---
_id: '2852'
abstract:
- lang: eng
  text: A robust combiner for hash functions takes two candidate implementations and
    constructs a hash function which is secure as long as at least one of the candidates
    is secure. So far, hash function combiners only aim at preserving a single property
    such as collision-resistance or pseudorandomness. However, when hash functions
    are used in protocols like TLS they are often required to provide several properties
    simultaneously. We therefore put forward the notion of robust multi-property combiners
    and elaborate on different definitions for such combiners. We then propose a combiner
    that provably preserves (target) collision-resistance, pseudorandomness, and being
    a secure message authentication code. This combiner satisfies the strongest notion
    we propose, which requires that the combined function satisfies every security
    property which is satisfied by at least one of the underlying hash functions. If
    the underlying hash functions have output length n, the combiner has output length
    2n. This basically matches a known lower bound for black-box combiners for collision-resistance
    only, thus the other properties can be achieved without penalizing the length
    of the hash values. We then propose a combiner which also preserves the property
    of being indifferentiable from a random oracle, slightly increasing the output
    length to 2n + ω(log n). Moreover, we show how to augment our constructions in
    order to make them also robust for the one-wayness property, but in this case
    require an a priori upper bound on the input length.
author:
- first_name: Marc
  full_name: Fischlin, Marc
  last_name: Fischlin
- first_name: Anja
  full_name: Lehmann, Anja
  last_name: Lehmann
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
citation:
  ama: Fischlin M, Lehmann A, Pietrzak KZ. Robust multi-property combiners for hash
    functions. <i>Journal of Cryptology</i>. 2014;27(3):397-428. doi:<a href="https://doi.org/10.1007/s00145-013-9148-7">10.1007/s00145-013-9148-7</a>
  apa: Fischlin, M., Lehmann, A., &#38; Pietrzak, K. Z. (2014). Robust multi-property
    combiners for hash functions. <i>Journal of Cryptology</i>. Springer. <a href="https://doi.org/10.1007/s00145-013-9148-7">https://doi.org/10.1007/s00145-013-9148-7</a>
  chicago: Fischlin, Marc, Anja Lehmann, and Krzysztof Z Pietrzak. “Robust Multi-Property
    Combiners for Hash Functions.” <i>Journal of Cryptology</i>. Springer, 2014. <a
    href="https://doi.org/10.1007/s00145-013-9148-7">https://doi.org/10.1007/s00145-013-9148-7</a>.
  ieee: M. Fischlin, A. Lehmann, and K. Z. Pietrzak, “Robust multi-property combiners
    for hash functions,” <i>Journal of Cryptology</i>, vol. 27, no. 3. Springer, pp.
    397–428, 2014.
  ista: Fischlin M, Lehmann A, Pietrzak KZ. 2014. Robust multi-property combiners
    for hash functions. Journal of Cryptology. 27(3), 397–428.
  mla: Fischlin, Marc, et al. “Robust Multi-Property Combiners for Hash Functions.”
    <i>Journal of Cryptology</i>, vol. 27, no. 3, Springer, 2014, pp. 397–428, doi:<a
    href="https://doi.org/10.1007/s00145-013-9148-7">10.1007/s00145-013-9148-7</a>.
  short: M. Fischlin, A. Lehmann, K.Z. Pietrzak, Journal of Cryptology 27 (2014) 397–428.
date_created: 2018-12-11T11:59:56Z
date_published: 2014-07-01T00:00:00Z
date_updated: 2023-02-23T11:17:53Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/s00145-013-9148-7
intvolume: '        27'
issue: '3'
language:
- iso: eng
month: '07'
oa_version: None
page: 397 - 428
publication: Journal of Cryptology
publication_status: published
publisher: Springer
publist_id: '3940'
quality_controlled: '1'
related_material:
  record:
  - id: '3225'
    relation: earlier_version
    status: public
scopus_import: 1
status: public
title: Robust multi-property combiners for hash functions
type: journal_article
user_id: 3FFCCD3A-F248-11E8-B48F-1D18A9856A87
volume: 27
year: '2014'
...
---
_id: '1643'
abstract:
- lang: eng
  text: We extend the notion of verifiable random functions (VRF) to constrained VRFs,
    which generalize the concept of constrained pseudorandom functions, put forward
    by Boneh and Waters (Asiacrypt’13), and independently by Kiayias et al. (CCS’13)
    and Boyle et al. (PKC’14), who call them delegatable PRFs and functional PRFs,
    respectively. In a standard VRF the secret key sk allows one to evaluate a pseudorandom
    function at any point of its domain; in addition, it enables computation of a
    non-interactive proof that the function value was computed correctly. In a constrained
    VRF from the key sk one can derive constrained keys skS for subsets S of the domain,
    which allow computation of function values and proofs only at points in S. After
    formally defining constrained VRFs, we derive instantiations from the multilinear-maps-based
    constrained PRFs by Boneh and Waters, yielding a VRF with constrained keys for
    any set that can be decided by a polynomial-size circuit. Our VRFs have the same
    function values as the Boneh-Waters PRFs and are proved secure under the same
    hardness assumption, showing that verifiability comes at no cost. Constrained
    (functional) VRFs were stated as an open problem by Boyle et al.
alternative_title:
- LNCS
author:
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
citation:
  ama: 'Fuchsbauer G. Constrained Verifiable Random Functions . In: Abdalla M, De
    Prisco R, eds. <i>SCN 2014</i>. Vol 8642. Springer; 2014:95-114. doi:<a href="https://doi.org/10.1007/978-3-319-10879-7_7">10.1007/978-3-319-10879-7_7</a>'
  apa: 'Fuchsbauer, G. (2014). Constrained Verifiable Random Functions . In M. Abdalla
    &#38; R. De Prisco (Eds.), <i>SCN 2014</i> (Vol. 8642, pp. 95–114). Amalfi, Italy:
    Springer. <a href="https://doi.org/10.1007/978-3-319-10879-7_7">https://doi.org/10.1007/978-3-319-10879-7_7</a>'
  chicago: Fuchsbauer, Georg. “Constrained Verifiable Random Functions .” In <i>SCN
    2014</i>, edited by Michel Abdalla and Roberto De Prisco, 8642:95–114. Springer,
    2014. <a href="https://doi.org/10.1007/978-3-319-10879-7_7">https://doi.org/10.1007/978-3-319-10879-7_7</a>.
  ieee: G. Fuchsbauer, “Constrained Verifiable Random Functions ,” in <i>SCN 2014</i>,
    Amalfi, Italy, 2014, vol. 8642, pp. 95–114.
  ista: 'Fuchsbauer G. 2014. Constrained Verifiable Random Functions . SCN 2014. SCN:
    Security and Cryptography for Networks, LNCS, vol. 8642, 95–114.'
  mla: Fuchsbauer, Georg. “Constrained Verifiable Random Functions .” <i>SCN 2014</i>,
    edited by Michel Abdalla and Roberto De Prisco, vol. 8642, Springer, 2014, pp.
    95–114, doi:<a href="https://doi.org/10.1007/978-3-319-10879-7_7">10.1007/978-3-319-10879-7_7</a>.
  short: G. Fuchsbauer, in:, M. Abdalla, R. De Prisco (Eds.), SCN 2014, Springer,
    2014, pp. 95–114.
conference:
  end_date: 2014-09-05
  location: Amalfi, Italy
  name: 'SCN: Security and Cryptography for Networks'
  start_date: 2014-09-03
date_created: 2018-12-11T11:53:13Z
date_published: 2014-01-01T00:00:00Z
date_updated: 2021-01-12T06:52:12Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-10879-7_7
ec_funded: 1
editor:
- first_name: Michel
  full_name: Abdalla, Michel
  last_name: Abdalla
- first_name: Roberto
  full_name: De Prisco, Roberto
  last_name: De Prisco
intvolume: '      8642'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: http://eprint.iacr.org/2014/537
month: '01'
oa: 1
oa_version: Submitted Version
page: 95 - 114
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication: SCN 2014
publication_status: published
publisher: Springer
publist_id: '5509'
scopus_import: 1
status: public
title: 'Constrained Verifiable Random Functions '
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 8642
year: '2014'
...
---
_id: '1907'
abstract:
- lang: eng
  text: 'Most cryptographic security proofs require showing that two systems are indistinguishable.
    A central tool in such proofs is that of a game, where winning the game means
    provoking a certain condition, and it is shown that the two systems considered
    cannot be distinguished unless this condition is provoked. Upper bounding the
    probability of winning such a game, i.e., provoking this condition, for an arbitrary
    strategy is usually hard, except in the special case where the best strategy for
    winning such a game is known to be non-adaptive. A sufficient criterion for ensuring
    the optimality of non-adaptive strategies is that of conditional equivalence to
    a system, a notion introduced in [1]. In this paper, we show that this criterion
    is not necessary to ensure the optimality of non-adaptive strategies by giving
    two results of independent interest: 1) the optimality of non-adaptive strategies
    is not preserved under parallel composition; 2) in contrast, conditional equivalence
    is preserved under parallel composition.'
article_number: '6875125'
author:
- first_name: Grégory
  full_name: Demay, Grégory
  last_name: Demay
- first_name: Peter
  full_name: Gazi, Peter
  id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
  last_name: Gazi
- first_name: Ueli
  full_name: Maurer, Ueli
  last_name: Maurer
- first_name: Björn
  full_name: Tackmann, Björn
  last_name: Tackmann
citation:
  ama: 'Demay G, Gazi P, Maurer U, Tackmann B. Optimality of non-adaptive strategies:
    The case of parallel games. In: <i>IEEE International Symposium on Information
    Theory</i>. IEEE; 2014. doi:<a href="https://doi.org/10.1109/ISIT.2014.6875125">10.1109/ISIT.2014.6875125</a>'
  apa: 'Demay, G., Gazi, P., Maurer, U., &#38; Tackmann, B. (2014). Optimality of
    non-adaptive strategies: The case of parallel games. In <i>IEEE International
    Symposium on Information Theory</i>. Honolulu, USA: IEEE. <a href="https://doi.org/10.1109/ISIT.2014.6875125">https://doi.org/10.1109/ISIT.2014.6875125</a>'
  chicago: 'Demay, Grégory, Peter Gazi, Ueli Maurer, and Björn Tackmann. “Optimality
    of Non-Adaptive Strategies: The Case of Parallel Games.” In <i>IEEE International
    Symposium on Information Theory</i>. IEEE, 2014. <a href="https://doi.org/10.1109/ISIT.2014.6875125">https://doi.org/10.1109/ISIT.2014.6875125</a>.'
  ieee: 'G. Demay, P. Gazi, U. Maurer, and B. Tackmann, “Optimality of non-adaptive
    strategies: The case of parallel games,” in <i>IEEE International Symposium on
    Information Theory</i>, Honolulu, USA, 2014.'
  ista: 'Demay G, Gazi P, Maurer U, Tackmann B. 2014. Optimality of non-adaptive strategies:
    The case of parallel games. IEEE International Symposium on Information Theory.
    IEEE International Symposium on Information Theory Proceedings, 6875125.'
  mla: 'Demay, Grégory, et al. “Optimality of Non-Adaptive Strategies: The Case of
    Parallel Games.” <i>IEEE International Symposium on Information Theory</i>, 6875125,
    IEEE, 2014, doi:<a href="https://doi.org/10.1109/ISIT.2014.6875125">10.1109/ISIT.2014.6875125</a>.'
  short: G. Demay, P. Gazi, U. Maurer, B. Tackmann, in:, IEEE International Symposium
    on Information Theory, IEEE, 2014.
conference:
  end_date: 2014-07-04
  location: Honolulu, USA
  name: IEEE International Symposium on Information Theory Proceedings
  start_date: 2014-06-29
date_created: 2018-12-11T11:54:39Z
date_published: 2014-01-01T00:00:00Z
date_updated: 2021-01-12T06:53:59Z
day: '01'
department:
- _id: KrPi
doi: 10.1109/ISIT.2014.6875125
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2014/299
month: '01'
oa: 1
oa_version: Submitted Version
publication: IEEE International Symposium on Information Theory
publication_status: published
publisher: IEEE
publist_id: '5188'
quality_controlled: '1'
scopus_import: 1
status: public
title: 'Optimality of non-adaptive strategies: The case of parallel games'
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
year: '2014'
...
---
_id: '2045'
abstract:
- lang: eng
  text: 'We introduce and study a new notion of enhanced chosen-ciphertext security
    (ECCA) for public-key encryption. Loosely speaking, in the ECCA security experiment,
    the decryption oracle provided to the adversary is augmented to return not only
    the output of the decryption algorithm on a queried ciphertext but also of a randomness-recovery
    algorithm associated to the scheme. Our results mainly concern the case where
    the randomness-recovery algorithm is efficient. We provide constructions of ECCA-secure
    encryption from adaptive trapdoor functions as defined by Kiltz et al. (EUROCRYPT
    2010), resulting in ECCA encryption from standard number-theoretic assumptions.
    We then give two applications of ECCA-secure encryption: (1) We use it as a unifying
    concept in showing equivalence of adaptive trapdoor functions and tag-based adaptive
    trapdoor functions, resolving an open question of Kiltz et al. (2) We show that
    ECCA-secure encryption can be used to securely realize an approach to public-key
    encryption with non-interactive opening (PKENO) originally suggested by Damgård
    and Thorbek (EUROCRYPT 2007), resulting in new and practical PKENO schemes quite
    different from those in prior work. Our results demonstrate that ECCA security
    is of both practical and theoretical interest.'
acknowledgement: The second author was supported by EPSRC grant EP/H043454/1.
alternative_title:
- LNCS
author:
- first_name: Dana
  full_name: Dachman Soled, Dana
  last_name: Dachman Soled
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
- first_name: Payman
  full_name: Mohassel, Payman
  last_name: Mohassel
- first_name: Adam
  full_name: O’Neill, Adam
  last_name: O’Neill
citation:
  ama: 'Dachman Soled D, Fuchsbauer G, Mohassel P, O’Neill A. Enhanced chosen-ciphertext
    security and applications. In: Krawczyk H, ed. <i>Lecture Notes in Computer Science
    (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes
    in Bioinformatics)</i>. Vol 8383. Springer; 2014:329-344. doi:<a href="https://doi.org/10.1007/978-3-642-54631-0_19">10.1007/978-3-642-54631-0_19</a>'
  apa: 'Dachman Soled, D., Fuchsbauer, G., Mohassel, P., &#38; O’Neill, A. (2014).
    Enhanced chosen-ciphertext security and applications. In H. Krawczyk (Ed.), <i>Lecture
    Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence
    and Lecture Notes in Bioinformatics)</i> (Vol. 8383, pp. 329–344). Buenos Aires,
    Argentina: Springer. <a href="https://doi.org/10.1007/978-3-642-54631-0_19">https://doi.org/10.1007/978-3-642-54631-0_19</a>'
  chicago: Dachman Soled, Dana, Georg Fuchsbauer, Payman Mohassel, and Adam O’Neill.
    “Enhanced Chosen-Ciphertext Security and Applications.” In <i>Lecture Notes in
    Computer Science (Including Subseries Lecture Notes in Artificial Intelligence
    and Lecture Notes in Bioinformatics)</i>, edited by Hugo Krawczyk, 8383:329–44.
    Springer, 2014. <a href="https://doi.org/10.1007/978-3-642-54631-0_19">https://doi.org/10.1007/978-3-642-54631-0_19</a>.
  ieee: D. Dachman Soled, G. Fuchsbauer, P. Mohassel, and A. O’Neill, “Enhanced chosen-ciphertext
    security and applications,” in <i>Lecture Notes in Computer Science (including
    subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>,
    Buenos Aires, Argentina, 2014, vol. 8383, pp. 329–344.
  ista: 'Dachman Soled D, Fuchsbauer G, Mohassel P, O’Neill A. 2014. Enhanced chosen-ciphertext
    security and applications. Lecture Notes in Computer Science (including subseries
    Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics).
    PKC: Public Key Crypography, LNCS, vol. 8383, 329–344.'
  mla: Dachman Soled, Dana, et al. “Enhanced Chosen-Ciphertext Security and Applications.”
    <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial
    Intelligence and Lecture Notes in Bioinformatics)</i>, edited by Hugo Krawczyk,
    vol. 8383, Springer, 2014, pp. 329–44, doi:<a href="https://doi.org/10.1007/978-3-642-54631-0_19">10.1007/978-3-642-54631-0_19</a>.
  short: D. Dachman Soled, G. Fuchsbauer, P. Mohassel, A. O’Neill, in:, H. Krawczyk
    (Ed.), Lecture Notes in Computer Science (Including Subseries Lecture Notes in
    Artificial Intelligence and Lecture Notes in Bioinformatics), Springer, 2014,
    pp. 329–344.
conference:
  end_date: 2014-03-28
  location: Buenos Aires, Argentina
  name: 'PKC: Public Key Cryptography'
  start_date: 2014-03-26
date_created: 2018-12-11T11:55:24Z
date_published: 2014-01-01T00:00:00Z
date_updated: 2021-01-12T06:54:57Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-642-54631-0_19
ec_funded: 1
editor:
- first_name: Hugo
  full_name: Krawczyk, Hugo
  last_name: Krawczyk
intvolume: '      8383'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2012/543
month: '01'
oa: 1
oa_version: Submitted Version
page: 329 - 344
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication: Lecture Notes in Computer Science (including subseries Lecture Notes
  in Artificial Intelligence and Lecture Notes in Bioinformatics)
publication_status: published
publisher: Springer
publist_id: '5006'
quality_controlled: '1'
scopus_import: 1
status: public
title: Enhanced chosen-ciphertext security and applications
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 8383
year: '2014'
...
---
_id: '2046'
abstract:
- lang: eng
  text: 'We introduce policy-based signatures (PBS), where a signer can only sign
    messages conforming to some authority-specified policy. The main requirements
    are unforgeability and privacy, the latter meaning that signatures do not reveal
    the policy. PBS offers value along two fronts: (1) On the practical side, they
    allow a corporation to control what messages its employees can sign under the
    corporate key. (2) On the theoretical side, they unify existing work, capturing
    other forms of signatures as special cases or allowing them to be easily built.
    Our work focuses on definitions of PBS, proofs that this challenging primitive
    is realizable for arbitrary policies, efficient constructions for specific policies,
    and a few representative applications.'
acknowledgement: Part of his work was done while at Bristol University, supported
  by EPSRC grant EP/H043454/1.
alternative_title:
- LNCS
author:
- first_name: Mihir
  full_name: Bellare, Mihir
  last_name: Bellare
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
citation:
  ama: 'Bellare M, Fuchsbauer G. Policy-based signatures. In: Krawczyk H, ed. <i>Lecture
    Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence
    and Lecture Notes in Bioinformatics)</i>. Vol 8383. Springer; 2014:520-537. doi:<a
    href="https://doi.org/10.1007/978-3-642-54631-0_30">10.1007/978-3-642-54631-0_30</a>'
  apa: 'Bellare, M., &#38; Fuchsbauer, G. (2014). Policy-based signatures. In H. Krawczyk
    (Ed.), <i>Lecture Notes in Computer Science (including subseries Lecture Notes
    in Artificial Intelligence and Lecture Notes in Bioinformatics)</i> (Vol. 8383,
    pp. 520–537). Buenos Aires, Argentina: Springer. <a href="https://doi.org/10.1007/978-3-642-54631-0_30">https://doi.org/10.1007/978-3-642-54631-0_30</a>'
  chicago: Bellare, Mihir, and Georg Fuchsbauer. “Policy-Based Signatures.” In <i>Lecture
    Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence
    and Lecture Notes in Bioinformatics)</i>, edited by Hugo Krawczyk, 8383:520–37.
    Springer, 2014. <a href="https://doi.org/10.1007/978-3-642-54631-0_30">https://doi.org/10.1007/978-3-642-54631-0_30</a>.
  ieee: M. Bellare and G. Fuchsbauer, “Policy-based signatures,” in <i>Lecture Notes
    in Computer Science (including subseries Lecture Notes in Artificial Intelligence
    and Lecture Notes in Bioinformatics)</i>, Buenos Aires, Argentina, 2014, vol.
    8383, pp. 520–537.
  ista: 'Bellare M, Fuchsbauer G. 2014. Policy-based signatures. Lecture Notes in
    Computer Science (including subseries Lecture Notes in Artificial Intelligence
    and Lecture Notes in Bioinformatics). PKC: Public Key Cryptography, LNCS, vol.
    8383, 520–537.'
  mla: Bellare, Mihir, and Georg Fuchsbauer. “Policy-Based Signatures.” <i>Lecture
    Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence
    and Lecture Notes in Bioinformatics)</i>, edited by Hugo Krawczyk, vol. 8383,
    Springer, 2014, pp. 520–37, doi:<a href="https://doi.org/10.1007/978-3-642-54631-0_30">10.1007/978-3-642-54631-0_30</a>.
  short: M. Bellare, G. Fuchsbauer, in:, H. Krawczyk (Ed.), Lecture Notes in Computer
    Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture
    Notes in Bioinformatics), Springer, 2014, pp. 520–537.
conference:
  end_date: 2014-05-28
  location: Buenos Aires, Argentina
  name: 'PKC: Public Key Cryptography'
  start_date: 2014-05-26
date_created: 2018-12-11T11:55:24Z
date_published: 2014-01-01T00:00:00Z
date_updated: 2021-01-12T06:54:57Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-642-54631-0_30
ec_funded: 1
editor:
- first_name: Hugo
  full_name: Krawczyk, Hugo
  last_name: Krawczyk
intvolume: '      8383'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2013/413
month: '01'
oa: 1
oa_version: Submitted Version
page: 520 - 537
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication: Lecture Notes in Computer Science (including subseries Lecture Notes
  in Artificial Intelligence and Lecture Notes in Bioinformatics)
publication_status: published
publisher: Springer
publist_id: '5005'
quality_controlled: '1'
scopus_import: 1
status: public
title: Policy-based signatures
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 8383
year: '2014'
...
---
_id: '2047'
abstract:
- lang: eng
  text: Following the publication of an attack on genome-wide association studies
    (GWAS) data proposed by Homer et al., considerable attention has been given to
    developing methods for releasing GWAS data in a privacy-preserving way. Here,
    we develop an end-to-end differentially private method for solving regression
    problems with convex penalty functions and selecting the penalty parameters by
    cross-validation. In particular, we focus on penalized logistic regression with
    elastic-net regularization, a method widely used in GWAS analyses to identify
    disease-causing genes. We show how a differentially private procedure for penalized
    logistic regression with elastic-net regularization can be applied to the analysis
    of GWAS data and evaluate our method’s performance.
acknowledgement: This research was partially supported by BCS- 0941518 to the Department
  of Statistics at Carnegie Mellon University.
alternative_title:
- LNCS
arxiv: 1
author:
- first_name: Fei
  full_name: Yu, Fei
  last_name: Yu
- first_name: Michal
  full_name: Rybar, Michal
  id: 2B3E3DE8-F248-11E8-B48F-1D18A9856A87
  last_name: Rybar
- first_name: Caroline
  full_name: Uhler, Caroline
  id: 49ADD78E-F248-11E8-B48F-1D18A9856A87
  last_name: Uhler
  orcid: 0000-0002-7008-0216
- first_name: Stephen
  full_name: Fienberg, Stephen
  last_name: Fienberg
citation:
  ama: 'Yu F, Rybar M, Uhler C, Fienberg S. Differentially-private logistic regression
    for detecting multiple-SNP association in GWAS databases. In: Domingo Ferrer J,
    ed. <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in
    Artificial Intelligence and Lecture Notes in Bioinformatics)</i>. Vol 8744. Springer;
    2014:170-184. doi:<a href="https://doi.org/10.1007/978-3-319-11257-2_14">10.1007/978-3-319-11257-2_14</a>'
  apa: 'Yu, F., Rybar, M., Uhler, C., &#38; Fienberg, S. (2014). Differentially-private
    logistic regression for detecting multiple-SNP association in GWAS databases.
    In J. Domingo Ferrer (Ed.), <i>Lecture Notes in Computer Science (including subseries
    Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>
    (Vol. 8744, pp. 170–184). Ibiza, Spain: Springer. <a href="https://doi.org/10.1007/978-3-319-11257-2_14">https://doi.org/10.1007/978-3-319-11257-2_14</a>'
  chicago: Yu, Fei, Michal Rybar, Caroline Uhler, and Stephen Fienberg. “Differentially-Private
    Logistic Regression for Detecting Multiple-SNP Association in GWAS Databases.”
    In <i>Lecture Notes in Computer Science (Including Subseries Lecture Notes in
    Artificial Intelligence and Lecture Notes in Bioinformatics)</i>, edited by Josep
    Domingo Ferrer, 8744:170–84. Springer, 2014. <a href="https://doi.org/10.1007/978-3-319-11257-2_14">https://doi.org/10.1007/978-3-319-11257-2_14</a>.
  ieee: F. Yu, M. Rybar, C. Uhler, and S. Fienberg, “Differentially-private logistic
    regression for detecting multiple-SNP association in GWAS databases,” in <i>Lecture
    Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence
    and Lecture Notes in Bioinformatics)</i>, Ibiza, Spain, 2014, vol. 8744, pp. 170–184.
  ista: 'Yu F, Rybar M, Uhler C, Fienberg S. 2014. Differentially-private logistic
    regression for detecting multiple-SNP association in GWAS databases. Lecture Notes
    in Computer Science (including subseries Lecture Notes in Artificial Intelligence
    and Lecture Notes in Bioinformatics). PSD: Privacy in Statistical Databases, LNCS,
    vol. 8744, 170–184.'
  mla: Yu, Fei, et al. “Differentially-Private Logistic Regression for Detecting Multiple-SNP
    Association in GWAS Databases.” <i>Lecture Notes in Computer Science (Including
    Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)</i>,
    edited by Josep Domingo Ferrer, vol. 8744, Springer, 2014, pp. 170–84, doi:<a
    href="https://doi.org/10.1007/978-3-319-11257-2_14">10.1007/978-3-319-11257-2_14</a>.
  short: F. Yu, M. Rybar, C. Uhler, S. Fienberg, in:, J. Domingo Ferrer (Ed.), Lecture
    Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence
    and Lecture Notes in Bioinformatics), Springer, 2014, pp. 170–184.
conference:
  end_date: 2014-09-19
  location: Ibiza, Spain
  name: 'PSD: Privacy in Statistical Databases'
  start_date: 2014-09-17
date_created: 2018-12-11T11:55:24Z
date_published: 2014-01-01T00:00:00Z
date_updated: 2021-01-12T06:54:57Z
day: '01'
department:
- _id: KrPi
- _id: CaUh
doi: 10.1007/978-3-319-11257-2_14
editor:
- first_name: Josep
  full_name: Domingo Ferrer, Josep
  last_name: Domingo Ferrer
external_id:
  arxiv:
  - '1407.8067'
intvolume: '      8744'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: http://arxiv.org/abs/1407.8067
month: '01'
oa: 1
oa_version: Submitted Version
page: 170 - 184
project:
- _id: 25636330-B435-11E9-9278-68D0E5697425
  grant_number: 11-NSF-1070
  name: ROOTS Genome-wide Analysis of Root Traits
publication: Lecture Notes in Computer Science (including subseries Lecture Notes
  in Artificial Intelligence and Lecture Notes in Bioinformatics)
publication_status: published
publisher: Springer
publist_id: '5004'
quality_controlled: '1'
scopus_import: 1
status: public
title: Differentially-private logistic regression for detecting multiple-SNP association
  in GWAS databases
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 8744
year: '2014'
...
---
_id: '2082'
abstract:
- lang: eng
  text: 'NMAC is a mode of operation which turns a fixed input-length keyed hash function
    f into a variable input-length function. A practical single-key variant of NMAC
    called HMAC is a very popular and widely deployed message authentication code
    (MAC). Security proofs and attacks for NMAC can typically be lifted to HMAC. NMAC
    was introduced by Bellare, Canetti and Krawczyk [Crypto''96], who proved it to
    be a secure pseudorandom function (PRF), and thus also a MAC, assuming that (1)
    f is a PRF and (2) the function we get when cascading f is weakly collision-resistant.
    Unfortunately, HMAC is typically instantiated with cryptographic hash functions
    like MD5 or SHA-1 for which (2) has been found to be wrong. To restore the provable
    guarantees for NMAC, Bellare [Crypto''06] showed its security based solely on
    the assumption that f is a PRF, albeit via a non-uniform reduction. - Our first
    contribution is a simpler and uniform proof for this fact: If f is an ε-secure
    PRF (against q queries) and a δ-non-adaptively secure PRF (against q queries),
    then NMAC^f is an (ε+ℓqδ)-secure PRF against q queries of length at most ℓ blocks
    each. - We then show that this ε+ℓqδ bound is basically tight. For the most interesting
    case where ℓqδ ≥ ε we prove this by constructing an f for which an attack with
    advantage ℓqδ exists. This also violates the bound O(ℓε) on the PRF-security of
    NMAC recently claimed by Koblitz and Menezes. - Finally, we analyze the PRF-security
    of a modification of NMAC called NI [An and Bellare, Crypto''99] that differs
    mainly by using a compression function with an additional keying input. This avoids
    the constant rekeying on multi-block messages in NMAC and allows for a security
    proof starting by the standard switch from a PRF to a random function, followed
    by an information-theoretic analysis. We carry out such an analysis, obtaining
    a tight ℓq^2/2^c bound for this step, improving over the trivial bound of ℓ^2q^2/2^c.
    The proof borrows combinatorial techniques originally developed for proving the
    security of CBC-MAC [Bellare et al., Crypto''05].'
alternative_title:
- LNCS
author:
- first_name: Peter
  full_name: Gazi, Peter
  id: 3E0BFE38-F248-11E8-B48F-1D18A9856A87
  last_name: Gazi
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Michal
  full_name: Rybar, Michal
  id: 2B3E3DE8-F248-11E8-B48F-1D18A9856A87
  last_name: Rybar
citation:
  ama: 'Gazi P, Pietrzak KZ, Rybar M. The exact PRF-security of NMAC and HMAC. In:
    Garay J, Gennaro R, eds. Vol 8616. Springer; 2014:113-130. doi:<a href="https://doi.org/10.1007/978-3-662-44371-2_7">10.1007/978-3-662-44371-2_7</a>'
  apa: 'Gazi, P., Pietrzak, K. Z., &#38; Rybar, M. (2014). The exact PRF-security
    of NMAC and HMAC. In J. Garay &#38; R. Gennaro (Eds.) (Vol. 8616, pp. 113–130).
    Presented at the CRYPTO: International Cryptology Conference, Santa Barbara, USA:
    Springer. <a href="https://doi.org/10.1007/978-3-662-44371-2_7">https://doi.org/10.1007/978-3-662-44371-2_7</a>'
  chicago: Gazi, Peter, Krzysztof Z Pietrzak, and Michal Rybar. “The Exact PRF-Security
    of NMAC and HMAC.” edited by Juan Garay and Rosario Gennaro, 8616:113–30. Springer,
    2014. <a href="https://doi.org/10.1007/978-3-662-44371-2_7">https://doi.org/10.1007/978-3-662-44371-2_7</a>.
  ieee: 'P. Gazi, K. Z. Pietrzak, and M. Rybar, “The exact PRF-security of NMAC and
    HMAC,” presented at the CRYPTO: International Cryptology Conference, Santa Barbara,
    USA, 2014, vol. 8616, no. 1, pp. 113–130.'
  ista: 'Gazi P, Pietrzak KZ, Rybar M. 2014. The exact PRF-security of NMAC and HMAC.
    CRYPTO: International Cryptology Conference, LNCS, vol. 8616, 113–130.'
  mla: Gazi, Peter, et al. <i>The Exact PRF-Security of NMAC and HMAC</i>. Edited
    by Juan Garay and Rosario Gennaro, vol. 8616, no. 1, Springer, 2014, pp. 113–30,
    doi:<a href="https://doi.org/10.1007/978-3-662-44371-2_7">10.1007/978-3-662-44371-2_7</a>.
  short: P. Gazi, K.Z. Pietrzak, M. Rybar, in:, J. Garay, R. Gennaro (Eds.), Springer,
    2014, pp. 113–130.
conference:
  end_date: 2014-08-21
  location: Santa Barbara, USA
  name: 'CRYPTO: International Cryptology Conference'
  start_date: 2014-08-17
date_created: 2018-12-11T11:55:36Z
date_published: 2014-01-01T00:00:00Z
date_updated: 2023-09-07T12:02:27Z
day: '01'
ddc:
- '000'
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-662-44371-2_7
ec_funded: 1
editor:
- first_name: Juan
  full_name: Garay, Juan
  last_name: Garay
- first_name: Rosario
  full_name: Gennaro, Rosario
  last_name: Gennaro
file:
- access_level: open_access
  checksum: dab6ab36a5f6af94f2b597e6404ed11d
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:13:17Z
  date_updated: 2020-07-14T12:45:28Z
  file_id: '4999'
  file_name: IST-2016-682-v1+1_578.pdf
  file_size: 492310
  relation: main_file
file_date_updated: 2020-07-14T12:45:28Z
has_accepted_license: '1'
intvolume: '      8616'
issue: '1'
language:
- iso: eng
month: '01'
oa: 1
oa_version: Submitted Version
page: 113 - 130
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '4955'
pubrep_id: '682'
quality_controlled: '1'
related_material:
  record:
  - id: '838'
    relation: dissertation_contains
    status: public
status: public
title: The exact PRF-security of NMAC and HMAC
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 8616
year: '2014'
...
---
_id: '2185'
abstract:
- lang: eng
  text: 'We revisit the classical problem of converting an imperfect source of randomness
    into a usable cryptographic key. Assume that we have some cryptographic application
    P that expects a uniformly random m-bit key R and ensures that the best attack
    (in some complexity class) against P(R) has success probability at most δ. Our
    goal is to design a key-derivation function (KDF) h that converts any random source
    X of min-entropy k into a sufficiently "good" key h(X), guaranteeing
    that P(h(X)) has comparable security δ′ which is ''close'' to δ. Seeded randomness
    extractors provide a generic way to solve this problem for all applications P,
    with resulting security δ′ = O(δ), provided that we start with entropy k ≥ m +
    2 log (1/δ) - O(1). By a result of Radhakrishnan and Ta-Shma, this bound on k
    (called the "RT-bound") is also known to be tight in general. Unfortunately,
    in many situations the loss of 2 log (1/δ) bits of entropy is unacceptable. This
    motivates the study of KDFs with less entropy waste by placing some restrictions
    on the source X or the application P. In this work we obtain the following new
    positive and negative results in this regard: - Efficient samplability of the
    source X does not help beat the RT-bound for general applications. This resolves
    the SRT (samplable RT) conjecture of Dachman-Soled et al. [DGKM12] in the affirmative,
    and also shows that the existence of computationally-secure extractors beating
    the RT-bound implies the existence of one-way functions. - We continue in the
    line of work initiated by Barak et al. [BDK+11] and construct new information-theoretic
    KDFs which beat the RT-bound for large but restricted classes of applications.
    Specifically, we design efficient KDFs that work for all unpredictability applications
    P (e.g., signatures, MACs, one-way functions, etc.) and can either: (1) extract
    all of the entropy k = m with a very modest security loss δ′ = O(δ·log (1/δ)),
    or alternatively, (2) achieve essentially optimal security δ′ = O(δ) with a very
    modest entropy loss k ≥ m + loglog (1/δ). In comparison, the best prior results
    from [BDK+11] for this class of applications would only guarantee δ′ = O(√δ) when
    k = m, and would need k ≥ m + log (1/δ) to get δ′ = O(δ). - The weaker bounds
    of [BDK+11] hold for a larger class of so-called "square-friendly"
    applications (which includes all unpredictability, but also some important indistinguishability,
    applications). Unfortunately, we show that these weaker bounds are tight for the
    larger class of applications. - We abstract out a clean, information-theoretic
    notion of (k,δ,δ′)-unpredictability extractors, which guarantee "induced"
    security δ′ for any δ-secure unpredictability application P, and characterize
    the parameters achievable for such unpredictability extractors. Of independent
    interest, we also relate this notion to the previously-known notion of (min-entropy)
    condensers, and improve the state-of-the-art parameters for such condensers.'
alternative_title:
- LNCS
author:
- first_name: Yevgeniy
  full_name: Dodis, Yevgeniy
  last_name: Dodis
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Daniel
  full_name: Wichs, Daniel
  last_name: Wichs
citation:
  ama: 'Dodis Y, Pietrzak KZ, Wichs D. Key derivation without entropy waste. In: Nguyen
    P, Oswald E, eds. Vol 8441. Springer; 2014:93-110. doi:<a href="https://doi.org/10.1007/978-3-642-55220-5_6">10.1007/978-3-642-55220-5_6</a>'
  apa: 'Dodis, Y., Pietrzak, K. Z., &#38; Wichs, D. (2014). Key derivation without
    entropy waste. In P. Nguyen &#38; E. Oswald (Eds.) (Vol. 8441, pp. 93–110). Presented
    at the EUROCRYPT: Theory and Applications of Cryptographic Techniques, Copenhagen,
    Denmark: Springer. <a href="https://doi.org/10.1007/978-3-642-55220-5_6">https://doi.org/10.1007/978-3-642-55220-5_6</a>'
  chicago: Dodis, Yevgeniy, Krzysztof Z Pietrzak, and Daniel Wichs. “Key Derivation
    without Entropy Waste.” edited by Phong Nguyen and Elisabeth Oswald, 8441:93–110.
    Springer, 2014. <a href="https://doi.org/10.1007/978-3-642-55220-5_6">https://doi.org/10.1007/978-3-642-55220-5_6</a>.
  ieee: 'Y. Dodis, K. Z. Pietrzak, and D. Wichs, “Key derivation without entropy waste,”
    presented at the EUROCRYPT: Theory and Applications of Cryptographic Techniques,
    Copenhagen, Denmark, 2014, vol. 8441, pp. 93–110.'
  ista: 'Dodis Y, Pietrzak KZ, Wichs D. 2014. Key derivation without entropy waste.
    EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol. 8441,
    93–110.'
  mla: Dodis, Yevgeniy, et al. <i>Key Derivation without Entropy Waste</i>. Edited
    by Phong Nguyen and Elisabeth Oswald, vol. 8441, Springer, 2014, pp. 93–110, doi:<a
    href="https://doi.org/10.1007/978-3-642-55220-5_6">10.1007/978-3-642-55220-5_6</a>.
  short: Y. Dodis, K.Z. Pietrzak, D. Wichs, in:, P. Nguyen, E. Oswald (Eds.), Springer,
    2014, pp. 93–110.
conference:
  end_date: 2014-05-15
  location: Copenhagen, Denmark
  name: 'EUROCRYPT: Theory and Applications of Cryptographic Techniques'
  start_date: 2014-05-11
date_created: 2018-12-11T11:56:12Z
date_published: 2014-04-01T00:00:00Z
date_updated: 2021-01-12T06:55:51Z
day: '01'
ddc:
- '000'
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-642-55220-5_6
editor:
- first_name: Phong
  full_name: Nguyen, Phong
  last_name: Nguyen
- first_name: Elisabeth
  full_name: Oswald, Elisabeth
  last_name: Oswald
file:
- access_level: open_access
  checksum: da1aa01221086083b23c92e547b48ff4
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:08:43Z
  date_updated: 2020-07-14T12:45:31Z
  file_id: '4705'
  file_name: IST-2016-680-v1+1_708.pdf
  file_size: 505389
  relation: main_file
file_date_updated: 2020-07-14T12:45:31Z
has_accepted_license: '1'
intvolume: '      8441'
language:
- iso: eng
month: '04'
oa: 1
oa_version: Submitted Version
page: 93 - 110
publication_status: published
publisher: Springer
publist_id: '4795'
pubrep_id: '680'
quality_controlled: '1'
scopus_import: 1
status: public
title: Key derivation without entropy waste
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 8441
year: '2014'
...
---
_id: '2219'
abstract:
- lang: eng
  text: Recently, Döttling et al. (ASIACRYPT 2012) proposed the first chosen-ciphertext
    (IND-CCA) secure public-key encryption scheme from the learning parity with noise
    (LPN) assumption. In this work we give an alternative scheme which is conceptually
    simpler and more efficient. At the core of our construction is a trapdoor technique
    originally proposed for lattices by Micciancio and Peikert (EUROCRYPT 2012), which
    we adapt to the LPN setting. The main technical tool is a new double-trapdoor
    mechanism, together with a trapdoor switching lemma based on a computational variant
    of the leftover hash lemma.
alternative_title:
- LNCS
author:
- first_name: Eike
  full_name: Kiltz, Eike
  last_name: Kiltz
- first_name: Daniel
  full_name: Masny, Daniel
  last_name: Masny
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
citation:
  ama: 'Kiltz E, Masny D, Pietrzak KZ. Simple chosen-ciphertext security from low
    noise LPN. In: Vol 8383. Springer; 2014:1-18. doi:<a href="https://doi.org/10.1007/978-3-642-54631-0_1">10.1007/978-3-642-54631-0_1</a>'
  apa: 'Kiltz, E., Masny, D., &#38; Pietrzak, K. Z. (2014). Simple chosen-ciphertext
    security from low noise LPN (Vol. 8383, pp. 1–18). Presented at the IACR: International
    Conference on Practice and Theory in Public-Key Cryptography, Springer. <a href="https://doi.org/10.1007/978-3-642-54631-0_1">https://doi.org/10.1007/978-3-642-54631-0_1</a>'
  chicago: Kiltz, Eike, Daniel Masny, and Krzysztof Z Pietrzak. “Simple Chosen-Ciphertext
    Security from Low Noise LPN,” 8383:1–18. Springer, 2014. <a href="https://doi.org/10.1007/978-3-642-54631-0_1">https://doi.org/10.1007/978-3-642-54631-0_1</a>.
  ieee: 'E. Kiltz, D. Masny, and K. Z. Pietrzak, “Simple chosen-ciphertext security
    from low noise LPN,” presented at the IACR: International Conference on Practice
    and Theory in Public-Key Cryptography, 2014, vol. 8383, pp. 1–18.'
  ista: 'Kiltz E, Masny D, Pietrzak KZ. 2014. Simple chosen-ciphertext security from
    low noise LPN. IACR: International Conference on Practice and Theory in Public-Key
    Cryptography, LNCS, vol. 8383, 1–18.'
  mla: Kiltz, Eike, et al. <i>Simple Chosen-Ciphertext Security from Low Noise LPN</i>.
    Vol. 8383, Springer, 2014, pp. 1–18, doi:<a href="https://doi.org/10.1007/978-3-642-54631-0_1">10.1007/978-3-642-54631-0_1</a>.
  short: E. Kiltz, D. Masny, K.Z. Pietrzak, in:, Springer, 2014, pp. 1–18.
conference:
  name: 'IACR: International Conference on Practice and Theory in Public-Key Cryptography'
date_created: 2018-12-11T11:56:24Z
date_published: 2014-03-01T00:00:00Z
date_updated: 2021-01-12T06:56:05Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-642-54631-0_1
intvolume: '      8383'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2015/401
month: '03'
oa: 1
oa_version: Submitted Version
page: 1 - 18
publication_identifier:
  isbn:
  - 978-364254630-3
publication_status: published
publisher: Springer
publist_id: '4748'
quality_controlled: '1'
scopus_import: 1
status: public
title: Simple chosen-ciphertext security from low noise LPN
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 8383
year: '2014'
...
---
_id: '2236'
abstract:
- lang: eng
  text: Consider a joint distribution (X,A) on a set. We show that for any family
    of distinguishers, there exists a simulator such that (1) no function in can distinguish
    (X,A) from (X,h(X)) with advantage ε, (2) h is only O(2^(3ℓ) ε^(-2)) times less efficient
    than the functions in. For the most interesting settings of the parameters (in
    particular, the cryptographic case where X has superlogarithmic min-entropy, ε > 0
    is negligible and consists of circuits of polynomial size), we can make
    the simulator h deterministic. As an illustrative application of our theorem,
    we give a new security proof for the leakage-resilient stream-cipher from Eurocrypt'09.
    Our proof is simpler and quantitatively much better than the original proof using
    the dense model theorem, giving meaningful security guarantees if instantiated
    with a standard blockcipher like AES. Subsequent to this work, Chung, Lui and
    Pass gave an interactive variant of our main theorem, and used it to investigate
    weak notions of Zero-Knowledge. Vadhan and Zheng give a more constructive version
    of our theorem using their new uniform min-max theorem.
alternative_title:
- LNCS
author:
- first_name: Dimitar
  full_name: Jetchev, Dimitar
  last_name: Jetchev
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
citation:
  ama: 'Jetchev D, Pietrzak KZ. How to fake auxiliary input. In: Lindell Y, ed. Vol
    8349. Springer; 2014:566-590. doi:<a href="https://doi.org/10.1007/978-3-642-54242-8_24">10.1007/978-3-642-54242-8_24</a>'
  apa: 'Jetchev, D., &#38; Pietrzak, K. Z. (2014). How to fake auxiliary input. In
    Y. Lindell (Ed.) (Vol. 8349, pp. 566–590). Presented at the TCC: Theory of Cryptography
    Conference, San Diego, USA: Springer. <a href="https://doi.org/10.1007/978-3-642-54242-8_24">https://doi.org/10.1007/978-3-642-54242-8_24</a>'
  chicago: Jetchev, Dimitar, and Krzysztof Z Pietrzak. “How to Fake Auxiliary Input.”
    edited by Yehuda Lindell, 8349:566–90. Springer, 2014. <a href="https://doi.org/10.1007/978-3-642-54242-8_24">https://doi.org/10.1007/978-3-642-54242-8_24</a>.
  ieee: 'D. Jetchev and K. Z. Pietrzak, “How to fake auxiliary input,” presented at
    the TCC: Theory of Cryptography Conference, San Diego, USA, 2014, vol. 8349, pp.
    566–590.'
  ista: 'Jetchev D, Pietrzak KZ. 2014. How to fake auxiliary input. TCC: Theory of
    Cryptography Conference, LNCS, vol. 8349, 566–590.'
  mla: Jetchev, Dimitar, and Krzysztof Z. Pietrzak. <i>How to Fake Auxiliary Input</i>.
    Edited by Yehuda Lindell, vol. 8349, Springer, 2014, pp. 566–90, doi:<a href="https://doi.org/10.1007/978-3-642-54242-8_24">10.1007/978-3-642-54242-8_24</a>.
  short: D. Jetchev, K.Z. Pietrzak, in:, Y. Lindell (Ed.), Springer, 2014, pp. 566–590.
conference:
  end_date: 2014-02-26
  location: San Diego, USA
  name: 'TCC: Theory of Cryptography Conference'
  start_date: 2014-02-24
date_created: 2018-12-11T11:56:29Z
date_published: 2014-02-01T00:00:00Z
date_updated: 2021-01-12T06:56:12Z
day: '01'
ddc:
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-642-54242-8_24
ec_funded: 1
editor:
- first_name: Yehuda
  full_name: Lindell, Yehuda
  last_name: Lindell
file:
- access_level: open_access
  checksum: 42960325c29dcd8d832edadcc3ce0045
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:17:21Z
  date_updated: 2020-07-14T12:45:34Z
  file_id: '5275'
  file_name: IST-2016-681-v1+1_869_1_.pdf
  file_size: 313528
  relation: main_file
file_date_updated: 2020-07-14T12:45:34Z
has_accepted_license: '1'
intvolume: '      8349'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://repository.ist.ac.at/id/eprint/681
month: '02'
oa: 1
oa_version: Submitted Version
page: 566 - 590
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_identifier:
  isbn:
  - 978-364254241-1
publication_status: published
publisher: Springer
publist_id: '4725'
pubrep_id: '681'
quality_controlled: '1'
status: public
title: How to fake auxiliary input
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 8349
year: '2014'
...
---
_id: '2940'
abstract:
- lang: eng
  text: "A chain rule for an entropy notion H(.) states that the entropy H(X) of a
    variable X decreases by at most l if conditioned on an l-bit string A, i.e., H(X|A) >=
    H(X)-l. More generally, it satisfies a chain rule for conditional entropy if H(X|Y,A) >=
    H(X|Y)-l.\r\n\r\nAll natural information theoretic entropy notions we are aware
    of (like Shannon or min-entropy) satisfy some kind of chain rule for conditional
    entropy. Moreover, many computational entropy notions (like Yao entropy, unpredictability
    entropy and several variants of HILL entropy) satisfy the chain rule for conditional
    entropy, though here not only the quantity decreases by l, but also the quality
    of the entropy decreases exponentially in l. However, for the standard notion
    of conditional HILL entropy (the computational equivalent of min-entropy) the
    existence of such a rule was unknown so far.\r\n\r\nIn this paper, we prove that
    for conditional HILL entropy no meaningful chain rule exists, assuming the existence
    of one-way permutations: there exist distributions X,Y,A, where A is a distribution
    over a single bit, but $H(X|Y) >> H(X|Y,A)$, even if we simultaneously allow
    for a massive degradation in the quality of the entropy.\r\n\r\nThe idea underlying
    our construction is based on a surprising connection between the chain rule for
    HILL entropy and deniable encryption. "
alternative_title:
- LNCS
author:
- first_name: Stephan
  full_name: Krenn, Stephan
  id: 329FCCF0-F248-11E8-B48F-1D18A9856A87
  last_name: Krenn
  orcid: 0000-0003-2835-9093
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Akshay
  full_name: Wadia, Akshay
  last_name: Wadia
citation:
  ama: 'Krenn S, Pietrzak KZ, Wadia A. A counterexample to the chain rule for conditional
    HILL entropy, and what deniable encryption has to do with it. In: Sahai A, ed.
    Vol 7785. Springer; 2013:23-39. doi:<a href="https://doi.org/10.1007/978-3-642-36594-2_2">10.1007/978-3-642-36594-2_2</a>'
  apa: 'Krenn, S., Pietrzak, K. Z., &#38; Wadia, A. (2013). A counterexample to the
    chain rule for conditional HILL entropy, and what deniable encryption has to do
    with it. In A. Sahai (Ed.) (Vol. 7785, pp. 23–39). Presented at the TCC: Theory
    of Cryptography Conference, Tokyo, Japan: Springer. <a href="https://doi.org/10.1007/978-3-642-36594-2_2">https://doi.org/10.1007/978-3-642-36594-2_2</a>'
  chicago: Krenn, Stephan, Krzysztof Z Pietrzak, and Akshay Wadia. “A Counterexample
    to the Chain Rule for Conditional HILL Entropy, and What Deniable Encryption Has
    to Do with It.” edited by Amit Sahai, 7785:23–39. Springer, 2013. <a href="https://doi.org/10.1007/978-3-642-36594-2_2">https://doi.org/10.1007/978-3-642-36594-2_2</a>.
  ieee: 'S. Krenn, K. Z. Pietrzak, and A. Wadia, “A counterexample to the chain rule
    for conditional HILL entropy, and what deniable encryption has to do with it,”
    presented at the TCC: Theory of Cryptography Conference, Tokyo, Japan, 2013, vol.
    7785, pp. 23–39.'
  ista: 'Krenn S, Pietrzak KZ, Wadia A. 2013. A counterexample to the chain rule for
    conditional HILL entropy, and what deniable encryption has to do with it. TCC:
    Theory of Cryptography Conference, LNCS, vol. 7785, 23–39.'
  mla: Krenn, Stephan, et al. <i>A Counterexample to the Chain Rule for Conditional
    HILL Entropy, and What Deniable Encryption Has to Do with It</i>. Edited by Amit
    Sahai, vol. 7785, Springer, 2013, pp. 23–39, doi:<a href="https://doi.org/10.1007/978-3-642-36594-2_2">10.1007/978-3-642-36594-2_2</a>.
  short: S. Krenn, K.Z. Pietrzak, A. Wadia, in:, A. Sahai (Ed.), Springer, 2013, pp.
    23–39.
conference:
  end_date: 2013-03-06
  location: Tokyo, Japan
  name: 'TCC: Theory of Cryptography Conference'
  start_date: 2013-03-03
date_created: 2018-12-11T12:00:27Z
date_published: 2013-01-29T00:00:00Z
date_updated: 2023-02-23T10:00:43Z
day: '29'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.1007/978-3-642-36594-2_2
ec_funded: 1
editor:
- first_name: Amit
  full_name: Sahai, Amit
  last_name: Sahai
file:
- access_level: open_access
  checksum: beb0cc1c0579da2d2e84394230a5da78
  content_type: application/pdf
  creator: dernst
  date_created: 2019-01-22T14:11:11Z
  date_updated: 2020-07-14T12:45:54Z
  file_id: '5875'
  file_name: 2013_LNCS_Krenn.pdf
  file_size: 414823
  relation: main_file
file_date_updated: 2020-07-14T12:45:54Z
has_accepted_license: '1'
intvolume: '      7785'
language:
- iso: eng
month: '01'
oa: 1
oa_version: Submitted Version
page: 23 - 39
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '3795'
quality_controlled: '1'
related_material:
  record:
  - id: '1479'
    relation: later_version
    status: public
scopus_import: 1
status: public
title: A counterexample to the chain rule for conditional HILL entropy, and what deniable
  encryption has to do with it
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 7785
year: '2013'
...
---
_id: '2258'
abstract:
- lang: eng
  text: "In a digital signature scheme with message recovery, rather than transmitting
    the message m and its signature σ, a single enhanced signature τ is transmitted.
    The verifier is able to recover m from τ and at the same time verify its authenticity.
    The two most important parameters of such a scheme are its security and overhead
    |τ| − |m|. A simple argument shows that for any scheme with “n bits security”
    |τ| − |m| ≥ n, i.e., the overhead is lower bounded by the security parameter n.
    Currently, the best known constructions in the random oracle model are far from
    this lower bound requiring an overhead of n + log q_h, where q_h is the number
    of queries to the random oracle. In this paper we give a construction which basically
    matches the n bit lower bound. We propose a simple digital signature scheme with
    n + o(log q_h) bits overhead, where q_h denotes the number of random oracle queries.\r\n\r\nOur
    construction works in two steps. First, we propose a signature scheme with message
    recovery having optimal overhead in a new ideal model, the random invertible function
    model. Second, we show that a four-round Feistel network with random oracles as
    round functions is tightly “public-indifferentiable” from a random invertible
    function. At the core of our indifferentiability proof is an almost tight upper
    bound for the expected number of edges of the densest “small” subgraph of a random
    Cayley graph, which may be of independent interest.\r\n"
alternative_title:
- LNCS
author:
- first_name: Eike
  full_name: Kiltz, Eike
  last_name: Kiltz
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Mario
  full_name: Szegedy, Mario
  last_name: Szegedy
citation:
  ama: Kiltz E, Pietrzak KZ, Szegedy M. Digital signatures with minimal overhead from
    indifferentiable random invertible functions. 2013;8042:571-588. doi:<a href="https://doi.org/10.1007/978-3-642-40041-4_31">10.1007/978-3-642-40041-4_31</a>
  apa: 'Kiltz, E., Pietrzak, K. Z., &#38; Szegedy, M. (2013). Digital signatures with
    minimal overhead from indifferentiable random invertible functions. Presented
    at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United
    States: Springer. <a href="https://doi.org/10.1007/978-3-642-40041-4_31">https://doi.org/10.1007/978-3-642-40041-4_31</a>'
  chicago: Kiltz, Eike, Krzysztof Z Pietrzak, and Mario Szegedy. “Digital Signatures
    with Minimal Overhead from Indifferentiable Random Invertible Functions.” Lecture
    Notes in Computer Science. Springer, 2013. <a href="https://doi.org/10.1007/978-3-642-40041-4_31">https://doi.org/10.1007/978-3-642-40041-4_31</a>.
  ieee: E. Kiltz, K. Z. Pietrzak, and M. Szegedy, “Digital signatures with minimal
    overhead from indifferentiable random invertible functions,” vol. 8042. Springer,
    pp. 571–588, 2013.
  ista: Kiltz E, Pietrzak KZ, Szegedy M. 2013. Digital signatures with minimal overhead
    from indifferentiable random invertible functions. 8042, 571–588.
  mla: Kiltz, Eike, et al. <i>Digital Signatures with Minimal Overhead from Indifferentiable
    Random Invertible Functions</i>. Vol. 8042, Springer, 2013, pp. 571–88, doi:<a
    href="https://doi.org/10.1007/978-3-642-40041-4_31">10.1007/978-3-642-40041-4_31</a>.
  short: E. Kiltz, K.Z. Pietrzak, M. Szegedy, 8042 (2013) 571–588.
conference:
  end_date: 2013-08-22
  location: Santa Barbara, CA, United States
  name: 'CRYPTO: International Cryptology Conference'
  start_date: 2013-08-18
date_created: 2018-12-11T11:56:37Z
date_published: 2013-01-01T00:00:00Z
date_updated: 2021-01-12T06:56:21Z
day: '01'
ddc:
- '000'
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-642-40041-4_31
ec_funded: 1
file:
- access_level: open_access
  checksum: 18a3f602cb41de184dc0e16a0e907633
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:09:20Z
  date_updated: 2020-07-14T12:45:35Z
  file_id: '4744'
  file_name: IST-2016-685-v1+1_658.pdf
  file_size: 493175
  relation: main_file
file_date_updated: 2020-07-14T12:45:35Z
has_accepted_license: '1'
intvolume: '      8042'
language:
- iso: eng
month: '01'
oa: 1
oa_version: Submitted Version
page: 571 - 588
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '4688'
pubrep_id: '685'
quality_controlled: '1'
scopus_import: 1
series_title: Lecture Notes in Computer Science
status: public
title: Digital signatures with minimal overhead from indifferentiable random invertible
  functions
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 8042
year: '2013'
...
---
_id: '2259'
abstract:
- lang: eng
  text: "The learning with rounding (LWR) problem, introduced by Banerjee, Peikert
    and Rosen at EUROCRYPT ’12, is a variant of learning with errors (LWE), where
    one replaces random errors with deterministic rounding. The LWR problem was shown
    to be as hard as LWE for a setting of parameters where the modulus and modulus-to-error
    ratio are super-polynomial. In this work we resolve the main open problem and
    give a new reduction that works for a larger range of parameters, allowing for
    a polynomial modulus and modulus-to-error ratio. In particular, a smaller modulus
    gives us greater efficiency, and a smaller modulus-to-error ratio gives us greater
    security, which now follows from the worst-case hardness of GapSVP with polynomial
    (rather than super-polynomial) approximation factors.\r\n\r\nAs a tool in the
    reduction, we show that there is a “lossy mode” for the LWR problem, in which
    LWR samples only reveal partial information about the secret. This property gives
    us several interesting new applications, including a proof that LWR remains secure
    with weakly random secrets of sufficient min-entropy, and very simple constructions
    of deterministic encryption, lossy trapdoor functions and reusable extractors.\r\n\r\nOur
    approach is inspired by a technique of Goldwasser et al. from ICS ’10, which implicitly
    showed the existence of a “lossy mode” for LWE. By refining this technique, we
    also improve on the parameters of that work to only requiring a polynomial (instead
    of super-polynomial) modulus and modulus-to-error ratio.\r\n"
alternative_title:
- LNCS
author:
- first_name: Joel F
  full_name: Alwen, Joel F
  id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
  last_name: Alwen
- first_name: Stephan
  full_name: Krenn, Stephan
  id: 329FCCF0-F248-11E8-B48F-1D18A9856A87
  last_name: Krenn
  orcid: 0000-0003-2835-9093
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Daniel
  full_name: Wichs, Daniel
  last_name: Wichs
citation:
  ama: 'Alwen JF, Krenn S, Pietrzak KZ, Wichs D. Learning with rounding, revisited:
    New reduction properties and applications. 2013;8042(1):57-74. doi:<a href="https://doi.org/10.1007/978-3-642-40041-4_4">10.1007/978-3-642-40041-4_4</a>'
  apa: 'Alwen, J. F., Krenn, S., Pietrzak, K. Z., &#38; Wichs, D. (2013). Learning
    with rounding, revisited: New reduction properties and applications. Presented
    at the CRYPTO: International Cryptology Conference, Santa Barbara, CA, United
    States: Springer. <a href="https://doi.org/10.1007/978-3-642-40041-4_4">https://doi.org/10.1007/978-3-642-40041-4_4</a>'
  chicago: 'Alwen, Joel F, Stephan Krenn, Krzysztof Z Pietrzak, and Daniel Wichs.
    “Learning with Rounding, Revisited: New Reduction Properties and Applications.”
    Lecture Notes in Computer Science. Springer, 2013. <a href="https://doi.org/10.1007/978-3-642-40041-4_4">https://doi.org/10.1007/978-3-642-40041-4_4</a>.'
  ieee: 'J. F. Alwen, S. Krenn, K. Z. Pietrzak, and D. Wichs, “Learning with rounding,
    revisited: New reduction properties and applications,” vol. 8042, no. 1. Springer,
    pp. 57–74, 2013.'
  ista: 'Alwen JF, Krenn S, Pietrzak KZ, Wichs D. 2013. Learning with rounding, revisited:
    New reduction properties and applications. 8042(1), 57–74.'
  mla: 'Alwen, Joel F., et al. <i>Learning with Rounding, Revisited: New Reduction
    Properties and Applications</i>. Vol. 8042, no. 1, Springer, 2013, pp. 57–74,
    doi:<a href="https://doi.org/10.1007/978-3-642-40041-4_4">10.1007/978-3-642-40041-4_4</a>.'
  short: J.F. Alwen, S. Krenn, K.Z. Pietrzak, D. Wichs, 8042 (2013) 57–74.
conference:
  end_date: 2013-08-22
  location: Santa Barbara, CA, United States
  name: 'CRYPTO: International Cryptology Conference'
  start_date: 2013-08-18
date_created: 2018-12-11T11:56:37Z
date_published: 2013-01-01T00:00:00Z
date_updated: 2021-01-12T06:56:21Z
day: '01'
ddc:
- '000'
- '004'
department:
- _id: KrPi
doi: 10.1007/978-3-642-40041-4_4
ec_funded: 1
file:
- access_level: open_access
  checksum: 16d428408a806b8e49eecc607deab115
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:11:55Z
  date_updated: 2020-07-14T12:45:35Z
  file_id: '4912'
  file_name: IST-2016-684-v1+1_098.pdf
  file_size: 587898
  relation: main_file
file_date_updated: 2020-07-14T12:45:35Z
has_accepted_license: '1'
intvolume: '      8042'
issue: '1'
language:
- iso: eng
month: '01'
oa: 1
oa_version: Published Version
page: 57 - 74
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '4687'
pubrep_id: '684'
quality_controlled: '1'
scopus_import: 1
series_title: Lecture Notes in Computer Science
status: public
title: 'Learning with rounding, revisited: New reduction properties and applications'
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 8042
year: '2013'
...
---
_id: '2260'
abstract:
- lang: eng
  text: "Direct Anonymous Attestation (DAA) is one of the most complex cryptographic
    protocols deployed in practice. It allows an embedded secure processor known as
    a Trusted Platform Module (TPM) to attest to the configuration of its host computer
    without violating the owner’s privacy. DAA has been standardized by the Trusted
    Computing Group and ISO/IEC.\r\n\r\nThe security of the DAA standard and all existing
    schemes is analyzed in the random-oracle model. We provide the first constructions
    of DAA in the standard model, that is, without relying on random oracles. Our
    constructions use new building blocks, including the first efficient signatures
    of knowledge in the standard model, which have many applications beyond DAA.\r\n"
alternative_title:
- LNCS
author:
- first_name: David
  full_name: Bernhard, David
  last_name: Bernhard
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
- first_name: Essam
  full_name: Ghadafi, Essam
  last_name: Ghadafi
citation:
  ama: Bernhard D, Fuchsbauer G, Ghadafi E. Efficient signatures of knowledge and
    DAA in the standard model. 2013;7954:518-533. doi:<a href="https://doi.org/10.1007/978-3-642-38980-1_33">10.1007/978-3-642-38980-1_33</a>
  apa: 'Bernhard, D., Fuchsbauer, G., &#38; Ghadafi, E. (2013). Efficient signatures
    of knowledge and DAA in the standard model. Presented at the ACNS: Applied Cryptography
    and Network Security, Banff, AB, Canada: Springer. <a href="https://doi.org/10.1007/978-3-642-38980-1_33">https://doi.org/10.1007/978-3-642-38980-1_33</a>'
  chicago: Bernhard, David, Georg Fuchsbauer, and Essam Ghadafi. “Efficient Signatures
    of Knowledge and DAA in the Standard Model.” Lecture Notes in Computer Science.
    Springer, 2013. <a href="https://doi.org/10.1007/978-3-642-38980-1_33">https://doi.org/10.1007/978-3-642-38980-1_33</a>.
  ieee: D. Bernhard, G. Fuchsbauer, and E. Ghadafi, “Efficient signatures of knowledge
    and DAA in the standard model,” vol. 7954. Springer, pp. 518–533, 2013.
  ista: Bernhard D, Fuchsbauer G, Ghadafi E. 2013. Efficient signatures of knowledge
    and DAA in the standard model. 7954, 518–533.
  mla: Bernhard, David, et al. <i>Efficient Signatures of Knowledge and DAA in the
    Standard Model</i>. Vol. 7954, Springer, 2013, pp. 518–33, doi:<a href="https://doi.org/10.1007/978-3-642-38980-1_33">10.1007/978-3-642-38980-1_33</a>.
  short: D. Bernhard, G. Fuchsbauer, E. Ghadafi, 7954 (2013) 518–533.
conference:
  end_date: 2013-06-28
  location: Banff, AB, Canada
  name: 'ACNS: Applied Cryptography and Network Security'
  start_date: 2013-06-25
date_created: 2018-12-11T11:56:37Z
date_published: 2013-06-01T00:00:00Z
date_updated: 2020-08-11T10:09:44Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-642-38980-1_33
intvolume: '      7954'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: http://eprint.iacr.org/2012/475
month: '06'
oa: 1
oa_version: Submitted Version
page: 518 - 533
publication_status: published
publisher: Springer
publist_id: '4686'
quality_controlled: '1'
scopus_import: 1
series_title: Lecture Notes in Computer Science
status: public
title: Efficient signatures of knowledge and DAA in the standard model
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 7954
year: '2013'
...
---
_id: '2274'
abstract:
- lang: eng
  text: "Proofs of work (PoW) have been suggested by Dwork and Naor (Crypto'92) as
    protection to a shared resource. The basic idea is to ask the service requestor
    to dedicate some non-trivial amount of computational work to every request. The
    original applications included prevention of spam and protection against denial
    of service attacks. More recently, PoWs have been used to prevent double spending
    in the Bitcoin digital currency system.\r\n\r\nIn this work, we put forward an
    alternative concept for PoWs -- so-called proofs of space (PoS), where a service
    requestor must dedicate a significant amount of disk space as opposed to computation.
    We construct secure PoS schemes in the random oracle model, using graphs with
    high \"pebbling complexity\" and Merkle hash-trees."
author:
- first_name: Stefan
  full_name: Dziembowski, Stefan
  last_name: Dziembowski
- first_name: Sebastian
  full_name: Faust, Sebastian
  last_name: Faust
- first_name: Vladimir
  full_name: Kolmogorov, Vladimir
  id: 3D50B0BA-F248-11E8-B48F-1D18A9856A87
  last_name: Kolmogorov
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
citation:
  ama: Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. <i>Proofs of Space</i>.
    IST Austria; 2013.
  apa: Dziembowski, S., Faust, S., Kolmogorov, V., &#38; Pietrzak, K. Z. (2013). <i>Proofs
    of Space</i>. IST Austria.
  chicago: Dziembowski, Stefan, Sebastian Faust, Vladimir Kolmogorov, and Krzysztof
    Z Pietrzak. <i>Proofs of Space</i>. IST Austria, 2013.
  ieee: S. Dziembowski, S. Faust, V. Kolmogorov, and K. Z. Pietrzak, <i>Proofs of
    Space</i>. IST Austria, 2013.
  ista: Dziembowski S, Faust S, Kolmogorov V, Pietrzak KZ. 2013. Proofs of Space,
    IST Austria.
  mla: Dziembowski, Stefan, et al. <i>Proofs of Space</i>. IST Austria, 2013.
  short: S. Dziembowski, S. Faust, V. Kolmogorov, K.Z. Pietrzak, Proofs of Space,
    IST Austria, 2013.
date_created: 2018-12-11T11:56:42Z
date_published: 2013-11-28T00:00:00Z
date_updated: 2023-02-23T10:09:33Z
day: '28'
ddc:
- '530'
department:
- _id: VlKo
- _id: KrPi
file:
- access_level: open_access
  checksum: 37b61637b62fc079d9141c59d9f1a94f
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:16:11Z
  date_updated: 2020-07-14T12:45:36Z
  file_id: '5197'
  file_name: IST-2016-671-v1+1_796.pdf
  file_size: 405870
  relation: main_file
file_date_updated: 2020-07-14T12:45:36Z
has_accepted_license: '1'
language:
- iso: eng
month: '11'
oa: 1
oa_version: Published Version
publication_status: published
publisher: IST Austria
publist_id: '4670'
pubrep_id: '671'
related_material:
  record:
  - id: '1675'
    relation: later_version
    status: public
scopus_import: 1
status: public
title: Proofs of Space
type: report
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
year: '2013'
...
---
_id: '2291'
abstract:
- lang: eng
  text: "Cryptographic access control promises to offer easily distributed trust and
    broader applicability, while reducing reliance on low-level online monitors. Traditional
    implementations of cryptographic access control rely on simple cryptographic primitives
    whereas recent endeavors employ primitives with richer functionality and security
    guarantees. Worryingly, few of the existing cryptographic access-control schemes
    come with precise guarantees, the gap between the policy specification and the
    implementation being analyzed only informally, if at all. In this paper we begin
    addressing this shortcoming. Unlike prior work that targeted ad-hoc policy specification,
    we look at the well-established Role-Based Access Control (RBAC) model, as used
    in a typical file system. In short, we provide a precise syntax for a computational
    version of RBAC, offer rigorous definitions for cryptographic policy enforcement
    of a large class of RBAC security policies, and demonstrate that an implementation
    based on attribute-based encryption meets our security notions. We view our main
    contribution as being at the conceptual level. Although we work with RBAC for
    concreteness, our general methodology could guide future research for uses of
    cryptography in other access-control models. \r\n"
author:
- first_name: Anna
  full_name: Ferrara, Anna
  last_name: Ferrara
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
- first_name: Bogdan
  full_name: Warinschi, Bogdan
  last_name: Warinschi
citation:
  ama: 'Ferrara A, Fuchsbauer G, Warinschi B. Cryptographically enforced RBAC. In:
    IEEE; 2013:115-129. doi:<a href="https://doi.org/10.1109/CSF.2013.15">10.1109/CSF.2013.15</a>'
  apa: 'Ferrara, A., Fuchsbauer, G., &#38; Warinschi, B. (2013). Cryptographically
    enforced RBAC (pp. 115–129). Presented at the CSF: Computer Security Foundations,
    New Orleans, LA, United States: IEEE. <a href="https://doi.org/10.1109/CSF.2013.15">https://doi.org/10.1109/CSF.2013.15</a>'
  chicago: Ferrara, Anna, Georg Fuchsbauer, and Bogdan Warinschi. “Cryptographically
    Enforced RBAC,” 115–29. IEEE, 2013. <a href="https://doi.org/10.1109/CSF.2013.15">https://doi.org/10.1109/CSF.2013.15</a>.
  ieee: 'A. Ferrara, G. Fuchsbauer, and B. Warinschi, “Cryptographically enforced
    RBAC,” presented at the CSF: Computer Security Foundations, New Orleans, LA, United
    States, 2013, pp. 115–129.'
  ista: 'Ferrara A, Fuchsbauer G, Warinschi B. 2013. Cryptographically enforced RBAC.
    CSF: Computer Security Foundations, 115–129.'
  mla: Ferrara, Anna, et al. <i>Cryptographically Enforced RBAC</i>. IEEE, 2013, pp.
    115–29, doi:<a href="https://doi.org/10.1109/CSF.2013.15">10.1109/CSF.2013.15</a>.
  short: A. Ferrara, G. Fuchsbauer, B. Warinschi, in: IEEE, 2013, pp. 115–129.
conference:
  end_date: 2013-09-28
  location: New Orleans, LA, United States
  name: 'CSF: Computer Security Foundations'
  start_date: 2013-09-26
date_created: 2018-12-11T11:56:48Z
date_published: 2013-09-01T00:00:00Z
date_updated: 2021-01-12T06:56:34Z
day: '01'
department:
- _id: KrPi
doi: 10.1109/CSF.2013.15
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: http://eprint.iacr.org/2013/492
month: '09'
oa: 1
oa_version: Submitted Version
page: 115 - 129
publication_status: published
publisher: IEEE
publist_id: '4637'
quality_controlled: '1'
scopus_import: 1
status: public
title: Cryptographically enforced RBAC
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
year: '2013'
...
---
_id: '502'
abstract:
- lang: eng
  text: 'Blind signatures allow users to obtain signatures on messages hidden from
    the signer; moreover, the signer cannot link the resulting message/signature pair
    to the signing session. This paper presents blind signature schemes, in which
    the number of interactions between the user and the signer is minimal and whose
    blind signatures are short. Our schemes are defined over bilinear groups and are
    proved secure in the common-reference-string model without random oracles and
    under standard assumptions: CDH and the decision-linear assumption. (We also give
    variants over asymmetric groups based on similar assumptions.) The blind signatures
    are Waters signatures, which consist of 2 group elements. Moreover, we instantiate
    partially blind signatures, where the message consists of a part hidden from the
    signer and a commonly known public part, and schemes achieving perfect blindness.
    We propose new variants of blind signatures, such as signer-friendly partially
    blind signatures, where the public part can be chosen by the signer without prior
    agreement, 3-party blind signatures, as well as blind signatures on multiple aggregated
    messages provided by independent sources. We also extend Waters signatures to
    non-binary alphabets by proving a new result on the underlying hash function. '
author:
- first_name: Olivier
  full_name: Blazy, Olivier
  last_name: Blazy
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
- first_name: David
  full_name: Pointcheval, David
  last_name: Pointcheval
- first_name: Damien
  full_name: Vergnaud, Damien
  last_name: Vergnaud
citation:
  ama: Blazy O, Fuchsbauer G, Pointcheval D, Vergnaud D. Short blind signatures. <i>Journal
    of Computer Security</i>. 2013;21(5):627-661. doi:<a href="https://doi.org/10.3233/JCS-130477">10.3233/JCS-130477</a>
  apa: Blazy, O., Fuchsbauer, G., Pointcheval, D., &#38; Vergnaud, D. (2013). Short
    blind signatures. <i>Journal of Computer Security</i>. IOS Press. <a href="https://doi.org/10.3233/JCS-130477">https://doi.org/10.3233/JCS-130477</a>
  chicago: Blazy, Olivier, Georg Fuchsbauer, David Pointcheval, and Damien Vergnaud.
    “Short Blind Signatures.” <i>Journal of Computer Security</i>. IOS Press, 2013.
    <a href="https://doi.org/10.3233/JCS-130477">https://doi.org/10.3233/JCS-130477</a>.
  ieee: O. Blazy, G. Fuchsbauer, D. Pointcheval, and D. Vergnaud, “Short blind signatures,”
    <i>Journal of Computer Security</i>, vol. 21, no. 5. IOS Press, pp. 627–661, 2013.
  ista: Blazy O, Fuchsbauer G, Pointcheval D, Vergnaud D. 2013. Short blind signatures.
    Journal of Computer Security. 21(5), 627–661.
  mla: Blazy, Olivier, et al. “Short Blind Signatures.” <i>Journal of Computer Security</i>,
    vol. 21, no. 5, IOS Press, 2013, pp. 627–61, doi:<a href="https://doi.org/10.3233/JCS-130477">10.3233/JCS-130477</a>.
  short: O. Blazy, G. Fuchsbauer, D. Pointcheval, D. Vergnaud, Journal of Computer
    Security 21 (2013) 627–661.
date_created: 2018-12-11T11:46:50Z
date_published: 2013-11-22T00:00:00Z
date_updated: 2021-01-12T08:01:09Z
day: '22'
department:
- _id: KrPi
doi: 10.3233/JCS-130477
intvolume: '        21'
issue: '5'
language:
- iso: eng
month: '11'
oa_version: None
page: 627 - 661
publication: Journal of Computer Security
publication_status: published
publisher: IOS Press
publist_id: '7318'
quality_controlled: '1'
scopus_import: 1
status: public
title: Short blind signatures
type: journal_article
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 21
year: '2013'
...
---
_id: '2937'
abstract:
- lang: eng
  text: Developers building cryptography into security-sensitive applications face
    a daunting task. Not only must they understand the security guarantees delivered
    by the constructions they choose, they must also implement and combine them correctly
    and efficiently. Cryptographic compilers free developers from this task by turning
    high-level specifications of security goals into efficient implementations. Yet,
    trusting such tools is hard as they rely on complex mathematical machinery and
    claim security properties that are subtle and difficult to verify. In this paper
    we present ZKCrypt, an optimizing cryptographic compiler achieving an unprecedented
    level of assurance without sacrificing practicality for a comprehensive class
    of cryptographic protocols, known as Zero-Knowledge Proofs of Knowledge. The pipeline
    of ZKCrypt integrates purpose-built verified compilers and verifying compilers
    producing formal proofs in the CertiCrypt framework. By combining the guarantees
    delivered by each stage, ZKCrypt provides assurance that the output implementation
    securely realizes the abstract proof goal given as input. We report on the main
    characteristics of ZKCrypt, highlight new definitions and concepts at its foundations,
    and illustrate its applicability through a representative example of an anonymous
    credential system.
acknowledgement: This work was partially funded by National Funds through the FCT
  - Fundação para a Ciência e a Tecnologia (Portuguese Foundation for Science and
  Technology) within project ENI-AC/2224/2009, by ENIAC Joint Undertaking under grant
  agreement number 120224, European Projects FP7-256980 NESSoS and FP7-229599 AMAROUT,
  Spanish National project TIN2009-14599 DESAFIOS 10, and Madrid Regional project
  S2009TIC-1465 PROMETIDOS.
author:
- first_name: José
  full_name: Almeida, José
  last_name: Almeida
- first_name: Manuel
  full_name: Barbosa, Manuel
  last_name: Barbosa
- first_name: Endre
  full_name: Bangerter, Endre
  last_name: Bangerter
- first_name: Gilles
  full_name: Barthe, Gilles
  last_name: Barthe
- first_name: Stephan
  full_name: Krenn, Stephan
  id: 329FCCF0-F248-11E8-B48F-1D18A9856A87
  last_name: Krenn
  orcid: 0000-0003-2835-9093
- first_name: Santiago
  full_name: Béguelin, Santiago
  last_name: Béguelin
citation:
  ama: 'Almeida J, Barbosa M, Bangerter E, Barthe G, Krenn S, Béguelin S. Full proof
    cryptography: Verifiable compilation of efficient zero-knowledge protocols. In:
    <i>Proceedings of the 2012 ACM Conference on Computer and Communications Security</i>.
    ACM; 2012:488-500. doi:<a href="https://doi.org/10.1145/2382196.2382249">10.1145/2382196.2382249</a>'
  apa: 'Almeida, J., Barbosa, M., Bangerter, E., Barthe, G., Krenn, S., &#38; Béguelin,
    S. (2012). Full proof cryptography: Verifiable compilation of efficient zero-knowledge
    protocols. In <i>Proceedings of the 2012 ACM conference on Computer and communications
    security</i> (pp. 488–500). Raleigh, NC, USA: ACM. <a href="https://doi.org/10.1145/2382196.2382249">https://doi.org/10.1145/2382196.2382249</a>'
  chicago: 'Almeida, José, Manuel Barbosa, Endre Bangerter, Gilles Barthe, Stephan
    Krenn, and Santiago Béguelin. “Full Proof Cryptography: Verifiable Compilation
    of Efficient Zero-Knowledge Protocols.” In <i>Proceedings of the 2012 ACM Conference
    on Computer and Communications Security</i>, 488–500. ACM, 2012. <a href="https://doi.org/10.1145/2382196.2382249">https://doi.org/10.1145/2382196.2382249</a>.'
  ieee: 'J. Almeida, M. Barbosa, E. Bangerter, G. Barthe, S. Krenn, and S. Béguelin,
    “Full proof cryptography: Verifiable compilation of efficient zero-knowledge protocols,”
    in <i>Proceedings of the 2012 ACM conference on Computer and communications security</i>,
    Raleigh, NC, USA, 2012, pp. 488–500.'
  ista: 'Almeida J, Barbosa M, Bangerter E, Barthe G, Krenn S, Béguelin S. 2012. Full
    proof cryptography: Verifiable compilation of efficient zero-knowledge protocols.
    Proceedings of the 2012 ACM conference on Computer and communications security.
    CCS: Computer and Communications Security, 488–500.'
  mla: 'Almeida, José, et al. “Full Proof Cryptography: Verifiable Compilation of
    Efficient Zero-Knowledge Protocols.” <i>Proceedings of the 2012 ACM Conference
    on Computer and Communications Security</i>, ACM, 2012, pp. 488–500, doi:<a href="https://doi.org/10.1145/2382196.2382249">10.1145/2382196.2382249</a>.'
  short: J. Almeida, M. Barbosa, E. Bangerter, G. Barthe, S. Krenn, S. Béguelin, in:
    Proceedings of the 2012 ACM Conference on Computer and Communications Security,
    ACM, 2012, pp. 488–500.
conference:
  end_date: 2012-10-18
  location: Raleigh, NC, USA
  name: 'CCS: Computer and Communications Security'
  start_date: 2012-10-16
date_created: 2018-12-11T12:00:26Z
date_published: 2012-10-01T00:00:00Z
date_updated: 2021-01-12T07:39:53Z
day: '01'
department:
- _id: KrPi
doi: 10.1145/2382196.2382249
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2012/258
month: '10'
oa: 1
oa_version: Submitted Version
page: 488 - 500
publication: Proceedings of the 2012 ACM conference on Computer and communications
  security
publication_status: published
publisher: ACM
publist_id: '3798'
quality_controlled: '1'
scopus_import: 1
status: public
title: 'Full proof cryptography: Verifiable compilation of efficient zero-knowledge
  protocols'
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
year: '2012'
...
---
_id: '2974'
abstract:
- lang: eng
  text: "We construct a perfectly binding string commitment scheme whose security
    is based on the learning parity with noise (LPN) assumption, or equivalently,
    the hardness of decoding random linear codes. Our scheme not only allows for a
    simple and efficient zero-knowledge proof of knowledge for committed values (essentially
    a Σ-protocol), but also for such proofs showing any kind of relation amongst committed
    values, i.e. proving that messages m_0,...,m_u are such that m_0=C(m_1,...,m_u)
    for any circuit C.\r\n\r\nTo get soundness which is exponentially small in a security
    parameter t, and when the zero-knowledge property relies on the LPN problem with
    secrets of length l, our 3-round protocol has communication complexity O(t|C|l
    log(l)) and computational complexity of O(t|C|l) bit operations. The hidden constants
    are small, and the computation consists mostly of computing inner products of
    bit-vectors."
acknowledgement: "We are grateful to Petros Mol for helpful discussions on the reduction
  for the hardness of the xLPN problem.\r\n"
alternative_title:
- LNCS
author:
- first_name: Abhishek
  full_name: Jain, Abhishek
  last_name: Jain
- first_name: Stephan
  full_name: Krenn, Stephan
  id: 329FCCF0-F248-11E8-B48F-1D18A9856A87
  last_name: Krenn
  orcid: 0000-0003-2835-9093
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Aris
  full_name: Tentes, Aris
  last_name: Tentes
citation:
  ama: 'Jain A, Krenn S, Pietrzak KZ, Tentes A. Commitments and efficient zero knowledge
    proofs from learning parity with noise. In: Wang X, Sako K, eds. Vol 7658. Springer;
    2012:663-680. doi:<a href="https://doi.org/10.1007/978-3-642-34961-4_40">10.1007/978-3-642-34961-4_40</a>'
  apa: 'Jain, A., Krenn, S., Pietrzak, K. Z., &#38; Tentes, A. (2012). Commitments
    and efficient zero knowledge proofs from learning parity with noise. In X. Wang
    &#38; K. Sako (Eds.) (Vol. 7658, pp. 663–680). Presented at the ASIACRYPT: Theory
    and Application of Cryptology and Information Security, Beijing, China: Springer.
    <a href="https://doi.org/10.1007/978-3-642-34961-4_40">https://doi.org/10.1007/978-3-642-34961-4_40</a>'
  chicago: Jain, Abhishek, Stephan Krenn, Krzysztof Z Pietrzak, and Aris Tentes. “Commitments
    and Efficient Zero Knowledge Proofs from Learning Parity with Noise.” edited by
    Xiaoyun Wang and Kazue Sako, 7658:663–80. Springer, 2012. <a href="https://doi.org/10.1007/978-3-642-34961-4_40">https://doi.org/10.1007/978-3-642-34961-4_40</a>.
  ieee: 'A. Jain, S. Krenn, K. Z. Pietrzak, and A. Tentes, “Commitments and efficient
    zero knowledge proofs from learning parity with noise,” presented at the ASIACRYPT:
    Theory and Application of Cryptology and Information Security, Beijing, China,
    2012, vol. 7658, pp. 663–680.'
  ista: 'Jain A, Krenn S, Pietrzak KZ, Tentes A. 2012. Commitments and efficient zero
    knowledge proofs from learning parity with noise. ASIACRYPT: Theory and Application
    of Cryptology and Information Security, LNCS, vol. 7658, 663–680.'
  mla: Jain, Abhishek, et al. <i>Commitments and Efficient Zero Knowledge Proofs from
    Learning Parity with Noise</i>. Edited by Xiaoyun Wang and Kazue Sako, vol. 7658,
    Springer, 2012, pp. 663–80, doi:<a href="https://doi.org/10.1007/978-3-642-34961-4_40">10.1007/978-3-642-34961-4_40</a>.
  short: A. Jain, S. Krenn, K.Z. Pietrzak, A. Tentes, in: X. Wang, K. Sako (Eds.),
    Springer, 2012, pp. 663–680.
conference:
  end_date: 2012-12-06
  location: Beijing, China
  name: 'ASIACRYPT: Theory and Application of Cryptology and Information Security'
  start_date: 2012-12-02
date_created: 2018-12-11T12:00:38Z
date_published: 2012-12-01T00:00:00Z
date_updated: 2021-01-12T07:40:11Z
day: '01'
ddc:
- '004'
- '005'
department:
- _id: KrPi
doi: 10.1007/978-3-642-34961-4_40
ec_funded: 1
editor:
- first_name: Xiaoyun
  full_name: Wang, Xiaoyun
  last_name: Wang
- first_name: Kazue
  full_name: Sako, Kazue
  last_name: Sako
file:
- access_level: open_access
  checksum: ab879537385efc4cb4203e7ef0fea17b
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:14:00Z
  date_updated: 2020-07-14T12:45:58Z
  file_id: '5048'
  file_name: IST-2016-721-v1+1_513.pdf
  file_size: 482570
  relation: main_file
file_date_updated: 2020-07-14T12:45:58Z
has_accepted_license: '1'
intvolume: '      7658'
language:
- iso: eng
month: '12'
oa: 1
oa_version: Submitted Version
page: 663 - 680
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '3730'
pubrep_id: '721'
scopus_import: 1
status: public
title: Commitments and efficient zero knowledge proofs from learning parity with noise
tmp:
  image: /images/cc_by.png
  legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
  name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
  short: CC BY (4.0)
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 7658
year: '2012'
...
---
_id: '3250'
abstract:
- lang: eng
  text: The Learning Parity with Noise (LPN) problem has recently found many applications
    in cryptography as the hardness assumption underlying the constructions of "provably
    secure" cryptographic schemes like encryption or authentication protocols.
    Being provably secure means that the scheme comes with a proof showing that the
    existence of an efficient adversary against the scheme implies that the underlying
    hardness assumption is wrong. LPN based schemes are appealing for theoretical
    and practical reasons. On the theoretical side, LPN based schemes offer a very
    strong security guarantee. The LPN problem is equivalent to the problem of decoding
    random linear codes, a problem that has been extensively studied in the last half
    century. The fastest known algorithms run in exponential time and, unlike most
    number-theoretic problems used in cryptography, the LPN problem does not succumb
    to known quantum algorithms. On the practical side, LPN based schemes are often
    extremely simple and efficient in terms of code-size as well as time and space
    requirements. This makes them prime candidates for light-weight devices like RFID
    tags, which are too weak to implement standard cryptographic primitives like the
    AES block-cipher. This talk will be a gentle introduction to provable security
    using simple LPN based schemes as examples. It starts from pseudorandom generators
    and symmetric-key encryption, moves on to secret-key authentication protocols, and,
    if time admits, touches on recent constructions of public-key identification, commitments
    and zero-knowledge proofs.
alternative_title:
- LNCS
author:
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
citation:
  ama: 'Pietrzak KZ. Cryptography from learning parity with noise. In: Vol 7147. Springer;
    2012:99-114. doi:<a href="https://doi.org/10.1007/978-3-642-27660-6_9">10.1007/978-3-642-27660-6_9</a>'
  apa: 'Pietrzak, K. Z. (2012). Cryptography from learning parity with noise (Vol.
    7147, pp. 99–114). Presented at the SOFSEM: Current Trends in Theory and Practice
    of Computer Science, Špindlerův Mlýn, Czech Republic: Springer. <a href="https://doi.org/10.1007/978-3-642-27660-6_9">https://doi.org/10.1007/978-3-642-27660-6_9</a>'
  chicago: Pietrzak, Krzysztof Z. “Cryptography from Learning Parity with Noise,”
    7147:99–114. Springer, 2012. <a href="https://doi.org/10.1007/978-3-642-27660-6_9">https://doi.org/10.1007/978-3-642-27660-6_9</a>.
  ieee: 'K. Z. Pietrzak, “Cryptography from learning parity with noise,” presented
    at the SOFSEM: Current Trends in Theory and Practice of Computer Science, Špindlerův
    Mlýn, Czech Republic, 2012, vol. 7147, pp. 99–114.'
  ista: 'Pietrzak KZ. 2012. Cryptography from learning parity with noise. SOFSEM:
    Current Trends in Theory and Practice of Computer Science, LNCS, vol. 7147, 99–114.'
  mla: Pietrzak, Krzysztof Z. <i>Cryptography from Learning Parity with Noise</i>.
    Vol. 7147, Springer, 2012, pp. 99–114, doi:<a href="https://doi.org/10.1007/978-3-642-27660-6_9">10.1007/978-3-642-27660-6_9</a>.
  short: K.Z. Pietrzak, in: Springer, 2012, pp. 99–114.
conference:
  end_date: 2012-01-27
  location: Špindlerův Mlýn, Czech Republic
  name: 'SOFSEM: Current Trends in Theory and Practice of Computer Science'
  start_date: 2012-01-21
date_created: 2018-12-11T12:02:15Z
date_published: 2012-02-19T00:00:00Z
date_updated: 2021-01-12T07:42:07Z
day: '19'
department:
- _id: KrPi
doi: 10.1007/978-3-642-27660-6_9
intvolume: '      7147'
language:
- iso: eng
month: '02'
oa_version: None
page: 99 - 114
publication_status: published
publisher: Springer
publist_id: '3407'
quality_controlled: '1'
scopus_import: 1
status: public
title: Cryptography from learning parity with noise
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 7147
year: '2012'
...
