] in which the sub-groups are all of large order. It is not clear whether a corresponding object exists for our algebraic setting. However, in an earlier draft of Pietrzak’s protocol [41], this problem was dealt with in a different manner: the prover sends a square root of \r\n, from which the original \r\n can be recovered easily (by squaring it) with a guarantee that the result lies in a group of quadratic residues \r\n. Notice that the prover knows the square root of \r\n, because it is just a previous term in the sequence he computed.\r\n\r\nIn our setting, we cannot simply ask for the square root of the midpoint as the subgroup of \r\n we effectively work in has a different structure. Nevertheless, we can use a similar approach: for an appropriately chosen small a, we provide an a-th root of \r\n (instead of \r\n itself) to the prover in the beginning of the protocol. The prover then computes the whole sequence for \r\n. In the end, he has the a-th root of every term of the original sequence and he can recover any element of the original sequence by raising to the a-th power.\r\n\r\nSampling strong modulus. The second technicality is related to the first one. In order to ensure that we can use the above trick, we require a modulus where the small subgroups are reasonably small not only in the group \r\n but also in the extension \r\n. Thus the traditional sampling algorithms that are used to sample strong primes (e.g., [46]) are not sufficient for our purposes. However, sampling strong primes that suit our criteria can still be carried out efficiently as we show in the full version.\r\n\r\nComparing Our Technique with [8, 25]. The VDFs in [8, 25] are also inspired by [42] and, hence, faced the same problem of low-order elements. In [8], this is dealt with by amplifying the soundness at the cost of parallel repetition and hence larger proofs and extra computation. In [25], the number of repetitions of [8] is reduced significantly by introducing the following technique: The exponent of the initial instance is reduced by some parameter \r\n and at the end of an interactive phase, the verifier performs final exponentiation with \r\n, thereby weeding out potential false low-order elements in the claim. This technique differs from the approach taken in our work in the following ways: The technique from [25] works in arbitrary groups but it requires the parameter \r\n to be large and of a specific form. In particular, the VDF becomes more efficient when \r\n is larger than \r\n. In our protocol, we work in RSA groups whose modulus is the product of primes that satisfy certain conditions depending on a. This enables us to choose a parameter a that is smaller than a statistical security parameter and thereby makes the final exponentiation performed by the verifier much more efficient. Further, a can be any natural number, while \r\n must be set as powers of all small prime numbers up a certain bound in [25].\r\n\r\n1.3 More Related Work\r\nTimed Primitives. The notion of VDFs was introduced in [31] and later formalised in [9]. VDFs are closely related to the notions of time-lock puzzles [48] and proofs of sequential work [36]. Roughly speaking, a time-lock puzzle is a delay function that additionally allows efficient sampling of the output via a trapdoor. A proof of sequential work, on the other hand, is a delay “multi-function”, in the sense that the output is not necessarily unique. Constructions of time-lock puzzles are rare [6, 38, 48], and there are known limitations: e.g., that it cannot exist in the random-oracle model [36]. However, we know how to construct proofs of sequential work in the random-oracle model [1, 16, 19, 36].\r\n\r\nSince VDFs have found several applications, e.g., in the design of resource-efficient blockchains [17], randomness beacons [43, 51] and proof of data replication [9], there have been several constructions. Among them, the most notable are the iterated-squaring based construction from [8, 25, 42, 55], the permutation-polynomial based construction from [9], the isogenies-based construction from [13, 21, 52] and the construction from lattice problems [15, 28]. The constructions in [42, 55] are quite practical (see the survey [10]) and the VDF deployed in the cryptocurrency Chia is basically their construction adapted to the algebraic setting of class groups [17]. This is arguably the closest work to ours. On the other hand, the constructions from [21, 52], which work in the algebraic setting of isogenies of elliptic curves where no analogue of square and multiply is known, simply rely on “exponentiation”. Although, these constructions provide a certain form of quantum resistance, they are presently far from efficient. Freitag et al. [23] constructed VDFs from any sequentially hard function and polynomial hardness of learning with errors, the first from standard assumptions. The works of Cini, Lai, and Malavolta [15, 28] constructed the first VDF from lattice-based assumptions and conjectured it to be post-quantum secure.\r\n\r\nSeveral variants of VDFs have also been proposed. A VDF is said to be unique if the proof that is used for verification is unique [42]. Recently, Choudhuri et al. [5] constructed unique VDFs from the sequential hardness of iterated squaring in any RSA group and polynomial hardness of LWE. A VDF is tight [18] if the gap between simply computing the function and computing it with a proof is small. Yet another extension is a continuous VDF [20]. The feasibility of time-lock puzzles and proofs of sequential works were recently extended to VDFs. It was shown [50] that the latter requirement, i.e., working in a group of unknown order, is inherent in a black-box sense. It was shown in [18, 37] that there are barriers to constructing tight VDFs in the random-oracle model.\r\n\r\nVDFs also have surprising connection to complexity theory [14, 20, 33].\r\n\r\nWork Related to Lucas Sequences. Lucas sequences have long been studied in the context of number theory: see for example [45] or [44] for a survey of its applications to number theory. Its earliest application to cryptography can be traced to the \r\n factoring algorithm [56]. Constructive applications were found later thanks to the parallels with exponentiation. Several encryption and signature schemes were proposed, most notably the LUC family of encryption and signatures [30, 39]. It was later shown that some of these schemes can be broken or that the advantages it claimed were not present [7]. Other applications can be found in [32].\r\n\r\n2 Preliminaries\r\n2.1 Interactive Proof Systems\r\nInteractive Protocols. An interactive protocol consists of a pair \r\n of interactive Turing machines that are run on a common input \r\n. The first machine \r\n is the prover and is computationally unbounded. The second machine \r\n is the verifier and is probabilistic polynomial-time.\r\n\r\nIn an \r\n-round (i.e., \r\n-message) interactive protocol, in each round \r\n, first \r\n sends a message \r\n to \r\n and then \r\n sends a message \r\n to \r\n, where \r\n is a finite alphabet. At the end of the interaction, \r\n runs a (deterministic) Turing machine on input \r\n. The interactive protocol is public-coin if \r\n is a uniformly distributed random string in \r\n.\r\n\r\nInteractive Proof Systems. The notion of an interactive proof for a language L is due to Goldwasser, Micali and Rackoff [24].\r\n\r\nDefinition 1\r\nFor a function \r\n, an interactive protocol \r\n is an \r\n-statistically-sound interactive proof system for L if:\r\n\r\nCompleteness: For every \r\n, if \r\n interacts with \r\n on common input \r\n, then \r\n accepts with probability 1.\r\n\r\nSoundness: For every \r\n and every (computationally-unbounded) cheating prover strategy \r\n, the verifier \r\n accepts when interacting with \r\n with probability less than \r\n, where \r\n is called the soundness error.\r\n\r\n2.2 Verifiable Delay Functions\r\nWe adapt the definition of verifiable delay functions from [9] but we decouple the verifiability and sequentiality properties for clarity of exposition of our results. First, we present the definition of a delay function.\r\n\r\nDefinition 2\r\nA delay function \r\n consists of a triple of algorithms with the following syntax:\r\n\r\n:\r\n\r\nOn input a security parameter \r\n, the algorithm \r\n outputs public parameters \r\n.\r\n\r\n:\r\n\r\nOn input public parameters \r\n and a time parameter \r\n, the algorithm \r\n outputs a challenge x.\r\n\r\n:\r\n\r\nOn input a challenge pair (x, T), the (deterministic) algorithm \r\n outputs the value y of the delay function in time T.\r\n\r\nThe security property required of a delay function is sequential hardness as defined below.\r\n\r\nDefinition 3\r\n(Sequentiality). We say that a delay function \r\n satisfies the sequentiality property, if there exists an \r\n such that for all \r\n and for every adversary \r\n, where \r\n uses \r\n processors and runs in time \r\n, there exists a negligible function \r\n such that\r\n\r\nfigure a\r\nA few remarks about our definition of sequentiality are in order:\r\n\r\n1.\r\nWe require computing \r\n to be hard in less than T sequential steps even using any polynomially-bounded amount of parallelism and precomputation. Note that it is necessary to bound the amount of parallelism, as an adversary could otherwise break the underlying hardness assumption (e.g. hardness of factorization). Analogously, T should be polynomial in \r\n as, otherwise, breaking the underlying hardness assumptions becomes easier than computing \r\n itself for large values of T.\r\n\r\n2.\r\nAnother issue is what bound on the number of sequential steps of the adversary should one impose. For example, the delay function based on T repeated modular squarings can be computed in sequential time \r\n using polynomial parallelism [4]. Thus, one cannot simply bound the sequential time of the adversary by o(T). Similarly to [38], we adapt the \r\n bound for \r\n which, in particular, is asymptotically smaller than \r\n.\r\n\r\n3.\r\nWithout loss of generality, we assume that the size of \r\n is at least linear in n and the adversary A does not have to get the unary representation of the security parameter \r\n as its input.\r\n\r\nThe definition of verifiable delay function extends a delay function with the possibility to compute publicly-verifiable proofs of correctness of the output value.\r\n\r\nDefinition 4\r\nA delay function \r\n is a verifiable delay function if it is equipped with two additional algorithms \r\n and \r\n with the following syntax:\r\n\r\n:\r\n\r\nOn input public parameters and a challenge pair (x, T), the \r\n algorithm outputs \r\n, where \r\n is a proof that the output y is the output of \r\n.\r\n\r\n:\r\n\r\nOn input public parameters, a challenge pair (x, T), and an output/proof pair \r\n, the (deterministic) algorithm \r\n outputs either \r\n or \r\n.\r\n\r\nIn addition to sequentiality (inherited from the underlying delay function), the \r\n and \r\n algorithms must together satisfy correctness and (statistical) soundness as defined below.\r\n\r\nDefinition 5\r\n(Correctness). A verifiable delay function \r\n is correct if for all \r\n\r\nfigure b\r\nDefinition 6\r\n(Statistical soundness). A verifiable delay function \r\n is statistically sound if for every (computationally unbounded) malicious prover \r\n there exists a negligible function \r\n such that for all \r\n\r\nfigure c\r\n3 Delay Functions from Lucas Sequences\r\nIn this section, we propose a delay function based on Lucas sequences and prove its sequentiality assuming that iterated squaring in a group of unknown order is sequential (Sect. 3.1). Further, we conjecture (Sect. 3.2) that our delay function candidate is even more robust than its predecessor proposed by Rivest, Shamir, and Wagner [48]. Finally, we turn our delay function candidate into a verifiable delay function (Sect. 4).\r\n\r\n3.1 The Atomic Operation\r\nOur delay function is based on subsequences of Lucas sequences, whose indexes are powers of two. Below, we use \r\n to denote the set of non-negative integers.\r\n\r\nDefinition 7\r\nFor integers \r\n, the Lucas sequences \r\n and \r\n are defined for all \r\n as\r\n\r\nwith \r\n and \r\n, and\r\n\r\nwith \r\n and \r\n.\r\n\r\nWe define subsequences \r\n, respectively \r\n, of \r\n, respectively \r\n for all \r\n as\r\n\r\n(2)\r\nAlthough the value of \r\n depends on parameters (P, Q), we omit (P, Q) from the notation because these parameters will be always obvious from the context.\r\n\r\nThe underlying atomic operation for our delay function is\r\n\r\nThere are several ways to compute \r\n in T sequential steps, and we describe two of them below.\r\n\r\nAn Approach Based on Squaring in a Suitable Extension Ring. To compute the value \r\n, we can use the extension ring \r\n, where \r\n is the discriminant of the characteristic polynomial \r\n of the Lucas sequence. The characteristic polynomial f(z) has a root \r\n, and it is known that, for all \r\n, it holds that\r\n\r\nThus, by iterated squaring of \r\n, we can compute terms of our target subsequences. To get a better understanding of squaring in the extension ring, consider the representation of the root \r\n for some \r\n. Then,\r\n\r\nThen, the atomic operation of our delay function can be interpreted as \r\n, defined for all \r\n as\r\n\r\n(3)\r\nAn Approach Based on Known Identities. Many useful identities for members of modular Lucas sequences are known, such as\r\n\r\n(4)\r\nSetting \r\n we get\r\n\r\n(5)\r\nThe above identities are not hard to derive (see, e.g., Lemma 12.5 in [40]). Indexes are doubled on each of application of the identities in Eq. (5), and, thus, for \r\n, we define an auxiliary sequence \r\n by \r\n. Using the identities in Eq. (5), we get recursive equations\r\n\r\n(6)\r\nThen, the atomic operation of our delay function can be interpreted as \r\n, defined for all \r\n as\r\n\r\n(7)\r\nAfter a closer inspection, the reader may have an intuition that an auxiliary sequence \r\n, which introduces a third state variable, is redundant. This intuition is indeed right. In fact, there is another easily derivable identity\r\n\r\n(8)\r\nwhich can be found, e.g., as Lemma 12.2 in [40]. On the other hand, Eq. (8) is quite interesting because it allows us to compute large powers of an element \r\n using two Lucas sequences. We use this fact in the security reduction in Sect. 3.2. Our construction of a delay function, denoted \r\n, is given in Fig. 1.\r\n\r\nFig. 1.\r\nfigure 1\r\nOur delay function candidate \r\n based on a modular Lucas sequence.\r\n\r\nFull size image\r\nOn the Discriminant D. Notice that whenever D is a quadratic residue modulo N, the value \r\n is an element of \r\n and hence \r\n. By definition, LCS.Gen generates a parameter D that is a quadratic residue with probability 1/4, so it might seem that in one fourth of the cases there is another approach to compute \r\n: find the element \r\n and then perform n sequential squarings in the group \r\n. However, it is well known that finding square roots of uniform elements in \r\n is equivalent to factoring the modulus N, so this approach is not feasible. We can therefore omit any restrictions on the discriminant D in the definition of our delay function LCS.\r\n\r\n3.2 Reduction from RSW Delay Function\r\nIn order to prove the sequentiality property (Definition 3) of our candidate \r\n, we rely on the standard conjecture of the sequentiality of the \r\n time-lock puzzles, implicitly stated in [48] as the underlying hardness assumption.\r\n\r\nDefinition 8\r\n(\r\n delay function). The \r\n delay function is defined as follows:\r\n\r\n: Samples two n-bit primes p and q and outputs \r\n.\r\n\r\n: Outputs an x sampled from the uniform distribution on \r\n.\r\n\r\n: Outputs \r\n.\r\n\r\nTheorem 2\r\nIf the \r\n delay function has the sequentiality property, then the \r\n delay function has the sequentiality property.\r\n\r\nProof\r\nSuppose there exists an adversary \r\n who contradicts the sequentiality of \r\n, where \r\n is a precomputation algorithm and \r\n is an online algorithm. We construct an adversary \r\n who contradicts the sequentiality of \r\n as follows:\r\n\r\nThe algorithm \r\n is defined identically to the algorithm \r\n.\r\n\r\nOn input \r\n, \r\n picks a P from the uniform distribution on \r\n, sets\r\n\r\nand it runs \r\n to compute \r\n. The algorithm \r\n computes \r\n using the identity in Eq. (8).\r\n\r\nNote that the input distribution for the algorithm \r\n produced by \r\n differs from the one produced by \r\n, because the \r\n generator samples Q from the uniform distribution on \r\n (instead of \r\n). However, this is not a problem since the size of \r\n is negligible compared to the size of \r\n, so the statistical distance between the distribution of D produced by \r\n and the distribution of D sampled by \r\n is negligible in the security parameter. Thus, except for a negligible multiplicative loss, the adversary \r\n attains the same success probability of breaking the sequentiality of \r\n as the probability of \r\n breaking the sequentiality of \r\n – a contradiction to the assumption of the theorem.   \r\n\r\nWe believe that the converse implication to Theorem 2 is not true, i.e., that breaking the sequentiality of \r\n does not necessarily imply breaking the sequentiality of \r\n. Below, we state it as a conjecture.\r\n\r\nConjecture 1\r\nSequentiality of \r\n cannot be reduced to sequentiality of \r\n.\r\n\r\nOne reason why the above conjecture might be true is that, while the \r\n delay function is based solely only on multiplication in the group \r\n, our \r\n delay function uses the full arithmetic (addition and multiplication) of the commutative ring \r\n.\r\n\r\nOne way to support the conjecture would be to construct an algorithm that speeds up iterated squaring but is not immediately applicable to Lucas sequences. By [49] we know that this cannot be achieved by a generic algorithm. A non-generic algorithm that solves iterated squaring in time \r\n is presented in [4]. The main tool of their construction is the Explicit Chinese Remainder Theorem modulo N. However, a similiar theorem exists also for univariate polynomial rings, which suggests that a similar speed-up can be obtained for our delay function by adapting the techniques in [4] to our setting.\r\n\r\n4 VDF from Lucas Sequences\r\nIn Sect. 3.1 we saw different ways of computing the atomic operation of the delay function. Computing \r\n in the extension field seems to be the more natural and time and space effective approach. Furthermore, writing the atomic operation \r\n as \r\n is very clear, and, thus, we follow this approach throughout the rest of the paper.\r\n\r\n4.1 Structure of \r\nTo construct a VDF based on Lucas sequences, we use an algebraic extension\r\n\r\n(9)\r\nwhere N is an RSA modulus and \r\n. In this section, we describe the structure of the algebraic extension given in Expression (9). Based on our understanding of the structure of the above algebraic extension, we can conclude that using modulus N composed of safe primes (i.e., for all prime factors p of N, \r\n has a large prime divisor) is necessary but not sufficient condition for security of our construction. We specify some sufficient conditions on factors of N in the subsequent Sect. 4.2.\r\n\r\nFirst, we introduce some simplifying notation for quotient rings.\r\n\r\nDefinition 9\r\nFor \r\n and \r\n, we denote by \r\n the quotient ring \r\n, where (m, f(x)) denotes the ideal of the ring \r\n generated by m and f(x).\r\n\r\nObservation 1, below, allows us to restrict our analysis only to the structure of \r\n for prime \r\n.\r\n\r\nObservation 1\r\nLet \r\n be distinct primes, \r\n and \r\n. Then\r\n\r\nProof\r\nUsing the Chinese reminder theorem, we get\r\n\r\nas claimed.   \r\n\r\nThe following lemma characterizes the structure of \r\n with respect to the discriminant of f. We use \r\n to denote the standard Legendre symbol.\r\n\r\nLemma 1\r\nLet \r\n and \r\n be a polynomial of degree 2 with the discriminant D. Then\r\n\r\nProof\r\nWe consider each case separately:\r\n\r\nIf \r\n, then f(x) is irreducible over \r\n and \r\n is a field with \r\n elements. Since \r\n is a finite field, \r\n is cyclic and contains \r\n elements.\r\n\r\nIf \r\n, then \r\n and f has some double root \r\n and it can be written as \r\n for some \r\n. Since the ring \r\n is isomorphic to the ring \r\n (consider the isomorphism \r\n), we can restrict ourselves to describing the structure of \r\n.\r\n\r\nWe will prove that the function \r\n,\r\n\r\nis an isomorphism. First, the polynomial \r\n is invertible if and only if \r\n (inverse is \r\n). For the choice \r\n, we have\r\n\r\nThus \r\n is onto. Second, \r\n is, in fact, a bijection, because\r\n\r\n(10)\r\nFinally, \r\n is a homomorphism, because\r\n\r\nIf \r\n, then f(x) has two roots \r\n. We have an isomorphism\r\n\r\nand \r\n.    \r\n\r\n4.2 Strong Groups and Strong Primes\r\nTo achieve the verifiability property of our construction, we need \r\n to contain a strong subgroup (defined next) of order asymptotically linear in p. We remark that our definition of strong primes is stronger than the one by Rivest and Silverman [46].\r\n\r\nDefinition 10\r\n(Strong groups). For \r\n, we say that a non-trivial group \r\n is \r\n-strong, if the order of each non-trivial subgroup of \r\n is greater than \r\n.\r\n\r\nObservation 2\r\nIf \r\n and \r\n are \r\n-strong groups, then \r\n is a \r\n-strong group.\r\n\r\nIt can be seen from Lemma 1 that \r\n always contains groups of small order (e.g. \r\n). To avoid these, we descend into the subgroup of a-th powers of elements of \r\n. Below, we introduce the corresponding notation.\r\n\r\nDefinition 11\r\nFor an Abelian group \r\n and \r\n, we define the subgroup \r\n of \r\n in the multiplicative notation and \r\n in the additive notation.\r\n\r\nFurther, we show in Lemma 2 below that \r\n-strong primality (defined next) is a sufficient condition for \r\n to be a \r\n-strong group.\r\n\r\nDefinition 12\r\n(Strong primes). Let \r\n and \r\n. We say that p is a \r\n-strong prime, if \r\n and there exists \r\n, \r\n, such that \r\n and every prime factor of W is greater than \r\n.\r\n\r\nSince a is a public parameter in our setup, super-polynomial a could reveal partial information about the factorization of N. However, we could allow a to be polynomial in \r\n while maintaining hardness of factoring N.Footnote4 For the sake of simplicity of Definition 12, we rather use stronger condition \r\n. The following simple observation will be useful for proving Lemma 2.\r\n\r\nObservation 3\r\nFor \r\n.\r\n\r\nLemma 2\r\nLet p be a \r\n-strong prime and \r\n be a quadratic polynomial. Then, \r\n is a \r\n-strong group.\r\n\r\nProof\r\nFrom definition of the strong primes, there exists \r\n, whose factors are bigger than \r\n and \r\n. We denote \r\n a factor of W. Applying Observation 3 to Lemma 1, we get\r\n\r\nIn particular, we used above the fact that Observation 2 implies that \r\n as explained next. Since \r\n, all divisors of \r\n are divisors of aW. By definition of a and W in Definition 12, we also have that \r\n, which implies that any factor of \r\n divides either a or W, but not both. When we divide \r\n by all the common divisors with a, only the common divisors with W are left, which implies \r\n. The proof of the lemma is now completed by Observation 2.\r\n\r\nCorollary 1\r\nLet p be a \r\n-strong prime, q be a \r\n-strong prime, \r\n, \r\n, \r\n and \r\n. Then \r\n is \r\n-strong.\r\n\r\n4.3 Our Interactive Protocol\r\nOur interactive protocol is formally described in Fig. 3. To understand this protocol, we first recall the outline of Pietrzak’s interactive protocol from Sect. 1.2 and then highlight the hurdles. Let \r\n be an RSA modulus where p and q are strong primes and let x be a random element from \r\n. The interactive protocol in [42] allows a prover to convince the verifier of the statement\r\n\r\n“(N, x, y, T) satisfies \r\n”.\r\n\r\nThe protocol is recursive and in a round-by-round fashion reduces the claim to a smaller statement by halving the time parameter. To be precise, in each round the (honest) prover sends the “midpoint” \r\n of the current statement to the verifier and they together reduce the statement to\r\n\r\n“\r\n satisfies \r\n”,\r\n\r\nwhere \r\n and \r\n for a random challenge r. This is continued until \r\n is obtained at which point the verifier simply checks whether \r\n.\r\n\r\nThe main problem, we face while designing our protocol is ensuring that the verifier can check whether \r\n sent by prover lies in an appropriate subgroup of \r\n. In the first draft of Pietrzak’s protocol [41], prover sends a square root of \r\n, from which the original \r\n can be recovered easily (by simply squaring it) with a guarantee, that the result lies in a group of quadratic residues \r\n. Notice that the prover knows the square root of \r\n, because it is just a previous term in the sequence he computed.\r\n\r\nUsing Pietrzak’s protocol directly for our delay function would require computing a-th roots in RSA group for some arbitrary a. Since this is a computationally hard problem, we cannot use the same trick. In fact, the VDF construction of Wesolowski [54] is based on similar hardness assumption.\r\n\r\nWhile Pietrzak shifted from \r\n to the group of signed quadratic residues \r\n in his following paper [42] to get unique proofs, we resort to his old idea of ‘squaring a square root’ and generalise it.\r\n\r\nThe high level idea is simple. First, on input \r\n, prover computes the sequence \r\n. Next, during the protocol, verifier maps all elements sent by the prover by homomorphism\r\n\r\n(11)\r\ninto the target strong group \r\n. This process is illustrated in Fig. 2. Notice that the equality \r\n for the original sequence implies the equality \r\n for the mapped sequence \r\n.\r\n\r\nFig. 2.\r\nfigure 2\r\nIllustration of our computation of the iterated squaring using the a-th root of \r\n. Horizontal arrows are \r\n and diagonal arrows are \r\n.\r\n\r\nFull size image\r\nRestriction to Elements of \r\n. Mapping Eq. (11) introduces a new technical difficulty. Since \r\n is not injective, we narrow the domain inputs, for which the output of our VDF is verifiable, from \r\n to \r\n. Furthermore, the only way to verify that a certain x is an element of \r\n is to get an a-th root of x and raise it to the ath power. So we have to represent elements of \r\n by elements of \r\n anyway. To resolve these two issues, we introduce a non-unique representation of elements of \r\n.\r\n\r\nDefinition 13\r\nFor \r\n and \r\n, we denote \r\n (an element of \r\n) by [x]. Since this representation of \r\n is not unique, we define an equality relation by\r\n\r\nWe will denote by tilde () the elements that were already powered to the a by a verifier (i.e. ). Thus tilded variables verifiably belong to the target group \r\n.\r\n\r\nIn the following text, the goal of the brackets notation in Definition 13 is to distinguish places where the equality means the equality of elements of \r\n from those places, where the equality holds up to \r\n. A reader can also see the notation in Definition 13 as a concrete representation of elements of a factor group \r\n.\r\n\r\nOur security reduction 2 required the delay function to operate everywhere on \r\n. This is not a problem if the \r\n algorithm is modified to output the set \r\n.\r\n\r\nFig. 3.\r\nfigure 3\r\nOur Interactive Protocol for \r\n.\r\n\r\nFull size image\r\n4.4 Security\r\nRecall here that \r\n is \r\n-strong group, so there exist\r\n\r\n and \r\n such that\r\n\r\n(12)\r\nDefinition 14\r\nFor \r\n and \r\n, we define \r\n as i-th coordinate of \r\n, where \r\n is the isomorphism given by Eq. (12).\r\n\r\nLemma 3\r\nLet \r\n and \r\n. If \r\n, then\r\n\r\n\t(13)\r\nProof\r\nFix \r\n, \r\n and y. Let some \r\n satisfy\r\n\r\n(14)\r\nUsing notation from Definition 14, we rewrite Eq. (14) as a set of equations\r\n\r\nFor every \r\n, by reordering the terms, the j-th equation becomes\r\n\r\n(15)\r\nIf \r\n, then \r\n. Further for every \r\n. It follows that \r\n. Putting these two equations together gives us \r\n, which contradicts our assumption \r\n.\r\n\r\nIt follows that there exists \r\n such that\r\n\r\n(16)\r\nThereafter there exists \r\n such that \r\n divides \r\n and\r\n\r\n(17)\r\nFurthermore, from Eq. (15), \r\n divides \r\n. Finally, dividing eq. Eq. (15) by \r\n, we get that r is determined uniquely (\r\n),\r\n\r\nUsing the fact that \r\n, this uniqueness of r upper bounds number of \r\n, such that Eq. (14) holds, to one. It follows that the probability that Eq. (14) holds for r chosen randomly from the uniform distribution over \r\n is less than \r\n.    \r\n\r\nCorollary 2\r\nThe halving protocol will turn an invalid input tuple (i.e. \r\n) into a valid output tuple (i.e. \r\n) with probability less than \r\n.\r\n\r\nTheorem 3\r\nFor any computationally unbounded prover who submits anything other than \r\n such that \r\n in phase 2 of the protocol, the soundness error is upper-bounded by \r\n\r\nProof\r\nIn each round of the protocol, T decreases to \r\n. It follows that the number of rounds of the halving protocol before reaching \r\n is upper bounded by \r\n.\r\n\r\nIf the verifier accepts the solution tuple \r\n in the last round, then the equality \r\n must hold. It follows that the initial inequality must have turned into equality in some round of the halving protocol. By Lemma 3, the probability of this event is bounded by \r\n. Finally, using the union bound for all rounds, we obtain the upper bound (\r\n.    \r\n\r\n4.5 Our VDF\r\nAnalogously to the VDF of Pietrzak [42], we compile our public-coin interactive proof given in Fig. 3 into a VDF using the Fiat-Shamir heuristic. The complete construction is given in Fig. 4. For ease of exposition, we assume that the time parameter T is always a power of two.\r\n\r\nFig. 4.\r\nfigure 4\r\n based on Lucas sequences\r\n\r\nFull size image\r\nAs discussed in Sect. 4.3, it is crucial for the security of the protocol that the prover computes a sequence of powers of the a-th root of the challenge and the resulting value (as well as the intermediate values) received from the prover is lifted to the appropriate group by raising it to the a-th power. We use the tilde notation in Fig. 4 in order to denote elements on the sequence relative to the a-th root.\r\n\r\nNote that, by the construction, the output of our VDF is the \r\n-th power of the root of the characteristic polynomial for Lucas sequence with parameters P and Q. Therefore, the value of the delay function implicitly corresponds to the \r\n-th term of the Lucas sequence.\r\n\r\nTheorem 4\r\nLet \r\n be the statistical security parameter. The \r\n VDF defined in Fig. 4 is correct and statistically-sound with a negligible soundness error if \r\n is modelled as a random oracle, against any adversary that makes \r\n oracle queries.\r\n\r\nProof\r\nThe correctness follows directly by construction.\r\n\r\nTo prove its statistical soundness, we proceed in a similar way to [42]. We cannot apply Fiat-Shamir transformation directly, because our protocol does not have constant number of rounds, thus we use Fiat-Shamir heuristic to each round separately.\r\n\r\nFirst, we use a random oracle as the \r\n function. Second, if a malicious prover computed a proof accepted by verifier for some tuple \r\n such that\r\n\r\n(19)\r\nthen he must have succeeded in turning inequality from Eq. (19) into equality in some round. By Lemma 3, probability of such a flipping is bounded by \r\n. Every such an attempt requires one query to random oracle. Using a union bound, it follows that the probability that a malicious prover who made q queries to random oracle succeeds in flipping initial inequality into equality in some round is upper-bounded by \r\n.\r\n\r\nSince q is \r\n, \r\n is a negligible function and thus the soundness error is negligible.    \r\n\r\nNotes\r\n1.\r\nNote that integer sequences like Fibonacci numbers and Mersenne numbers are special cases of Lucas sequences.\r\n\r\n2.\r\nThe choice of modulus N is said to be safe if \r\n for safe primes \r\n and \r\n, where \r\n and \r\n are also prime.\r\n\r\n3.\r\nFurther, using the ideas from [14, 20], it is possible to construct so-called continuous VDFs from Lucas sequences.\r\n\r\n4.\r\nSince we set a to be at most polynomial in \r\n, its is possible to go over all possible candidate values for a in time polynomial in \r\n. Thus, any algorithm that could factor N using the knowledge of a can be efficiently simulated even without the knowledge of a.\r\n\r\nReferences\r\nAbusalah, H., Kamath, C., Klein, K., Pietrzak, K., Walter, M.: Reversible proofs of sequential work. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 277–291. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_10\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nAggarwal, D., Maurer, U.: Breaking RSA generically is equivalent to factoring. IEEE Trans. Inf. Theory 62(11), 6251–6259 (2016). https://doi.org/10.1109/TIT.2016.2594197\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nArun, A., Bonneau, J., Clark, J.: Short-lived zero-knowledge proofs and signatures. In: Agrawal, S., Lin, D. (eds.) Advances in Cryptology – ASIACRYPT 2022. Lecture Notes in Computer Science, vol. 13793, pp. 487–516. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22969-5_17\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nBernstein, D., Sorenson, J.: Modular exponentiation via the explicit Chinese remainder theorem. Math. Comput. 76, 443–454 (2007). https://doi.org/10.1090/S0025-5718-06-01849-7\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nBitansky, N., et al.: PPAD is as hard as LWE and iterated squaring. IACR Cryptol. ePrint Arch., p. 1072 (2022)\r\n\r\nGoogle Scholar\r\n \r\n\r\nBitansky, N., Goldwasser, S., Jain, A., Paneth, O., Vaikuntanathan, V., Waters, B.: Time-lock puzzles from randomized encodings. In: ITCS, pp. 345–356. ACM (2016)\r\n\r\nGoogle Scholar\r\n \r\n\r\nBleichenbacher, D., Bosma, W., Lenstra, A.K.: Some remarks on Lucas-based cryptosystems. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 386–396. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_31\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nBlock, A.R., Holmgren, J., Rosen, A., Rothblum, R.D., Soni, P.: Time- and space-efficient arguments from groups of unknown order. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 123–152. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_5\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nBoneh, D., Bonneau, J., Bünz, B., Fisch, B.: Verifiable delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 757–788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_25\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nBoneh, D., Bünz, B., Fisch, B.: A survey of two verifiable delay functions. IACR Cryptol. ePrint Arch. 2018, 712 (2018)\r\n\r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nBoneh, D., Venkatesan, R.: Breaking RSA may not be equivalent to factoring. In: Nyberg, K. (ed.) Advances in Cryptology - EUROCRYPT ’98. Lecture Notes in Computer Science, vol. 1403, pp. 59–71. Springer, Cham (1998). https://doi.org/10.1007/BFb0054117\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nBuchmann, J., Williams, H.C.: A key-exchange system based on imaginary quadratic fields. J. Cryptol. 1(2), 107–118 (1988). https://doi.org/10.1007/BF02351719\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nChavez-Saab, J., Rodríguez-Henríquez, F., Tibouchi, M.: Verifiable Isogeny walks: towards an isogeny-based postquantum VDF. In: AlTawy, R., Hülsing, A. (eds.) SAC 2021. LNCS, vol. 13203, pp. 441–460. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-99277-4_21\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nChoudhuri, A.R., Hubáček, P., Kamath, C., Pietrzak, K., Rosen, A., Rothblum, G.N.: PPAD-hardness via iterated squaring modulo a composite. IACR Cryptol. ePrint Arch. 2019, 667 (2019)\r\n\r\nGoogle Scholar\r\n \r\n\r\nCini, V., Lai, R.W.F., Malavolta, G.: Lattice-based succinct arguments from vanishing polynomials. In: Handschuh, H., Lysyanskaya, A. (eds.) Advances in Cryptology - CRYPTO 2023. Lecture Notes in Computer Science, pp. 72–105. Springer Nature Switzerland, Cham (2023). https://doi.org/10.1007/978-3-031-38545-2_3\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nCohen, B., Pietrzak, K.: Simple proofs of sequential work. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 451–467. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_15\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nCohen, B., Pietrzak, K.: The Chia network blockchain. Technical report, Chia Network (2019). https://www.chia.net/assets/ChiaGreenPaper.pdf. Accessed 29 July 2022\r\n\r\nDöttling, N., Garg, S., Malavolta, G., Vasudevan, P.N.: Tight verifiable delay functions. In: Galdi, C., Kolesnikov, V. (eds.) SCN 2020. LNCS, vol. 12238, pp. 65–84. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57990-6_4\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nDöttling, N., Lai, R.W.F., Malavolta, G.: Incremental proofs of sequential work. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 292–323. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_11\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nEphraim, N., Freitag, C., Komargodski, I., Pass, R.: Continuous verifiable delay functions. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 125–154. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_5\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nDe Feo, L., Masson, S., Petit, C., Sanso, A.: Verifiable delay functions from supersingular isogenies and pairings. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 248–277. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_10\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nFiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nFreitag, C., Pass, R., Sirkin, N.: Parallelizable delegation from LWE. IACR Cryptol. ePrint Arch., p. 1025 (2022)\r\n\r\nGoogle Scholar\r\n \r\n\r\nGoldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nHoffmann, C., Hubáček, P., Kamath, C., Klein, K., Pietrzak, K.: Practical statistically sound proofs of exponentiation in any group. In: Dodis, Y., Shrimpton, T. (eds.) Advances in Cryptology – CRYPTO 2022. Lecture Notes in Computer Science, vol. 13508, pp. 1–30. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15979-4_13\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nHofheinz, D., Kiltz, E.: The group of signed quadratic residues and applications. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 637–653. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_37\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nKatz, J., Loss, J., Xu, J.: On the security of time-lock puzzles and timed commitments. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part III. LNCS, vol. 12552, pp. 390–413. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64381-2_14\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nLai, R.W.F., Malavolta, G.: Lattice-based timed cryptography. In: Handschuh, H., Lysyanskaya, A. (eds.) Advances in Cryptology - CRYPTO 2023. Lecture Notes in Computer Science, pp. 782–804. Springer Nature Switzerland, Cham (2023). https://doi.org/10.1007/978-3-031-38554-4_25\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nLehmer, D.H.: An extended theory of Lucas’ functions. Ann. Math. 31(3), 419–448 (1930). https://www.jstor.org/stable/1968235\r\n\r\nLennon, M.J.J., Smith, P.J.: LUC: A new public key system. In: Douglas, E.G. (ed.) Ninth IFIP Symposium on Computer Security, pp. 103–117. Elsevier Science Publishers (1993)\r\n\r\nGoogle Scholar\r\n \r\n\r\nLenstra, A.K., Wesolowski, B.: Trustworthy public randomness with sloth, unicorn, and trx. IJACT 3(4), 330–343 (2017)\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nLipmaa, H.: On Diophantine complexity and statistical zero-knowledge arguments. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 398–415. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_26\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nLombardi, A., Vaikuntanathan, V.: Fiat-Shamir for repeated squaring with applications to PPAD-hardness and VDFs. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 632–651. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_22\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nLucas, E.: Théorie des fonctions numériques simplement périodiques. Am. J. Math. 1(4), 289–321 (1878). https://www.jstor.org/stable/2369373\r\n\r\nLund, C., Fortnow, L., Karloff, H.J., Nisan, N.: Algebraic methods for interactive proof systems. J. ACM 39(4), 859–868 (1992)\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nMahmoody, M., Moran, T., Vadhan, S.P.: Publicly verifiable proofs of sequential work. In: ITCS, pp. 373–388. ACM (2013)\r\n\r\nGoogle Scholar\r\n \r\n\r\nMahmoody, M., Smith, C., Wu, D.J.: A note on the (Im)possibility of verifiable delay functions in the random oracle model. IACR Cryptol. ePrint Arch. 2019, 663 (2019)\r\n\r\nGoogle Scholar\r\n \r\n\r\nMalavolta, G., Thyagarajan, S.A.K.: Homomorphic time-lock puzzles and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 620–649. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_22\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nMüller, W.B., Nöbauer, W.: Some remarks on public-key cryptosystems. Studia Sci. Math. Hungar. 16, 71–76 (1981)\r\n\r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nBressoud, D.M.: Factorization and primality testing. Math. Comput. 56(193), 400 (1991)\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nPietrzak, K.: Simple verifiable delay functions. IACR Cryptol. ePrint Arch. 2018, 627 (2018). https://eprint.iacr.org/2018/627/20180720:081000\r\n\r\nPietrzak, K.: Simple verifiable delay functions. In: ITCS. LIPIcs, vol. 124, pp. 1–15. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2019)\r\n\r\nGoogle Scholar\r\n \r\n\r\nRabin, M.O.: Transaction protection by beacons. J. Comput. Syst. Sci. 27(2), 256–267 (1983)\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nRibenboim, P.: My Numbers, My Friends: Popular Lectures on Number Theory. Springer-Verlag, New York (2000)\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nRiesel, H.: Prime Numbers and Computer Methods for Factorization, Progress in Mathematics, vol. 57. Birkhäuser, Basel (1985)\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nRivest, R., Silverman, R.: Are ’strong’ primes needed for RSA. Cryptology ePrint Archive, Report 2001/007 (2001). https://eprint.iacr.org/2001/007\r\n\r\nRivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems (reprint). Commun. ACM 26(1), 96–99 (1983)\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nRivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Technical report, Massachusetts Institute of Technology (1996)\r\n\r\nGoogle Scholar\r\n \r\n\r\nRotem, L., Segev, G.: Generically speeding-up repeated squaring is equivalent to factoring: sharp thresholds for all generic-ring delay functions. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 481–509. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_17\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nRotem, L., Segev, G., Shahaf, I.: Generic-group delay functions require hidden-order groups. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 155–180. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_6\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nSchindler, P., Judmayer, A., Hittmeir, M., Stifter, N., Weippl, E.R.: RandRunner: distributed randomness from trapdoor VDFs with strong uniqueness. In: 28th Annual Network and Distributed System Security Symposium, NDSS 2021, virtually, 21–25 February 2021. The Internet Society (2021)\r\n\r\nGoogle Scholar\r\n \r\n\r\nShani, B.: A note on isogeny-based hybrid verifiable delay functions. IACR Cryptol. ePrint Arch. 2019, 205 (2019)\r\n\r\nGoogle Scholar\r\n \r\n\r\nValiant, P.: Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 1–18. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_1\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nWesolowski, B.: Efficient verifiable delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_13\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nWesolowski, B.: Efficient verifiable delay functions. J. Cryptol. 33(4), 2113–2147 (2020). https://doi.org/10.1007/s00145-020-09364-x\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nWilliams, H.C.: A \r\n method of factoring. Math. Comput. 39(159), 225–234 (1982)\r\n\r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nWilliams, H.C.: Édouard lucas and primality testing. Math. Gaz. 83, 173 (1999)\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nDownload references\r\n\r\nAcknowledgements\r\nWe thank Krzysztof Pietrzak and Alon Rosen for several fruitful discussions about this work and the anonymous reviewers of SCN 2022 and TCC 2023 for valuable suggestions.\r\n\r\nPavel Hubáček is supported by the Czech Academy of Sciences (RVO 67985840), by the Grant Agency of the Czech Republic under the grant agreement no. 19-27871X, and by the Charles University project UNCE/SCI/004. Chethan Kamath is supported by Azrieli International Postdoctoral Fellowship, by the European Research Council (ERC) under the European Union’s Horizon Europe research and innovation programme (grant agreement No. 101042417, acronym SPP), and by ISF grant 1789/19.","year":"2023","page":"336-362","conference":{"name":"TCC: Theory of Cryptography","start_date":"2023-11-29","end_date":"2023-12-02","location":"Taipei, Taiwan"},"_id":"14693","quality_controlled":"1","publication_identifier":{"issn":["0302-9743"],"eissn":["1611-3349"],"isbn":["9783031486234"]},"citation":{"chicago":"Hoffmann, Charlotte, Pavel Hubáček, Chethan Kamath, and Tomáš Krňák. “(Verifiable) Delay Functions from Lucas Sequences.” In <i>21st International Conference on Theory of Cryptography</i>, 14372:336–62. Springer Nature, 2023. <a href=\"https://doi.org/10.1007/978-3-031-48624-1_13\">https://doi.org/10.1007/978-3-031-48624-1_13</a>.","short":"C. Hoffmann, P. Hubáček, C. Kamath, T. Krňák, in:, 21st International Conference on Theory of Cryptography, Springer Nature, 2023, pp. 336–362.","ieee":"C. Hoffmann, P. Hubáček, C. Kamath, and T. Krňák, “(Verifiable) delay functions from Lucas sequences,” in <i>21st International Conference on Theory of Cryptography</i>, Taipei, Taiwan, 2023, vol. 14372, pp. 336–362.","ista":"Hoffmann C, Hubáček P, Kamath C, Krňák T. 2023. (Verifiable) delay functions from Lucas sequences. 21st International Conference on Theory of Cryptography. TCC: Theory of Cryptography, LNCS, vol. 14372, 336–362.","ama":"Hoffmann C, Hubáček P, Kamath C, Krňák T. (Verifiable) delay functions from Lucas sequences. In: <i>21st International Conference on Theory of Cryptography</i>. Vol 14372. Springer Nature; 2023:336-362. doi:<a href=\"https://doi.org/10.1007/978-3-031-48624-1_13\">10.1007/978-3-031-48624-1_13</a>","mla":"Hoffmann, Charlotte, et al. “(Verifiable) Delay Functions from Lucas Sequences.” <i>21st International Conference on Theory of Cryptography</i>, vol. 14372, Springer Nature, 2023, pp. 336–62, doi:<a href=\"https://doi.org/10.1007/978-3-031-48624-1_13\">10.1007/978-3-031-48624-1_13</a>.","apa":"Hoffmann, C., Hubáček, P., Kamath, C., &#38; Krňák, T. (2023). (Verifiable) delay functions from Lucas sequences. In <i>21st International Conference on Theory of Cryptography</i> (Vol. 14372, pp. 336–362). Taipei, Taiwan: Springer Nature. <a href=\"https://doi.org/10.1007/978-3-031-48624-1_13\">https://doi.org/10.1007/978-3-031-48624-1_13</a>"},"type":"conference","scopus_import":"1","abstract":[{"lang":"eng","text":"Lucas sequences are constant-recursive integer sequences with a long history of applications in cryptography, both in the design of cryptographic schemes and cryptanalysis. In this work, we study the sequential hardness of computing Lucas sequences over an RSA modulus.\r\nFirst, we show that modular Lucas sequences are at least as sequentially hard as the classical delay function given by iterated modular squaring proposed by Rivest, Shamir, and Wagner (MIT Tech. Rep. 1996) in the context of time-lock puzzles. Moreover, there is no obvious reduction in the other direction, which suggests that the assumption of sequential hardness of modular Lucas sequences is strictly weaker than that of iterated modular squaring. In other words, the sequential hardness of modular Lucas sequences might hold even in the case of an algorithmic improvement violating the sequential hardness of iterated modular squaring.\r\nSecond, we demonstrate the feasibility of constructing practically-efficient verifiable delay functions based on the sequential hardness of modular Lucas sequences. Our construction builds on the work of Pietrzak (ITCS 2019) by leveraging the intrinsic connection between the problem of computing modular Lucas sequences and exponentiation in an appropriate extension field."}],"title":"(Verifiable) delay functions from Lucas sequences","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","author":[{"orcid":"0000-0003-2027-5549","last_name":"Hoffmann","id":"0f78d746-dc7d-11ea-9b2f-83f92091afe7","first_name":"Charlotte","full_name":"Hoffmann, Charlotte"},{"last_name":"Hubáček","first_name":"Pavel","full_name":"Hubáček, Pavel"},{"first_name":"Chethan","last_name":"Kamath","full_name":"Kamath, Chethan"},{"full_name":"Krňák, Tomáš","first_name":"Tomáš","last_name":"Krňák"}],"publisher":"Springer Nature","language":[{"iso":"eng"}],"article_processing_charge":"No","department":[{"_id":"KrPi"}]},{"project":[{"grant_number":"665385","call_identifier":"H2020","_id":"2564DBCA-B435-11E9-9278-68D0E5697425","name":"International IST Doctoral Program"}],"publication_status":"published","citation":{"apa":"Stopp, J. A. (2023). <i>Neutrophils on the hunt: Migratory strategies employed by neutrophils to fulfill their effector function</i>. Institute of Science and Technology Austria. <a href=\"https://doi.org/10.15479/at:ista:14697\">https://doi.org/10.15479/at:ista:14697</a>","mla":"Stopp, Julian A. <i>Neutrophils on the Hunt: Migratory Strategies Employed by Neutrophils to Fulfill Their Effector Function</i>. Institute of Science and Technology Austria, 2023, doi:<a href=\"https://doi.org/10.15479/at:ista:14697\">10.15479/at:ista:14697</a>.","ama":"Stopp JA. Neutrophils on the hunt: Migratory strategies employed by neutrophils to fulfill their effector function. 2023. doi:<a href=\"https://doi.org/10.15479/at:ista:14697\">10.15479/at:ista:14697</a>","ista":"Stopp JA. 2023. Neutrophils on the hunt: Migratory strategies employed by neutrophils to fulfill their effector function. Institute of Science and Technology Austria.","short":"J.A. Stopp, Neutrophils on the Hunt: Migratory Strategies Employed by Neutrophils to Fulfill Their Effector Function, Institute of Science and Technology Austria, 2023.","ieee":"J. A. Stopp, “Neutrophils on the hunt: Migratory strategies employed by neutrophils to fulfill their effector function,” Institute of Science and Technology Austria, 2023.","chicago":"Stopp, Julian A. “Neutrophils on the Hunt: Migratory Strategies Employed by Neutrophils to Fulfill Their Effector Function.” Institute of Science and Technology Austria, 2023. <a href=\"https://doi.org/10.15479/at:ista:14697\">https://doi.org/10.15479/at:ista:14697</a>."},"publication_identifier":{"issn":["2663 - 337X"],"isbn":["978-3-99078-038-1"]},"file_date_updated":"2023-12-20T10:41:42Z","type":"dissertation","_id":"14697","article_processing_charge":"No","department":[{"_id":"GradSch"},{"_id":"MiSi"}],"language":[{"iso":"eng"}],"has_accepted_license":"1","publisher":"Institute of Science and Technology Austria","file":[{"checksum":"457927165d5d556305d3086f6b83e5c7","relation":"main_file","access_level":"closed","embargo":"2024-12-20","creator":"jstopp","file_size":51585778,"embargo_to":"open_access","file_id":"14699","content_type":"application/pdf","date_created":"2023-12-20T09:35:34Z","date_updated":"2023-12-20T09:35:34Z","file_name":"Thesis.pdf"},{"file_name":"Thesis.docx","date_updated":"2023-12-20T10:41:42Z","date_created":"2023-12-20T09:35:35Z","file_size":69625950,"creator":"jstopp","file_id":"14700","content_type":"application/vnd.openxmlformats-officedocument.wordprocessingml.document","checksum":"e8d26449ac461f5e8478a62c9507506f","access_level":"closed","relation":"source_file"}],"user_id":"8b945eb4-e2f2-11eb-945a-df72226e66a9","title":"Neutrophils on the hunt: Migratory strategies employed by neutrophils to fulfill their effector function","author":[{"full_name":"Stopp, Julian A","last_name":"Stopp","first_name":"Julian A","id":"489E3F00-F248-11E8-B48F-1D18A9856A87"}],"degree_awarded":"PhD","doi":"10.15479/at:ista:14697","related_material":{"record":[{"id":"6328","status":"public","relation":"part_of_dissertation"},{"relation":"part_of_dissertation","status":"public","id":"7885"},{"id":"12272","relation":"part_of_dissertation","status":"public"},{"id":"14274","status":"public","relation":"part_of_dissertation"},{"id":"14360","status":"public","relation":"part_of_dissertation"}]},"ec_funded":1,"oa_version":"Published Version","date_created":"2023-12-18T19:14:28Z","ddc":["570"],"supervisor":[{"full_name":"Sixt, Michael K","last_name":"Sixt","orcid":"0000-0002-6620-9179","first_name":"Michael K","id":"41E9FBEA-F248-11E8-B48F-1D18A9856A87"}],"status":"public","day":"20","page":"226","year":"2023","month":"12","alternative_title":["ISTA Thesis"],"date_published":"2023-12-20T00:00:00Z","date_updated":"2023-12-21T14:30:02Z","acknowledged_ssus":[{"_id":"LifeSc"},{"_id":"Bio"}]},{"article_processing_charge":"No","department":[{"_id":"StFr"}],"language":[{"iso":"eng"}],"year":"2023","article_type":"review","month":"12","date_published":"2023-12-19T00:00:00Z","publisher":"Royal Society of Chemistry","date_updated":"2023-12-20T11:54:06Z","keyword":["Physical and Theoretical Chemistry"],"author":[{"full_name":"Archer, Lynden A.","first_name":"Lynden A.","last_name":"Archer"},{"first_name":"Peter G.","last_name":"Bruce","full_name":"Bruce, Peter G."},{"full_name":"Calvo, Ernesto J.","last_name":"Calvo","first_name":"Ernesto J."},{"first_name":"Daniel","last_name":"Dewar","full_name":"Dewar, Daniel"},{"last_name":"Ellison","first_name":"James H. J.","full_name":"Ellison, James H. J."},{"full_name":"Freunberger, Stefan Alexander","id":"A8CA28E6-CE23-11E9-AD2D-EC27E6697425","first_name":"Stefan Alexander","last_name":"Freunberger","orcid":"0000-0003-2902-5319"},{"full_name":"Gao, Xiangwen","last_name":"Gao","first_name":"Xiangwen"},{"full_name":"Hardwick, Laurence J.","first_name":"Laurence J.","last_name":"Hardwick"},{"full_name":"Horwitz, Gabriela","last_name":"Horwitz","first_name":"Gabriela"},{"full_name":"Janek, Jürgen","last_name":"Janek","first_name":"Jürgen"},{"full_name":"Johnson, Lee R.","first_name":"Lee R.","last_name":"Johnson"},{"full_name":"Jordan, Jack W.","first_name":"Jack W.","last_name":"Jordan"},{"full_name":"Matsuda, Shoichi","first_name":"Shoichi","last_name":"Matsuda"},{"first_name":"Svetlana","last_name":"Menkin","full_name":"Menkin, Svetlana"},{"last_name":"Mondal","first_name":"Soumyadip","id":"d25d21ef-dc8d-11ea-abe3-ec4576307f48","full_name":"Mondal, Soumyadip"},{"first_name":"Qianyuan","last_name":"Qiu","full_name":"Qiu, Qianyuan"},{"last_name":"Samarakoon","first_name":"Thukshan","full_name":"Samarakoon, Thukshan"},{"full_name":"Temprano, Israel","last_name":"Temprano","first_name":"Israel"},{"full_name":"Uosaki, Kohei","last_name":"Uosaki","first_name":"Kohei"},{"full_name":"Vailaya, Ganesh","first_name":"Ganesh","last_name":"Vailaya"},{"full_name":"Wachsman, Eric D.","last_name":"Wachsman","first_name":"Eric D."},{"full_name":"Wu, Yiying","first_name":"Yiying","last_name":"Wu"},{"last_name":"Ye","first_name":"Shen","full_name":"Ye, Shen"}],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","title":"Towards practical metal–oxygen batteries: General discussion","publication_status":"epub_ahead","doi":"10.1039/d3fd90062b","publication":"Faraday Discussions","oa_version":"None","publication_identifier":{"issn":["1359-6640"],"eissn":["1364-5498"]},"citation":{"apa":"Archer, L. A., Bruce, P. G., Calvo, E. J., Dewar, D., Ellison, J. H. J., Freunberger, S. A., … Ye, S. (2023). Towards practical metal–oxygen batteries: General discussion. <i>Faraday Discussions</i>. Royal Society of Chemistry. <a href=\"https://doi.org/10.1039/d3fd90062b\">https://doi.org/10.1039/d3fd90062b</a>","mla":"Archer, Lynden A., et al. “Towards Practical Metal–Oxygen Batteries: General Discussion.” <i>Faraday Discussions</i>, Royal Society of Chemistry, 2023, doi:<a href=\"https://doi.org/10.1039/d3fd90062b\">10.1039/d3fd90062b</a>.","short":"L.A. Archer, P.G. Bruce, E.J. Calvo, D. Dewar, J.H.J. Ellison, S.A. Freunberger, X. Gao, L.J. Hardwick, G. Horwitz, J. Janek, L.R. Johnson, J.W. Jordan, S. Matsuda, S. Menkin, S. Mondal, Q. Qiu, T. Samarakoon, I. Temprano, K. Uosaki, G. Vailaya, E.D. Wachsman, Y. Wu, S. Ye, Faraday Discussions (2023).","ista":"Archer LA, Bruce PG, Calvo EJ, Dewar D, Ellison JHJ, Freunberger SA, Gao X, Hardwick LJ, Horwitz G, Janek J, Johnson LR, Jordan JW, Matsuda S, Menkin S, Mondal S, Qiu Q, Samarakoon T, Temprano I, Uosaki K, Vailaya G, Wachsman ED, Wu Y, Ye S. 2023. Towards practical metal–oxygen batteries: General discussion. Faraday Discussions.","ieee":"L. A. Archer <i>et al.</i>, “Towards practical metal–oxygen batteries: General discussion,” <i>Faraday Discussions</i>. Royal Society of Chemistry, 2023.","ama":"Archer LA, Bruce PG, Calvo EJ, et al. Towards practical metal–oxygen batteries: General discussion. <i>Faraday Discussions</i>. 2023. doi:<a href=\"https://doi.org/10.1039/d3fd90062b\">10.1039/d3fd90062b</a>","chicago":"Archer, Lynden A., Peter G. Bruce, Ernesto J. Calvo, Daniel Dewar, James H. J. Ellison, Stefan Alexander Freunberger, Xiangwen Gao, et al. “Towards Practical Metal–Oxygen Batteries: General Discussion.” <i>Faraday Discussions</i>. Royal Society of Chemistry, 2023. <a href=\"https://doi.org/10.1039/d3fd90062b\">https://doi.org/10.1039/d3fd90062b</a>."},"type":"journal_article","date_created":"2023-12-20T10:48:09Z","_id":"14701","status":"public","quality_controlled":"1","day":"19"},{"month":"12","date_published":"2023-12-18T00:00:00Z","publisher":"Royal Society of Chemistry","date_updated":"2023-12-20T11:58:12Z","keyword":["Physical and Theoretical Chemistry"],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","title":"Materials for stable metal–oxygen battery cathodes: general discussion","author":[{"full_name":"Attard, Gary A.","first_name":"Gary A.","last_name":"Attard"},{"full_name":"Calvo, Ernesto J.","first_name":"Ernesto J.","last_name":"Calvo"},{"full_name":"Curtiss, Larry A.","first_name":"Larry A.","last_name":"Curtiss"},{"full_name":"Dewar, Daniel","first_name":"Daniel","last_name":"Dewar"},{"full_name":"Ellison, James H. J.","first_name":"James H. J.","last_name":"Ellison"},{"full_name":"Gao, Xiangwen","first_name":"Xiangwen","last_name":"Gao"},{"last_name":"Grey","first_name":"Clare P.","full_name":"Grey, Clare P."},{"first_name":"Laurence J.","last_name":"Hardwick","full_name":"Hardwick, Laurence J."},{"last_name":"Horwitz","first_name":"Gabriela","full_name":"Horwitz, Gabriela"},{"last_name":"Janek","first_name":"Juergen","full_name":"Janek, Juergen"},{"first_name":"Lee R.","last_name":"Johnson","full_name":"Johnson, Lee R."},{"last_name":"Jordan","first_name":"Jack W.","full_name":"Jordan, Jack W."},{"last_name":"Matsuda","first_name":"Shoichi","full_name":"Matsuda, Shoichi"},{"id":"d25d21ef-dc8d-11ea-abe3-ec4576307f48","first_name":"Soumyadip","last_name":"Mondal","full_name":"Mondal, Soumyadip"},{"last_name":"Neale","first_name":"Alex R.","full_name":"Neale, Alex R."},{"first_name":"Nagore","last_name":"Ortiz-Vitoriano","full_name":"Ortiz-Vitoriano, Nagore"},{"first_name":"Israel","last_name":"Temprano","full_name":"Temprano, Israel"},{"first_name":"Ganesh","last_name":"Vailaya","full_name":"Vailaya, Ganesh"},{"full_name":"Wachsman, Eric D.","first_name":"Eric D.","last_name":"Wachsman"},{"full_name":"Wang, Hsien-Hau","first_name":"Hsien-Hau","last_name":"Wang"},{"full_name":"Wu, Yiying","first_name":"Yiying","last_name":"Wu"},{"full_name":"Ye, Shen","last_name":"Ye","first_name":"Shen"}],"article_processing_charge":"No","department":[{"_id":"StFr"}],"language":[{"iso":"eng"}],"year":"2023","article_type":"review","citation":{"mla":"Attard, Gary A., et al. “Materials for Stable Metal–Oxygen Battery Cathodes: General Discussion.” <i>Faraday Discussions</i>, Royal Society of Chemistry, 2023, doi:<a href=\"https://doi.org/10.1039/d3fd90059b\">10.1039/d3fd90059b</a>.","apa":"Attard, G. A., Calvo, E. J., Curtiss, L. A., Dewar, D., Ellison, J. H. J., Gao, X., … Ye, S. (2023). Materials for stable metal–oxygen battery cathodes: general discussion. <i>Faraday Discussions</i>. Royal Society of Chemistry. <a href=\"https://doi.org/10.1039/d3fd90059b\">https://doi.org/10.1039/d3fd90059b</a>","chicago":"Attard, Gary A., Ernesto J. Calvo, Larry A. Curtiss, Daniel Dewar, James H. J. Ellison, Xiangwen Gao, Clare P. Grey, et al. “Materials for Stable Metal–Oxygen Battery Cathodes: General Discussion.” <i>Faraday Discussions</i>. Royal Society of Chemistry, 2023. <a href=\"https://doi.org/10.1039/d3fd90059b\">https://doi.org/10.1039/d3fd90059b</a>.","short":"G.A. Attard, E.J. Calvo, L.A. Curtiss, D. Dewar, J.H.J. Ellison, X. Gao, C.P. Grey, L.J. Hardwick, G. Horwitz, J. Janek, L.R. Johnson, J.W. Jordan, S. Matsuda, S. Mondal, A.R. Neale, N. Ortiz-Vitoriano, I. Temprano, G. Vailaya, E.D. Wachsman, H.-H. Wang, Y. Wu, S. Ye, Faraday Discussions (2023).","ieee":"G. A. Attard <i>et al.</i>, “Materials for stable metal–oxygen battery cathodes: general discussion,” <i>Faraday Discussions</i>. Royal Society of Chemistry, 2023.","ista":"Attard GA, Calvo EJ, Curtiss LA, Dewar D, Ellison JHJ, Gao X, Grey CP, Hardwick LJ, Horwitz G, Janek J, Johnson LR, Jordan JW, Matsuda S, Mondal S, Neale AR, Ortiz-Vitoriano N, Temprano I, Vailaya G, Wachsman ED, Wang H-H, Wu Y, Ye S. 2023. Materials for stable metal–oxygen battery cathodes: general discussion. Faraday Discussions.","ama":"Attard GA, Calvo EJ, Curtiss LA, et al. Materials for stable metal–oxygen battery cathodes: general discussion. <i>Faraday Discussions</i>. 2023. doi:<a href=\"https://doi.org/10.1039/d3fd90059b\">10.1039/d3fd90059b</a>"},"publication_identifier":{"issn":["1359-6640"],"eissn":["1364-5498"]},"type":"journal_article","date_created":"2023-12-20T10:49:43Z","_id":"14702","status":"public","day":"18","quality_controlled":"1","doi":"10.1039/d3fd90059b","publication_status":"epub_ahead","publication":"Faraday Discussions","oa_version":"None"}]