[{"publist_id":"3940","abstract":[{"text":"A robust combiner for hash functions takes two candidate implementations and constructs a hash function which is secure as long as at least one of the candidates is secure. So far, hash function combiners only aim at preserving a single property such as collision-resistance or pseudorandomness. However, when hash functions are used in protocols like TLS they are often required to provide several properties simultaneously. We therefore put forward the notion of robust multi-property combiners and elaborate on different definitions for such combiners. We then propose a combiner that provably preserves (target) collision-resistance, pseudorandomness, and being a secure message authentication code. This combiner satisfies the strongest notion we propose, which requires that the combined function satisfies every security property which is satisfied by at least one of the underlying hash function. If the underlying hash functions have output length n, the combiner has output length 2 n. This basically matches a known lower bound for black-box combiners for collision-resistance only, thus the other properties can be achieved without penalizing the length of the hash values. We then propose a combiner which also preserves the property of being indifferentiable from a random oracle, slightly increasing the output length to 2 n+ω(log n). Moreover, we show how to augment our constructions in order to make them also robust for the one-wayness property, but in this case require an a priory upper bound on the input length.","lang":"eng"}],"day":"01","doi":"10.1007/s00145-013-9148-7","type":"journal_article","date_published":"2014-07-01T00:00:00Z","year":"2014","citation":{"ama":"Fischlin M, Lehmann A, Pietrzak KZ. Robust multi-property combiners for hash functions. <i>Journal of Cryptology</i>. 2014;27(3):397-428. doi:<a href=\"https://doi.org/10.1007/s00145-013-9148-7\">10.1007/s00145-013-9148-7</a>","apa":"Fischlin, M., Lehmann, A., &#38; Pietrzak, K. Z. (2014). Robust multi-property combiners for hash functions. <i>Journal of Cryptology</i>. Springer. <a href=\"https://doi.org/10.1007/s00145-013-9148-7\">https://doi.org/10.1007/s00145-013-9148-7</a>","chicago":"Fischlin, Marc, Anja Lehmann, and Krzysztof Z Pietrzak. “Robust Multi-Property Combiners for Hash Functions.” <i>Journal of Cryptology</i>. Springer, 2014. <a href=\"https://doi.org/10.1007/s00145-013-9148-7\">https://doi.org/10.1007/s00145-013-9148-7</a>.","ieee":"M. Fischlin, A. Lehmann, and K. Z. Pietrzak, “Robust multi-property combiners for hash functions,” <i>Journal of Cryptology</i>, vol. 27, no. 3. Springer, pp. 397–428, 2014.","mla":"Fischlin, Marc, et al. “Robust Multi-Property Combiners for Hash Functions.” <i>Journal of Cryptology</i>, vol. 27, no. 3, Springer, 2014, pp. 397–428, doi:<a href=\"https://doi.org/10.1007/s00145-013-9148-7\">10.1007/s00145-013-9148-7</a>.","short":"M. Fischlin, A. Lehmann, K.Z. Pietrzak, Journal of Cryptology 27 (2014) 397–428.","ista":"Fischlin M, Lehmann A, Pietrzak KZ. 2014. Robust multi-property combiners for hash functions. Journal of Cryptology. 27(3), 397–428."},"date_updated":"2023-02-23T11:17:53Z","user_id":"3FFCCD3A-F248-11E8-B48F-1D18A9856A87","related_material":{"record":[{"status":"public","relation":"earlier_version","id":"3225"}]},"status":"public","volume":27,"intvolume":"        27","month":"07","title":"Robust multi-property combiners for hash functions","date_created":"2018-12-11T11:59:56Z","department":[{"_id":"KrPi"}],"oa_version":"None","publication_status":"published","issue":"3","author":[{"first_name":"Marc","last_name":"Fischlin","full_name":"Fischlin, Marc"},{"last_name":"Lehmann","first_name":"Anja","full_name":"Lehmann, Anja"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","first_name":"Krzysztof Z"}],"scopus_import":1,"publication":"Journal of Cryptology","_id":"2852","publisher":"Springer","language":[{"iso":"eng"}],"quality_controlled":"1","page":"397 - 428"},{"ec_funded":1,"page":"95 - 114","editor":[{"full_name":"Abdalla, Michel","first_name":"Michel","last_name":"Abdalla"},{"full_name":"De Prisco, Roberto","last_name":"De Prisco","first_name":"Roberto"}],"publisher":"Springer","scopus_import":1,"_id":"1643","author":[{"last_name":"Fuchsbauer","first_name":"Georg","full_name":"Fuchsbauer, Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"}],"date_created":"2018-12-11T11:53:13Z","department":[{"_id":"KrPi"}],"publication_status":"published","intvolume":"      8642","title":"Constrained Verifiable Random Functions ","alternative_title":["LNCS"],"volume":8642,"citation":{"mla":"Fuchsbauer, Georg. “Constrained Verifiable Random Functions .” <i>SCN 2014</i>, edited by Michel Abdalla and Roberto De Prisco, vol. 8642, Springer, 2014, pp. 95–114, doi:<a href=\"https://doi.org/10.1007/978-3-319-10879-7_7\">10.1007/978-3-319-10879-7_7</a>.","short":"G. Fuchsbauer, in:, M. Abdalla, R. De Prisco (Eds.), SCN 2014, Springer, 2014, pp. 95–114.","ista":"Fuchsbauer G. 2014. Constrained Verifiable Random Functions . SCN 2014. SCN: Security and Cryptography for Networks, LNCS, vol. 8642, 95–114.","ama":"Fuchsbauer G. Constrained Verifiable Random Functions . In: Abdalla M, De Prisco R, eds. <i>SCN 2014</i>. Vol 8642. Springer; 2014:95-114. doi:<a href=\"https://doi.org/10.1007/978-3-319-10879-7_7\">10.1007/978-3-319-10879-7_7</a>","apa":"Fuchsbauer, G. (2014). Constrained Verifiable Random Functions . In M. Abdalla &#38; R. De Prisco (Eds.), <i>SCN 2014</i> (Vol. 8642, pp. 95–114). Amalfi, Italy: Springer. <a href=\"https://doi.org/10.1007/978-3-319-10879-7_7\">https://doi.org/10.1007/978-3-319-10879-7_7</a>","ieee":"G. Fuchsbauer, “Constrained Verifiable Random Functions ,” in <i>SCN 2014</i>, Amalfi, Italy, 2014, vol. 8642, pp. 95–114.","chicago":"Fuchsbauer, Georg. “Constrained Verifiable Random Functions .” In <i>SCN 2014</i>, edited by Michel Abdalla and Roberto De Prisco, 8642:95–114. Springer, 2014. <a href=\"https://doi.org/10.1007/978-3-319-10879-7_7\">https://doi.org/10.1007/978-3-319-10879-7_7</a>."},"year":"2014","date_updated":"2021-01-12T06:52:12Z","day":"01","doi":"10.1007/978-3-319-10879-7_7","abstract":[{"text":"We extend the notion of verifiable random functions (VRF) to constrained VRFs, which generalize the concept of constrained pseudorandom functions, put forward by Boneh and Waters (Asiacrypt’13), and independently by Kiayias et al. (CCS’13) and Boyle et al. (PKC’14), who call them delegatable PRFs and functional PRFs, respectively. In a standard VRF the secret key sk allows one to evaluate a pseudorandom function at any point of its domain; in addition, it enables computation of a non-interactive proof that the function value was computed correctly. In a constrained VRF from the key sk one can derive constrained keys skS for subsets S of the domain, which allow computation of function values and proofs only at points in S. After formally defining constrained VRFs, we derive instantiations from the multilinear-maps-based constrained PRFs by Boneh and Waters, yielding a VRF with constrained keys for any set that can be decided by a polynomial-size circuit. Our VRFs have the same function values as the Boneh-Waters PRFs and are proved secure under the same hardness assumption, showing that verifiability comes at no cost. Constrained (functional) VRFs were stated as an open problem by Boyle et al.","lang":"eng"}],"language":[{"iso":"eng"}],"conference":{"end_date":"2014-09-05","location":"Amalfi, Italy","start_date":"2014-09-03","name":"SCN: Security and Cryptography for Networks"},"publication":"SCN 2014","project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"oa_version":"Submitted Version","month":"01","main_file_link":[{"open_access":"1","url":"http://eprint.iacr.org/2014/537"}],"user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","status":"public","type":"conference","date_published":"2014-01-01T00:00:00Z","oa":1,"publist_id":"5509"},{"user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","status":"public","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2014/299"}],"date_published":"2014-01-01T00:00:00Z","type":"conference","date_updated":"2021-01-12T06:53:59Z","year":"2014","citation":{"chicago":"Demay, Grégory, Peter Gazi, Ueli Maurer, and Björn Tackmann. “Optimality of Non-Adaptive Strategies: The Case of Parallel Games.” In <i>IEEE International Symposium on Information Theory</i>. IEEE, 2014. <a href=\"https://doi.org/10.1109/ISIT.2014.6875125\">https://doi.org/10.1109/ISIT.2014.6875125</a>.","ieee":"G. Demay, P. Gazi, U. Maurer, and B. Tackmann, “Optimality of non-adaptive strategies: The case of parallel games,” in <i>IEEE International Symposium on Information Theory</i>, Honolulu, USA, 2014.","ama":"Demay G, Gazi P, Maurer U, Tackmann B. Optimality of non-adaptive strategies: The case of parallel games. In: <i>IEEE International Symposium on Information Theory</i>. IEEE; 2014. doi:<a href=\"https://doi.org/10.1109/ISIT.2014.6875125\">10.1109/ISIT.2014.6875125</a>","apa":"Demay, G., Gazi, P., Maurer, U., &#38; Tackmann, B. (2014). Optimality of non-adaptive strategies: The case of parallel games. In <i>IEEE International Symposium on Information Theory</i>. Honolulu, USA: IEEE. <a href=\"https://doi.org/10.1109/ISIT.2014.6875125\">https://doi.org/10.1109/ISIT.2014.6875125</a>","ista":"Demay G, Gazi P, Maurer U, Tackmann B. 2014. Optimality of non-adaptive strategies: The case of parallel games. IEEE International Symposium on Information Theory. IEEE International Symposium on Information Theory Proceedings, 6875125.","mla":"Demay, Grégory, et al. “Optimality of Non-Adaptive Strategies: The Case of Parallel Games.” <i>IEEE International Symposium on Information Theory</i>, 6875125, IEEE, 2014, doi:<a href=\"https://doi.org/10.1109/ISIT.2014.6875125\">10.1109/ISIT.2014.6875125</a>.","short":"G. Demay, P. Gazi, U. Maurer, B. Tackmann, in:, IEEE International Symposium on Information Theory, IEEE, 2014."},"abstract":[{"text":"Most cryptographic security proofs require showing that two systems are indistinguishable. A central tool in such proofs is that of a game, where winning the game means provoking a certain condition, and it is shown that the two systems considered cannot be distinguished unless this condition is provoked. Upper bounding the probability of winning such a game, i.e., provoking this condition, for an arbitrary strategy is usually hard, except in the special case where the best strategy for winning such a game is known to be non-adaptive. A sufficient criterion for ensuring the optimality of non-adaptive strategies is that of conditional equivalence to a system, a notion introduced in [1]. In this paper, we show that this criterion is not necessary to ensure the optimality of non-adaptive strategies by giving two results of independent interest: 1) the optimality of non-adaptive strategies is not preserved under parallel composition; 2) in contrast, conditional equivalence is preserved under parallel composition.","lang":"eng"}],"oa":1,"publist_id":"5188","doi":"10.1109/ISIT.2014.6875125","day":"01","language":[{"iso":"eng"}],"quality_controlled":"1","conference":{"end_date":"2014-07-04","location":"Honolulu, USA","name":"IEEE International Symposium on Information Theory Proceedings","start_date":"2014-06-29"},"publisher":"IEEE","author":[{"full_name":"Demay, Grégory","last_name":"Demay","first_name":"Grégory"},{"full_name":"Gazi, Peter","first_name":"Peter","last_name":"Gazi","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Maurer, Ueli","last_name":"Maurer","first_name":"Ueli"},{"first_name":"Björn","last_name":"Tackmann","full_name":"Tackmann, Björn"}],"publication":"IEEE International Symposium on Information Theory","_id":"1907","scopus_import":1,"title":"Optimality of non-adaptive strategies: The case of parallel games","month":"01","article_number":"6875125","publication_status":"published","oa_version":"Submitted Version","department":[{"_id":"KrPi"}],"date_created":"2018-12-11T11:54:39Z"},{"main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2012/543"}],"user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","status":"public","oa":1,"publist_id":"5006","date_published":"2014-01-01T00:00:00Z","type":"conference","conference":{"start_date":"2014-03-26","name":"PKC: Public Key Crypography","end_date":"2014-03-28","location":"Buenos Aires, Argentina"},"language":[{"iso":"eng"}],"oa_version":"Submitted Version","project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"month":"01","publication":"Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)","acknowledgement":"The second author was supported by EPSRC grant EP/H043454/1.","volume":8383,"doi":"10.1007/978-3-642-54631-0_19","day":"01","abstract":[{"text":"We introduce and study a new notion of enhanced chosen-ciphertext security (ECCA) for public-key encryption. Loosely speaking, in the ECCA security experiment, the decryption oracle provided to the adversary is augmented to return not only the output of the decryption algorithm on a queried ciphertext but also of a randomness-recovery algorithm associated to the scheme. Our results mainly concern the case where the randomness-recovery algorithm is efficient. We provide constructions of ECCA-secure encryption from adaptive trapdoor functions as defined by Kiltz et al. (EUROCRYPT 2010), resulting in ECCA encryption from standard number-theoretic assumptions. We then give two applications of ECCA-secure encryption: (1) We use it as a unifying concept in showing equivalence of adaptive trapdoor functions and tag-based adaptive trapdoor functions, resolving an open question of Kiltz et al. (2) We show that ECCA-secure encryption can be used to securely realize an approach to public-key encryption with non-interactive opening (PKENO) originally suggested by Damgård and Thorbek (EUROCRYPT 2007), resulting in new and practical PKENO schemes quite different from those in prior work. Our results demonstrate that ECCA security is of both practical and theoretical interest.","lang":"eng"}],"date_updated":"2021-01-12T06:54:57Z","year":"2014","citation":{"short":"D. Dachman Soled, G. Fuchsbauer, P. Mohassel, A. O’Neill, in:, H. Krawczyk (Ed.), Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer, 2014, pp. 329–344.","mla":"Dachman Soled, Dana, et al. “Enhanced Chosen-Ciphertext Security and Applications.” <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>, edited by Hugo Krawczyk, vol. 8383, Springer, 2014, pp. 329–44, doi:<a href=\"https://doi.org/10.1007/978-3-642-54631-0_19\">10.1007/978-3-642-54631-0_19</a>.","ista":"Dachman Soled D, Fuchsbauer G, Mohassel P, O’Neill A. 2014. Enhanced chosen-ciphertext security and applications. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). PKC: Public Key Crypography, LNCS, vol. 8383, 329–344.","apa":"Dachman Soled, D., Fuchsbauer, G., Mohassel, P., &#38; O’Neill, A. (2014). Enhanced chosen-ciphertext security and applications. In H. Krawczyk (Ed.), <i>Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i> (Vol. 8383, pp. 329–344). Buenos Aires, Argentina: Springer. <a href=\"https://doi.org/10.1007/978-3-642-54631-0_19\">https://doi.org/10.1007/978-3-642-54631-0_19</a>","ama":"Dachman Soled D, Fuchsbauer G, Mohassel P, O’Neill A. Enhanced chosen-ciphertext security and applications. In: Krawczyk H, ed. <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>. Vol 8383. Springer; 2014:329-344. doi:<a href=\"https://doi.org/10.1007/978-3-642-54631-0_19\">10.1007/978-3-642-54631-0_19</a>","chicago":"Dachman Soled, Dana, Georg Fuchsbauer, Payman Mohassel, and Adam O’Neill. “Enhanced Chosen-Ciphertext Security and Applications.” In <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>, edited by Hugo Krawczyk, 8383:329–44. Springer, 2014. <a href=\"https://doi.org/10.1007/978-3-642-54631-0_19\">https://doi.org/10.1007/978-3-642-54631-0_19</a>.","ieee":"D. Dachman Soled, G. Fuchsbauer, P. Mohassel, and A. O’Neill, “Enhanced chosen-ciphertext security and applications,” in <i>Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>, Buenos Aires, Argentina, 2014, vol. 8383, pp. 329–344."},"publisher":"Springer","editor":[{"first_name":"Hugo","last_name":"Krawczyk","full_name":"Krawczyk, Hugo"}],"page":"329 - 344","quality_controlled":"1","ec_funded":1,"publication_status":"published","department":[{"_id":"KrPi"}],"date_created":"2018-12-11T11:55:24Z","title":"Enhanced chosen-ciphertext security and applications","alternative_title":["LNCS"],"intvolume":"      8383","_id":"2045","scopus_import":1,"author":[{"first_name":"Dana","last_name":"Dachman Soled","full_name":"Dachman Soled, Dana"},{"last_name":"Fuchsbauer","first_name":"Georg","full_name":"Fuchsbauer, Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Mohassel, Payman","first_name":"Payman","last_name":"Mohassel"},{"full_name":"O’Neill, Adam","first_name":"Adam","last_name":"O’Neill"}]},{"status":"public","user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2013/413"}],"publist_id":"5005","oa":1,"type":"conference","date_published":"2014-01-01T00:00:00Z","conference":{"end_date":"2014-05-28","location":"Buenos Aires, Argentina","start_date":"2014-05-26","name":"PKC: Public Key Crypography"},"language":[{"iso":"eng"}],"month":"01","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"oa_version":"Submitted Version","publication":"Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)","acknowledgement":"Part of his work was done while at Bristol University, supported by EPSRC grant EP/H043454/1.","volume":8383,"abstract":[{"text":"We introduce policy-based signatures (PBS), where a signer can only sign messages conforming to some authority-specified policy. The main requirements are unforgeability and privacy, the latter meaning that signatures not reveal the policy. PBS offers value along two fronts: (1) On the practical side, they allow a corporation to control what messages its employees can sign under the corporate key. (2) On the theoretical side, they unify existing work, capturing other forms of signatures as special cases or allowing them to be easily built. Our work focuses on definitions of PBS, proofs that this challenging primitive is realizable for arbitrary policies, efficient constructions for specific policies, and a few representative applications.","lang":"eng"}],"day":"01","doi":"10.1007/978-3-642-54631-0_30","year":"2014","citation":{"ista":"Bellare M, Fuchsbauer G. 2014. Policy-based signatures. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). PKC: Public Key Crypography, LNCS, vol. 8383, 520–537.","short":"M. Bellare, G. Fuchsbauer, in:, H. Krawczyk (Ed.), Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer, 2014, pp. 520–537.","mla":"Bellare, Mihir, and Georg Fuchsbauer. “Policy-Based Signatures.” <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>, edited by Hugo Krawczyk, vol. 8383, Springer, 2014, pp. 520–37, doi:<a href=\"https://doi.org/10.1007/978-3-642-54631-0_30\">10.1007/978-3-642-54631-0_30</a>.","ieee":"M. Bellare and G. Fuchsbauer, “Policy-based signatures,” in <i>Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>, Buenos Aires, Argentina, 2014, vol. 8383, pp. 520–537.","chicago":"Bellare, Mihir, and Georg Fuchsbauer. “Policy-Based Signatures.” In <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>, edited by Hugo Krawczyk, 8383:520–37. Springer, 2014. <a href=\"https://doi.org/10.1007/978-3-642-54631-0_30\">https://doi.org/10.1007/978-3-642-54631-0_30</a>.","ama":"Bellare M, Fuchsbauer G. Policy-based signatures. In: Krawczyk H, ed. <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>. Vol 8383. Springer; 2014:520-537. doi:<a href=\"https://doi.org/10.1007/978-3-642-54631-0_30\">10.1007/978-3-642-54631-0_30</a>","apa":"Bellare, M., &#38; Fuchsbauer, G. (2014). Policy-based signatures. In H. Krawczyk (Ed.), <i>Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i> (Vol. 8383, pp. 520–537). Buenos Aires, Argentina: Springer. <a href=\"https://doi.org/10.1007/978-3-642-54631-0_30\">https://doi.org/10.1007/978-3-642-54631-0_30</a>"},"date_updated":"2021-01-12T06:54:57Z","editor":[{"full_name":"Krawczyk, Hugo","last_name":"Krawczyk","first_name":"Hugo"}],"publisher":"Springer","quality_controlled":"1","ec_funded":1,"page":"520 - 537","intvolume":"      8383","alternative_title":["LNCS"],"title":"Policy-based signatures","department":[{"_id":"KrPi"}],"date_created":"2018-12-11T11:55:24Z","publication_status":"published","author":[{"last_name":"Bellare","first_name":"Mihir","full_name":"Bellare, Mihir"},{"full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer","first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"}],"scopus_import":1,"_id":"2046"},{"date_updated":"2021-01-12T06:54:57Z","year":"2014","citation":{"ista":"Yu F, Rybar M, Uhler C, Fienberg S. 2014. Differentially-private logistic regression for detecting multiple-SNP association in GWAS databases. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). PSD: Privacy in Statistical Databases, LNCS, vol. 8744, 170–184.","mla":"Yu, Fei, et al. “Differentially-Private Logistic Regression for Detecting Multiple-SNP Association in GWAS Databases.” <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>, edited by Josep Domingo Ferrer, vol. 8744, Springer, 2014, pp. 170–84, doi:<a href=\"https://doi.org/10.1007/978-3-319-11257-2_14\">10.1007/978-3-319-11257-2_14</a>.","short":"F. Yu, M. Rybar, C. Uhler, S. Fienberg, in:, J. Domingo Ferrer (Ed.), Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Springer, 2014, pp. 170–184.","ieee":"F. Yu, M. Rybar, C. Uhler, and S. Fienberg, “Differentially-private logistic regression for detecting multiple-SNP association in GWAS databases,” in <i>Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>, Ibiza, Spain, 2014, vol. 8744, pp. 170–184.","chicago":"Yu, Fei, Michal Rybar, Caroline Uhler, and Stephen Fienberg. “Differentially-Private Logistic Regression for Detecting Multiple-SNP Association in GWAS Databases.” In <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>, edited by Josep Domingo Ferrer, 8744:170–84. Springer, 2014. <a href=\"https://doi.org/10.1007/978-3-319-11257-2_14\">https://doi.org/10.1007/978-3-319-11257-2_14</a>.","ama":"Yu F, Rybar M, Uhler C, Fienberg S. Differentially-private logistic regression for detecting multiple-SNP association in GWAS databases. In: Domingo Ferrer J, ed. <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>. Vol 8744. Springer; 2014:170-184. doi:<a href=\"https://doi.org/10.1007/978-3-319-11257-2_14\">10.1007/978-3-319-11257-2_14</a>","apa":"Yu, F., Rybar, M., Uhler, C., &#38; Fienberg, S. (2014). Differentially-private logistic regression for detecting multiple-SNP association in GWAS databases. In J. Domingo Ferrer (Ed.), <i>Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i> (Vol. 8744, pp. 170–184). Ibiza, Spain: Springer. <a href=\"https://doi.org/10.1007/978-3-319-11257-2_14\">https://doi.org/10.1007/978-3-319-11257-2_14</a>"},"external_id":{"arxiv":["1407.8067"]},"arxiv":1,"doi":"10.1007/978-3-319-11257-2_14","day":"01","abstract":[{"lang":"eng","text":"Following the publication of an attack on genome-wide association studies (GWAS) data proposed by Homer et al., considerable attention has been given to developing methods for releasing GWAS data in a privacy-preserving way. Here, we develop an end-to-end differentially private method for solving regression problems with convex penalty functions and selecting the penalty parameters by cross-validation. In particular, we focus on penalized logistic regression with elastic-net regularization, a method widely used to in GWAS analyses to identify disease-causing genes. We show how a differentially private procedure for penalized logistic regression with elastic-net regularization can be applied to the analysis of GWAS data and evaluate our method’s performance."}],"acknowledgement":"This research was partially supported by BCS- 0941518 to the Department of Statistics at Carnegie Mellon University.","volume":8744,"_id":"2047","scopus_import":1,"author":[{"first_name":"Fei","last_name":"Yu","full_name":"Yu, Fei"},{"id":"2B3E3DE8-F248-11E8-B48F-1D18A9856A87","full_name":"Rybar, Michal","first_name":"Michal","last_name":"Rybar"},{"id":"49ADD78E-F248-11E8-B48F-1D18A9856A87","first_name":"Caroline","last_name":"Uhler","orcid":"0000-0002-7008-0216","full_name":"Uhler, Caroline"},{"last_name":"Fienberg","first_name":"Stephen","full_name":"Fienberg, Stephen"}],"publication_status":"published","department":[{"_id":"KrPi"},{"_id":"CaUh"}],"date_created":"2018-12-11T11:55:24Z","title":"Differentially-private logistic regression for detecting multiple-SNP association in GWAS databases","alternative_title":["LNCS"],"intvolume":"      8744","page":"170 - 184","quality_controlled":"1","publisher":"Springer","editor":[{"full_name":"Domingo Ferrer, Josep","first_name":"Josep","last_name":"Domingo Ferrer"}],"date_published":"2014-01-01T00:00:00Z","type":"conference","oa":1,"publist_id":"5004","main_file_link":[{"open_access":"1","url":"http://arxiv.org/abs/1407.8067"}],"status":"public","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","publication":"Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)","oa_version":"Submitted Version","project":[{"_id":"25636330-B435-11E9-9278-68D0E5697425","name":"ROOTS Genome-wide Analysis of Root Traits","grant_number":"11-NSF-1070"}],"month":"01","language":[{"iso":"eng"}],"conference":{"end_date":"2014-09-19","location":"Ibiza, Spain","name":"PSD: Privacy in Statistical Databases","start_date":"2014-09-17"}},{"ddc":["000","004"],"volume":8616,"abstract":[{"lang":"eng","text":"NMAC is a mode of operation which turns a fixed input-length keyed hash function f into a variable input-length function. A practical single-key variant of NMAC called HMAC is a very popular and widely deployed message authentication code (MAC). Security proofs and attacks for NMAC can typically be lifted to HMAC. NMAC was introduced by Bellare, Canetti and Krawczyk [Crypto'96], who proved it to be a secure pseudorandom function (PRF), and thus also a MAC, assuming that (1) f is a PRF and (2) the function we get when cascading f is weakly collision-resistant. Unfortunately, HMAC is typically instantiated with cryptographic hash functions like MD5 or SHA-1 for which (2) has been found to be wrong. To restore the provable guarantees for NMAC, Bellare [Crypto'06] showed its security based solely on the assumption that f is a PRF, albeit via a non-uniform reduction. - Our first contribution is a simpler and uniform proof for this fact: If f is an ε-secure PRF (against q queries) and a δ-non-adaptively secure PRF (against q queries), then NMAC f is an (ε+ℓqδ)-secure PRF against q queries of length at most ℓ blocks each. - We then show that this ε+ℓqδ bound is basically tight. For the most interesting case where ℓqδ ≥ ε we prove this by constructing an f for which an attack with advantage ℓqδ exists. This also violates the bound O(ℓε) on the PRF-security of NMAC recently claimed by Koblitz and Menezes. - Finally, we analyze the PRF-security of a modification of NMAC called NI [An and Bellare, Crypto'99] that differs mainly by using a compression function with an additional keying input. This avoids the constant rekeying on multi-block messages in NMAC and allows for a security proof starting by the standard switch from a PRF to a random function, followed by an information-theoretic analysis. We carry out such an analysis, obtaining a tight ℓq2/2 c bound for this step, improving over the trivial bound of ℓ2q2/2c. The proof borrows combinatorial techniques originally developed for proving the security of CBC-MAC [Bellare et al., Crypto'05]."}],"day":"01","doi":"10.1007/978-3-662-44371-2_7","year":"2014","citation":{"ieee":"P. Gazi, K. Z. Pietrzak, and M. Rybar, “The exact PRF-security of NMAC and HMAC,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, USA, 2014, vol. 8616, no. 1, pp. 113–130.","chicago":"Gazi, Peter, Krzysztof Z Pietrzak, and Michal Rybar. “The Exact PRF-Security of NMAC and HMAC.” edited by Juan Garay and Rosario Gennaro, 8616:113–30. Springer, 2014. <a href=\"https://doi.org/10.1007/978-3-662-44371-2_7\">https://doi.org/10.1007/978-3-662-44371-2_7</a>.","ama":"Gazi P, Pietrzak KZ, Rybar M. The exact PRF-security of NMAC and HMAC. In: Garay J, Gennaro R, eds. Vol 8616. Springer; 2014:113-130. doi:<a href=\"https://doi.org/10.1007/978-3-662-44371-2_7\">10.1007/978-3-662-44371-2_7</a>","apa":"Gazi, P., Pietrzak, K. Z., &#38; Rybar, M. (2014). The exact PRF-security of NMAC and HMAC. In J. Garay &#38; R. Gennaro (Eds.) (Vol. 8616, pp. 113–130). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, USA: Springer. <a href=\"https://doi.org/10.1007/978-3-662-44371-2_7\">https://doi.org/10.1007/978-3-662-44371-2_7</a>","ista":"Gazi P, Pietrzak KZ, Rybar M. 2014. The exact PRF-security of NMAC and HMAC. CRYPTO: International Cryptology Conference, LNCS, vol. 8616, 113–130.","mla":"Gazi, Peter, et al. <i>The Exact PRF-Security of NMAC and HMAC</i>. Edited by Juan Garay and Rosario Gennaro, vol. 8616, no. 1, Springer, 2014, pp. 113–30, doi:<a href=\"https://doi.org/10.1007/978-3-662-44371-2_7\">10.1007/978-3-662-44371-2_7</a>.","short":"P. Gazi, K.Z. Pietrzak, M. Rybar, in:, J. Garay, R. Gennaro (Eds.), Springer, 2014, pp. 113–130."},"date_updated":"2023-09-07T12:02:27Z","editor":[{"first_name":"Juan","last_name":"Garay","full_name":"Garay, Juan"},{"last_name":"Gennaro","first_name":"Rosario","full_name":"Gennaro, Rosario"}],"publisher":"Springer","file_date_updated":"2020-07-14T12:45:28Z","ec_funded":1,"quality_controlled":"1","page":"113 - 130","intvolume":"      8616","title":"The exact PRF-security of NMAC and HMAC","alternative_title":["LNCS"],"pubrep_id":"682","date_created":"2018-12-11T11:55:36Z","department":[{"_id":"KrPi"}],"publication_status":"published","issue":"1","author":[{"id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","full_name":"Gazi, Peter","first_name":"Peter","last_name":"Gazi"},{"full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"id":"2B3E3DE8-F248-11E8-B48F-1D18A9856A87","full_name":"Rybar, Michal","first_name":"Michal","last_name":"Rybar"}],"_id":"2082","status":"public","user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","related_material":{"record":[{"id":"838","relation":"dissertation_contains","status":"public"}]},"file":[{"access_level":"open_access","relation":"main_file","file_id":"4999","creator":"system","date_created":"2018-12-12T10:13:17Z","file_size":492310,"checksum":"dab6ab36a5f6af94f2b597e6404ed11d","date_updated":"2020-07-14T12:45:28Z","content_type":"application/pdf","file_name":"IST-2016-682-v1+1_578.pdf"}],"publist_id":"4955","oa":1,"type":"conference","date_published":"2014-01-01T00:00:00Z","conference":{"name":"CRYPTO: International Cryptology Conference","start_date":"2014-08-17","end_date":"2014-08-21","location":"Santa Barbara, USA"},"language":[{"iso":"eng"}],"month":"01","project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"oa_version":"Submitted Version","has_accepted_license":"1"},{"title":"Key derivation without entropy waste","alternative_title":["LNCS"],"pubrep_id":"680","intvolume":"      8441","publication_status":"published","date_created":"2018-12-11T11:56:12Z","department":[{"_id":"KrPi"}],"author":[{"full_name":"Dodis, Yevgeniy","first_name":"Yevgeniy","last_name":"Dodis"},{"first_name":"Krzysztof Z","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Daniel","last_name":"Wichs","full_name":"Wichs, Daniel"}],"_id":"2185","scopus_import":1,"publisher":"Springer","editor":[{"full_name":"Nguyen, Phong","first_name":"Phong","last_name":"Nguyen"},{"full_name":"Oswald, Elisabeth","last_name":"Oswald","first_name":"Elisabeth"}],"file_date_updated":"2020-07-14T12:45:31Z","page":"93 - 110","quality_controlled":"1","abstract":[{"text":"We revisit the classical problem of converting an imperfect source of randomness into a usable cryptographic key. Assume that we have some cryptographic application P that expects a uniformly random m-bit key R and ensures that the best attack (in some complexity class) against P(R) has success probability at most δ. Our goal is to design a key-derivation function (KDF) h that converts any random source X of min-entropy k into a sufficiently &quot;good&quot; key h(X), guaranteeing that P(h(X)) has comparable security δ′ which is 'close' to δ. Seeded randomness extractors provide a generic way to solve this problem for all applications P, with resulting security δ′ = O(δ), provided that we start with entropy k ≥ m + 2 log (1/δ) - O(1). By a result of Radhakrishnan and Ta-Shma, this bound on k (called the &quot;RT-bound&quot;) is also known to be tight in general. Unfortunately, in many situations the loss of 2 log (1/δ) bits of entropy is unacceptable. This motivates the study KDFs with less entropy waste by placing some restrictions on the source X or the application P. In this work we obtain the following new positive and negative results in this regard: - Efficient samplability of the source X does not help beat the RT-bound for general applications. This resolves the SRT (samplable RT) conjecture of Dachman-Soled et al. [DGKM12] in the affirmative, and also shows that the existence of computationally-secure extractors beating the RT-bound implies the existence of one-way functions. - We continue in the line of work initiated by Barak et al. [BDK+11] and construct new information-theoretic KDFs which beat the RT-bound for large but restricted classes of applications. Specifically, we design efficient KDFs that work for all unpredictability applications P (e.g., signatures, MACs, one-way functions, etc.) and can either: (1) extract all of the entropy k = m with a very modest security loss δ′ = O(δ·log (1/δ)), or alternatively, (2) achieve essentially optimal security δ′ = O(δ) with a very modest entropy loss k ≥ m + loglog (1/δ). In comparison, the best prior results from [BDK+11] for this class of applications would only guarantee δ′ = O(√δ) when k = m, and would need k ≥ m + log (1/δ) to get δ′ = O(δ). - The weaker bounds of [BDK+11] hold for a larger class of so-called &quot;square- friendly&quot; applications (which includes all unpredictability, but also some important indistinguishability, applications). Unfortunately, we show that these weaker bounds are tight for the larger class of applications. - We abstract out a clean, information-theoretic notion of (k,δ,δ′)- unpredictability extractors, which guarantee &quot;induced&quot; security δ′ for any δ-secure unpredictability application P, and characterize the parameters achievable for such unpredictability extractors. Of independent interest, we also relate this notion to the previously-known notion of (min-entropy) condensers, and improve the state-of-the-art parameters for such condensers.","lang":"eng"}],"doi":"10.1007/978-3-642-55220-5_6","day":"01","date_updated":"2021-01-12T06:55:51Z","citation":{"ama":"Dodis Y, Pietrzak KZ, Wichs D. Key derivation without entropy waste. In: Nguyen P, Oswald E, eds. Vol 8441. Springer; 2014:93-110. doi:<a href=\"https://doi.org/10.1007/978-3-642-55220-5_6\">10.1007/978-3-642-55220-5_6</a>","apa":"Dodis, Y., Pietrzak, K. Z., &#38; Wichs, D. (2014). Key derivation without entropy waste. In P. Nguyen &#38; E. Oswald (Eds.) (Vol. 8441, pp. 93–110). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark: Springer. <a href=\"https://doi.org/10.1007/978-3-642-55220-5_6\">https://doi.org/10.1007/978-3-642-55220-5_6</a>","ieee":"Y. Dodis, K. Z. Pietrzak, and D. Wichs, “Key derivation without entropy waste,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, 2014, vol. 8441, pp. 93–110.","chicago":"Dodis, Yevgeniy, Krzysztof Z Pietrzak, and Daniel Wichs. “Key Derivation without Entropy Waste.” edited by Phong Nguyen and Elisabeth Oswald, 8441:93–110. Springer, 2014. <a href=\"https://doi.org/10.1007/978-3-642-55220-5_6\">https://doi.org/10.1007/978-3-642-55220-5_6</a>.","short":"Y. Dodis, K.Z. Pietrzak, D. Wichs, in:, P. Nguyen, E. Oswald (Eds.), Springer, 2014, pp. 93–110.","mla":"Dodis, Yevgeniy, et al. <i>Key Derivation without Entropy Waste</i>. Edited by Phong Nguyen and Elisabeth Oswald, vol. 8441, Springer, 2014, pp. 93–110, doi:<a href=\"https://doi.org/10.1007/978-3-642-55220-5_6\">10.1007/978-3-642-55220-5_6</a>.","ista":"Dodis Y, Pietrzak KZ, Wichs D. 2014. Key derivation without entropy waste. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 8441, 93–110."},"year":"2014","ddc":["000","004"],"volume":8441,"month":"04","oa_version":"Submitted Version","has_accepted_license":"1","conference":{"end_date":"2014-05-15","location":"Copenhagen, Denmark","start_date":"2014-05-11","name":"EUROCRYPT: Theory and Applications of Cryptographic Techniques"},"language":[{"iso":"eng"}],"oa":1,"publist_id":"4795","date_published":"2014-04-01T00:00:00Z","type":"conference","user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","status":"public","file":[{"file_id":"4705","creator":"system","access_level":"open_access","relation":"main_file","date_updated":"2020-07-14T12:45:31Z","file_name":"IST-2016-680-v1+1_708.pdf","content_type":"application/pdf","date_created":"2018-12-12T10:08:43Z","file_size":505389,"checksum":"da1aa01221086083b23c92e547b48ff4"}]},{"year":"2014","citation":{"ista":"Kiltz E, Masny D, Pietrzak KZ. 2014. Simple chosen-ciphertext security from low noise LPN. IACR: International Conference on Practice and Theory in Public-Key Cryptography, LNCS, vol. 8383, 1–18.","mla":"Kiltz, Eike, et al. <i>Simple Chosen-Ciphertext Security from Low Noise LPN</i>. Vol. 8383, Springer, 2014, pp. 1–18, doi:<a href=\"https://doi.org/10.1007/978-3-642-54631-0_1\">10.1007/978-3-642-54631-0_1</a>.","short":"E. Kiltz, D. Masny, K.Z. Pietrzak, in:, Springer, 2014, pp. 1–18.","chicago":"Kiltz, Eike, Daniel Masny, and Krzysztof Z Pietrzak. “Simple Chosen-Ciphertext Security from Low Noise LPN,” 8383:1–18. Springer, 2014. <a href=\"https://doi.org/10.1007/978-3-642-54631-0_1\">https://doi.org/10.1007/978-3-642-54631-0_1</a>.","ieee":"E. Kiltz, D. Masny, and K. Z. Pietrzak, “Simple chosen-ciphertext security from low noise LPN,” presented at the IACR: International Conference on Practice and Theory in Public-Key Cryptography, 2014, vol. 8383, pp. 1–18.","apa":"Kiltz, E., Masny, D., &#38; Pietrzak, K. Z. (2014). Simple chosen-ciphertext security from low noise LPN (Vol. 8383, pp. 1–18). Presented at the IACR: International Conference on Practice and Theory in Public-Key Cryptography, Springer. <a href=\"https://doi.org/10.1007/978-3-642-54631-0_1\">https://doi.org/10.1007/978-3-642-54631-0_1</a>","ama":"Kiltz E, Masny D, Pietrzak KZ. Simple chosen-ciphertext security from low noise LPN. In: Vol 8383. Springer; 2014:1-18. doi:<a href=\"https://doi.org/10.1007/978-3-642-54631-0_1\">10.1007/978-3-642-54631-0_1</a>"},"date_updated":"2021-01-12T06:56:05Z","day":"01","doi":"10.1007/978-3-642-54631-0_1","abstract":[{"lang":"eng","text":"Recently, Döttling et al. (ASIACRYPT 2012) proposed the first chosen-ciphertext (IND-CCA) secure public-key encryption scheme from the learning parity with noise (LPN) assumption. In this work we give an alternative scheme which is conceptually simpler and more efficient. At the core of our construction is a trapdoor technique originally proposed for lattices by Micciancio and Peikert (EUROCRYPT 2012), which we adapt to the LPN setting. The main technical tool is a new double-trapdoor mechanism, together with a trapdoor switching lemma based on a computational variant of the leftover hash lemma."}],"volume":8383,"scopus_import":1,"_id":"2219","author":[{"first_name":"Eike","last_name":"Kiltz","full_name":"Kiltz, Eike"},{"last_name":"Masny","first_name":"Daniel","full_name":"Masny, Daniel"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","first_name":"Krzysztof Z","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z"}],"department":[{"_id":"KrPi"}],"date_created":"2018-12-11T11:56:24Z","publication_status":"published","intvolume":"      8383","alternative_title":["LNCS"],"title":"Simple chosen-ciphertext security from low noise LPN","quality_controlled":"1","page":"1 - 18","publisher":"Springer","type":"conference","date_published":"2014-03-01T00:00:00Z","publication_identifier":{"isbn":["978-364254630-3"]},"publist_id":"4748","oa":1,"main_file_link":[{"url":"https://eprint.iacr.org/2015/401","open_access":"1"}],"status":"public","user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","oa_version":"Submitted Version","month":"03","language":[{"iso":"eng"}],"conference":{"name":"IACR: International Conference on Practice and Theory in Public-Key Cryptography"}},{"type":"conference","date_published":"2014-02-01T00:00:00Z","publist_id":"4725","oa":1,"publication_identifier":{"isbn":["978-364254241-1"]},"status":"public","user_id":"4435EBFC-F248-11E8-B48F-1D18A9856A87","main_file_link":[{"url":"https://repository.ist.ac.at/id/eprint/681","open_access":"1"}],"file":[{"date_created":"2018-12-12T10:17:21Z","file_size":313528,"checksum":"42960325c29dcd8d832edadcc3ce0045","date_updated":"2020-07-14T12:45:34Z","file_name":"IST-2016-681-v1+1_869_1_.pdf","content_type":"application/pdf","relation":"main_file","access_level":"open_access","file_id":"5275","creator":"system"}],"has_accepted_license":"1","month":"02","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography"}],"oa_version":"Submitted Version","language":[{"iso":"eng"}],"conference":{"name":"TCC: Theory of Cryptography Conference","start_date":"2014-02-24","end_date":"2014-02-26","location":"San Diego, USA"},"year":"2014","citation":{"mla":"Jetchev, Dimitar, and Krzysztof Z. Pietrzak. <i>How to Fake Auxiliary Input</i>. Edited by Yehuda Lindell, vol. 8349, Springer, 2014, pp. 566–90, doi:<a href=\"https://doi.org/10.1007/978-3-642-54242-8_24\">10.1007/978-3-642-54242-8_24</a>.","short":"D. Jetchev, K.Z. Pietrzak, in:, Y. Lindell (Ed.), Springer, 2014, pp. 566–590.","ista":"Jetchev D, Pietrzak KZ. 2014. How to fake auxiliary input. TCC: Theory of Cryptography Conference, LNCS, vol. 8349, 566–590.","apa":"Jetchev, D., &#38; Pietrzak, K. Z. (2014). How to fake auxiliary input. In Y. Lindell (Ed.) (Vol. 8349, pp. 566–590). Presented at the TCC: Theory of Cryptography Conference, San Diego, USA: Springer. <a href=\"https://doi.org/10.1007/978-3-642-54242-8_24\">https://doi.org/10.1007/978-3-642-54242-8_24</a>","ama":"Jetchev D, Pietrzak KZ. How to fake auxiliary input. In: Lindell Y, ed. Vol 8349. Springer; 2014:566-590. doi:<a href=\"https://doi.org/10.1007/978-3-642-54242-8_24\">10.1007/978-3-642-54242-8_24</a>","ieee":"D. Jetchev and K. Z. Pietrzak, “How to fake auxiliary input,” presented at the TCC: Theory of Cryptography Conference, San Diego, USA, 2014, vol. 8349, pp. 566–590.","chicago":"Jetchev, Dimitar, and Krzysztof Z Pietrzak. “How to Fake Auxiliary Input.” edited by Yehuda Lindell, 8349:566–90. Springer, 2014. <a href=\"https://doi.org/10.1007/978-3-642-54242-8_24\">https://doi.org/10.1007/978-3-642-54242-8_24</a>."},"date_updated":"2021-01-12T06:56:12Z","abstract":[{"lang":"eng","text":"Consider a joint distribution (X,A) on a set. We show that for any family of distinguishers, there exists a simulator such that 1 no function in can distinguish (X,A) from (X,h(X)) with advantage ε, 2 h is only O(2 3ℓ ε -2) times less efficient than the functions in. For the most interesting settings of the parameters (in particular, the cryptographic case where X has superlogarithmic min-entropy, ε &gt; 0 is negligible and consists of circuits of polynomial size), we can make the simulator h deterministic. As an illustrative application of our theorem, we give a new security proof for the leakage-resilient stream-cipher from Eurocrypt'09. Our proof is simpler and quantitatively much better than the original proof using the dense model theorem, giving meaningful security guarantees if instantiated with a standard blockcipher like AES. Subsequent to this work, Chung, Lui and Pass gave an interactive variant of our main theorem, and used it to investigate weak notions of Zero-Knowledge. Vadhan and Zheng give a more constructive version of our theorem using their new uniform min-max theorem."}],"day":"01","doi":"10.1007/978-3-642-54242-8_24","ddc":["004"],"volume":8349,"author":[{"first_name":"Dimitar","last_name":"Jetchev","full_name":"Jetchev, Dimitar"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","last_name":"Pietrzak","first_name":"Krzysztof Z","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654"}],"_id":"2236","intvolume":"      8349","alternative_title":["LNCS"],"pubrep_id":"681","title":"How to fake auxiliary input","department":[{"_id":"KrPi"}],"date_created":"2018-12-11T11:56:29Z","publication_status":"published","file_date_updated":"2020-07-14T12:45:34Z","ec_funded":1,"quality_controlled":"1","page":"566 - 590","editor":[{"first_name":"Yehuda","last_name":"Lindell","full_name":"Lindell, Yehuda"}],"publisher":"Springer"},{"scopus_import":1,"_id":"2940","author":[{"full_name":"Krenn, Stephan","orcid":"0000-0003-2835-9093","last_name":"Krenn","first_name":"Stephan","id":"329FCCF0-F248-11E8-B48F-1D18A9856A87"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","last_name":"Pietrzak"},{"last_name":"Wadia","first_name":"Akshay","full_name":"Wadia, Akshay"}],"department":[{"_id":"KrPi"}],"date_created":"2018-12-11T12:00:27Z","publication_status":"published","intvolume":"      7785","alternative_title":["LNCS"],"title":"A counterexample to the chain rule for conditional HILL entropy, and what deniable encryption has to do with it","quality_controlled":"1","ec_funded":1,"page":"23 - 39","file_date_updated":"2020-07-14T12:45:54Z","editor":[{"last_name":"Sahai","first_name":"Amit","full_name":"Sahai, Amit"}],"publisher":"Springer","citation":{"short":"S. Krenn, K.Z. Pietrzak, A. Wadia, in:, A. Sahai (Ed.), Springer, 2013, pp. 23–39.","mla":"Krenn, Stephan, et al. <i>A Counterexample to the Chain Rule for Conditional HILL Entropy, and What Deniable Encryption Has to Do with It</i>. Edited by Amit Sahai, vol. 7785, Springer, 2013, pp. 23–39, doi:<a href=\"https://doi.org/10.1007/978-3-642-36594-2_2\">10.1007/978-3-642-36594-2_2</a>.","ista":"Krenn S, Pietrzak KZ, Wadia A. 2013. A counterexample to the chain rule for conditional HILL entropy, and what deniable encryption has to do with it. TCC: Theory of Cryptography Conference, LNCS, vol. 7785, 23–39.","apa":"Krenn, S., Pietrzak, K. Z., &#38; Wadia, A. (2013). A counterexample to the chain rule for conditional HILL entropy, and what deniable encryption has to do with it. In A. Sahai (Ed.) (Vol. 7785, pp. 23–39). Presented at the TCC: Theory of Cryptography Conference, Tokyo, Japan: Springer. <a href=\"https://doi.org/10.1007/978-3-642-36594-2_2\">https://doi.org/10.1007/978-3-642-36594-2_2</a>","ama":"Krenn S, Pietrzak KZ, Wadia A. A counterexample to the chain rule for conditional HILL entropy, and what deniable encryption has to do with it. In: Sahai A, ed. Vol 7785. Springer; 2013:23-39. doi:<a href=\"https://doi.org/10.1007/978-3-642-36594-2_2\">10.1007/978-3-642-36594-2_2</a>","ieee":"S. Krenn, K. Z. Pietrzak, and A. Wadia, “A counterexample to the chain rule for conditional HILL entropy, and what deniable encryption has to do with it,” presented at the TCC: Theory of Cryptography Conference, Tokyo, Japan, 2013, vol. 7785, pp. 23–39.","chicago":"Krenn, Stephan, Krzysztof Z Pietrzak, and Akshay Wadia. “A Counterexample to the Chain Rule for Conditional HILL Entropy, and What Deniable Encryption Has to Do with It.” edited by Amit Sahai, 7785:23–39. Springer, 2013. <a href=\"https://doi.org/10.1007/978-3-642-36594-2_2\">https://doi.org/10.1007/978-3-642-36594-2_2</a>."},"year":"2013","date_updated":"2023-02-23T10:00:43Z","day":"29","doi":"10.1007/978-3-642-36594-2_2","abstract":[{"text":"A chain rule for an entropy notion H(.) states that the entropy H(X) of a variable X decreases by at most l if conditioned on an l-bit string A, i.e., H(X|A)&gt;= H(X)-l. More generally, it satisfies a chain rule for conditional entropy if H(X|Y,A)&gt;= H(X|Y)-l.\r\n\r\nAll natural information theoretic entropy notions we are aware of (like Shannon or min-entropy) satisfy some kind of chain rule for conditional entropy. Moreover, many computational entropy notions (like Yao entropy, unpredictability entropy and several variants of HILL entropy) satisfy the chain rule for conditional entropy, though here not only the quantity decreases by l, but also the quality of the entropy decreases exponentially in l. However, for \r\nthe standard notion of conditional HILL entropy (the computational equivalent of min-entropy) the existence of such a rule was unknown so far.\r\n\r\nIn this paper, we prove that for conditional HILL entropy no meaningful chain rule exists, assuming the existence of one-way permutations: there exist distributions X,Y,A, where A is a distribution over a single bit, but  $H(X|Y)&gt;&gt;H(X|Y,A)$, even if we simultaneously allow for a massive degradation in the quality of the entropy.\r\n\r\nThe idea underlying our construction is based on a surprising connection between the chain rule for HILL entropy and deniable encryption. ","lang":"eng"}],"volume":7785,"ddc":["000"],"has_accepted_license":"1","project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"oa_version":"Submitted Version","month":"01","language":[{"iso":"eng"}],"conference":{"end_date":"2013-03-06","location":"Tokyo, Japan","start_date":"2013-03-03","name":"TCC: Theory of Cryptography Conference"},"type":"conference","date_published":"2013-01-29T00:00:00Z","publist_id":"3795","oa":1,"file":[{"date_updated":"2020-07-14T12:45:54Z","file_name":"2013_LNCS_Krenn.pdf","content_type":"application/pdf","date_created":"2019-01-22T14:11:11Z","file_size":414823,"checksum":"beb0cc1c0579da2d2e84394230a5da78","file_id":"5875","creator":"dernst","access_level":"open_access","relation":"main_file"}],"status":"public","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","related_material":{"record":[{"relation":"later_version","id":"1479","status":"public"}]}},{"has_accepted_license":"1","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"oa_version":"Submitted Version","month":"01","language":[{"iso":"eng"}],"conference":{"end_date":"2013-08-22","location":"Santa Barbara, CA, United States","start_date":"2013-08-18","name":"CRYPTO: International Cryptology Conference"},"type":"conference","date_published":"2013-01-01T00:00:00Z","publist_id":"4688","oa":1,"file":[{"content_type":"application/pdf","file_name":"IST-2016-685-v1+1_658.pdf","date_updated":"2020-07-14T12:45:35Z","checksum":"18a3f602cb41de184dc0e16a0e907633","file_size":493175,"date_created":"2018-12-12T10:09:20Z","creator":"system","file_id":"4744","relation":"main_file","access_level":"open_access"}],"status":"public","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","scopus_import":1,"_id":"2258","author":[{"full_name":"Kiltz, Eike","first_name":"Eike","last_name":"Kiltz"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","first_name":"Krzysztof Z"},{"full_name":"Szegedy, Mario","last_name":"Szegedy","first_name":"Mario"}],"department":[{"_id":"KrPi"}],"date_created":"2018-12-11T11:56:37Z","publication_status":"published","intvolume":"      8042","alternative_title":["LNCS"],"pubrep_id":"685","title":"Digital signatures with minimal overhead from indifferentiable random invertible functions","ec_funded":1,"quality_controlled":"1","series_title":"Lecture Notes in Computer Science","page":"571 - 588","file_date_updated":"2020-07-14T12:45:35Z","publisher":"Springer","year":"2013","citation":{"ieee":"E. Kiltz, K. Z. Pietrzak, and M. Szegedy, “Digital signatures with minimal overhead from indifferentiable random invertible functions,” vol. 8042. Springer, pp. 571–588, 2013.","chicago":"Kiltz, Eike, Krzysztof Z Pietrzak, and Mario Szegedy. “Digital Signatures with Minimal Overhead from Indifferentiable Random Invertible Functions.” Lecture Notes in Computer Science. Springer, 2013. <a href=\"https://doi.org/10.1007/978-3-642-40041-4_31\">https://doi.org/10.1007/978-3-642-40041-4_31</a>.","ama":"Kiltz E, Pietrzak KZ, Szegedy M. Digital signatures with minimal overhead from indifferentiable random invertible functions. 2013;8042:571-588. doi:<a href=\"https://doi.org/10.1007/978-3-642-40041-4_31\">10.1007/978-3-642-40041-4_31</a>","apa":"Kiltz, E., Pietrzak, K. Z., &#38; Szegedy, M. (2013). Digital signatures with minimal overhead from indifferentiable random invertible functions. Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. <a href=\"https://doi.org/10.1007/978-3-642-40041-4_31\">https://doi.org/10.1007/978-3-642-40041-4_31</a>","ista":"Kiltz E, Pietrzak KZ, Szegedy M. 2013. Digital signatures with minimal overhead from indifferentiable random invertible functions. 8042, 571–588.","short":"E. Kiltz, K.Z. Pietrzak, M. Szegedy, 8042 (2013) 571–588.","mla":"Kiltz, Eike, et al. <i>Digital Signatures with Minimal Overhead from Indifferentiable Random Invertible Functions</i>. Vol. 8042, Springer, 2013, pp. 571–88, doi:<a href=\"https://doi.org/10.1007/978-3-642-40041-4_31\">10.1007/978-3-642-40041-4_31</a>."},"date_updated":"2021-01-12T06:56:21Z","day":"01","doi":"10.1007/978-3-642-40041-4_31","abstract":[{"text":"In a digital signature scheme with message recovery, rather than transmitting the message m and its signature σ, a single enhanced signature τ is transmitted. The verifier is able to recover m from τ and at the same time verify its authenticity. The two most important parameters of such a scheme are its security and overhead |τ| − |m|. A simple argument shows that for any scheme with “n bits security” |τ| − |m| ≥ n, i.e., the overhead is lower bounded by the security parameter n. Currently, the best known constructions in the random oracle model are far from this lower bound requiring an overhead of n + logq h , where q h is the number of queries to the random oracle. In this paper we give a construction which basically matches the n bit lower bound. We propose a simple digital signature scheme with n + o(logq h ) bits overhead, where q h denotes the number of random oracle queries.\r\n\r\nOur construction works in two steps. First, we propose a signature scheme with message recovery having optimal overhead in a new ideal model, the random invertible function model. Second, we show that a four-round Feistel network with random oracles as round functions is tightly “public-indifferentiable” from a random invertible function. At the core of our indifferentiability proof is an almost tight upper bound for the expected number of edges of the densest “small” subgraph of a random Cayley graph, which may be of independent interest.\r\n","lang":"eng"}],"volume":8042,"ddc":["000","004"]},{"conference":{"start_date":"2013-08-18","name":"CRYPTO: International Cryptology Conference","location":"Santa Barbara, CA, United States","end_date":"2013-08-22"},"language":[{"iso":"eng"}],"month":"01","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"oa_version":"Published Version","has_accepted_license":"1","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","status":"public","file":[{"file_id":"4912","creator":"system","relation":"main_file","access_level":"open_access","date_updated":"2020-07-14T12:45:35Z","file_name":"IST-2016-684-v1+1_098.pdf","content_type":"application/pdf","date_created":"2018-12-12T10:11:55Z","file_size":587898,"checksum":"16d428408a806b8e49eecc607deab115"}],"oa":1,"publist_id":"4687","type":"conference","date_published":"2013-01-01T00:00:00Z","publisher":"Springer","file_date_updated":"2020-07-14T12:45:35Z","quality_controlled":"1","series_title":"Lecture Notes in Computer Science","ec_funded":1,"page":"57 - 74","intvolume":"      8042","pubrep_id":"684","alternative_title":["LNCS"],"title":"Learning with rounding, revisited: New reduction properties and applications","department":[{"_id":"KrPi"}],"date_created":"2018-12-11T11:56:37Z","publication_status":"published","issue":"1","author":[{"id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","full_name":"Alwen, Joel F","last_name":"Alwen","first_name":"Joel F"},{"first_name":"Stephan","last_name":"Krenn","orcid":"0000-0003-2835-9093","full_name":"Krenn, Stephan","id":"329FCCF0-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Wichs, Daniel","first_name":"Daniel","last_name":"Wichs"}],"scopus_import":1,"_id":"2259","ddc":["000","004"],"volume":8042,"abstract":[{"lang":"eng","text":"The learning with rounding (LWR) problem, introduced by Banerjee, Peikert and Rosen at EUROCRYPT ’12, is a variant of learning with errors (LWE), where one replaces random errors with deterministic rounding. The LWR problem was shown to be as hard as LWE for a setting of parameters where the modulus and modulus-to-error ratio are super-polynomial. In this work we resolve the main open problem and give a new reduction that works for a larger range of parameters, allowing for a polynomial modulus and modulus-to-error ratio. In particular, a smaller modulus gives us greater efficiency, and a smaller modulus-to-error ratio gives us greater security, which now follows from the worst-case hardness of GapSVP with polynomial (rather than super-polynomial) approximation factors.\r\n\r\nAs a tool in the reduction, we show that there is a “lossy mode” for the LWR problem, in which LWR samples only reveal partial information about the secret. This property gives us several interesting new applications, including a proof that LWR remains secure with weakly random secrets of sufficient min-entropy, and very simple constructions of deterministic encryption, lossy trapdoor functions and reusable extractors.\r\n\r\nOur approach is inspired by a technique of Goldwasser et al. from ICS ’10, which implicitly showed the existence of a “lossy mode” for LWE. By refining this technique, we also improve on the parameters of that work to only requiring a polynomial (instead of super-polynomial) modulus and modulus-to-error ratio.\r\n"}],"day":"01","doi":"10.1007/978-3-642-40041-4_4","year":"2013","citation":{"short":"J.F. Alwen, S. Krenn, K.Z. Pietrzak, D. Wichs, 8042 (2013) 57–74.","mla":"Alwen, Joel F., et al. <i>Learning with Rounding, Revisited: New Reduction Properties and Applications</i>. Vol. 8042, no. 1, Springer, 2013, pp. 57–74, doi:<a href=\"https://doi.org/10.1007/978-3-642-40041-4_4\">10.1007/978-3-642-40041-4_4</a>.","ista":"Alwen JF, Krenn S, Pietrzak KZ, Wichs D. 2013. Learning with rounding, revisited: New reduction properties and applications. 8042(1), 57–74.","apa":"Alwen, J. F., Krenn, S., Pietrzak, K. Z., &#38; Wichs, D. (2013). Learning with rounding, revisited: New reduction properties and applications. Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. <a href=\"https://doi.org/10.1007/978-3-642-40041-4_4\">https://doi.org/10.1007/978-3-642-40041-4_4</a>","ama":"Alwen JF, Krenn S, Pietrzak KZ, Wichs D. Learning with rounding, revisited: New reduction properties and applications. 2013;8042(1):57-74. doi:<a href=\"https://doi.org/10.1007/978-3-642-40041-4_4\">10.1007/978-3-642-40041-4_4</a>","chicago":"Alwen, Joel F, Stephan Krenn, Krzysztof Z Pietrzak, and Daniel Wichs. “Learning with Rounding, Revisited: New Reduction Properties and Applications.” Lecture Notes in Computer Science. Springer, 2013. <a href=\"https://doi.org/10.1007/978-3-642-40041-4_4\">https://doi.org/10.1007/978-3-642-40041-4_4</a>.","ieee":"J. F. Alwen, S. Krenn, K. Z. Pietrzak, and D. Wichs, “Learning with rounding, revisited: New reduction properties and applications,” vol. 8042, no. 1. Springer, pp. 57–74, 2013."},"date_updated":"2021-01-12T06:56:21Z"},{"month":"06","oa_version":"Submitted Version","conference":{"end_date":"2013-06-28","location":"Banff, AB, Canada","start_date":"2013-06-25","name":"ACNS: Applied Cryptography and Network Security"},"language":[{"iso":"eng"}],"oa":1,"publist_id":"4686","type":"conference","date_published":"2013-06-01T00:00:00Z","status":"public","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","main_file_link":[{"open_access":"1","url":"http://eprint.iacr.org/2012/475"}],"intvolume":"      7954","alternative_title":["LNCS"],"title":"Efficient signatures of knowledge and DAA in the standard model","date_created":"2018-12-11T11:56:37Z","department":[{"_id":"KrPi"}],"publication_status":"published","author":[{"first_name":"David","last_name":"Bernhard","full_name":"Bernhard, David"},{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","first_name":"Georg","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg"},{"full_name":"Ghadafi, Essam","first_name":"Essam","last_name":"Ghadafi"}],"scopus_import":1,"_id":"2260","publisher":"Springer","series_title":"Lecture Notes in Computer Science","quality_controlled":"1","page":"518 - 533","abstract":[{"lang":"eng","text":"Direct Anonymous Attestation (DAA) is one of the most complex cryptographic protocols deployed in practice. It allows an embedded secure processor known as a Trusted Platform Module (TPM) to attest to the configuration of its host computer without violating the owner’s privacy. DAA has been standardized by the Trusted Computing Group and ISO/IEC.\r\n\r\nThe security of the DAA standard and all existing schemes is analyzed in the random-oracle model. We provide the first constructions of DAA in the standard model, that is, without relying on random oracles. Our constructions use new building blocks, including the first efficient signatures of knowledge in the standard model, which have many applications beyond DAA.\r\n"}],"day":"01","doi":"10.1007/978-3-642-38980-1_33","citation":{"ieee":"D. Bernhard, G. Fuchsbauer, and E. Ghadafi, “Efficient signatures of knowledge and DAA in the standard model,” vol. 7954. Springer, pp. 518–533, 2013.","chicago":"Bernhard, David, Georg Fuchsbauer, and Essam Ghadafi. “Efficient Signatures of Knowledge and DAA in the Standard Model.” Lecture Notes in Computer Science. Springer, 2013. <a href=\"https://doi.org/10.1007/978-3-642-38980-1_33\">https://doi.org/10.1007/978-3-642-38980-1_33</a>.","ama":"Bernhard D, Fuchsbauer G, Ghadafi E. Efficient signatures of knowledge and DAA in the standard model. 2013;7954:518-533. doi:<a href=\"https://doi.org/10.1007/978-3-642-38980-1_33\">10.1007/978-3-642-38980-1_33</a>","apa":"Bernhard, D., Fuchsbauer, G., &#38; Ghadafi, E. (2013). Efficient signatures of knowledge and DAA in the standard model. Presented at the ACNS: Applied Cryptography and Network Security, Banff, AB, Canada: Springer. <a href=\"https://doi.org/10.1007/978-3-642-38980-1_33\">https://doi.org/10.1007/978-3-642-38980-1_33</a>","ista":"Bernhard D, Fuchsbauer G, Ghadafi E. 2013. Efficient signatures of knowledge and DAA in the standard model. 7954, 518–533.","mla":"Bernhard, David, et al. <i>Efficient Signatures of Knowledge and DAA in the Standard Model</i>. Vol. 7954, Springer, 2013, pp. 518–33, doi:<a href=\"https://doi.org/10.1007/978-3-642-38980-1_33\">10.1007/978-3-642-38980-1_33</a>.","short":"D. Bernhard, G. Fuchsbauer, E. Ghadafi, 7954 (2013) 518–533."},"year":"2013","date_updated":"2020-08-11T10:09:44Z","volume":7954},{"related_material":{"record":[{"status":"public","relation":"later_version","id":"1675"}]},"status":"public","ddc":["530"],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","file":[{"file_size":405870,"checksum":"37b61637b62fc079d9141c59d9f1a94f","date_created":"2018-12-12T10:16:11Z","content_type":"application/pdf","file_name":"IST-2016-671-v1+1_796.pdf","date_updated":"2020-07-14T12:45:36Z","access_level":"open_access","relation":"main_file","creator":"system","file_id":"5197"}],"date_published":"2013-11-28T00:00:00Z","type":"report","date_updated":"2023-02-23T10:09:33Z","year":"2013","citation":{"ieee":"S. Dziembowski, S. Faust, V. Kolmogorov, and K. Z. Pietrzak, <i>Proofs of Space</i>. IST Austria, 2013.","chicago":"Dziembowski, Stefan, Sebastian Faust, Vladimir Kolmogorov, and Krzysztof Z Pietrzak. <i>Proofs of Space</i>. IST Austria, 2013.","apa":"Dziembowski, S., Faust, S., Kolmogorov, V., &#38; Pietrzak, K. Z. (2013). <i>Proofs of Space</i>. IST Austria.","ama":"Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. <i>Proofs of Space</i>. IST Austria; 2013.","ista":"Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. 2013. Proofs of Space, IST Austria,p.","short":"S. Dziembowski, S. Faust, V. Kolmogorov, K.Z. Pietrzak, Proofs of Space, IST Austria, 2013.","mla":"Dziembowski, Stefan, et al. <i>Proofs of Space</i>. IST Austria, 2013."},"abstract":[{"lang":"eng","text":"Proofs of work (PoW) have been suggested by Dwork and Naor (Crypto'92) as protection to a shared resource. The basic idea is to ask the service requestor to dedicate some non-trivial amount of computational work to every request. The original applications included prevention of spam and protection against denial of service attacks. More recently, PoWs have been used to prevent double spending in the Bitcoin digital currency system.\r\n\r\nIn this work, we put forward an alternative concept for PoWs -- so-called proofs of space (PoS), where a service requestor must dedicate a significant amount of disk space as opposed to computation. We construct secure PoS schemes in the random oracle model, using graphs with high &quot;pebbling complexity&quot; and Merkle hash-trees. "}],"oa":1,"publist_id":"4670","day":"28","language":[{"iso":"eng"}],"file_date_updated":"2020-07-14T12:45:36Z","publisher":"IST Austria","author":[{"first_name":"Stefan","last_name":"Dziembowski","full_name":"Dziembowski, Stefan"},{"full_name":"Faust, Sebastian","first_name":"Sebastian","last_name":"Faust"},{"first_name":"Vladimir","last_name":"Kolmogorov","full_name":"Kolmogorov, Vladimir","id":"3D50B0BA-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"}],"_id":"2274","scopus_import":1,"has_accepted_license":"1","title":"Proofs of Space","month":"11","pubrep_id":"671","publication_status":"published","oa_version":"Published Version","department":[{"_id":"VlKo"},{"_id":"KrPi"}],"date_created":"2018-12-11T11:56:42Z"},{"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","status":"public","main_file_link":[{"open_access":"1","url":"http://eprint.iacr.org/2013/492"}],"publist_id":"4637","oa":1,"abstract":[{"lang":"eng","text":"Cryptographic access control promises to offer easily distributed trust and broader applicability, while reducing reliance on low-level online monitors. Traditional implementations of cryptographic access control rely on simple cryptographic primitives whereas recent endeavors employ primitives with richer functionality and security guarantees. Worryingly, few of the existing cryptographic access-control schemes come with precise guarantees, the gap between the policy specification and the implementation being analyzed only informally, if at all. In this paper we begin addressing this shortcoming. Unlike prior work that targeted ad-hoc policy specification, we look at the well-established Role-Based Access Control (RBAC) model, as used in a typical file system. In short, we provide a precise syntax for a computational version of RBAC, offer rigorous definitions for cryptographic policy enforcement of a large class of RBAC security policies, and demonstrate that an implementation based on attribute-based encryption meets our security notions. We view our main contribution as being at the conceptual level. Although we work with RBAC for concreteness, our general methodology could guide future research for uses of cryptography in other access-control models. \r\n"}],"day":"01","doi":"10.1109/CSF.2013.15","type":"conference","date_published":"2013-09-01T00:00:00Z","citation":{"mla":"Ferrara, Anna, et al. <i>Cryptographically Enforced RBAC</i>. IEEE, 2013, pp. 115–29, doi:<a href=\"https://doi.org/10.1109/CSF.2013.15\">10.1109/CSF.2013.15</a>.","short":"A. Ferrara, G. Fuchsbauer, B. Warinschi, in:, IEEE, 2013, pp. 115–129.","ista":"Ferrara A, Fuchsbauer G, Warinschi B. 2013. Cryptographically enforced RBAC. CSF: Computer Security Foundations, 115–129.","ama":"Ferrara A, Fuchsbauer G, Warinschi B. Cryptographically enforced RBAC. In: IEEE; 2013:115-129. doi:<a href=\"https://doi.org/10.1109/CSF.2013.15\">10.1109/CSF.2013.15</a>","apa":"Ferrara, A., Fuchsbauer, G., &#38; Warinschi, B. (2013). Cryptographically enforced RBAC (pp. 115–129). Presented at the CSF: Computer Security Foundations, New Orleans, LA, United States: IEEE. <a href=\"https://doi.org/10.1109/CSF.2013.15\">https://doi.org/10.1109/CSF.2013.15</a>","chicago":"Ferrara, Anna, Georg Fuchsbauer, and Bogdan Warinschi. “Cryptographically Enforced RBAC,” 115–29. IEEE, 2013. <a href=\"https://doi.org/10.1109/CSF.2013.15\">https://doi.org/10.1109/CSF.2013.15</a>.","ieee":"A. Ferrara, G. Fuchsbauer, and B. Warinschi, “Cryptographically enforced RBAC,” presented at the CSF: Computer Security Foundations, New Orleans, LA, United States, 2013, pp. 115–129."},"year":"2013","date_updated":"2021-01-12T06:56:34Z","conference":{"name":"CSF: Computer Security Foundations","start_date":"2013-09-26","location":"New Orleans, LA, United States","end_date":"2013-09-28"},"publisher":"IEEE","language":[{"iso":"eng"}],"quality_controlled":"1","page":"115 - 129","title":"Cryptographically enforced RBAC","month":"09","department":[{"_id":"KrPi"}],"date_created":"2018-12-11T11:56:48Z","oa_version":"Submitted Version","publication_status":"published","author":[{"last_name":"Ferrara","first_name":"Anna","full_name":"Ferrara, Anna"},{"full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer","first_name":"Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Warinschi, Bogdan","last_name":"Warinschi","first_name":"Bogdan"}],"scopus_import":1,"_id":"2291"},{"year":"2013","citation":{"chicago":"Blazy, Olivier, Georg Fuchsbauer, David Pointcheval, and Damien Vergnaud. “Short Blind Signatures.” <i>Journal of Computer Security</i>. IOS Press, 2013. <a href=\"https://doi.org/10.3233/JCS-130477\">https://doi.org/10.3233/JCS-130477</a>.","ieee":"O. Blazy, G. Fuchsbauer, D. Pointcheval, and D. Vergnaud, “Short blind signatures,” <i>Journal of Computer Security</i>, vol. 21, no. 5. IOS Press, pp. 627–661, 2013.","apa":"Blazy, O., Fuchsbauer, G., Pointcheval, D., &#38; Vergnaud, D. (2013). Short blind signatures. <i>Journal of Computer Security</i>. IOS Press. <a href=\"https://doi.org/10.3233/JCS-130477\">https://doi.org/10.3233/JCS-130477</a>","ama":"Blazy O, Fuchsbauer G, Pointcheval D, Vergnaud D. Short blind signatures. <i>Journal of Computer Security</i>. 2013;21(5):627-661. doi:<a href=\"https://doi.org/10.3233/JCS-130477\">10.3233/JCS-130477</a>","ista":"Blazy O, Fuchsbauer G, Pointcheval D, Vergnaud D. 2013. Short blind signatures. Journal of Computer Security. 21(5), 627–661.","short":"O. Blazy, G. Fuchsbauer, D. Pointcheval, D. Vergnaud, Journal of Computer Security 21 (2013) 627–661.","mla":"Blazy, Olivier, et al. “Short Blind Signatures.” <i>Journal of Computer Security</i>, vol. 21, no. 5, IOS Press, 2013, pp. 627–61, doi:<a href=\"https://doi.org/10.3233/JCS-130477\">10.3233/JCS-130477</a>."},"date_updated":"2021-01-12T08:01:09Z","type":"journal_article","date_published":"2013-11-22T00:00:00Z","day":"22","doi":"10.3233/JCS-130477","publist_id":"7318","abstract":[{"text":"Blind signatures allow users to obtain signatures on messages hidden from the signer; moreover, the signer cannot link the resulting message/signature pair to the signing session. This paper presents blind signature schemes, in which the number of interactions between the user and the signer is minimal and whose blind signatures are short. Our schemes are defined over bilinear groups and are proved secure in the common-reference-string model without random oracles and under standard assumptions: CDH and the decision-linear assumption. (We also give variants over asymmetric groups based on similar assumptions.) The blind signatures are Waters signatures, which consist of 2 group elements. Moreover, we instantiate partially blind signatures, where the message consists of a part hidden from the signer and a commonly known public part, and schemes achieving perfect blindness. We propose new variants of blind signatures, such as signer-friendly partially blind signatures, where the public part can be chosen by the signer without prior agreement, 3-party blind signatures, as well as blind signatures on multiple aggregated messages provided by independent sources. We also extend Waters signatures to non-binary alphabets by proving a new result on the underlying hash function. ","lang":"eng"}],"volume":21,"status":"public","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","scopus_import":1,"_id":"502","publication":"Journal of Computer Security","issue":"5","author":[{"full_name":"Blazy, Olivier","first_name":"Olivier","last_name":"Blazy"},{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","full_name":"Fuchsbauer, Georg","first_name":"Georg","last_name":"Fuchsbauer"},{"full_name":"Pointcheval, David","first_name":"David","last_name":"Pointcheval"},{"first_name":"Damien","last_name":"Vergnaud","full_name":"Vergnaud, Damien"}],"date_created":"2018-12-11T11:46:50Z","department":[{"_id":"KrPi"}],"publication_status":"published","oa_version":"None","intvolume":"        21","title":"Short blind signatures","month":"11","quality_controlled":"1","page":"627 - 661","language":[{"iso":"eng"}],"publisher":"IOS Press"},{"month":"10","title":"Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols","department":[{"_id":"KrPi"}],"date_created":"2018-12-11T12:00:26Z","publication_status":"published","oa_version":"Submitted Version","author":[{"first_name":"José","last_name":"Almeida","full_name":"Almeida, José"},{"full_name":"Barbosa, Manuel","first_name":"Manuel","last_name":"Barbosa"},{"full_name":"Bangerter, Endre","last_name":"Bangerter","first_name":"Endre"},{"last_name":"Barthe","first_name":"Gilles","full_name":"Barthe, Gilles"},{"last_name":"Krenn","first_name":"Stephan","full_name":"Krenn, Stephan","orcid":"0000-0003-2835-9093","id":"329FCCF0-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Béguelin, Santiago","first_name":"Santiago","last_name":"Béguelin"}],"scopus_import":1,"_id":"2937","publication":"Proceedings of the 2012 ACM conference on Computer and communications security","conference":{"name":"CCS: Computer and Communications Security","start_date":"2012-10-16","end_date":"2012-10-18","location":"Raleigh, NC, USA"},"publisher":"ACM","language":[{"iso":"eng"}],"quality_controlled":"1","page":"488 - 500","oa":1,"publist_id":"3798","abstract":[{"text":"Developers building cryptography into security-sensitive applications face a daunting task. Not only must they understand the security guarantees delivered by the constructions they choose, they must also implement and combine them correctly and efficiently. Cryptographic compilers free developers from this task by turning high-level specifications of security goals into efficient implementations. Yet, trusting such tools is hard as they rely on complex mathematical machinery and claim security properties that are subtle and difficult to verify. In this paper we present ZKCrypt, an optimizing cryptographic compiler achieving an unprecedented level of assurance without sacrificing practicality for a comprehensive class of cryptographic protocols, known as Zero-Knowledge Proofs of Knowledge. The pipeline of ZKCrypt integrates purpose-built verified compilers and verifying compilers producing formal proofs in the CertiCrypt framework. By combining the guarantees delivered by each stage, ZKCrypt provides assurance that the output implementation securely realizes the abstract proof goal given as input. We report on the main characteristics of ZKCrypt, highlight new definitions and concepts at its foundations, and illustrate its applicability through a representative example of an anonymous credential system.","lang":"eng"}],"day":"01","doi":"10.1145/2382196.2382249","type":"conference","date_published":"2012-10-01T00:00:00Z","year":"2012","citation":{"apa":"Almeida, J., Barbosa, M., Bangerter, E., Barthe, G., Krenn, S., &#38; Béguelin, S. (2012). Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols. In <i>Proceedings of the 2012 ACM conference on Computer and communications security</i> (pp. 488–500). Raleigh, NC, USA: ACM. <a href=\"https://doi.org/10.1145/2382196.2382249\">https://doi.org/10.1145/2382196.2382249</a>","ama":"Almeida J, Barbosa M, Bangerter E, Barthe G, Krenn S, Béguelin S. Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols. In: <i>Proceedings of the 2012 ACM Conference on Computer and Communications Security</i>. ACM; 2012:488-500. doi:<a href=\"https://doi.org/10.1145/2382196.2382249\">10.1145/2382196.2382249</a>","chicago":"Almeida, José, Manuel Barbosa, Endre Bangerter, Gilles Barthe, Stephan Krenn, and Santiago Béguelin. “Full Proof Cryptography: Verifiable Compilation of Efficient Zero-Knowledge Protocols.” In <i>Proceedings of the 2012 ACM Conference on Computer and Communications Security</i>, 488–500. ACM, 2012. <a href=\"https://doi.org/10.1145/2382196.2382249\">https://doi.org/10.1145/2382196.2382249</a>.","ieee":"J. Almeida, M. Barbosa, E. Bangerter, G. Barthe, S. Krenn, and S. Béguelin, “Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols,” in <i>Proceedings of the 2012 ACM conference on Computer and communications security</i>, Raleigh, NC, USA, 2012, pp. 488–500.","short":"J. Almeida, M. Barbosa, E. Bangerter, G. Barthe, S. Krenn, S. Béguelin, in:, Proceedings of the 2012 ACM Conference on Computer and Communications Security, ACM, 2012, pp. 488–500.","mla":"Almeida, José, et al. “Full Proof Cryptography: Verifiable Compilation of Efficient Zero-Knowledge Protocols.” <i>Proceedings of the 2012 ACM Conference on Computer and Communications Security</i>, ACM, 2012, pp. 488–500, doi:<a href=\"https://doi.org/10.1145/2382196.2382249\">10.1145/2382196.2382249</a>.","ista":"Almeida J, Barbosa M, Bangerter E, Barthe G, Krenn S, Béguelin S. 2012. Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols. Proceedings of the 2012 ACM conference on Computer and communications security. CCS: Computer and Communications Security, 488–500."},"date_updated":"2021-01-12T07:39:53Z","status":"public","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2012/258"}],"acknowledgement":"This work was partially funded by National Funds through the FCT - Fundação para a Ciência e a Tecnologia (Portuguese Foundation for Science and Technology) within project ENI-AC/2224/2009, by ENIAC Joint Undertaking under grant agreement number 120224, European Projects FP7-256980 NESSoS and FP7-229599 AMAROUT, Spanish National project TIN2009-14599 DESAFIOS 10, and Madrid Regional project S2009TIC-1465 PROMETIDOS."},{"editor":[{"first_name":"Xiaoyun","last_name":"Wang","full_name":"Wang, Xiaoyun"},{"full_name":"Sako, Kazue","first_name":"Kazue","last_name":"Sako"}],"publisher":"Springer","file_date_updated":"2020-07-14T12:45:58Z","ec_funded":1,"page":"663 - 680","intvolume":"      7658","title":"Commitments and efficient zero knowledge proofs from learning parity with noise","alternative_title":["LNCS"],"pubrep_id":"721","date_created":"2018-12-11T12:00:38Z","department":[{"_id":"KrPi"}],"publication_status":"published","author":[{"full_name":"Jain, Abhishek","first_name":"Abhishek","last_name":"Jain"},{"id":"329FCCF0-F248-11E8-B48F-1D18A9856A87","first_name":"Stephan","last_name":"Krenn","orcid":"0000-0003-2835-9093","full_name":"Krenn, Stephan"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","last_name":"Pietrzak"},{"full_name":"Tentes, Aris","first_name":"Aris","last_name":"Tentes"}],"scopus_import":1,"_id":"2974","ddc":["004","005"],"acknowledgement":"We are grateful to Petros Mol for helpful discussions on the reduction for the hardness of the xLPN problem.\r\n","volume":7658,"abstract":[{"text":"We construct a perfectly binding string commitment scheme whose security is based on the learning parity with noise (LPN) assumption, or equivalently, the hardness of decoding random linear codes. Our scheme not only allows for a simple and efficient zero-knowledge proof of knowledge for committed values (essentially a Σ-protocol), but also for such proofs showing any kind of relation amongst committed values, i.e. proving that messages m_0,...,m_u, are such that m_0=C(m_1,...,m_u) for any circuit C.\r\n\r\nTo get soundness which is exponentially small in a security parameter t, and when the zero-knowledge property relies on the LPN problem with secrets of length l, our 3 round protocol has communication complexity O(t|C|l log(l)) and computational complexity of O(t|C|l) bit operations. The hidden constants are small, and the computation consists mostly of computing inner products of bit-vectors.","lang":"eng"}],"day":"01","doi":"10.1007/978-3-642-34961-4_40","citation":{"ieee":"A. Jain, S. Krenn, K. Z. Pietrzak, and A. Tentes, “Commitments and efficient zero knowledge proofs from learning parity with noise,” presented at the ASIACRYPT: Theory and Application of Cryptology and Information Security, Beijing, China, 2012, vol. 7658, pp. 663–680.","chicago":"Jain, Abhishek, Stephan Krenn, Krzysztof Z Pietrzak, and Aris Tentes. “Commitments and Efficient Zero Knowledge Proofs from Learning Parity with Noise.” edited by Xiaoyun Wang and Kazue Sako, 7658:663–80. Springer, 2012. <a href=\"https://doi.org/10.1007/978-3-642-34961-4_40\">https://doi.org/10.1007/978-3-642-34961-4_40</a>.","ama":"Jain A, Krenn S, Pietrzak KZ, Tentes A. Commitments and efficient zero knowledge proofs from learning parity with noise. In: Wang X, Sako K, eds. Vol 7658. Springer; 2012:663-680. doi:<a href=\"https://doi.org/10.1007/978-3-642-34961-4_40\">10.1007/978-3-642-34961-4_40</a>","apa":"Jain, A., Krenn, S., Pietrzak, K. Z., &#38; Tentes, A. (2012). Commitments and efficient zero knowledge proofs from learning parity with noise. In X. Wang &#38; K. Sako (Eds.) (Vol. 7658, pp. 663–680). Presented at the ASIACRYPT: Theory and Application of Cryptology and Information Security, Beijing, China: Springer. <a href=\"https://doi.org/10.1007/978-3-642-34961-4_40\">https://doi.org/10.1007/978-3-642-34961-4_40</a>","ista":"Jain A, Krenn S, Pietrzak KZ, Tentes A. 2012. Commitments and efficient zero knowledge proofs from learning parity with noise. ASIACRYPT: Theory and Application of Cryptology and Information Security, LNCS, vol. 7658, 663–680.","short":"A. Jain, S. Krenn, K.Z. Pietrzak, A. Tentes, in:, X. Wang, K. Sako (Eds.), Springer, 2012, pp. 663–680.","mla":"Jain, Abhishek, et al. <i>Commitments and Efficient Zero Knowledge Proofs from Learning Parity with Noise</i>. Edited by Xiaoyun Wang and Kazue Sako, vol. 7658, Springer, 2012, pp. 663–80, doi:<a href=\"https://doi.org/10.1007/978-3-642-34961-4_40\">10.1007/978-3-642-34961-4_40</a>."},"year":"2012","date_updated":"2021-01-12T07:40:11Z","conference":{"location":"Beijing, China","end_date":"2012-12-06","start_date":"2012-12-02","name":"ASIACRYPT: Theory and Application of Cryptology and Information Security"},"language":[{"iso":"eng"}],"month":"12","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"oa_version":"Submitted Version","has_accepted_license":"1","status":"public","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","file":[{"file_name":"IST-2016-721-v1+1_513.pdf","content_type":"application/pdf","date_updated":"2020-07-14T12:45:58Z","checksum":"ab879537385efc4cb4203e7ef0fea17b","file_size":482570,"date_created":"2018-12-12T10:14:00Z","creator":"system","file_id":"5048","relation":"main_file","access_level":"open_access"}],"publist_id":"3730","oa":1,"type":"conference","date_published":"2012-12-01T00:00:00Z","tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","short":"CC BY (4.0)","image":"/images/cc_by.png","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)"}},{"user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","status":"public","volume":7147,"abstract":[{"text":"The Learning Parity with Noise (LPN) problem has recently found many applications in cryptography as the hardness assumption underlying the constructions of &quot;provably secure&quot; cryptographic schemes like encryption or authentication protocols. Being provably secure means that the scheme comes with a proof showing that the existence of an efficient adversary against the scheme implies that the underlying hardness assumption is wrong. LPN based schemes are appealing for theoretical and practical reasons. On the theoretical side, LPN based schemes offer a very strong security guarantee. The LPN problem is equivalent to the problem of decoding random linear codes, a problem that has been extensively studied in the last half century. The fastest known algorithms run in exponential time and unlike most number-theoretic problems used in cryptography, the LPN problem does not succumb to known quantum algorithms. On the practical side, LPN based schemes are often extremely simple and efficient in terms of code-size as well as time and space requirements. This makes them prime candidates for light-weight devices like RFID tags, which are too weak to implement standard cryptographic primitives like the AES block-cipher. This talk will be a gentle introduction to provable security using simple LPN based schemes as examples. Starting from pseudorandom generators and symmetric key encryption, over secret-key authentication protocols, and, if time admits, touching on recent constructions of public-key identification, commitments and zero-knowledge proofs.","lang":"eng"}],"publist_id":"3407","doi":"10.1007/978-3-642-27660-6_9","day":"19","date_published":"2012-02-19T00:00:00Z","type":"conference","date_updated":"2021-01-12T07:42:07Z","citation":{"ista":"Pietrzak KZ. 2012. Cryptography from learning parity with noise. SOFSEM: Current Trends in Theory and Practice of Computer Science, LNCS, vol. 7147, 99–114.","short":"K.Z. Pietrzak, in:, Springer, 2012, pp. 99–114.","mla":"Pietrzak, Krzysztof Z. <i>Cryptography from Learning Parity with Noise</i>. Vol. 7147, Springer, 2012, pp. 99–114, doi:<a href=\"https://doi.org/10.1007/978-3-642-27660-6_9\">10.1007/978-3-642-27660-6_9</a>.","ieee":"K. Z. Pietrzak, “Cryptography from learning parity with noise,” presented at the SOFSEM: Current Trends in Theory and Practice of Computer Science, Špindlerův Mlýn, Czech Republic, 2012, vol. 7147, pp. 99–114.","chicago":"Pietrzak, Krzysztof Z. “Cryptography from Learning Parity with Noise,” 7147:99–114. Springer, 2012. <a href=\"https://doi.org/10.1007/978-3-642-27660-6_9\">https://doi.org/10.1007/978-3-642-27660-6_9</a>.","apa":"Pietrzak, K. Z. (2012). Cryptography from learning parity with noise (Vol. 7147, pp. 99–114). Presented at the SOFSEM: Current Trends in Theory and Practice of Computer Science, Špindlerův Mlýn, Czech Republic: Springer. <a href=\"https://doi.org/10.1007/978-3-642-27660-6_9\">https://doi.org/10.1007/978-3-642-27660-6_9</a>","ama":"Pietrzak KZ. Cryptography from learning parity with noise. In: Vol 7147. Springer; 2012:99-114. doi:<a href=\"https://doi.org/10.1007/978-3-642-27660-6_9\">10.1007/978-3-642-27660-6_9</a>"},"year":"2012","conference":{"start_date":"2012-01-21","name":"SOFSEM: Current Trends in Theory and Practice of Computer Science","location":"Špindlerův Mlýn, Czech Republic","end_date":"2012-01-27"},"publisher":"Springer","language":[{"iso":"eng"}],"page":"99 - 114","quality_controlled":"1","month":"02","alternative_title":["LNCS"],"title":"Cryptography from learning parity with noise","intvolume":"      7147","oa_version":"None","publication_status":"published","department":[{"_id":"KrPi"}],"date_created":"2018-12-11T12:02:15Z","author":[{"full_name":"Pietrzak, Krzysztof Z","orcid":"0000-0002-9139-1654","last_name":"Pietrzak","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"}],"_id":"3250","scopus_import":1}]