[{"scopus_import":1,"citation":{"short":"J.F. Alwen, J. Blocki, in:, Springer, 2016, pp. 241–271.","ama":"Alwen JF, Blocki J. Efficiently computing data-independent memory-hard functions. In: Vol 9815. Springer; 2016:241-271. doi:<a href=\"https://doi.org/10.1007/978-3-662-53008-5_9\">10.1007/978-3-662-53008-5_9</a>","apa":"Alwen, J. F., &#38; Blocki, J. (2016). Efficiently computing data-independent memory-hard functions (Vol. 9815, pp. 241–271). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, USA: Springer. <a href=\"https://doi.org/10.1007/978-3-662-53008-5_9\">https://doi.org/10.1007/978-3-662-53008-5_9</a>","ista":"Alwen JF, Blocki J. 2016. Efficiently computing data-independent memory-hard functions. CRYPTO: International Cryptology Conference, LNCS, vol. 9815, 241–271.","chicago":"Alwen, Joel F, and Jeremiah Blocki. “Efficiently Computing Data-Independent Memory-Hard Functions,” 9815:241–71. Springer, 2016. <a href=\"https://doi.org/10.1007/978-3-662-53008-5_9\">https://doi.org/10.1007/978-3-662-53008-5_9</a>.","ieee":"J. F. Alwen and J. Blocki, “Efficiently computing data-independent memory-hard functions,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, USA, 2016, vol. 9815, pp. 241–271.","mla":"Alwen, Joel F., and Jeremiah Blocki. <i>Efficiently Computing Data-Independent Memory-Hard Functions</i>. Vol. 9815, Springer, 2016, pp. 241–71, doi:<a href=\"https://doi.org/10.1007/978-3-662-53008-5_9\">10.1007/978-3-662-53008-5_9</a>."},"intvolume":"      9815","main_file_link":[{"url":"http://eprint.iacr.org/2016/115","open_access":"1"}],"day":"01","abstract":[{"text":"A memory-hard function (MHF) f is equipped with a space cost σ and time cost τ parameter such that repeatedly computing fσ,τ on an application specific integrated circuit (ASIC) is not economically advantageous relative to a general purpose computer. Technically we would like that any (generalized) circuit for evaluating an iMHF fσ,τ has area × time (AT) complexity at Θ(σ2 ∗ τ). A data-independent MHF (iMHF) has the added property that it can be computed with almost optimal memory and time complexity by an algorithm which accesses memory in a pattern independent of the input value. Such functions can be specified by fixing a directed acyclic graph (DAG) G on n = Θ(σ ∗ τ) nodes representing its computation graph. In this work we develop new tools for analyzing iMHFs. First we define and motivate a new complexity measure capturing the amount of energy (i.e. electricity) required to compute a function. We argue that, in practice, this measure is at least as important as the more traditional AT-complexity. Next we describe an algorithm A for repeatedly evaluating an iMHF based on an arbitrary DAG G. We upperbound both its energy and AT complexities per instance evaluated in terms of a certain combinatorial property of G. Next we instantiate our attack for several general classes of DAGs which include those underlying many of the most important iMHF candidates in the literature. In particular, we obtain the following results which hold for all choices of parameters σ and τ (and thread-count) such that n = σ ∗ τ. -The Catena-Dragonfly function of [FLW13] has AT and energy complexities O(n1.67). -The Catena-Butterfly function of [FLW13] has complexities is O(n1.67). -The Double-Buffer and the Linear functions of [CGBS16] both have complexities in O(n1.67). -The Argon2i function of [BDK15] (winner of the Password Hashing Competition [PHC]) has complexities O(n7/4 log(n)). -The Single-Buffer function of [CGBS16] has complexities O(n7/4 log(n)). -Any iMHF can be computed by an algorithm with complexities O(n2/ log1 −ε(n)) for all ε &gt; 0. In particular when τ = 1 this shows that the goal of constructing an iMHF with AT-complexity Θ(σ2 ∗ τ ) is unachievable. Along the way we prove a lemma upper-bounding the depth-robustness of any DAG which may prove to be of independent interest.","lang":"eng"}],"volume":9815,"status":"public","date_updated":"2021-01-12T06:50:11Z","page":"241 - 271","quality_controlled":"1","year":"2016","date_created":"2018-12-11T11:51:36Z","author":[{"full_name":"Alwen, Joel F","first_name":"Joel F","last_name":"Alwen","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Blocki, Jeremiah","first_name":"Jeremiah","last_name":"Blocki"}],"alternative_title":["LNCS"],"publist_id":"5876","date_published":"2016-08-01T00:00:00Z","department":[{"_id":"KrPi"}],"conference":{"end_date":"2016-08-18","location":"Santa Barbara, CA, USA","start_date":"2016-08-14","name":"CRYPTO: International Cryptology Conference"},"oa_version":"Preprint","type":"conference","title":"Efficiently computing data-independent memory-hard functions","oa":1,"publication_status":"published","language":[{"iso":"eng"}],"publisher":"Springer","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","_id":"1365","doi":"10.1007/978-3-662-53008-5_9","month":"08"},{"volume":9665,"date_created":"2018-12-11T11:51:36Z","year":"2016","page":"87 - 116","quality_controlled":"1","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668","call_identifier":"FP7"}],"date_updated":"2021-01-12T06:50:11Z","main_file_link":[{"open_access":"1","url":"https://eprint.iacr.org/2016/169/20160219:201940"}],"scopus_import":1,"language":[{"iso":"eng"}],"type":"conference","doi":"10.1007/978-3-662-49890-3_4","publisher":"Springer","publist_id":"5872","author":[{"id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","last_name":"Gazi","full_name":"Gazi, Peter","first_name":"Peter"},{"last_name":"Tessaro","first_name":"Stefano","full_name":"Tessaro, Stefano"}],"conference":{"location":"Vienna, Austria","end_date":"2016-05-12","name":"EUROCRYPT: Theory and Applications of Cryptographic Techniques","start_date":"2016-05-08"},"oa_version":"Preprint","date_published":"2016-05-01T00:00:00Z","status":"public","abstract":[{"lang":"eng","text":"We study the problem of devising provably secure PRNGs with input based on the sponge paradigm. Such constructions are very appealing, as efficient software/hardware implementations of SHA-3 can easily be translated into a PRNG in a nearly black-box way. The only existing sponge-based construction, proposed by Bertoni et al. (CHES 2010), fails to achieve the security notion of robustness recently considered by Dodis et al. (CCS 2013), for two reasons: (1) The construction is deterministic, and thus there are high-entropy input distributions on which the construction fails to extract random bits, and (2) The construction is not forward secure, and presented solutions aiming at restoring forward security have not been rigorously analyzed. We propose a seeded variant of Bertoni et al.’s PRNG with input which we prove secure in the sense of robustness, delivering in particular concrete security bounds. On the way, we make what we believe to be an important conceptual contribution, developing a variant of the security framework of Dodis et al. tailored at the ideal permutation model that captures PRNG security in settings where the weakly random inputs are provided from a large class of possible adversarial samplers which are also allowed to query the random permutation. As a further application of our techniques, we also present an efficient sponge-based key-derivation function (which can be instantiated from SHA-3 in a black-box fashion), which we also prove secure when fed with samples from permutation-dependent distributions."}],"ec_funded":1,"intvolume":"      9665","citation":{"ista":"Gazi P, Tessaro S. 2016. Provably robust sponge-based PRNGs and KDFs. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 9665, 87–116.","apa":"Gazi, P., &#38; Tessaro, S. (2016). Provably robust sponge-based PRNGs and KDFs (Vol. 9665, pp. 87–116). Presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Vienna, Austria: Springer. <a href=\"https://doi.org/10.1007/978-3-662-49890-3_4\">https://doi.org/10.1007/978-3-662-49890-3_4</a>","chicago":"Gazi, Peter, and Stefano Tessaro. “Provably Robust Sponge-Based PRNGs and KDFs,” 9665:87–116. Springer, 2016. <a href=\"https://doi.org/10.1007/978-3-662-49890-3_4\">https://doi.org/10.1007/978-3-662-49890-3_4</a>.","mla":"Gazi, Peter, and Stefano Tessaro. <i>Provably Robust Sponge-Based PRNGs and KDFs</i>. Vol. 9665, Springer, 2016, pp. 87–116, doi:<a href=\"https://doi.org/10.1007/978-3-662-49890-3_4\">10.1007/978-3-662-49890-3_4</a>.","ieee":"P. Gazi and S. Tessaro, “Provably robust sponge-based PRNGs and KDFs,” presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Vienna, Austria, 2016, vol. 9665, pp. 87–116.","short":"P. Gazi, S. Tessaro, in:, Springer, 2016, pp. 87–116.","ama":"Gazi P, Tessaro S. Provably robust sponge-based PRNGs and KDFs. In: Vol 9665. Springer; 2016:87-116. doi:<a href=\"https://doi.org/10.1007/978-3-662-49890-3_4\">10.1007/978-3-662-49890-3_4</a>"},"day":"01","publication_status":"published","title":"Provably robust sponge-based PRNGs and KDFs","oa":1,"_id":"1366","month":"05","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","alternative_title":["LNCS"],"department":[{"_id":"KrPi"}]},{"year":"2016","date_created":"2018-12-11T11:50:33Z","quality_controlled":"1","page":"1321 - 1362","date_updated":"2021-01-12T06:48:52Z","status":"public","abstract":[{"text":"Boldyreva, Palacio and Warinschi introduced a multiple forking game as an extension of general forking. The notion of (multiple) forking is a useful abstraction from the actual simulation of cryptographic scheme to the adversary in a security reduction, and is achieved through the intermediary of a so-called wrapper algorithm. Multiple forking has turned out to be a useful tool in the security argument of several cryptographic protocols. However, a reduction employing multiple forking incurs a significant degradation of (Formula presented.) , where (Formula presented.) denotes the upper bound on the underlying random oracle calls and (Formula presented.) , the number of forkings. In this work we take a closer look at the reasons for the degradation with a tighter security bound in mind. We nail down the exact set of conditions for success in the multiple forking game. A careful analysis of the cryptographic schemes and corresponding security reduction employing multiple forking leads to the formulation of ‘dependence’ and ‘independence’ conditions pertaining to the output of the wrapper in different rounds. Based on the (in)dependence conditions we propose a general framework of multiple forking and a General Multiple Forking Lemma. Leveraging (in)dependence to the full allows us to improve the degradation factor in the multiple forking game by a factor of (Formula presented.). By implication, the cost of a single forking involving two random oracles (augmented forking) matches that involving a single random oracle (elementary forking). Finally, we study the effect of these observations on the concrete security of existing schemes employing multiple forking. We conclude that by careful design of the protocol (and the wrapper in the security reduction) it is possible to harness our observations to the full extent.","lang":"eng"}],"volume":74,"day":"01","main_file_link":[{"open_access":"1","url":"http://eprint.iacr.org/2013/651"}],"citation":{"ista":"Kamath Hosdurg C, Chatterjee S. 2016. A closer look at multiple-forking: Leveraging (in)dependence for a tighter bound. Algorithmica. 74(4), 1321–1362.","chicago":"Kamath Hosdurg, Chethan, and Sanjit Chatterjee. “A Closer Look at Multiple-Forking: Leveraging (in)Dependence for a Tighter Bound.” <i>Algorithmica</i>. Springer, 2016. <a href=\"https://doi.org/10.1007/s00453-015-9997-6\">https://doi.org/10.1007/s00453-015-9997-6</a>.","apa":"Kamath Hosdurg, C., &#38; Chatterjee, S. (2016). A closer look at multiple-forking: Leveraging (in)dependence for a tighter bound. <i>Algorithmica</i>. Springer. <a href=\"https://doi.org/10.1007/s00453-015-9997-6\">https://doi.org/10.1007/s00453-015-9997-6</a>","ieee":"C. Kamath Hosdurg and S. Chatterjee, “A closer look at multiple-forking: Leveraging (in)dependence for a tighter bound,” <i>Algorithmica</i>, vol. 74, no. 4. Springer, pp. 1321–1362, 2016.","mla":"Kamath Hosdurg, Chethan, and Sanjit Chatterjee. “A Closer Look at Multiple-Forking: Leveraging (in)Dependence for a Tighter Bound.” <i>Algorithmica</i>, vol. 74, no. 4, Springer, 2016, pp. 1321–62, doi:<a href=\"https://doi.org/10.1007/s00453-015-9997-6\">10.1007/s00453-015-9997-6</a>.","short":"C. Kamath Hosdurg, S. Chatterjee, Algorithmica 74 (2016) 1321–1362.","ama":"Kamath Hosdurg C, Chatterjee S. A closer look at multiple-forking: Leveraging (in)dependence for a tighter bound. <i>Algorithmica</i>. 2016;74(4):1321-1362. doi:<a href=\"https://doi.org/10.1007/s00453-015-9997-6\">10.1007/s00453-015-9997-6</a>"},"intvolume":"        74","doi":"10.1007/s00453-015-9997-6","_id":"1177","month":"04","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","publisher":"Springer","publication_status":"published","language":[{"iso":"eng"}],"title":"A closer look at multiple-forking: Leveraging (in)dependence for a tighter bound","oa":1,"type":"journal_article","oa_version":"Submitted Version","acknowledgement":"We are grateful to the anonymous reviewers for their insightful comments. The\r\ndetailed reports helped us a lot to address the technical mistakes as well as to improve the overall presentation of the paper.","department":[{"_id":"KrPi"}],"date_published":"2016-04-01T00:00:00Z","publist_id":"6177","issue":"4","publication":"Algorithmica","author":[{"last_name":"Kamath Hosdurg","full_name":"Kamath Hosdurg, Chethan","first_name":"Chethan","id":"4BD3F30E-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Chatterjee","full_name":"Chatterjee, Sanjit","first_name":"Sanjit"}]},{"abstract":[{"text":"Computational notions of entropy have recently found many applications, including leakage-resilient cryptography, deterministic encryption or memory delegation. The two main types of results which make computational notions so useful are (1) Chain rules, which quantify by how much the computational entropy of a variable decreases if conditioned on some other variable (2) Transformations, which quantify to which extend one type of entropy implies another.\r\n\r\nSuch chain rules and transformations typically lose a significant amount in quality of the entropy, and are the reason why applying these results one gets rather weak quantitative security bounds. In this paper we for the first time prove lower bounds in this context, showing that existing results for transformations are, unfortunately, basically optimal for non-adaptive black-box reductions (and it’s hard to imagine how non black-box reductions or adaptivity could be useful here.)\r\n\r\nA variable X has k bits of HILL entropy of quality (ϵ,s)\r\nif there exists a variable Y with k bits min-entropy which cannot be distinguished from X with advantage ϵ\r\n\r\nby distinguishing circuits of size s. A weaker notion is Metric entropy, where we switch quantifiers, and only require that for every distinguisher of size s, such a Y exists.\r\n\r\nWe first describe our result concerning transformations. By definition, HILL implies Metric without any loss in quality. Metric entropy often comes up in applications, but must be transformed to HILL for meaningful security guarantees. The best known result states that if a variable X has k bits of Metric entropy of quality (ϵ,s)\r\n, then it has k bits of HILL with quality (2ϵ,s⋅ϵ2). We show that this loss of a factor Ω(ϵ−2)\r\n\r\nin circuit size is necessary. In fact, we show the stronger result that this loss is already necessary when transforming so called deterministic real valued Metric entropy to randomised boolean Metric (both these variants of Metric entropy are implied by HILL without loss in quality).\r\n\r\nThe chain rule for HILL entropy states that if X has k bits of HILL entropy of quality (ϵ,s)\r\n, then for any variable Z of length m, X conditioned on Z has k−m bits of HILL entropy with quality (ϵ,s⋅ϵ2/2m). We show that a loss of Ω(2m/ϵ) in circuit size necessary here. Note that this still leaves a gap of ϵ between the known bound and our lower bound.","lang":"eng"}],"status":"public","ec_funded":1,"intvolume":"      9985","citation":{"short":"K.Z. Pietrzak, S. Maciej, in:, Springer, 2016, pp. 183–203.","ama":"Pietrzak KZ, Maciej S. Pseudoentropy: Lower-bounds for chain rules and transformations. In: Vol 9985. Springer; 2016:183-203. doi:<a href=\"https://doi.org/10.1007/978-3-662-53641-4_8\">10.1007/978-3-662-53641-4_8</a>","apa":"Pietrzak, K. Z., &#38; Maciej, S. (2016). Pseudoentropy: Lower-bounds for chain rules and transformations (Vol. 9985, pp. 183–203). Presented at the TCC: Theory of Cryptography Conference, Beijing, China: Springer. <a href=\"https://doi.org/10.1007/978-3-662-53641-4_8\">https://doi.org/10.1007/978-3-662-53641-4_8</a>","chicago":"Pietrzak, Krzysztof Z, and Skorski Maciej. “Pseudoentropy: Lower-Bounds for Chain Rules and Transformations,” 9985:183–203. Springer, 2016. <a href=\"https://doi.org/10.1007/978-3-662-53641-4_8\">https://doi.org/10.1007/978-3-662-53641-4_8</a>.","ista":"Pietrzak KZ, Maciej S. 2016. Pseudoentropy: Lower-bounds for chain rules and transformations. TCC: Theory of Cryptography Conference, LNCS, vol. 9985, 183–203.","mla":"Pietrzak, Krzysztof Z., and Skorski Maciej. <i>Pseudoentropy: Lower-Bounds for Chain Rules and Transformations</i>. Vol. 9985, Springer, 2016, pp. 183–203, doi:<a href=\"https://doi.org/10.1007/978-3-662-53641-4_8\">10.1007/978-3-662-53641-4_8</a>.","ieee":"K. Z. Pietrzak and S. Maciej, “Pseudoentropy: Lower-bounds for chain rules and transformations,” presented at the TCC: Theory of Cryptography Conference, Beijing, China, 2016, vol. 9985, pp. 183–203."},"day":"22","oa":1,"title":"Pseudoentropy: Lower-bounds for chain rules and transformations","publication_status":"published","user_id":"3E5EF7F0-F248-11E8-B48F-1D18A9856A87","month":"10","_id":"1179","alternative_title":["LNCS"],"acknowledgement":"K. Pietrzak—Supported by the European Research Council consolidator grant (682815-TOCNeT).\r\nM. Skórski—Supported by the National Science Center, Poland (2015/17/N/ST6/03564).","department":[{"_id":"KrPi"}],"volume":9985,"date_updated":"2021-01-12T06:48:53Z","project":[{"call_identifier":"H2020","_id":"258AA5B2-B435-11E9-9278-68D0E5697425","name":"Teaching Old Crypto New Tricks","grant_number":"682815"}],"quality_controlled":"1","page":"183 - 203","year":"2016","date_created":"2018-12-11T11:50:34Z","scopus_import":1,"main_file_link":[{"url":"https://eprint.iacr.org/2016/159","open_access":"1"}],"type":"conference","language":[{"iso":"eng"}],"publisher":"Springer","doi":"10.1007/978-3-662-53641-4_8","author":[{"last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654"},{"first_name":"Skorski","full_name":"Maciej, Skorski","last_name":"Maciej"}],"publist_id":"6175","date_published":"2016-10-22T00:00:00Z","conference":{"name":"TCC: Theory of Cryptography Conference","start_date":"2016-10-31","location":"Beijing, China","end_date":"2016-11-03"},"oa_version":"Preprint"},{"alternative_title":["LNCS"],"department":[{"_id":"KrPi"}],"oa":1,"title":"Query-complexity amplification for random oracles","publication_status":"published","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","_id":"1644","month":"01","citation":{"ama":"Demay G, Gazi P, Maurer U, Tackmann B. Query-complexity amplification for random oracles. In: Vol 9063. Springer; 2015:159-180. doi:<a href=\"https://doi.org/10.1007/978-3-319-17470-9_10\">10.1007/978-3-319-17470-9_10</a>","short":"G. Demay, P. Gazi, U. Maurer, B. Tackmann, in:, Springer, 2015, pp. 159–180.","mla":"Demay, Grégory, et al. <i>Query-Complexity Amplification for Random Oracles</i>. Vol. 9063, Springer, 2015, pp. 159–80, doi:<a href=\"https://doi.org/10.1007/978-3-319-17470-9_10\">10.1007/978-3-319-17470-9_10</a>.","ieee":"G. Demay, P. Gazi, U. Maurer, and B. Tackmann, “Query-complexity amplification for random oracles,” presented at the ICITS: International Conference on Information Theoretic Security, Lugano, Switzerland, 2015, vol. 9063, pp. 159–180.","apa":"Demay, G., Gazi, P., Maurer, U., &#38; Tackmann, B. (2015). Query-complexity amplification for random oracles (Vol. 9063, pp. 159–180). Presented at the ICITS: International Conference on Information Theoretic Security, Lugano, Switzerland: Springer. <a href=\"https://doi.org/10.1007/978-3-319-17470-9_10\">https://doi.org/10.1007/978-3-319-17470-9_10</a>","ista":"Demay G, Gazi P, Maurer U, Tackmann B. 2015. Query-complexity amplification for random oracles. ICITS: International Conference on Information Theoretic Security, LNCS, vol. 9063, 159–180.","chicago":"Demay, Grégory, Peter Gazi, Ueli Maurer, and Björn Tackmann. “Query-Complexity Amplification for Random Oracles,” 9063:159–80. Springer, 2015. <a href=\"https://doi.org/10.1007/978-3-319-17470-9_10\">https://doi.org/10.1007/978-3-319-17470-9_10</a>."},"intvolume":"      9063","day":"01","abstract":[{"text":"Increasing the computational complexity of evaluating a hash function, both for the honest users as well as for an adversary, is a useful technique employed for example in password-based cryptographic schemes to impede brute-force attacks, and also in so-called proofs of work (used in protocols like Bitcoin) to show that a certain amount of computation was performed by a legitimate user. A natural approach to adjust the complexity of a hash function is to iterate it c times, for some parameter c, in the hope that any query to the scheme requires c evaluations of the underlying hash function. However, results by Dodis et al. (Crypto 2012) imply that plain iteration falls short of achieving this goal, and designing schemes which provably have such a desirable property remained an open problem. This paper formalizes explicitly what it means for a given scheme to amplify the query complexity of a hash function. In the random oracle model, the goal of a secure query-complexity amplifier (QCA) scheme is captured as transforming, in the sense of indifferentiability, a random oracle allowing R queries (for the adversary) into one provably allowing only r &lt; R queries. Turned around, this means that making r queries to the scheme requires at least R queries to the actual random oracle. Second, a new scheme, called collision-free iteration, is proposed and proven to achieve c-fold QCA for both the honest parties and the adversary, for any fixed parameter c.","lang":"eng"}],"status":"public","ec_funded":1,"author":[{"first_name":"Grégory","full_name":"Demay, Grégory","last_name":"Demay"},{"last_name":"Gazi","first_name":"Peter","full_name":"Gazi, Peter","id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Ueli","full_name":"Maurer, Ueli","last_name":"Maurer"},{"first_name":"Björn","full_name":"Tackmann, Björn","last_name":"Tackmann"}],"publist_id":"5507","date_published":"2015-01-01T00:00:00Z","conference":{"location":"Lugano, Switzerland","end_date":"2015-05-05","name":"ICITS: International Conference on Information Theoretic Security","start_date":"2015-05-02"},"oa_version":"Submitted Version","type":"conference","language":[{"iso":"eng"}],"publisher":"Springer","doi":"10.1007/978-3-319-17470-9_10","scopus_import":1,"main_file_link":[{"url":"http://eprint.iacr.org/2015/315","open_access":"1"}],"volume":9063,"date_updated":"2021-01-12T06:52:13Z","project":[{"call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"page":"159 - 180","quality_controlled":"1","date_created":"2018-12-11T11:53:13Z","year":"2015"},{"day":"24","scopus_import":1,"citation":{"ama":"Gazi P, Tessaro S. Secret-key cryptography from ideal primitives: A systematic verview. In: <i>2015 IEEE Information Theory Workshop</i>. IEEE; 2015. doi:<a href=\"https://doi.org/10.1109/ITW.2015.7133163\">10.1109/ITW.2015.7133163</a>","short":"P. Gazi, S. Tessaro, in:, 2015 IEEE Information Theory Workshop, IEEE, 2015.","mla":"Gazi, Peter, and Stefano Tessaro. “Secret-Key Cryptography from Ideal Primitives: A Systematic Verview.” <i>2015 IEEE Information Theory Workshop</i>, 7133163, IEEE, 2015, doi:<a href=\"https://doi.org/10.1109/ITW.2015.7133163\">10.1109/ITW.2015.7133163</a>.","ieee":"P. Gazi and S. Tessaro, “Secret-key cryptography from ideal primitives: A systematic verview,” in <i>2015 IEEE Information Theory Workshop</i>, Jerusalem, Israel, 2015.","ista":"Gazi P, Tessaro S. 2015. Secret-key cryptography from ideal primitives: A systematic verview. 2015 IEEE Information Theory Workshop. ITW 2015: IEEE Information Theory Workshop, 7133163.","apa":"Gazi, P., &#38; Tessaro, S. (2015). Secret-key cryptography from ideal primitives: A systematic verview. In <i>2015 IEEE Information Theory Workshop</i>. Jerusalem, Israel: IEEE. <a href=\"https://doi.org/10.1109/ITW.2015.7133163\">https://doi.org/10.1109/ITW.2015.7133163</a>","chicago":"Gazi, Peter, and Stefano Tessaro. “Secret-Key Cryptography from Ideal Primitives: A Systematic Verview.” In <i>2015 IEEE Information Theory Workshop</i>. IEEE, 2015. <a href=\"https://doi.org/10.1109/ITW.2015.7133163\">https://doi.org/10.1109/ITW.2015.7133163</a>."},"date_updated":"2021-01-12T06:52:13Z","ec_funded":1,"project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668","call_identifier":"FP7"}],"quality_controlled":"1","date_created":"2018-12-11T11:53:13Z","year":"2015","abstract":[{"lang":"eng","text":"Secret-key constructions are often proved secure in a model where one or more underlying components are replaced by an idealized oracle accessible to the attacker. This model gives rise to information-theoretic security analyses, and several advances have been made in this area over the last few years. This paper provides a systematic overview of what is achievable in this model, and how existing works fit into this view."}],"article_number":"7133163","status":"public","date_published":"2015-06-24T00:00:00Z","department":[{"_id":"KrPi"}],"oa_version":"None","conference":{"name":"ITW 2015: IEEE Information Theory Workshop","start_date":"2015-04-26","location":"Jerusalem, Israel","end_date":"2015-05-01"},"author":[{"id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","first_name":"Peter","full_name":"Gazi, Peter","last_name":"Gazi"},{"last_name":"Tessaro","full_name":"Tessaro, Stefano","first_name":"Stefano"}],"publist_id":"5506","publication":"2015 IEEE Information Theory Workshop","publisher":"IEEE","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","_id":"1645","doi":"10.1109/ITW.2015.7133163","month":"06","type":"conference","title":"Secret-key cryptography from ideal primitives: A systematic verview","language":[{"iso":"eng"}],"publication_status":"published"},{"department":[{"_id":"KrPi"}],"pubrep_id":"679","alternative_title":["LNCS"],"user_id":"8b945eb4-e2f2-11eb-945a-df72226e66a9","month":"03","_id":"1646","title":"Key-homomorphic constrained pseudorandom functions","oa":1,"publication_status":"published","day":"01","has_accepted_license":"1","intvolume":"      9015","citation":{"ama":"Banerjee A, Fuchsbauer G, Peikert C, Pietrzak KZ, Stevens S. Key-homomorphic constrained pseudorandom functions. In: <i>12th Theory of Cryptography Conference</i>. Vol 9015. Springer Nature; 2015:31-60. doi:<a href=\"https://doi.org/10.1007/978-3-662-46497-7_2\">10.1007/978-3-662-46497-7_2</a>","short":"A. Banerjee, G. Fuchsbauer, C. Peikert, K.Z. Pietrzak, S. Stevens, in:, 12th Theory of Cryptography Conference, Springer Nature, 2015, pp. 31–60.","mla":"Banerjee, Abishek, et al. “Key-Homomorphic Constrained Pseudorandom Functions.” <i>12th Theory of Cryptography Conference</i>, vol. 9015, Springer Nature, 2015, pp. 31–60, doi:<a href=\"https://doi.org/10.1007/978-3-662-46497-7_2\">10.1007/978-3-662-46497-7_2</a>.","ieee":"A. Banerjee, G. Fuchsbauer, C. Peikert, K. Z. Pietrzak, and S. Stevens, “Key-homomorphic constrained pseudorandom functions,” in <i>12th Theory of Cryptography Conference</i>, Warsaw, Poland, 2015, vol. 9015, pp. 31–60.","apa":"Banerjee, A., Fuchsbauer, G., Peikert, C., Pietrzak, K. Z., &#38; Stevens, S. (2015). Key-homomorphic constrained pseudorandom functions. In <i>12th Theory of Cryptography Conference</i> (Vol. 9015, pp. 31–60). Warsaw, Poland: Springer Nature. <a href=\"https://doi.org/10.1007/978-3-662-46497-7_2\">https://doi.org/10.1007/978-3-662-46497-7_2</a>","chicago":"Banerjee, Abishek, Georg Fuchsbauer, Chris Peikert, Krzysztof Z Pietrzak, and Sophie Stevens. “Key-Homomorphic Constrained Pseudorandom Functions.” In <i>12th Theory of Cryptography Conference</i>, 9015:31–60. Springer Nature, 2015. <a href=\"https://doi.org/10.1007/978-3-662-46497-7_2\">https://doi.org/10.1007/978-3-662-46497-7_2</a>.","ista":"Banerjee A, Fuchsbauer G, Peikert C, Pietrzak KZ, Stevens S. 2015. Key-homomorphic constrained pseudorandom functions. 12th Theory of Cryptography Conference. TCC: Theory of Cryptography Conference, LNCS, vol. 9015, 31–60."},"ec_funded":1,"status":"public","abstract":[{"text":"A pseudorandom function (PRF) is a keyed function F : K × X → Y where, for a random key k ∈ K, the function F(k, ·) is indistinguishable from a uniformly random function, given black-box access. A key-homomorphic PRF has the additional feature that for any keys k, k' and any input x, we have F(k+k', x) = F(k, x)⊕F(k', x) for some group operations +,⊕ on K and Y, respectively. A constrained PRF for a family of setsS ⊆ P(X) has the property that, given any key k and set S ∈ S, one can efficiently compute a “constrained” key kS that enables evaluation of F(k, x) on all inputs x ∈ S, while the values F(k, x) for x /∈ S remain pseudorandom even given kS. In this paper we construct PRFs that are simultaneously constrained and key homomorphic, where the homomorphic property holds even for constrained keys. We first show that the multilinear map-based bit-fixing and circuit-constrained PRFs of Boneh and Waters (Asiacrypt 2013) can be modified to also be keyhomomorphic. We then show that the LWE-based key-homomorphic PRFs of Banerjee and Peikert (Crypto 2014) are essentially already prefix-constrained PRFs, using a (non-obvious) definition of constrained keys and associated group operation. Moreover, the constrained keys themselves are pseudorandom, and the constraining and evaluation functions can all be computed in low depth. As an application of key-homomorphic constrained PRFs,we construct a proxy re-encryption schemewith fine-grained access control. This scheme allows storing encrypted data on an untrusted server, where each file can be encrypted relative to some attributes, so that only parties whose constrained keys match the attributes can decrypt. Moreover, the server can re-key (arbitrary subsets of) the ciphertexts without learning anything about the plaintexts, thus permitting efficient and finegrained revocation.","lang":"eng"}],"conference":{"start_date":"2015-03-23","name":"TCC: Theory of Cryptography Conference","end_date":"2015-03-25","location":"Warsaw, Poland"},"oa_version":"Submitted Version","date_published":"2015-03-01T00:00:00Z","publist_id":"5505","publication":"12th Theory of Cryptography Conference","ddc":["000","004"],"author":[{"last_name":"Banerjee","first_name":"Abishek","full_name":"Banerjee, Abishek"},{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","last_name":"Fuchsbauer","full_name":"Fuchsbauer, Georg","first_name":"Georg"},{"last_name":"Peikert","first_name":"Chris","full_name":"Peikert, Chris"},{"full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Stevens","first_name":"Sophie","full_name":"Stevens, Sophie"}],"doi":"10.1007/978-3-662-46497-7_2","publisher":"Springer Nature","language":[{"iso":"eng"}],"file_date_updated":"2020-07-14T12:45:08Z","type":"conference","article_processing_charge":"No","publication_identifier":{"isbn":["978-3-662-46496-0"]},"scopus_import":"1","main_file_link":[{"url":"https://eprint.iacr.org/2015/180","open_access":"1"}],"page":"31 - 60","quality_controlled":"1","year":"2015","date_created":"2018-12-11T11:53:14Z","date_updated":"2022-02-03T08:41:46Z","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography","call_identifier":"FP7"}],"volume":9015,"file":[{"file_id":"5136","content_type":"application/pdf","date_created":"2018-12-12T10:15:17Z","access_level":"open_access","date_updated":"2020-07-14T12:45:08Z","file_name":"IST-2016-679-v1+1_180.pdf","file_size":450665,"creator":"system","relation":"main_file","checksum":"3c5093bda5783c89beaacabf1aa0e60e"}]},{"main_file_link":[{"url":"https://eprint.iacr.org/2015/626.pdf","open_access":"1"}],"scopus_import":1,"article_processing_charge":"No","volume":9216,"date_created":"2018-12-11T11:53:14Z","year":"2015","page":"233 - 253","quality_controlled":"1","project":[{"call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"date_updated":"2023-02-21T16:44:51Z","publist_id":"5503","author":[{"first_name":"Georg","full_name":"Fuchsbauer, Georg","last_name":"Fuchsbauer","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Hanser, Christian","first_name":"Christian","last_name":"Hanser"},{"last_name":"Slamanig","first_name":"Daniel","full_name":"Slamanig, Daniel"}],"conference":{"end_date":"2015-08-20","location":"Santa Barbara, CA, United States","start_date":"2015-08-16","name":"CRYPTO: International Cryptology Conference"},"oa_version":"Submitted Version","date_published":"2015-08-01T00:00:00Z","language":[{"iso":"eng"}],"type":"conference","doi":"10.1007/978-3-662-48000-7_12","publisher":"Springer","intvolume":"      9216","citation":{"mla":"Fuchsbauer, Georg, et al. <i>Practical Round-Optimal Blind Signatures in the Standard Model</i>. Vol. 9216, Springer, 2015, pp. 233–53, doi:<a href=\"https://doi.org/10.1007/978-3-662-48000-7_12\">10.1007/978-3-662-48000-7_12</a>.","ieee":"G. Fuchsbauer, C. Hanser, and D. Slamanig, “Practical round-optimal blind signatures in the standard model,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States, 2015, vol. 9216, pp. 233–253.","ista":"Fuchsbauer G, Hanser C, Slamanig D. 2015. Practical round-optimal blind signatures in the standard model. CRYPTO: International Cryptology Conference, LNCS, vol. 9216, 233–253.","apa":"Fuchsbauer, G., Hanser, C., &#38; Slamanig, D. (2015). Practical round-optimal blind signatures in the standard model (Vol. 9216, pp. 233–253). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. <a href=\"https://doi.org/10.1007/978-3-662-48000-7_12\">https://doi.org/10.1007/978-3-662-48000-7_12</a>","chicago":"Fuchsbauer, Georg, Christian Hanser, and Daniel Slamanig. “Practical Round-Optimal Blind Signatures in the Standard Model,” 9216:233–53. Springer, 2015. <a href=\"https://doi.org/10.1007/978-3-662-48000-7_12\">https://doi.org/10.1007/978-3-662-48000-7_12</a>.","ama":"Fuchsbauer G, Hanser C, Slamanig D. Practical round-optimal blind signatures in the standard model. In: Vol 9216. Springer; 2015:233-253. doi:<a href=\"https://doi.org/10.1007/978-3-662-48000-7_12\">10.1007/978-3-662-48000-7_12</a>","short":"G. Fuchsbauer, C. Hanser, D. Slamanig, in:, Springer, 2015, pp. 233–253."},"day":"01","status":"public","abstract":[{"lang":"eng","text":"Round-optimal blind signatures are notoriously hard to construct in the standard model, especially in the malicious-signer model, where blindness must hold under adversarially chosen keys. This is substantiated by several impossibility results. The only construction that can be termed theoretically efficient, by Garg and Gupta (Eurocrypt’14), requires complexity leveraging, inducing an exponential security loss. We present a construction of practically efficient round-optimal blind signatures in the standard model. It is conceptually simple and builds on the recent structure-preserving signatures on equivalence classes (SPSEQ) from Asiacrypt’14. While the traditional notion of blindness follows from standard assumptions, we prove blindness under adversarially chosen keys under an interactive variant of DDH. However, we neither require non-uniform assumptions nor complexity leveraging. We then show how to extend our construction to partially blind signatures and to blind signatures on message vectors, which yield a construction of one-show anonymous credentials à la “anonymous credentials light” (CCS’13) in the standard model. Furthermore, we give the first SPS-EQ construction under noninteractive assumptions and show how SPS-EQ schemes imply conventional structure-preserving signatures, which allows us to apply optimality results for the latter to SPS-EQ."}],"ec_funded":1,"alternative_title":["LNCS"],"department":[{"_id":"KrPi"}],"publication_status":"published","oa":1,"title":"Practical round-optimal blind signatures in the standard model","related_material":{"record":[{"relation":"later_version","status":"public","id":"1225"}]},"_id":"1647","month":"08","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87"},{"status":"public","abstract":[{"text":"Generalized Selective Decryption (GSD), introduced by Panjwani [TCC’07], is a game for a symmetric encryption scheme Enc that captures the difficulty of proving adaptive security of certain protocols, most notably the Logical Key Hierarchy (LKH) multicast encryption protocol. In the GSD game there are n keys k1,..., kn, which the adversary may adaptively corrupt (learn); moreover, it can ask for encryptions Encki (kj) of keys under other keys. The adversary’s task is to distinguish keys (which it cannot trivially compute) from random. Proving the hardness of GSD assuming only IND-CPA security of Enc is surprisingly hard. Using “complexity leveraging” loses a factor exponential in n, which makes the proof practically meaningless. We can think of the GSD game as building a graph on n vertices, where we add an edge i → j when the adversary asks for an encryption of kj under ki. If restricted to graphs of depth ℓ, Panjwani gave a reduction that loses only a factor exponential in ℓ (not n). To date, this is the only non-trivial result known for GSD. In this paper we give almost-polynomial reductions for large classes of graphs. Most importantly, we prove the security of the GSD game restricted to trees losing only a quasi-polynomial factor n3 log n+5. Trees are an important special case capturing real-world protocols like the LKH protocol. Our new bound improves upon Panjwani’s on some LKH variants proposed in the literature where the underlying tree is not balanced. Our proof builds on ideas from the “nested hybrids” technique recently introduced by Fuchsbauer et al. [Asiacrypt’14] for proving the adaptive security of constrained PRFs.","lang":"eng"}],"ec_funded":1,"citation":{"ama":"Fuchsbauer G, Jafargholi Z, Pietrzak KZ. A quasipolynomial reduction for generalized selective decryption on trees. In: Vol 9215. Springer; 2015:601-620. doi:<a href=\"https://doi.org/10.1007/978-3-662-47989-6_29\">10.1007/978-3-662-47989-6_29</a>","short":"G. Fuchsbauer, Z. Jafargholi, K.Z. Pietrzak, in:, Springer, 2015, pp. 601–620.","mla":"Fuchsbauer, Georg, et al. <i>A Quasipolynomial Reduction for Generalized Selective Decryption on Trees</i>. Vol. 9215, Springer, 2015, pp. 601–20, doi:<a href=\"https://doi.org/10.1007/978-3-662-47989-6_29\">10.1007/978-3-662-47989-6_29</a>.","ieee":"G. Fuchsbauer, Z. Jafargholi, and K. Z. Pietrzak, “A quasipolynomial reduction for generalized selective decryption on trees,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, USA, 2015, vol. 9215, pp. 601–620.","ista":"Fuchsbauer G, Jafargholi Z, Pietrzak KZ. 2015. A quasipolynomial reduction for generalized selective decryption on trees. CRYPTO: International Cryptology Conference, LNCS, vol. 9215, 601–620.","apa":"Fuchsbauer, G., Jafargholi, Z., &#38; Pietrzak, K. Z. (2015). A quasipolynomial reduction for generalized selective decryption on trees (Vol. 9215, pp. 601–620). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, USA: Springer. <a href=\"https://doi.org/10.1007/978-3-662-47989-6_29\">https://doi.org/10.1007/978-3-662-47989-6_29</a>","chicago":"Fuchsbauer, Georg, Zahra Jafargholi, and Krzysztof Z Pietrzak. “A Quasipolynomial Reduction for Generalized Selective Decryption on Trees,” 9215:601–20. Springer, 2015. <a href=\"https://doi.org/10.1007/978-3-662-47989-6_29\">https://doi.org/10.1007/978-3-662-47989-6_29</a>."},"intvolume":"      9215","day":"01","has_accepted_license":"1","publication_status":"published","title":"A quasipolynomial reduction for generalized selective decryption on trees","oa":1,"_id":"1648","month":"08","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","pubrep_id":"674","alternative_title":["LNCS"],"department":[{"_id":"KrPi"}],"file":[{"relation":"main_file","checksum":"99b76b3263d5082554d0a9cbdeca3a22","file_size":505618,"creator":"system","file_name":"IST-2016-674-v1+1_389.pdf","file_id":"5015","date_created":"2018-12-12T10:13:31Z","content_type":"application/pdf","access_level":"open_access","date_updated":"2020-07-14T12:45:08Z"}],"volume":9215,"date_created":"2018-12-11T11:53:14Z","year":"2015","quality_controlled":"1","page":"601 - 620","project":[{"call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"date_updated":"2021-01-12T06:52:14Z","scopus_import":1,"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","image":"/images/cc_by.png","short":"CC BY (4.0)"},"language":[{"iso":"eng"}],"type":"conference","file_date_updated":"2020-07-14T12:45:08Z","doi":"10.1007/978-3-662-47989-6_29","publisher":"Springer","publist_id":"5502","author":[{"last_name":"Fuchsbauer","first_name":"Georg","full_name":"Fuchsbauer, Georg","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Jafargholi","first_name":"Zahra","full_name":"Jafargholi, Zahra"},{"last_name":"Pietrzak","first_name":"Krzysztof Z","full_name":"Pietrzak, Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654"}],"ddc":["004"],"oa_version":"Submitted Version","conference":{"start_date":"2015-08-16","name":"CRYPTO: International Cryptology Conference","end_date":"2015-08-20","location":"Santa Barbara, CA, USA"},"date_published":"2015-08-01T00:00:00Z"},{"date_published":"2015-01-01T00:00:00Z","license":"https://creativecommons.org/licenses/by-nc/4.0/","oa_version":"Published Version","conference":{"name":"ESORICS: European Symposium on Research in Computer Security","start_date":"2015-09-21","location":"Vienna, Austria","end_date":"2015-09-25"},"ddc":["000","004"],"author":[{"last_name":"Benhamouda","first_name":"Fabrice","full_name":"Benhamouda, Fabrice"},{"first_name":"Stephan","full_name":"Krenn, Stephan","last_name":"Krenn"},{"last_name":"Lyubashevsky","first_name":"Vadim","full_name":"Lyubashevsky, Vadim"},{"first_name":"Krzysztof Z","full_name":"Pietrzak, Krzysztof Z","last_name":"Pietrzak","orcid":"0000-0002-9139-1654","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"}],"publist_id":"5501","publisher":"Springer","doi":"10.1007/978-3-319-24174-6_16","file_date_updated":"2020-07-14T12:45:08Z","type":"conference","language":[{"iso":"eng"}],"tmp":{"short":"CC BY-NC (4.0)","name":"Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)","legal_code_url":"https://creativecommons.org/licenses/by-nc/4.0/legalcode","image":"/images/cc_by_nc.png"},"scopus_import":1,"date_updated":"2021-01-12T06:52:14Z","project":[{"call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"page":"305 - 325","quality_controlled":"1","series_title":"Lecture Notes in Computer Science","year":"2015","date_created":"2018-12-11T11:53:15Z","volume":9326,"file":[{"date_updated":"2020-07-14T12:45:08Z","access_level":"open_access","date_created":"2018-12-12T10:11:28Z","content_type":"application/pdf","file_id":"4883","file_name":"IST-2016-678-v1+1_889.pdf","creator":"system","file_size":494239,"checksum":"6eac4a485b2aa644b2d3f753ed0b280b","relation":"main_file"}],"department":[{"_id":"KrPi"}],"alternative_title":["LNCS"],"pubrep_id":"678","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","month":"01","_id":"1649","oa":1,"title":"Efficient zero-knowledge proofs for commitments from learning with errors over rings","publication_status":"published","has_accepted_license":"1","day":"01","citation":{"short":"F. Benhamouda, S. Krenn, V. Lyubashevsky, K.Z. Pietrzak, 9326 (2015) 305–325.","ama":"Benhamouda F, Krenn S, Lyubashevsky V, Pietrzak KZ. Efficient zero-knowledge proofs for commitments from learning with errors over rings. 2015;9326:305-325. doi:<a href=\"https://doi.org/10.1007/978-3-319-24174-6_16\">10.1007/978-3-319-24174-6_16</a>","apa":"Benhamouda, F., Krenn, S., Lyubashevsky, V., &#38; Pietrzak, K. Z. (2015). Efficient zero-knowledge proofs for commitments from learning with errors over rings. Presented at the ESORICS: European Symposium on Research in Computer Security, Vienna, Austria: Springer. <a href=\"https://doi.org/10.1007/978-3-319-24174-6_16\">https://doi.org/10.1007/978-3-319-24174-6_16</a>","ista":"Benhamouda F, Krenn S, Lyubashevsky V, Pietrzak KZ. 2015. Efficient zero-knowledge proofs for commitments from learning with errors over rings. 9326, 305–325.","chicago":"Benhamouda, Fabrice, Stephan Krenn, Vadim Lyubashevsky, and Krzysztof Z Pietrzak. “Efficient Zero-Knowledge Proofs for Commitments from Learning with Errors over Rings.” Lecture Notes in Computer Science. Springer, 2015. <a href=\"https://doi.org/10.1007/978-3-319-24174-6_16\">https://doi.org/10.1007/978-3-319-24174-6_16</a>.","ieee":"F. Benhamouda, S. Krenn, V. Lyubashevsky, and K. Z. Pietrzak, “Efficient zero-knowledge proofs for commitments from learning with errors over rings,” vol. 9326. Springer, pp. 305–325, 2015.","mla":"Benhamouda, Fabrice, et al. <i>Efficient Zero-Knowledge Proofs for Commitments from Learning with Errors over Rings</i>. Vol. 9326, Springer, 2015, pp. 305–25, doi:<a href=\"https://doi.org/10.1007/978-3-319-24174-6_16\">10.1007/978-3-319-24174-6_16</a>."},"intvolume":"      9326","ec_funded":1,"abstract":[{"text":"We extend a commitment scheme based on the learning with errors over rings (RLWE) problem, and present efficient companion zeroknowledge proofs of knowledge. Our scheme maps elements from the ring (or equivalently, n elements from ","lang":"eng"}],"status":"public"},{"_id":"1650","month":"06","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","publication_status":"published","title":"Condensed unpredictability ","oa":1,"department":[{"_id":"KrPi"}],"alternative_title":["LNCS"],"pubrep_id":"675","ec_funded":1,"status":"public","abstract":[{"lang":"eng","text":"We consider the task of deriving a key with high HILL entropy (i.e., being computationally indistinguishable from a key with high min-entropy) from an unpredictable source.\r\n\r\nPrevious to this work, the only known way to transform unpredictability into a key that was ϵ indistinguishable from having min-entropy was via pseudorandomness, for example by Goldreich-Levin (GL) hardcore bits. This approach has the inherent limitation that from a source with k bits of unpredictability entropy one can derive a key of length (and thus HILL entropy) at most k−2log(1/ϵ) bits. In many settings, e.g. when dealing with biometric data, such a 2log(1/ϵ) bit entropy loss in not an option. Our main technical contribution is a theorem that states that in the high entropy regime, unpredictability implies HILL entropy. Concretely, any variable K with |K|−d bits of unpredictability entropy has the same amount of so called metric entropy (against real-valued, deterministic distinguishers), which is known to imply the same amount of HILL entropy. The loss in circuit size in this argument is exponential in the entropy gap d, and thus this result only applies for small d (i.e., where the size of distinguishers considered is exponential in d).\r\n\r\nTo overcome the above restriction, we investigate if it’s possible to first “condense” unpredictability entropy and make the entropy gap small. We show that any source with k bits of unpredictability can be condensed into a source of length k with k−3 bits of unpredictability entropy. Our condenser simply “abuses&quot; the GL construction and derives a k bit key from a source with k bits of unpredicatibily. The original GL theorem implies nothing when extracting that many bits, but we show that in this regime, GL still behaves like a “condenser&quot; for unpredictability. This result comes with two caveats (1) the loss in circuit size is exponential in k and (2) we require that the source we start with has no HILL entropy (equivalently, one can efficiently check if a guess is correct). We leave it as an intriguing open problem to overcome these restrictions or to prove they’re inherent."}],"day":"20","has_accepted_license":"1","citation":{"short":"M. Skórski, A. Golovnev, K.Z. Pietrzak, in:, Springer, 2015, pp. 1046–1057.","ama":"Skórski M, Golovnev A, Pietrzak KZ. Condensed unpredictability . In: Vol 9134. Springer; 2015:1046-1057. doi:<a href=\"https://doi.org/10.1007/978-3-662-47672-7_85\">10.1007/978-3-662-47672-7_85</a>","chicago":"Skórski, Maciej, Alexander Golovnev, and Krzysztof Z Pietrzak. “Condensed Unpredictability ,” 9134:1046–57. Springer, 2015. <a href=\"https://doi.org/10.1007/978-3-662-47672-7_85\">https://doi.org/10.1007/978-3-662-47672-7_85</a>.","apa":"Skórski, M., Golovnev, A., &#38; Pietrzak, K. Z. (2015). Condensed unpredictability  (Vol. 9134, pp. 1046–1057). Presented at the ICALP: Automata, Languages and Programming, Kyoto, Japan: Springer. <a href=\"https://doi.org/10.1007/978-3-662-47672-7_85\">https://doi.org/10.1007/978-3-662-47672-7_85</a>","ista":"Skórski M, Golovnev A, Pietrzak KZ. 2015. Condensed unpredictability . ICALP: Automata, Languages and Programming, LNCS, vol. 9134, 1046–1057.","mla":"Skórski, Maciej, et al. <i>Condensed Unpredictability </i>. Vol. 9134, Springer, 2015, pp. 1046–57, doi:<a href=\"https://doi.org/10.1007/978-3-662-47672-7_85\">10.1007/978-3-662-47672-7_85</a>.","ieee":"M. Skórski, A. Golovnev, and K. Z. Pietrzak, “Condensed unpredictability ,” presented at the ICALP: Automata, Languages and Programming, Kyoto, Japan, 2015, vol. 9134, pp. 1046–1057."},"intvolume":"      9134","doi":"10.1007/978-3-662-47672-7_85","publisher":"Springer","language":[{"iso":"eng"}],"type":"conference","file_date_updated":"2020-07-14T12:45:08Z","conference":{"start_date":"2015-07-06","name":"ICALP: Automata, Languages and Programming","end_date":"2015-07-10","location":"Kyoto, Japan"},"oa_version":"Published Version","date_published":"2015-06-20T00:00:00Z","publist_id":"5500","author":[{"full_name":"Skórski, Maciej","first_name":"Maciej","last_name":"Skórski"},{"last_name":"Golovnev","first_name":"Alexander","full_name":"Golovnev, Alexander"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","last_name":"Pietrzak"}],"ddc":["000","005"],"year":"2015","date_created":"2018-12-11T11:53:15Z","quality_controlled":"1","page":"1046 - 1057","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"date_updated":"2021-01-12T06:52:15Z","file":[{"creator":"system","file_size":525503,"checksum":"e808c7eecb631336fc9f9bf2e8d4ecae","relation":"main_file","access_level":"open_access","date_updated":"2020-07-14T12:45:08Z","content_type":"application/pdf","date_created":"2018-12-12T10:08:32Z","file_id":"4693","file_name":"IST-2016-675-v1+1_384.pdf"}],"volume":9134,"tmp":{"legal_code_url":"https://creativecommons.org/licenses/by/4.0/legalcode","name":"Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)","image":"/images/cc_by.png","short":"CC BY (4.0)"},"scopus_import":1},{"date_published":"2015-03-17T00:00:00Z","conference":{"end_date":"2015-04-01","location":"Gaithersburg, MD, United States","start_date":"2015-03-30","name":"PKC: Public Key Crypography"},"oa_version":"Published Version","author":[{"last_name":"Baldimtsi","first_name":"Foteini","full_name":"Baldimtsi, Foteini"},{"first_name":"Melissa","full_name":"Chase, Melissa","last_name":"Chase"},{"full_name":"Fuchsbauer, Georg","first_name":"Georg","last_name":"Fuchsbauer","id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87"},{"first_name":"Markulf","full_name":"Kohlweiss, Markulf","last_name":"Kohlweiss"}],"publication":"Public-Key Cryptography - PKC 2015","publist_id":"5499","publisher":"Springer","doi":"10.1007/978-3-662-46447-2_5","type":"conference","language":[{"iso":"eng"}],"article_processing_charge":"No","scopus_import":"1","main_file_link":[{"url":"https://doi.org/10.1007/978-3-662-46447-2_5","open_access":"1"}],"publication_identifier":{"isbn":["978-3-662-46446-5"]},"date_updated":"2022-05-23T10:08:37Z","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"quality_controlled":"1","page":"101 - 124","date_created":"2018-12-11T11:53:15Z","year":"2015","volume":9020,"department":[{"_id":"KrPi"}],"acknowledgement":"Work done as an intern in Microsoft Research Redmond and as a student at Brown University, where supported by NSF grant 0964379. Supported by the European Research Council, ERC Starting Grant (259668-PSPC).","alternative_title":["LNCS"],"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","month":"03","_id":"1651","oa":1,"title":"Anonymous transferable e-cash","publication_status":"published","day":"17","intvolume":"      9020","citation":{"apa":"Baldimtsi, F., Chase, M., Fuchsbauer, G., &#38; Kohlweiss, M. (2015). Anonymous transferable e-cash. In <i>Public-Key Cryptography - PKC 2015</i> (Vol. 9020, pp. 101–124). Gaithersburg, MD, United States: Springer. <a href=\"https://doi.org/10.1007/978-3-662-46447-2_5\">https://doi.org/10.1007/978-3-662-46447-2_5</a>","chicago":"Baldimtsi, Foteini, Melissa Chase, Georg Fuchsbauer, and Markulf Kohlweiss. “Anonymous Transferable E-Cash.” In <i>Public-Key Cryptography - PKC 2015</i>, 9020:101–24. Springer, 2015. <a href=\"https://doi.org/10.1007/978-3-662-46447-2_5\">https://doi.org/10.1007/978-3-662-46447-2_5</a>.","ista":"Baldimtsi F, Chase M, Fuchsbauer G, Kohlweiss M. 2015. Anonymous transferable e-cash. Public-Key Cryptography - PKC 2015. PKC: Public Key Crypography, LNCS, vol. 9020, 101–124.","mla":"Baldimtsi, Foteini, et al. “Anonymous Transferable E-Cash.” <i>Public-Key Cryptography - PKC 2015</i>, vol. 9020, Springer, 2015, pp. 101–24, doi:<a href=\"https://doi.org/10.1007/978-3-662-46447-2_5\">10.1007/978-3-662-46447-2_5</a>.","ieee":"F. Baldimtsi, M. Chase, G. Fuchsbauer, and M. Kohlweiss, “Anonymous transferable e-cash,” in <i>Public-Key Cryptography - PKC 2015</i>, Gaithersburg, MD, United States, 2015, vol. 9020, pp. 101–124.","short":"F. Baldimtsi, M. Chase, G. Fuchsbauer, M. Kohlweiss, in:, Public-Key Cryptography - PKC 2015, Springer, 2015, pp. 101–124.","ama":"Baldimtsi F, Chase M, Fuchsbauer G, Kohlweiss M. Anonymous transferable e-cash. In: <i>Public-Key Cryptography - PKC 2015</i>. Vol 9020. Springer; 2015:101-124. doi:<a href=\"https://doi.org/10.1007/978-3-662-46447-2_5\">10.1007/978-3-662-46447-2_5</a>"},"ec_funded":1,"abstract":[{"lang":"eng","text":"Cryptographic e-cash allows off-line electronic transactions between a bank, users and merchants in a secure and anonymous fashion. A plethora of e-cash constructions has been proposed in the literature; however, these traditional e-cash schemes only allow coins to be transferred once between users and merchants. Ideally, we would like users to be able to transfer coins between each other multiple times before deposit, as happens with physical cash. “Transferable” e-cash schemes are the solution to this problem. Unfortunately, the currently proposed schemes are either completely impractical or do not achieve the desirable anonymity properties without compromises, such as assuming the existence of a trusted “judge” who can trace all coins and users in the system. This paper presents the first efficient and fully anonymous transferable e-cash scheme without any trusted third parties. We start by revising the security and anonymity properties of transferable e-cash to capture issues that were previously overlooked. For our construction we use the recently proposed malleable signatures by Chase et al. to allow the secure and anonymous transfer of coins, combined with a new efficient double-spending detection mechanism. Finally, we discuss an instantiation of our construction."}],"status":"public"},{"department":[{"_id":"KrPi"}],"date_published":"2015-06-01T00:00:00Z","conference":{"start_date":"2015-06-14","name":"STOC: Symposium on the Theory of Computing","end_date":"2015-06-17","location":"Portland, OR, United States"},"oa_version":"Submitted Version","author":[{"full_name":"Alwen, Joel F","first_name":"Joel F","last_name":"Alwen","id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87"},{"full_name":"Serbinenko, Vladimir","first_name":"Vladimir","last_name":"Serbinenko"}],"publist_id":"5498","publication":"Proceedings of the 47th annual ACM symposium on Theory of computing","publisher":"ACM","_id":"1652","doi":"10.1145/2746539.2746622","month":"06","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","type":"conference","language":[{"iso":"eng"}],"publication_status":"published","title":"High parallel complexity graphs and memory-hard functions","oa":1,"day":"01","citation":{"ama":"Alwen JF, Serbinenko V. High parallel complexity graphs and memory-hard functions. In: <i>Proceedings of the 47th Annual ACM Symposium on Theory of Computing</i>. ACM; 2015:595-603. doi:<a href=\"https://doi.org/10.1145/2746539.2746622\">10.1145/2746539.2746622</a>","short":"J.F. Alwen, V. Serbinenko, in:, Proceedings of the 47th Annual ACM Symposium on Theory of Computing, ACM, 2015, pp. 595–603.","ieee":"J. F. Alwen and V. Serbinenko, “High parallel complexity graphs and memory-hard functions,” in <i>Proceedings of the 47th annual ACM symposium on Theory of computing</i>, Portland, OR, United States, 2015, pp. 595–603.","mla":"Alwen, Joel F., and Vladimir Serbinenko. “High Parallel Complexity Graphs and Memory-Hard Functions.” <i>Proceedings of the 47th Annual ACM Symposium on Theory of Computing</i>, ACM, 2015, pp. 595–603, doi:<a href=\"https://doi.org/10.1145/2746539.2746622\">10.1145/2746539.2746622</a>.","apa":"Alwen, J. F., &#38; Serbinenko, V. (2015). High parallel complexity graphs and memory-hard functions. In <i>Proceedings of the 47th annual ACM symposium on Theory of computing</i> (pp. 595–603). Portland, OR, United States: ACM. <a href=\"https://doi.org/10.1145/2746539.2746622\">https://doi.org/10.1145/2746539.2746622</a>","chicago":"Alwen, Joel F, and Vladimir Serbinenko. “High Parallel Complexity Graphs and Memory-Hard Functions.” In <i>Proceedings of the 47th Annual ACM Symposium on Theory of Computing</i>, 595–603. ACM, 2015. <a href=\"https://doi.org/10.1145/2746539.2746622\">https://doi.org/10.1145/2746539.2746622</a>.","ista":"Alwen JF, Serbinenko V. 2015. High parallel complexity graphs and memory-hard functions. Proceedings of the 47th annual ACM symposium on Theory of computing. STOC: Symposium on the Theory of Computing, 595–603."},"main_file_link":[{"open_access":"1","url":"http://eprint.iacr.org/2014/238"}],"scopus_import":1,"project":[{"grant_number":"259668","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"date_updated":"2021-01-12T06:52:16Z","ec_funded":1,"year":"2015","date_created":"2018-12-11T11:53:16Z","page":"595 - 603","quality_controlled":"1","abstract":[{"lang":"eng","text":"We develop new theoretical tools for proving lower-bounds on the (amortized) complexity of certain functions in models of parallel computation. We apply the tools to construct a class of functions with high amortized memory complexity in the parallel Random Oracle Model (pROM); a variant of the standard ROM allowing for batches of simultaneous queries. In particular we obtain a new, more robust, type of Memory-Hard Functions (MHF); a security primitive which has recently been gaining acceptance in practice as an effective means of countering brute-force attacks on security relevant functions. Along the way we also demonstrate an important shortcoming of previous definitions of MHFs and give a new definition addressing the problem. The tools we develop represent an adaptation of the powerful pebbling paradigm (initially introduced by Hewitt and Paterson [HP70] and Cook [Coo73]) to a simple and intuitive parallel setting. We define a simple pebbling game Gp over graphs which aims to abstract parallel computation in an intuitive way. As a conceptual contribution we define a measure of pebbling complexity for graphs called cumulative complexity (CC) and show how it overcomes a crucial shortcoming (in the parallel setting) exhibited by more traditional complexity measures used in the past. As a main technical contribution we give an explicit construction of a constant in-degree family of graphs whose CC in Gp approaches maximality to within a polylogarithmic factor for any graph of equal size (analogous to the graphs of Tarjan et. al. [PTC76, LT82] for sequential pebbling games). Finally, for a given graph G and related function fG, we derive a lower-bound on the amortized memory complexity of fG in the pROM in terms of the CC of G in the game Gp."}],"status":"public"},{"oa_version":"Submitted Version","conference":{"name":"ASIACRYPT: Theory and Application of Cryptology and Information Security","start_date":"2015-11-29","location":"Auckland, New Zealand","end_date":"2015-12-03"},"date_published":"2015-12-30T00:00:00Z","publist_id":"5496","author":[{"id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","full_name":"Gazi, Peter","first_name":"Peter","last_name":"Gazi"},{"last_name":"Pietrzak","first_name":"Krzysztof Z","full_name":"Pietrzak, Krzysztof Z","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654"},{"full_name":"Tessaro, Stefano","first_name":"Stefano","last_name":"Tessaro"}],"ddc":["004","005"],"doi":"10.1007/978-3-662-48800-3_4","publisher":"Springer","language":[{"iso":"eng"}],"type":"conference","file_date_updated":"2020-07-14T12:45:08Z","scopus_import":1,"date_created":"2018-12-11T11:53:17Z","year":"2015","series_title":"Lecture Notes in Computer Science","quality_controlled":"1","page":"85 - 109","project":[{"name":"Provable Security for Physical Cryptography","grant_number":"259668","_id":"258C570E-B435-11E9-9278-68D0E5697425","call_identifier":"FP7"}],"date_updated":"2021-01-12T06:52:16Z","file":[{"file_name":"IST-2016-676-v1+1_881.pdf","date_updated":"2020-07-14T12:45:08Z","access_level":"open_access","file_id":"4732","date_created":"2018-12-12T10:09:09Z","content_type":"application/pdf","checksum":"d1e53203db2d8573a560995ccdffac62","relation":"main_file","creator":"system","file_size":512071}],"volume":9453,"department":[{"_id":"KrPi"}],"alternative_title":["LNCS"],"pubrep_id":"676","_id":"1654","month":"12","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","publication_status":"published","oa":1,"title":"Generic security of NMAC and HMAC with input whitening","day":"30","has_accepted_license":"1","intvolume":"      9453","citation":{"ama":"Gazi P, Pietrzak KZ, Tessaro S. Generic security of NMAC and HMAC with input whitening. 2015;9453:85-109. doi:<a href=\"https://doi.org/10.1007/978-3-662-48800-3_4\">10.1007/978-3-662-48800-3_4</a>","short":"P. Gazi, K.Z. Pietrzak, S. Tessaro, 9453 (2015) 85–109.","mla":"Gazi, Peter, et al. <i>Generic Security of NMAC and HMAC with Input Whitening</i>. Vol. 9453, Springer, 2015, pp. 85–109, doi:<a href=\"https://doi.org/10.1007/978-3-662-48800-3_4\">10.1007/978-3-662-48800-3_4</a>.","ieee":"P. Gazi, K. Z. Pietrzak, and S. Tessaro, “Generic security of NMAC and HMAC with input whitening,” vol. 9453. Springer, pp. 85–109, 2015.","ista":"Gazi P, Pietrzak KZ, Tessaro S. 2015. Generic security of NMAC and HMAC with input whitening. 9453, 85–109.","apa":"Gazi, P., Pietrzak, K. Z., &#38; Tessaro, S. (2015). Generic security of NMAC and HMAC with input whitening. Presented at the ASIACRYPT: Theory and Application of Cryptology and Information Security, Auckland, New Zealand: Springer. <a href=\"https://doi.org/10.1007/978-3-662-48800-3_4\">https://doi.org/10.1007/978-3-662-48800-3_4</a>","chicago":"Gazi, Peter, Krzysztof Z Pietrzak, and Stefano Tessaro. “Generic Security of NMAC and HMAC with Input Whitening.” Lecture Notes in Computer Science. Springer, 2015. <a href=\"https://doi.org/10.1007/978-3-662-48800-3_4\">https://doi.org/10.1007/978-3-662-48800-3_4</a>."},"ec_funded":1,"status":"public","abstract":[{"lang":"eng","text":"HMAC and its variant NMAC are the most popular approaches to deriving a MAC (and more generally, a PRF) from a cryptographic hash function. Despite nearly two decades of research, their exact security still remains far from understood in many different contexts. Indeed, recent works have re-surfaced interest for {\\em generic} attacks, i.e., attacks that treat the compression function of the underlying hash function as a black box.\r\n\r\nGeneric security can be proved in a model where the underlying compression function is modeled as a random function -- yet, to date, the question of proving tight, non-trivial bounds on the generic security of HMAC/NMAC even as a PRF remains a challenging open question.\r\n\r\nIn this paper, we ask the question of whether a small modification to HMAC and NMAC can allow us to exactly characterize the security of the resulting constructions, while only incurring little penalty with respect to efficiency. To this end, we present simple variants of NMAC and HMAC, for which we prove tight bounds on the generic PRF security, expressed in terms of numbers of construction and compression function queries necessary to break the construction. All of our constructions are obtained via a (near) {\\em black-box} modification of NMAC and HMAC, which can be interpreted as an initial step of key-dependent message pre-processing.\r\n\r\nWhile our focus is on PRF security, a further attractive feature of our new constructions is that they clearly defeat all recent generic attacks against properties such as state recovery and universal forgery. These exploit properties of the so-called ``functional graph'' which are not directly accessible in our new constructions. "}]},{"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","_id":"1668","month":"08","title":"Relaxing full-codebook security: A refined analysis of key-length extension schemes","oa":1,"publication_status":"published","department":[{"_id":"KrPi"}],"alternative_title":["LNCS"],"ec_funded":1,"abstract":[{"text":"We revisit the security (as a pseudorandom permutation) of cascading-based constructions for block-cipher key-length extension. Previous works typically considered the extreme case where the adversary is given the entire codebook of the construction, the only complexity measure being the number qe of queries to the underlying ideal block cipher, representing adversary’s secret-key-independent computation. Here, we initiate a systematic study of the more natural case of an adversary restricted to adaptively learning a number qc of plaintext/ciphertext pairs that is less than the entire codebook. For any such qc, we aim to determine the highest number of block-cipher queries qe the adversary can issue without being able to successfully distinguish the construction (under a secret key) from a random permutation.\r\nMore concretely, we show the following results for key-length extension schemes using a block cipher with n-bit blocks and κ-bit keys:\r\nPlain cascades of length ℓ=2r+1 are secure whenever qcqre≪2r(κ+n), qc≪2κ and qe≪22κ. The bound for r=1 also applies to two-key triple encryption (as used within Triple DES).\r\nThe r-round XOR-cascade is secure as long as qcqre≪2r(κ+n), matching an attack by Gaži (CRYPTO 2013).\r\nWe fully characterize the security of Gaži and Tessaro’s two-call ","lang":"eng"}],"status":"public","day":"12","intvolume":"      9054","citation":{"ama":"Gazi P, Lee J, Seurin Y, Steinberger J, Tessaro S. Relaxing full-codebook security: A refined analysis of key-length extension schemes. 2015;9054:319-341. doi:<a href=\"https://doi.org/10.1007/978-3-662-48116-5_16\">10.1007/978-3-662-48116-5_16</a>","short":"P. Gazi, J. Lee, Y. Seurin, J. Steinberger, S. Tessaro, 9054 (2015) 319–341.","mla":"Gazi, Peter, et al. <i>Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes</i>. Vol. 9054, Springer, 2015, pp. 319–41, doi:<a href=\"https://doi.org/10.1007/978-3-662-48116-5_16\">10.1007/978-3-662-48116-5_16</a>.","ieee":"P. Gazi, J. Lee, Y. Seurin, J. Steinberger, and S. Tessaro, “Relaxing full-codebook security: A refined analysis of key-length extension schemes,” vol. 9054. Springer, pp. 319–341, 2015.","chicago":"Gazi, Peter, Jooyoung Lee, Yannick Seurin, John Steinberger, and Stefano Tessaro. “Relaxing Full-Codebook Security: A Refined Analysis of Key-Length Extension Schemes.” Lecture Notes in Computer Science. Springer, 2015. <a href=\"https://doi.org/10.1007/978-3-662-48116-5_16\">https://doi.org/10.1007/978-3-662-48116-5_16</a>.","apa":"Gazi, P., Lee, J., Seurin, Y., Steinberger, J., &#38; Tessaro, S. (2015). Relaxing full-codebook security: A refined analysis of key-length extension schemes. Presented at the FSE: Fast Software Encryption, Istanbul, Turkey: Springer. <a href=\"https://doi.org/10.1007/978-3-662-48116-5_16\">https://doi.org/10.1007/978-3-662-48116-5_16</a>","ista":"Gazi P, Lee J, Seurin Y, Steinberger J, Tessaro S. 2015. Relaxing full-codebook security: A refined analysis of key-length extension schemes. 9054, 319–341."},"publisher":"Springer","doi":"10.1007/978-3-662-48116-5_16","type":"conference","language":[{"iso":"eng"}],"date_published":"2015-08-12T00:00:00Z","oa_version":"Submitted Version","conference":{"end_date":"2015-03-11","location":"Istanbul, Turkey","start_date":"2015-03-08","name":"FSE: Fast Software Encryption"},"author":[{"id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","last_name":"Gazi","full_name":"Gazi, Peter","first_name":"Peter"},{"last_name":"Lee","first_name":"Jooyoung","full_name":"Lee, Jooyoung"},{"last_name":"Seurin","full_name":"Seurin, Yannick","first_name":"Yannick"},{"first_name":"John","full_name":"Steinberger, John","last_name":"Steinberger"},{"full_name":"Tessaro, Stefano","first_name":"Stefano","last_name":"Tessaro"}],"publist_id":"5481","date_updated":"2020-08-11T10:09:26Z","project":[{"call_identifier":"FP7","_id":"258C570E-B435-11E9-9278-68D0E5697425","name":"Provable Security for Physical Cryptography","grant_number":"259668"}],"quality_controlled":"1","page":"319 - 341","date_created":"2018-12-11T11:53:22Z","series_title":"Lecture Notes in Computer Science","year":"2015","volume":9054,"scopus_import":1,"main_file_link":[{"url":"http://eprint.iacr.org/2015/397","open_access":"1"}]},{"publication_status":"published","title":"The chain rule for HILL pseudoentropy, revisited","oa":1,"month":"08","_id":"1669","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","alternative_title":["LNCS"],"pubrep_id":"669","department":[{"_id":"KrPi"}],"status":"public","abstract":[{"text":"Computational notions of entropy (a.k.a. pseudoentropy) have found many applications, including leakage-resilient cryptography, deterministic encryption or memory delegation. The most important tools to argue about pseudoentropy are chain rules, which quantify by how much (in terms of quantity and quality) the pseudoentropy of a given random variable X decreases when conditioned on some other variable Z (think for example of X as a secret key and Z as information leaked by a side-channel). In this paper we give a very simple and modular proof of the chain rule for HILL pseudoentropy, improving best known parameters. Our version allows for increasing the acceptable length of leakage in applications up to a constant factor compared to the best previous bounds. As a contribution of independent interest, we provide a comprehensive study of all known versions of the chain rule, comparing their worst-case strength and limitations.","lang":"eng"}],"ec_funded":1,"intvolume":"      9230","citation":{"short":"K.Z. Pietrzak, M. Skórski, 9230 (2015) 81–98.","ama":"Pietrzak KZ, Skórski M. The chain rule for HILL pseudoentropy, revisited. 2015;9230:81-98. doi:<a href=\"https://doi.org/10.1007/978-3-319-22174-8_5\">10.1007/978-3-319-22174-8_5</a>","apa":"Pietrzak, K. Z., &#38; Skórski, M. (2015). The chain rule for HILL pseudoentropy, revisited. Presented at the LATINCRYPT: Cryptology and Information Security in Latin America, Guadalajara, Mexico: Springer. <a href=\"https://doi.org/10.1007/978-3-319-22174-8_5\">https://doi.org/10.1007/978-3-319-22174-8_5</a>","ista":"Pietrzak KZ, Skórski M. 2015. The chain rule for HILL pseudoentropy, revisited. 9230, 81–98.","chicago":"Pietrzak, Krzysztof Z, and Maciej Skórski. “The Chain Rule for HILL Pseudoentropy, Revisited.” Lecture Notes in Computer Science. Springer, 2015. <a href=\"https://doi.org/10.1007/978-3-319-22174-8_5\">https://doi.org/10.1007/978-3-319-22174-8_5</a>.","mla":"Pietrzak, Krzysztof Z., and Maciej Skórski. <i>The Chain Rule for HILL Pseudoentropy, Revisited</i>. Vol. 9230, Springer, 2015, pp. 81–98, doi:<a href=\"https://doi.org/10.1007/978-3-319-22174-8_5\">10.1007/978-3-319-22174-8_5</a>.","ieee":"K. Z. Pietrzak and M. Skórski, “The chain rule for HILL pseudoentropy, revisited,” vol. 9230. Springer, pp. 81–98, 2015."},"day":"15","has_accepted_license":"1","language":[{"iso":"eng"}],"type":"conference","file_date_updated":"2020-07-14T12:45:11Z","doi":"10.1007/978-3-319-22174-8_5","publisher":"Springer","publist_id":"5480","author":[{"full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","last_name":"Pietrzak","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654"},{"full_name":"Skórski, Maciej","first_name":"Maciej","last_name":"Skórski"}],"ddc":["005"],"oa_version":"Submitted Version","conference":{"end_date":"2015-08-26","location":"Guadalajara, Mexico","start_date":"2015-08-23","name":"LATINCRYPT: Cryptology and Information Security in Latin America"},"date_published":"2015-08-15T00:00:00Z","file":[{"file_name":"IST-2016-669-v1+1_599.pdf","content_type":"application/pdf","file_id":"5351","date_created":"2018-12-12T10:18:29Z","date_updated":"2020-07-14T12:45:11Z","access_level":"open_access","relation":"main_file","checksum":"8cd4215b83efba720e8cf27c23ff4781","file_size":443340,"creator":"system"}],"volume":9230,"year":"2015","series_title":"Lecture Notes in Computer Science","date_created":"2018-12-11T11:53:22Z","quality_controlled":"1","page":"81 - 98","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography","call_identifier":"FP7"}],"date_updated":"2021-01-12T06:52:24Z","scopus_import":1},{"language":[{"iso":"eng"}],"type":"conference","file_date_updated":"2020-07-14T12:45:11Z","doi":"10.1007/978-3-662-47989-6_18","publisher":"Springer","publist_id":"5478","author":[{"id":"3E0BFE38-F248-11E8-B48F-1D18A9856A87","full_name":"Gazi, Peter","first_name":"Peter","last_name":"Gazi"},{"last_name":"Pietrzak","full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","orcid":"0000-0002-9139-1654","id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87"},{"last_name":"Tessaro","first_name":"Stefano","full_name":"Tessaro, Stefano"}],"ddc":["004","005"],"conference":{"start_date":"2015-08-16","name":"CRYPTO: International Cryptology Conference","end_date":"2015-08-20","location":"Santa Barbara, CA, United States"},"oa_version":"Submitted Version","date_published":"2015-08-01T00:00:00Z","file":[{"file_size":592296,"creator":"system","relation":"main_file","checksum":"17d854227b3b753fd34f5d29e5b5a32e","date_created":"2018-12-12T10:10:38Z","file_id":"4827","content_type":"application/pdf","access_level":"open_access","date_updated":"2020-07-14T12:45:11Z","file_name":"IST-2016-673-v1+1_053.pdf"}],"volume":9215,"date_created":"2018-12-11T11:53:23Z","year":"2015","page":"368 - 387","quality_controlled":"1","project":[{"_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography","call_identifier":"FP7"}],"date_updated":"2021-01-12T06:52:25Z","scopus_import":1,"publication_status":"published","title":"The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC","oa":1,"_id":"1671","month":"08","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","pubrep_id":"673","alternative_title":["LNCS"],"department":[{"_id":"KrPi"}],"status":"public","abstract":[{"lang":"eng","text":"This paper studies the concrete security of PRFs and MACs obtained by keying hash functions based on the sponge paradigm. One such hash function is KECCAK, selected as NIST’s new SHA-3 standard. In contrast to other approaches like HMAC, the exact security of keyed sponges is not well understood. Indeed, recent security analyses delivered concrete security bounds which are far from existing attacks. This paper aims to close this gap. We prove (nearly) exact bounds on the concrete PRF security of keyed sponges using a random permutation. These bounds are tight for the most relevant ranges of parameters, i.e., for messages of length (roughly) l ≤ min{2n/4, 2r} blocks, where n is the state size and r is the desired output length; and for l ≤ q queries (to the construction or the underlying permutation). Moreover, we also improve standard-model bounds. As an intermediate step of independent interest, we prove tight bounds on the PRF security of the truncated CBC-MAC construction, which operates as plain CBC-MAC, but only returns a prefix of the output."}],"ec_funded":1,"citation":{"ista":"Gazi P, Pietrzak KZ, Tessaro S. 2015. The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC. CRYPTO: International Cryptology Conference, LNCS, vol. 9215, 368–387.","chicago":"Gazi, Peter, Krzysztof Z Pietrzak, and Stefano Tessaro. “The Exact PRF Security of Truncation: Tight Bounds for Keyed Sponges and Truncated CBC,” 9215:368–87. Springer, 2015. <a href=\"https://doi.org/10.1007/978-3-662-47989-6_18\">https://doi.org/10.1007/978-3-662-47989-6_18</a>.","apa":"Gazi, P., Pietrzak, K. Z., &#38; Tessaro, S. (2015). The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC (Vol. 9215, pp. 368–387). Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. <a href=\"https://doi.org/10.1007/978-3-662-47989-6_18\">https://doi.org/10.1007/978-3-662-47989-6_18</a>","mla":"Gazi, Peter, et al. <i>The Exact PRF Security of Truncation: Tight Bounds for Keyed Sponges and Truncated CBC</i>. Vol. 9215, Springer, 2015, pp. 368–87, doi:<a href=\"https://doi.org/10.1007/978-3-662-47989-6_18\">10.1007/978-3-662-47989-6_18</a>.","ieee":"P. Gazi, K. Z. Pietrzak, and S. Tessaro, “The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States, 2015, vol. 9215, pp. 368–387.","short":"P. Gazi, K.Z. Pietrzak, S. Tessaro, in:, Springer, 2015, pp. 368–387.","ama":"Gazi P, Pietrzak KZ, Tessaro S. The exact PRF security of truncation: Tight bounds for keyed sponges and truncated CBC. In: Vol 9215. Springer; 2015:368-387. doi:<a href=\"https://doi.org/10.1007/978-3-662-47989-6_18\">10.1007/978-3-662-47989-6_18</a>"},"intvolume":"      9215","day":"01","has_accepted_license":"1"},{"quality_controlled":"1","page":"763 - 780","series_title":"Lecture Notes in Computer Science","date_created":"2018-12-11T11:53:23Z","year":"2015","date_updated":"2022-06-07T09:51:55Z","project":[{"call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"volume":9216,"file":[{"file_size":397363,"creator":"dernst","relation":"main_file","checksum":"5b6649e80d1f781a8910f7cce6427f78","content_type":"application/pdf","date_created":"2020-05-15T08:55:29Z","file_id":"7853","date_updated":"2020-07-14T12:45:11Z","access_level":"open_access","file_name":"2015_CRYPTO_Alwen.pdf"}],"article_processing_charge":"No","publication_identifier":{"isbn":["978-3-662-47999-5"],"eisbn":["978-3-662-48000-7"]},"scopus_import":"1","doi":"10.1007/978-3-662-48000-7_37","publisher":"Springer","language":[{"iso":"eng"}],"file_date_updated":"2020-07-14T12:45:11Z","type":"conference","oa_version":"Submitted Version","conference":{"end_date":"2015-08-20","location":"Santa Barbara, CA, United States","start_date":"2015-08-16","name":"CRYPTO: International Cryptology Conference"},"date_published":"2015-08-01T00:00:00Z","publication":"Advances in Cryptology - CRYPTO 2015","publist_id":"5476","ddc":["000"],"author":[{"id":"2A8DFA8C-F248-11E8-B48F-1D18A9856A87","last_name":"Alwen","first_name":"Joel F","full_name":"Alwen, Joel F"},{"first_name":"Rafail","full_name":"Ostrovsky, Rafail","last_name":"Ostrovsky"},{"last_name":"Zhou","full_name":"Zhou, Hongsheng","first_name":"Hongsheng"},{"last_name":"Zikas","full_name":"Zikas, Vassilis","first_name":"Vassilis"}],"ec_funded":1,"status":"public","abstract":[{"lang":"eng","text":"Composable notions of incoercibility aim to forbid a coercer from using anything beyond the coerced parties’ inputs and outputs to catch them when they try to deceive him. Existing definitions are restricted to weak coercion types, and/or are not universally composable. Furthermore, they often make too strong assumptions on the knowledge of coerced parties—e.g., they assume they known the identities and/or the strategies of other coerced parties, or those of corrupted parties— which makes them unsuitable for applications of incoercibility such as e-voting, where colluding adversarial parties may attempt to coerce honest voters, e.g., by offering them money for a promised vote, and use their own view to check that the voter keeps his end of the bargain. In this work we put forward the first universally composable notion of incoercible multi-party computation, which satisfies the above intuition and does not assume collusions among coerced parties or knowledge of the corrupted set. We define natural notions of UC incoercibility corresponding to standard coercion-types, i.e., receipt-freeness and resistance to full-active coercion. Importantly, our suggested notion has the unique property that it builds on top of the well studied UC framework by Canetti instead of modifying it. This guarantees backwards compatibility, and allows us to inherit results from the rich UC literature. We then present MPC protocols which realize our notions of UC incoercibility given access to an arguably minimal setup—namely honestly generate tamper-proof hardware performing a very simple cryptographic operation—e.g., a smart card. This is, to our knowledge, the first proposed construction of an MPC protocol (for more than two parties) that is incoercibly secure and universally composable, and therefore the first construction of a universally composable receipt-free e-voting protocol."}],"day":"01","has_accepted_license":"1","intvolume":"      9216","citation":{"short":"J.F. Alwen, R. Ostrovsky, H. Zhou, V. Zikas, in:, Advances in Cryptology - CRYPTO 2015, Springer, 2015, pp. 763–780.","ama":"Alwen JF, Ostrovsky R, Zhou H, Zikas V. Incoercible multi-party computation and universally composable receipt-free voting. In: <i>Advances in Cryptology - CRYPTO 2015</i>. Vol 9216. Lecture Notes in Computer Science. Springer; 2015:763-780. doi:<a href=\"https://doi.org/10.1007/978-3-662-48000-7_37\">10.1007/978-3-662-48000-7_37</a>","chicago":"Alwen, Joel F, Rafail Ostrovsky, Hongsheng Zhou, and Vassilis Zikas. “Incoercible Multi-Party Computation and Universally Composable Receipt-Free Voting.” In <i>Advances in Cryptology - CRYPTO 2015</i>, 9216:763–80. Lecture Notes in Computer Science. Springer, 2015. <a href=\"https://doi.org/10.1007/978-3-662-48000-7_37\">https://doi.org/10.1007/978-3-662-48000-7_37</a>.","apa":"Alwen, J. F., Ostrovsky, R., Zhou, H., &#38; Zikas, V. (2015). Incoercible multi-party computation and universally composable receipt-free voting. In <i>Advances in Cryptology - CRYPTO 2015</i> (Vol. 9216, pp. 763–780). Santa Barbara, CA, United States: Springer. <a href=\"https://doi.org/10.1007/978-3-662-48000-7_37\">https://doi.org/10.1007/978-3-662-48000-7_37</a>","ista":"Alwen JF, Ostrovsky R, Zhou H, Zikas V. 2015. Incoercible multi-party computation and universally composable receipt-free voting. Advances in Cryptology - CRYPTO 2015. CRYPTO: International Cryptology ConferenceLecture Notes in Computer Science, LNCS, vol. 9216, 763–780.","ieee":"J. F. Alwen, R. Ostrovsky, H. Zhou, and V. Zikas, “Incoercible multi-party computation and universally composable receipt-free voting,” in <i>Advances in Cryptology - CRYPTO 2015</i>, Santa Barbara, CA, United States, 2015, vol. 9216, pp. 763–780.","mla":"Alwen, Joel F., et al. “Incoercible Multi-Party Computation and Universally Composable Receipt-Free Voting.” <i>Advances in Cryptology - CRYPTO 2015</i>, vol. 9216, Springer, 2015, pp. 763–80, doi:<a href=\"https://doi.org/10.1007/978-3-662-48000-7_37\">10.1007/978-3-662-48000-7_37</a>."},"user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","_id":"1672","month":"08","title":"Incoercible multi-party computation and universally composable receipt-free voting","oa":1,"publication_status":"published","department":[{"_id":"KrPi"}],"acknowledgement":"Joël Alwen was supported by the ERC starting grant (259668-PSPC). Rafail Ostrovsky was supported in part by NSF grants 09165174, 1065276, 1118126 and 1136174, US-Israel BSF grant 2008411, OKAWA Foundation Research Award, IBM Faculty Research Award, Xerox Faculty Research Award, B. John Garrick Foundation Award, Teradata Research Award, Lockheed-Martin Corporation Research Award, and the Defense Advanced Research Projects Agency through the U.S. Office of Naval Research under Contract N00014 -11 -1-0392. The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government. Vassilis Zikas was supported in part by the Swiss National Science Foundation (SNF) via the Ambizione grant PZ00P-2142549.","alternative_title":["LNCS"]},{"abstract":[{"lang":"eng","text":"Proofs of work (PoW) have been suggested by Dwork and Naor (Crypto’92) as protection to a shared resource. The basic idea is to ask the service requestor to dedicate some non-trivial amount of computational work to every request. The original applications included prevention of spam and protection against denial of service attacks. More recently, PoWs have been used to prevent double spending in the Bitcoin digital currency system. In this work, we put forward an alternative concept for PoWs - so-called proofs of space (PoS), where a service requestor must dedicate a significant amount of disk space as opposed to computation. We construct secure PoS schemes in the random oracle model (with one additional mild assumption required for the proof to go through), using graphs with high “pebbling complexity” and Merkle hash-trees. We discuss some applications, including follow-up work where a decentralized digital currency scheme called Spacecoin is constructed that uses PoS (instead of wasteful PoW like in Bitcoin) to prevent double spending. The main technical contribution of this work is the construction of (directed, loop-free) graphs on N vertices with in-degree O(log logN) such that even if one places Θ(N) pebbles on the nodes of the graph, there’s a constant fraction of nodes that needs Θ(N) steps to be pebbled (where in every step one can put a pebble on a node if all its parents have a pebble)."}],"status":"public","ec_funded":1,"citation":{"ama":"Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. Proofs of space. 2015;9216:585-605. doi:<a href=\"https://doi.org/10.1007/978-3-662-48000-7_29\">10.1007/978-3-662-48000-7_29</a>","short":"S. Dziembowski, S. Faust, V. Kolmogorov, K.Z. Pietrzak, 9216 (2015) 585–605.","mla":"Dziembowski, Stefan, et al. <i>Proofs of Space</i>. Vol. 9216, Springer, 2015, pp. 585–605, doi:<a href=\"https://doi.org/10.1007/978-3-662-48000-7_29\">10.1007/978-3-662-48000-7_29</a>.","ieee":"S. Dziembowski, S. Faust, V. Kolmogorov, and K. Z. Pietrzak, “Proofs of space,” vol. 9216. Springer, pp. 585–605, 2015.","ista":"Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. 2015. Proofs of space. 9216, 585–605.","chicago":"Dziembowski, Stefan, Sebastian Faust, Vladimir Kolmogorov, and Krzysztof Z Pietrzak. “Proofs of Space.” Lecture Notes in Computer Science. Springer, 2015. <a href=\"https://doi.org/10.1007/978-3-662-48000-7_29\">https://doi.org/10.1007/978-3-662-48000-7_29</a>.","apa":"Dziembowski, S., Faust, S., Kolmogorov, V., &#38; Pietrzak, K. Z. (2015). Proofs of space. Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United States: Springer. <a href=\"https://doi.org/10.1007/978-3-662-48000-7_29\">https://doi.org/10.1007/978-3-662-48000-7_29</a>"},"intvolume":"      9216","day":"01","publication_status":"published","related_material":{"record":[{"id":"2274","status":"public","relation":"earlier_version"}]},"title":"Proofs of space","month":"08","_id":"1675","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","alternative_title":["LNCS"],"pubrep_id":"671","department":[{"_id":"VlKo"},{"_id":"KrPi"}],"volume":9216,"project":[{"call_identifier":"FP7","grant_number":"616160","name":"Discrete Optimization in Computer Vision: Theory and Practice","_id":"25FBA906-B435-11E9-9278-68D0E5697425"},{"_id":"258C570E-B435-11E9-9278-68D0E5697425","grant_number":"259668","name":"Provable Security for Physical Cryptography","call_identifier":"FP7"}],"date_updated":"2023-02-23T10:35:50Z","series_title":"Lecture Notes in Computer Science","year":"2015","date_created":"2018-12-11T11:53:24Z","quality_controlled":"1","page":"585 - 605","scopus_import":1,"type":"conference","language":[{"iso":"eng"}],"publisher":"Springer","doi":"10.1007/978-3-662-48000-7_29","author":[{"last_name":"Dziembowski","full_name":"Dziembowski, Stefan","first_name":"Stefan"},{"first_name":"Sebastian","full_name":"Faust, Sebastian","last_name":"Faust"},{"full_name":"Kolmogorov, Vladimir","first_name":"Vladimir","last_name":"Kolmogorov","id":"3D50B0BA-F248-11E8-B48F-1D18A9856A87"},{"id":"3E04A7AA-F248-11E8-B48F-1D18A9856A87","orcid":"0000-0002-9139-1654","full_name":"Pietrzak, Krzysztof Z","first_name":"Krzysztof Z","last_name":"Pietrzak"}],"publist_id":"5474","date_published":"2015-08-01T00:00:00Z","conference":{"start_date":"2015-08-16","name":"CRYPTO: International Cryptology Conference","end_date":"2015-08-20","location":"Santa Barbara, CA, United States"},"oa_version":"None"},{"_id":"1474","doi":"10.1109/CSF.2015.11","month":"09","user_id":"2DF688A6-F248-11E8-B48F-1D18A9856A87","publisher":"IEEE","language":[{"iso":"eng"}],"publication_status":"published","oa":1,"title":"Policy privacy in cryptographic access control","type":"conference","oa_version":"Submitted Version","conference":{"location":"Verona, Italy","end_date":"2015-07-17","name":"CSF: Computer Security Foundations","start_date":"2015-07-13"},"department":[{"_id":"KrPi"}],"date_published":"2015-09-04T00:00:00Z","publist_id":"5722","author":[{"last_name":"Ferrara","first_name":"Anna","full_name":"Ferrara, Anna"},{"id":"46B4C3EE-F248-11E8-B48F-1D18A9856A87","full_name":"Fuchsbauer, Georg","first_name":"Georg","last_name":"Fuchsbauer"},{"full_name":"Liu, Bin","first_name":"Bin","last_name":"Liu"},{"last_name":"Warinschi","first_name":"Bogdan","full_name":"Warinschi, Bogdan"}],"year":"2015","date_created":"2018-12-11T11:52:14Z","page":"46-60","quality_controlled":"1","project":[{"call_identifier":"FP7","grant_number":"259668","name":"Provable Security for Physical Cryptography","_id":"258C570E-B435-11E9-9278-68D0E5697425"}],"date_updated":"2021-01-12T06:50:59Z","ec_funded":1,"status":"public","abstract":[{"text":"Cryptographic access control offers selective access to encrypted data via a combination of key management and functionality-rich cryptographic schemes, such as attribute-based encryption. Using this approach, publicly available meta-data may inadvertently leak information on the access policy that is enforced by cryptography, which renders cryptographic access control unusable in settings where this information is highly sensitive. We begin to address this problem by presenting rigorous definitions for policy privacy in cryptographic access control. For concreteness we set our results in the model of Role-Based Access Control (RBAC), where we identify and formalize several different flavors of privacy, however, our framework should serve as inspiration for other models of access control. Based on our insights we propose a new system which significantly improves on the privacy properties of state-of-the-art constructions. Our design is based on a novel type of privacy-preserving attribute-based encryption, which we introduce and show how to instantiate. We present our results in the context of a cryptographic RBAC system by Ferrara et al. (CSF'13), which uses cryptography to control read access to files, while write access is still delegated to trusted monitors. We give an extension of the construction that permits cryptographic control over write access. Our construction assumes that key management uses out-of-band channels between the policy enforcer and the users but eliminates completely the need for monitoring read/write access to the data.","lang":"eng"}],"day":"04","article_processing_charge":"No","main_file_link":[{"open_access":"1","url":"http://epubs.surrey.ac.uk/808055/"}],"citation":{"ama":"Ferrara A, Fuchsbauer G, Liu B, Warinschi B. Policy privacy in cryptographic access control. In: IEEE; 2015:46-60. doi:<a href=\"https://doi.org/10.1109/CSF.2015.11\">10.1109/CSF.2015.11</a>","short":"A. Ferrara, G. Fuchsbauer, B. Liu, B. Warinschi, in:, IEEE, 2015, pp. 46–60.","ieee":"A. Ferrara, G. Fuchsbauer, B. Liu, and B. Warinschi, “Policy privacy in cryptographic access control,” presented at the CSF: Computer Security Foundations, Verona, Italy, 2015, pp. 46–60.","mla":"Ferrara, Anna, et al. <i>Policy Privacy in Cryptographic Access Control</i>. IEEE, 2015, pp. 46–60, doi:<a href=\"https://doi.org/10.1109/CSF.2015.11\">10.1109/CSF.2015.11</a>.","chicago":"Ferrara, Anna, Georg Fuchsbauer, Bin Liu, and Bogdan Warinschi. “Policy Privacy in Cryptographic Access Control,” 46–60. IEEE, 2015. <a href=\"https://doi.org/10.1109/CSF.2015.11\">https://doi.org/10.1109/CSF.2015.11</a>.","apa":"Ferrara, A., Fuchsbauer, G., Liu, B., &#38; Warinschi, B. (2015). Policy privacy in cryptographic access control (pp. 46–60). Presented at the CSF: Computer Security Foundations, Verona, Italy: IEEE. <a href=\"https://doi.org/10.1109/CSF.2015.11\">https://doi.org/10.1109/CSF.2015.11</a>","ista":"Ferrara A, Fuchsbauer G, Liu B, Warinschi B. 2015. Policy privacy in cryptographic access control. CSF: Computer Security Foundations, 46–60."}}]