---
_id: '635'
abstract:
- lang: eng
  text: Memory-hard functions (MHFs) are hash algorithms whose evaluation cost is
    dominated by memory cost. As memory, unlike computation, costs about the same
    across different platforms, MHFs cannot be evaluated at significantly lower cost
    on dedicated hardware like ASICs. MHFs have found widespread applications including
    password hashing, key derivation, and proofs-of-work. This paper focuses on scrypt,
    a simple candidate MHF designed by Percival, and described in RFC 7914. It has
    been used within a number of cryptocurrencies (e.g., Litecoin and Dogecoin) and
    has been an inspiration for Argon2d, one of the winners of the recent password-hashing
    competition. Despite its popularity, no rigorous lower bounds on its memory complexity
    are known. We prove that scrypt is optimally memory-hard, i.e., its cumulative
    memory complexity (cmc) in the parallel random oracle model is Ω(n2w), where w
    and n are the output length and number of invocations of the underlying hash function,
    respectively. High cmc is a strong security target for MHFs introduced by Alwen
    and Serbinenko (STOC’15) which implies high memory cost even for adversaries who
    can amortize the cost over many evaluations and evaluate the underlying hash functions
    many times in parallel. Our proof is the first showing optimal memory-hardness
    for any MHF. Our result improves both quantitatively and qualitatively upon the
    recent work by Alwen et al. (EUROCRYPT’16) who proved a weaker lower bound of
    Ω(n2w/ log2 n) for a restricted class of adversaries.
alternative_title:
- LNCS
author:
- first_name: Joel F
  full_name: Alwen, Joel F
  id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
  last_name: Alwen
- first_name: Binchi
  full_name: Chen, Binchi
  last_name: Chen
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Leonid
  full_name: Reyzin, Leonid
  last_name: Reyzin
- first_name: Stefano
  full_name: Tessaro, Stefano
  last_name: Tessaro
citation:
  ama: 'Alwen JF, Chen B, Pietrzak KZ, Reyzin L, Tessaro S. Scrypt is maximally memory
    hard. In: Coron J-S, Buus Nielsen J, eds. Vol 10212. Springer; 2017:33-62. doi:<a
    href="https://doi.org/10.1007/978-3-319-56617-7_2">10.1007/978-3-319-56617-7_2</a>'
  apa: 'Alwen, J. F., Chen, B., Pietrzak, K. Z., Reyzin, L., &#38; Tessaro, S. (2017).
    Scrypt is maximally memory hard. In J.-S. Coron &#38; J. Buus Nielsen (Eds.) (Vol.
    10212, pp. 33–62). Presented at the EUROCRYPT: Theory and Applications of Cryptographic
    Techniques, Paris, France: Springer. <a href="https://doi.org/10.1007/978-3-319-56617-7_2">https://doi.org/10.1007/978-3-319-56617-7_2</a>'
  chicago: Alwen, Joel F, Binchi Chen, Krzysztof Z Pietrzak, Leonid Reyzin, and Stefano
    Tessaro. “Scrypt Is Maximally Memory Hard.” edited by Jean-Sébastien Coron and
    Jesper Buus Nielsen, 10212:33–62. Springer, 2017. <a href="https://doi.org/10.1007/978-3-319-56617-7_2">https://doi.org/10.1007/978-3-319-56617-7_2</a>.
  ieee: 'J. F. Alwen, B. Chen, K. Z. Pietrzak, L. Reyzin, and S. Tessaro, “Scrypt
    is maximally memory hard,” presented at the EUROCRYPT: Theory and Applications
    of Cryptographic Techniques, Paris, France, 2017, vol. 10212, pp. 33–62.'
  ista: 'Alwen JF, Chen B, Pietrzak KZ, Reyzin L, Tessaro S. 2017. Scrypt is maximally
    memory hard. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS,
    vol. 10212, 33–62.'
  mla: Alwen, Joel F., et al. <i>Scrypt Is Maximally Memory Hard</i>. Edited by Jean-Sébastien
    Coron and Jesper Buus Nielsen, vol. 10212, Springer, 2017, pp. 33–62, doi:<a href="https://doi.org/10.1007/978-3-319-56617-7_2">10.1007/978-3-319-56617-7_2</a>.
  short: J.F. Alwen, B. Chen, K.Z. Pietrzak, L. Reyzin, S. Tessaro, in:, J.-S. Coron,
    J. Buus Nielsen (Eds.), Springer, 2017, pp. 33–62.
conference:
  end_date: 2017-05-04
  location: Paris, France
  name: 'EUROCRYPT: Theory and Applications of Cryptographic Techniques'
  start_date: 2017-04-30
date_created: 2018-12-11T11:47:37Z
date_published: 2017-01-01T00:00:00Z
date_updated: 2021-01-12T08:07:10Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-56617-7_2
ec_funded: 1
editor:
- first_name: Jean-Sébastien
  full_name: Coron, Jean-Sébastien
  last_name: Coron
- first_name: Jesper
  full_name: Buus Nielsen, Jesper
  last_name: Buus Nielsen
intvolume: '     10212'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2016/989
month: '01'
oa: 1
oa_version: Submitted Version
page: 33 - 62
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
publication_identifier:
  isbn:
  - 978-331956616-0
publication_status: published
publisher: Springer
publist_id: '7154'
quality_controlled: '1'
scopus_import: 1
status: public
title: Scrypt is maximally memory hard
type: conference
user_id: 4435EBFC-F248-11E8-B48F-1D18A9856A87
volume: 10212
year: '2017'
...
---
_id: '637'
abstract:
- lang: eng
  text: For many cryptographic primitives, it is relatively easy to achieve selective
    security (where the adversary commits a-priori to some of the choices to be made
    later in the attack) but appears difficult to achieve the more natural notion
    of adaptive security (where the adversary can make all choices on the go as the
    attack progresses). A series of several recent works shows how to cleverly achieve
    adaptive security in several such scenarios including generalized selective decryption
    (Panjwani, TCC ’07 and Fuchsbauer et al., CRYPTO ’15), constrained PRFs (Fuchsbauer
    et al., ASIACRYPT ’14), and Yao garbled circuits (Jafargholi and Wichs, TCC ’16b).
    Although the above works expressed vague intuition that they share a common technique,
    the connection was never made precise. In this work we present a new framework
    that connects all of these works and allows us to present them in a unified and
    simplified fashion. Moreover, we use the framework to derive a new result for
    adaptively secure secret sharing over access structures defined via monotone circuits.
    We envision that further applications will follow in the future. Underlying our
    framework is the following simple idea. It is well known that selective security,
    where the adversary commits to n-bits of information about his future choices,
    automatically implies adaptive security at the cost of amplifying the adversary’s
    advantage by a factor of up to 2n. However, in some cases the proof of selective
    security proceeds via a sequence of hybrids, where each pair of adjacent hybrids
    locally only requires some smaller partial information consisting of m ≪ n bits.
    The partial information needed might be completely different between different
    pairs of hybrids, and if we look across all the hybrids we might rely on the entire
    n-bit commitment. Nevertheless, the above is sufficient to prove adaptive security,
    at the cost of amplifying the adversary’s advantage by a factor of only 2m ≪ 2n.
    In all of our examples using the above framework, the different hybrids are captured
    by some sort of a graph pebbling game and the amount of information that the adversary
    needs to commit to in each pair of hybrids is bounded by the maximum number of
    pebbles in play at any point in time. Therefore, coming up with better strategies
    for proving adaptive security translates to various pebbling strategies for different
    types of graphs.
alternative_title:
- LNCS
author:
- first_name: Zahra
  full_name: Jafargholi, Zahra
  last_name: Jafargholi
- first_name: Chethan
  full_name: Kamath Hosdurg, Chethan
  id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
  last_name: Kamath Hosdurg
- first_name: Karen
  full_name: Klein, Karen
  id: 3E83A2F8-F248-11E8-B48F-1D18A9856A87
  last_name: Klein
- first_name: Ilan
  full_name: Komargodski, Ilan
  last_name: Komargodski
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Daniel
  full_name: Wichs, Daniel
  last_name: Wichs
citation:
  ama: 'Jafargholi Z, Kamath Hosdurg C, Klein K, Komargodski I, Pietrzak KZ, Wichs
    D. Be adaptive avoid overcommitting. In: Katz J, Shacham H, eds. Vol 10401. Springer;
    2017:133-163. doi:<a href="https://doi.org/10.1007/978-3-319-63688-7_5">10.1007/978-3-319-63688-7_5</a>'
  apa: 'Jafargholi, Z., Kamath Hosdurg, C., Klein, K., Komargodski, I., Pietrzak,
    K. Z., &#38; Wichs, D. (2017). Be adaptive avoid overcommitting. In J. Katz &#38;
    H. Shacham (Eds.) (Vol. 10401, pp. 133–163). Presented at the CRYPTO: Cryptology,
    Santa Barbara, CA, United States: Springer. <a href="https://doi.org/10.1007/978-3-319-63688-7_5">https://doi.org/10.1007/978-3-319-63688-7_5</a>'
  chicago: Jafargholi, Zahra, Chethan Kamath Hosdurg, Karen Klein, Ilan Komargodski,
    Krzysztof Z Pietrzak, and Daniel Wichs. “Be Adaptive Avoid Overcommitting.” edited
    by Jonathan Katz and Hovav Shacham, 10401:133–63. Springer, 2017. <a href="https://doi.org/10.1007/978-3-319-63688-7_5">https://doi.org/10.1007/978-3-319-63688-7_5</a>.
  ieee: 'Z. Jafargholi, C. Kamath Hosdurg, K. Klein, I. Komargodski, K. Z. Pietrzak,
    and D. Wichs, “Be adaptive avoid overcommitting,” presented at the CRYPTO: Cryptology,
    Santa Barbara, CA, United States, 2017, vol. 10401, pp. 133–163.'
  ista: 'Jafargholi Z, Kamath Hosdurg C, Klein K, Komargodski I, Pietrzak KZ, Wichs
    D. 2017. Be adaptive avoid overcommitting. CRYPTO: Cryptology, LNCS, vol. 10401,
    133–163.'
  mla: Jafargholi, Zahra, et al. <i>Be Adaptive Avoid Overcommitting</i>. Edited by
    Jonathan Katz and Hovav Shacham, vol. 10401, Springer, 2017, pp. 133–63, doi:<a
    href="https://doi.org/10.1007/978-3-319-63688-7_5">10.1007/978-3-319-63688-7_5</a>.
  short: Z. Jafargholi, C. Kamath Hosdurg, K. Klein, I. Komargodski, K.Z. Pietrzak,
    D. Wichs, in:, J. Katz, H. Shacham (Eds.), Springer, 2017, pp. 133–163.
conference:
  end_date: 2017-07-24
  location: Santa Barbara, CA, United States
  name: 'CRYPTO: Cryptology'
  start_date: 2017-07-20
date_created: 2018-12-11T11:47:38Z
date_published: 2017-01-01T00:00:00Z
date_updated: 2023-09-07T13:32:11Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-63688-7_5
ec_funded: 1
editor:
- first_name: Jonathan
  full_name: Katz, Jonathan
  last_name: Katz
- first_name: Hovav
  full_name: Shacham, Hovav
  last_name: Shacham
intvolume: '     10401'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2017/515
month: '01'
oa: 1
oa_version: Submitted Version
page: 133 - 163
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
publication_identifier:
  isbn:
  - 978-331963687-0
publication_status: published
publisher: Springer
publist_id: '7151'
quality_controlled: '1'
related_material:
  record:
  - id: '10035'
    relation: dissertation_contains
    status: public
scopus_import: 1
status: public
title: Be adaptive avoid overcommitting
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 10401
year: '2017'
...
---
_id: '640'
abstract:
- lang: eng
  text: 'Data-independent Memory Hard Functions (iMHFS) are finding a growing number
    of applications in security; especially in the domain of password hashing. An
    important property of a concrete iMHF is specified by fixing a directed acyclic
    graph (DAG) Gn on n nodes. The quality of that iMHF is then captured by the following
    two pebbling complexities of Gn: – The parallel cumulative pebbling complexity
    Π∥cc(Gn) must be as high as possible (to ensure that the amortized cost of computing
    the function on dedicated hardware is dominated by the cost of memory). – The
    sequential space-time pebbling complexity Πst(Gn) should be as close as possible
    to Π∥cc(Gn) (to ensure that using many cores in parallel and amortizing over many
    instances does not give much of an advantage). In this paper we construct a family
    of DAGs with best possible parameters in an asymptotic sense, i.e., where Π∥cc(Gn)
    = Ω(n2/ log(n)) (which matches a known upper bound) and Πst(Gn) is within a constant
    factor of Π∥cc(Gn). Our analysis relies on a new connection between the pebbling
    complexity of a DAG and its depth-robustness (DR) – a well studied combinatorial
    property. We show that high DR is sufficient for high Π∥cc. Alwen and Blocki (CRYPTO’16)
    showed that high DR is necessary and so, together, these results fully characterize
    DAGs with high Π∥cc in terms of DR. Complementing these results, we provide new
    upper and lower bounds on the Π∥cc of several important candidate iMHFs from the
    literature. We give the first lower bounds on the memory hardness of the Catena
    and Balloon Hashing functions in a parallel model of computation and we give the
    first lower bounds of any kind for (a version) of Argon2i. Finally we describe
    a new class of pebbling attacks improving on those of Alwen and Blocki (CRYPTO’16).
    By instantiating these attacks we upperbound the Π∥cc of the Password Hashing
    Competition winner Argon2i and one of the Balloon Hashing functions by O (n1.71).
    We also show an upper bound of O(n1.625) for the Catena functions and the two
    remaining Balloon Hashing functions.'
alternative_title:
- LNCS
author:
- first_name: Joel F
  full_name: Alwen, Joel F
  id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
  last_name: Alwen
- first_name: Jeremiah
  full_name: Blocki, Jeremiah
  last_name: Blocki
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
citation:
  ama: 'Alwen JF, Blocki J, Pietrzak KZ. Depth-robust graphs and their cumulative
    memory complexity. In: Coron J-S, Buus Nielsen J, eds. Vol 10212. Springer; 2017:3-32.
    doi:<a href="https://doi.org/10.1007/978-3-319-56617-7_1">10.1007/978-3-319-56617-7_1</a>'
  apa: 'Alwen, J. F., Blocki, J., &#38; Pietrzak, K. Z. (2017). Depth-robust graphs
    and their cumulative memory complexity. In J.-S. Coron &#38; J. Buus Nielsen (Eds.)
    (Vol. 10212, pp. 3–32). Presented at the EUROCRYPT: Theory and Applications of
    Cryptographic Techniques, Paris, France: Springer. <a href="https://doi.org/10.1007/978-3-319-56617-7_1">https://doi.org/10.1007/978-3-319-56617-7_1</a>'
  chicago: Alwen, Joel F, Jeremiah Blocki, and Krzysztof Z Pietrzak. “Depth-Robust
    Graphs and Their Cumulative Memory Complexity.” edited by Jean-Sébastien Coron
    and Jesper Buus Nielsen, 10212:3–32. Springer, 2017. <a href="https://doi.org/10.1007/978-3-319-56617-7_1">https://doi.org/10.1007/978-3-319-56617-7_1</a>.
  ieee: 'J. F. Alwen, J. Blocki, and K. Z. Pietrzak, “Depth-robust graphs and their
    cumulative memory complexity,” presented at the EUROCRYPT: Theory and Applications
    of Cryptographic Techniques, Paris, France, 2017, vol. 10212, pp. 3–32.'
  ista: 'Alwen JF, Blocki J, Pietrzak KZ. 2017. Depth-robust graphs and their cumulative
    memory complexity. EUROCRYPT: Theory and Applications of Cryptographic Techniques,
    LNCS, vol. 10212, 3–32.'
  mla: Alwen, Joel F., et al. <i>Depth-Robust Graphs and Their Cumulative Memory Complexity</i>.
    Edited by Jean-Sébastien Coron and Jesper Buus Nielsen, vol. 10212, Springer,
    2017, pp. 3–32, doi:<a href="https://doi.org/10.1007/978-3-319-56617-7_1">10.1007/978-3-319-56617-7_1</a>.
  short: J.F. Alwen, J. Blocki, K.Z. Pietrzak, in:, J.-S. Coron, J. Buus Nielsen (Eds.),
    Springer, 2017, pp. 3–32.
conference:
  end_date: 2017-05-04
  location: Paris, France
  name: 'EUROCRYPT: Theory and Applications of Cryptographic Techniques'
  start_date: 2017-04-30
date_created: 2018-12-11T11:47:39Z
date_published: 2017-04-01T00:00:00Z
date_updated: 2021-01-12T08:07:22Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-56617-7_1
ec_funded: 1
editor:
- first_name: Jean-Sébastien
  full_name: Coron, Jean-Sébastien
  last_name: Coron
- first_name: Jesper
  full_name: Buus Nielsen, Jesper
  last_name: Buus Nielsen
intvolume: '     10212'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2016/875
month: '04'
oa: 1
oa_version: Submitted Version
page: 3 - 32
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
publication_identifier:
  isbn:
  - 978-331956616-0
publication_status: published
publisher: Springer
publist_id: '7148'
quality_controlled: '1'
scopus_import: 1
status: public
title: Depth-robust graphs and their cumulative memory complexity
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 10212
year: '2017'
...
---
_id: '648'
abstract:
- lang: eng
  text: 'Pseudoentropy has found a lot of important applications to cryptography and
    complexity theory. In this paper we focus on the foundational problem that has
    not been investigated so far, namely by how much pseudoentropy (the amount seen
    by computationally bounded attackers) differs from its information-theoretic counterpart
    (seen by unbounded observers), given certain limits on attacker’s computational
    power? We provide the following answer for HILL pseudoentropy, which exhibits
    a threshold behavior around the size exponential in the entropy amount:– If the
    attacker size (s) and advantage () satisfy s (formula presented) where k is the
    claimed amount of pseudoentropy, then the pseudoentropy boils down to the information-theoretic
    smooth entropy. – If s (formula presented) then pseudoentropy could be arbitrarily
    bigger than the information-theoretic smooth entropy. Besides answering the posted
    question, we show an elegant application of our result to the complexity theory,
    namely that it implies the clas-sical result on the existence of functions hard
    to approximate (due to Pippenger). In our approach we utilize non-constructive
    techniques: the duality of linear programming and the probabilistic method.'
alternative_title:
- LNCS
author:
- first_name: Maciej
  full_name: Skórski, Maciej
  id: EC09FA6A-02D0-11E9-8223-86B7C91467DD
  last_name: Skórski
citation:
  ama: 'Skórski M. On the complexity of breaking pseudoentropy. In: Jäger G, Steila
    S, eds. Vol 10185. Springer; 2017:600-613. doi:<a href="https://doi.org/10.1007/978-3-319-55911-7_43">10.1007/978-3-319-55911-7_43</a>'
  apa: 'Skórski, M. (2017). On the complexity of breaking pseudoentropy. In G. Jäger
    &#38; S. Steila (Eds.) (Vol. 10185, pp. 600–613). Presented at the TAMC: Theory
    and Applications of Models of Computation, Bern, Switzerland: Springer. <a href="https://doi.org/10.1007/978-3-319-55911-7_43">https://doi.org/10.1007/978-3-319-55911-7_43</a>'
  chicago: Skórski, Maciej. “On the Complexity of Breaking Pseudoentropy.” edited
    by Gerhard Jäger and Silvia Steila, 10185:600–613. Springer, 2017. <a href="https://doi.org/10.1007/978-3-319-55911-7_43">https://doi.org/10.1007/978-3-319-55911-7_43</a>.
  ieee: 'M. Skórski, “On the complexity of breaking pseudoentropy,” presented at the
    TAMC: Theory and Applications of Models of Computation, Bern, Switzerland, 2017,
    vol. 10185, pp. 600–613.'
  ista: 'Skórski M. 2017. On the complexity of breaking pseudoentropy. TAMC: Theory
    and Applications of Models of Computation, LNCS, vol. 10185, 600–613.'
  mla: Skórski, Maciej. <i>On the Complexity of Breaking Pseudoentropy</i>. Edited
    by Gerhard Jäger and Silvia Steila, vol. 10185, Springer, 2017, pp. 600–13, doi:<a
    href="https://doi.org/10.1007/978-3-319-55911-7_43">10.1007/978-3-319-55911-7_43</a>.
  short: M. Skórski, in:, G. Jäger, S. Steila (Eds.), Springer, 2017, pp. 600–613.
conference:
  end_date: 2017-04-22
  location: Bern, Switzerland
  name: 'TAMC: Theory and Applications of Models of Computation'
  start_date: 2017-04-20
date_created: 2018-12-11T11:47:42Z
date_published: 2017-04-01T00:00:00Z
date_updated: 2021-01-12T08:07:39Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-55911-7_43
editor:
- first_name: Gerhard
  full_name: Jäger, Gerhard
  last_name: Jäger
- first_name: Silvia
  full_name: Steila, Silvia
  last_name: Steila
intvolume: '     10185'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2016/1186.pdf
month: '04'
oa: 1
oa_version: Submitted Version
page: 600 - 613
publication_identifier:
  isbn:
  - 978-331955910-0
publication_status: published
publisher: Springer
publist_id: '7125'
quality_controlled: '1'
scopus_import: 1
status: public
title: On the complexity of breaking pseudoentropy
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 10185
year: '2017'
...
---
_id: '650'
abstract:
- lang: eng
  text: 'In this work we present a short and unified proof for the Strong and Weak
    Regularity Lemma, based on the cryptographic tech-nique called low-complexity
    approximations. In short, both problems reduce to a task of finding constructively
    an approximation for a certain target function under a class of distinguishers
    (test functions), where dis-tinguishers are combinations of simple rectangle-indicators.
    In our case these approximations can be learned by a simple iterative procedure,
    which yields a unified and simple proof, achieving for any graph with density
    d and any approximation parameter the partition size. The novelty in our proof
    is: (a) a simple approach which yields both strong and weaker variant, and (b)
    improvements when d = o(1). At an abstract level, our proof can be seen a refinement
    and simplification of the “analytic” proof given by Lovasz and Szegedy.'
alternative_title:
- LNCS
author:
- first_name: Maciej
  full_name: Skórski, Maciej
  id: EC09FA6A-02D0-11E9-8223-86B7C91467DD
  last_name: Skórski
citation:
  ama: 'Skórski M. A cryptographic view of regularity lemmas: Simpler unified proofs
    and refined bounds. In: Jäger G, Steila S, eds. Vol 10185. Springer; 2017:586-599.
    doi:<a href="https://doi.org/10.1007/978-3-319-55911-7_42">10.1007/978-3-319-55911-7_42</a>'
  apa: 'Skórski, M. (2017). A cryptographic view of regularity lemmas: Simpler unified
    proofs and refined bounds. In G. Jäger &#38; S. Steila (Eds.) (Vol. 10185, pp.
    586–599). Presented at the TAMC: Theory and Applications of Models of Computation,
    Bern, Switzerland: Springer. <a href="https://doi.org/10.1007/978-3-319-55911-7_42">https://doi.org/10.1007/978-3-319-55911-7_42</a>'
  chicago: 'Skórski, Maciej. “A Cryptographic View of Regularity Lemmas: Simpler Unified
    Proofs and Refined Bounds.” edited by Gerhard Jäger and Silvia Steila, 10185:586–99.
    Springer, 2017. <a href="https://doi.org/10.1007/978-3-319-55911-7_42">https://doi.org/10.1007/978-3-319-55911-7_42</a>.'
  ieee: 'M. Skórski, “A cryptographic view of regularity lemmas: Simpler unified proofs
    and refined bounds,” presented at the TAMC: Theory and Applications of Models
    of Computation, Bern, Switzerland, 2017, vol. 10185, pp. 586–599.'
  ista: 'Skórski M. 2017. A cryptographic view of regularity lemmas: Simpler unified
    proofs and refined bounds. TAMC: Theory and Applications of Models of Computation,
    LNCS, vol. 10185, 586–599.'
  mla: 'Skórski, Maciej. <i>A Cryptographic View of Regularity Lemmas: Simpler Unified
    Proofs and Refined Bounds</i>. Edited by Gerhard Jäger and Silvia Steila, vol.
    10185, Springer, 2017, pp. 586–99, doi:<a href="https://doi.org/10.1007/978-3-319-55911-7_42">10.1007/978-3-319-55911-7_42</a>.'
  short: M. Skórski, in:, G. Jäger, S. Steila (Eds.), Springer, 2017, pp. 586–599.
conference:
  end_date: 2017-04-22
  location: Bern, Switzerland
  name: 'TAMC: Theory and Applications of Models of Computation'
  start_date: 2017-04-20
date_created: 2018-12-11T11:47:42Z
date_published: 2017-01-01T00:00:00Z
date_updated: 2021-01-12T08:07:46Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-55911-7_42
editor:
- first_name: Gerhard
  full_name: Jäger, Gerhard
  last_name: Jäger
- first_name: Silvia
  full_name: Steila, Silvia
  last_name: Steila
intvolume: '     10185'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2016/965.pdf
month: '01'
oa: 1
oa_version: Submitted Version
page: 586 - 599
publication_identifier:
  issn:
  - '03029743'
publication_status: published
publisher: Springer
publist_id: '7119'
quality_controlled: '1'
scopus_import: 1
status: public
title: 'A cryptographic view of regularity lemmas: Simpler unified proofs and refined
  bounds'
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 10185
year: '2017'
...
---
_id: '6526'
abstract:
- lang: eng
  text: 'This paper studies the complexity of estimating Rényi divergences of discrete
    distributions: p observed from samples and the baseline distribution q known a
    priori. Extending the results of Acharya et al. (SODA''15) on estimating Rényi
    entropy, we present improved estimation techniques together with upper and lower
    bounds on the sample complexity. We show that, contrarily to estimating Rényi
    entropy where a sublinear (in the alphabet size) number of samples suffices, the
    sample complexity is heavily dependent on events occurring unlikely in q, and
    is unbounded in general (no matter what an estimation technique is used). For
    any divergence of integer order bigger than 1, we provide upper and lower bounds
    on the number of samples dependent on probabilities of p and q (the lower bounds
    hold for non-integer orders as well). We conclude that the worst-case sample complexity
    is polynomial in the alphabet size if and only if the probabilities of q are non-negligible.
    This gives theoretical insights into heuristics used in the applied literature
    to handle numerical instability, which occurs for small probabilities of q. Our
    result shows that they should be handled with care not only because of numerical
    issues, but also because of a blow up in the sample complexity.'
article_number: '8006529'
arxiv: 1
author:
- first_name: Maciej
  full_name: Skórski, Maciej
  id: EC09FA6A-02D0-11E9-8223-86B7C91467DD
  last_name: Skórski
citation:
  ama: 'Skórski M. On the complexity of estimating Rènyi divergences. In: <i>2017
    IEEE International Symposium on Information Theory (ISIT)</i>. IEEE; 2017. doi:<a
    href="https://doi.org/10.1109/isit.2017.8006529">10.1109/isit.2017.8006529</a>'
  apa: 'Skórski, M. (2017). On the complexity of estimating Rènyi divergences. In
    <i>2017 IEEE International Symposium on Information Theory (ISIT)</i>. Aachen,
    Germany: IEEE. <a href="https://doi.org/10.1109/isit.2017.8006529">https://doi.org/10.1109/isit.2017.8006529</a>'
  chicago: Skórski, Maciej. “On the Complexity of Estimating Rènyi Divergences.” In
    <i>2017 IEEE International Symposium on Information Theory (ISIT)</i>. IEEE, 2017.
    <a href="https://doi.org/10.1109/isit.2017.8006529">https://doi.org/10.1109/isit.2017.8006529</a>.
  ieee: M. Skórski, “On the complexity of estimating Rènyi divergences,” in <i>2017
    IEEE International Symposium on Information Theory (ISIT)</i>, Aachen, Germany,
    2017.
  ista: 'Skórski M. 2017. On the complexity of estimating Rènyi divergences. 2017
    IEEE International Symposium on Information Theory (ISIT). ISIT: International
    Symposium on Information Theory, 8006529.'
  mla: Skórski, Maciej. “On the Complexity of Estimating Rènyi Divergences.” <i>2017
    IEEE International Symposium on Information Theory (ISIT)</i>, 8006529, IEEE,
    2017, doi:<a href="https://doi.org/10.1109/isit.2017.8006529">10.1109/isit.2017.8006529</a>.
  short: M. Skórski, in:, 2017 IEEE International Symposium on Information Theory
    (ISIT), IEEE, 2017.
conference:
  end_date: 2017-06-30
  location: Aachen, Germany
  name: 'ISIT: International Symposium on Information Theory'
  start_date: 2017-06-25
date_created: 2019-06-06T12:53:09Z
date_published: 2017-08-09T00:00:00Z
date_updated: 2021-01-12T08:07:53Z
day: '09'
department:
- _id: KrPi
doi: 10.1109/isit.2017.8006529
ec_funded: 1
external_id:
  arxiv:
  - '1702.01666'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://arxiv.org/abs/1702.01666
month: '08'
oa: 1
oa_version: Preprint
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
publication: 2017 IEEE International Symposium on Information Theory (ISIT)
publication_identifier:
  isbn:
  - '9781509040964'
publication_status: published
publisher: IEEE
quality_controlled: '1'
scopus_import: 1
status: public
title: On the complexity of estimating Rènyi divergences
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
year: '2017'
...
---
_id: '6527'
abstract:
- lang: eng
  text: "A memory-hard function (MHF) ƒn with parameter n can be computed in sequential
    time and space n. Simultaneously, a high amortized parallel area-time complexity
    (aAT) is incurred per evaluation. In practice, MHFs are used to limit the rate
    at which an adversary (using a custom computational device) can evaluate a security
    sensitive function that still occasionally needs to be evaluated by honest users
    (using an off-the-shelf general purpose device). The most prevalent examples of
    such sensitive functions are Key Derivation Functions (KDFs) and password hashing
    algorithms where rate limits help mitigate off-line dictionary attacks. As the
    honest users' inputs to these functions are often (low-entropy) passwords special
    attention is given to a class of side-channel resistant MHFs called iMHFs.\r\n\r\nEssentially
    all iMHFs can be viewed as some mode of operation (making n calls to some round
    function) given by a directed acyclic graph (DAG) with very low indegree. Recently,
    a combinatorial property of a DAG has been identified (called \"depth-robustness\")
    which results in good provable security for an iMHF based on that DAG. Depth-robust
    DAGs have also proven useful in other cryptographic applications. Unfortunately,
    up till now, all known very depth-robust DAGs are impractically complicated and
    little is known about their exact (i.e. non-asymptotic) depth-robustness both
    in theory and in practice.\r\n\r\nIn this work we build and analyze (both formally
    and empirically) several exceedingly simple and efficient to navigate practical
    DAGs for use in iMHFs and other applications. For each DAG we:\r\n*Prove that
    their depth-robustness is asymptotically maximal.\r\n*Prove bounds of at least
    3 orders of magnitude better on their exact depth-robustness compared to known
    bounds for other practical iMHF.\r\n*Implement and empirically evaluate their
    depth-robustness and aAT against a variety of state-of-the art (and several new)
    depth-reduction and low aAT attacks. \r\nWe find that, against all attacks, the
    new DAGs perform significantly better in practice than Argon2i, the most widely
    deployed iMHF in practice.\r\n\r\nAlong the way we also improve the best known
    empirical attacks on the aAT of Argon2i by implementing and testing several heuristic
    versions of a (hitherto purely theoretical) depth-reduction attack. Finally, we
    demonstrate practicality of our constructions by modifying the Argon2i code base
    to use one of the new high aAT DAGs. Experimental benchmarks on a standard off-the-shelf
    CPU show that the new modifications do not adversely affect the impressive throughput
    of Argon2i (despite seemingly enjoying significantly higher aAT).\r\n"
author:
- first_name: Joel F
  full_name: Alwen, Joel F
  id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
  last_name: Alwen
- first_name: Jeremiah
  full_name: Blocki, Jeremiah
  last_name: Blocki
- first_name: Ben
  full_name: Harsha, Ben
  last_name: Harsha
citation:
  ama: 'Alwen JF, Blocki J, Harsha B. Practical graphs for optimal side-channel resistant
    memory-hard functions. In: <i>Proceedings of the 2017 ACM SIGSAC Conference on
    Computer and Communications Security</i>. ACM Press; 2017:1001-1017. doi:<a href="https://doi.org/10.1145/3133956.3134031">10.1145/3133956.3134031</a>'
  apa: 'Alwen, J. F., Blocki, J., &#38; Harsha, B. (2017). Practical graphs for optimal
    side-channel resistant memory-hard functions. In <i>Proceedings of the 2017 ACM
    SIGSAC Conference on Computer and Communications Security</i> (pp. 1001–1017).
    Dallas, TX, USA: ACM Press. <a href="https://doi.org/10.1145/3133956.3134031">https://doi.org/10.1145/3133956.3134031</a>'
  chicago: Alwen, Joel F, Jeremiah Blocki, and Ben Harsha. “Practical Graphs for Optimal
    Side-Channel Resistant Memory-Hard Functions.” In <i>Proceedings of the 2017 ACM
    SIGSAC Conference on Computer and Communications Security</i>, 1001–17. ACM Press,
    2017. <a href="https://doi.org/10.1145/3133956.3134031">https://doi.org/10.1145/3133956.3134031</a>.
  ieee: J. F. Alwen, J. Blocki, and B. Harsha, “Practical graphs for optimal side-channel
    resistant memory-hard functions,” in <i>Proceedings of the 2017 ACM SIGSAC Conference
    on Computer and Communications Security</i>, Dallas, TX, USA, 2017, pp. 1001–1017.
  ista: 'Alwen JF, Blocki J, Harsha B. 2017. Practical graphs for optimal side-channel
    resistant memory-hard functions. Proceedings of the 2017 ACM SIGSAC Conference
    on Computer and Communications Security. CCS: Conference on Computer and Communications
    Security, 1001–1017.'
  mla: Alwen, Joel F., et al. “Practical Graphs for Optimal Side-Channel Resistant
    Memory-Hard Functions.” <i>Proceedings of the 2017 ACM SIGSAC Conference on Computer
    and Communications Security</i>, ACM Press, 2017, pp. 1001–17, doi:<a href="https://doi.org/10.1145/3133956.3134031">10.1145/3133956.3134031</a>.
  short: J.F. Alwen, J. Blocki, B. Harsha, in:, Proceedings of the 2017 ACM SIGSAC
    Conference on Computer and Communications Security, ACM Press, 2017, pp. 1001–1017.
conference:
  end_date: 2017-11-03
  location: Dallas, TX, USA
  name: 'CCS: Conference on Computer and Communications Security'
  start_date: 2017-10-30
date_created: 2019-06-06T13:21:29Z
date_published: 2017-10-30T00:00:00Z
date_updated: 2021-01-12T08:07:53Z
day: '30'
department:
- _id: KrPi
doi: 10.1145/3133956.3134031
ec_funded: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2017/443
month: '10'
oa: 1
oa_version: Submitted Version
page: 1001-1017
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
publication: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications
  Security
publication_identifier:
  isbn:
  - '9781450349468'
publication_status: published
publisher: ACM Press
quality_controlled: '1'
scopus_import: 1
status: public
title: Practical graphs for optimal side-channel resistant memory-hard functions
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
year: '2017'
...
---
_id: '1174'
abstract:
- lang: eng
  text: Security of cryptographic applications is typically defined by security games.
    The adversary, within certain resources, cannot win with probability much better
    than 0 (for unpredictability applications, like one-way functions) or much better
    than 1/2 (indistinguishability applications for instance encryption schemes).
    In so called squared-friendly applications the winning probability of the adversary,
    for different values of the application secret randomness, is not only close to
    0 or 1/2 on average, but also concentrated in the sense that its second central
    moment is small. The class of squared-friendly applications, which contains all
    unpredictability applications and many indistinguishability applications, is particularly
    important for key derivation. Barak et al. observed that for square-friendly applications
    one can beat the &quot;RT-bound&quot;, extracting secure keys with significantly
    smaller entropy loss. In turn Dodis and Yu showed that in squared-friendly applications
    one can directly use a &quot;weak&quot; key, which has only high entropy, as a
    secure key. In this paper we give sharp lower bounds on square security assuming
    security for &quot;weak&quot; keys. We show that any application which is either
    (a) secure with weak keys or (b) allows for entropy savings for keys derived by
    universal hashing, must be square-friendly. Quantitatively, our lower bounds match
    the positive results of Dodis and Yu and Barak et al. (TCC\'13, CRYPTO\'11) Hence,
    they can be understood as a general characterization of squared-friendly applications.
    While the positive results on squared-friendly applications where derived by one
    clever application of the Cauchy-Schwarz Inequality, for tight lower bounds we
    need more machinery. In our approach we use convex optimization techniques and
    some theory of circular matrices.
alternative_title:
- LIPIcs
article_number: '57'
article_processing_charge: No
author:
- first_name: Maciej
  full_name: Skórski, Maciej
  id: EC09FA6A-02D0-11E9-8223-86B7C91467DD
  last_name: Skórski
citation:
  ama: 'Skórski M. Lower bounds on key derivation for square-friendly applications.
    In: Vol 66. Schloss Dagstuhl - Leibniz-Zentrum für Informatik; 2017. doi:<a href="https://doi.org/10.4230/LIPIcs.STACS.2017.57">10.4230/LIPIcs.STACS.2017.57</a>'
  apa: 'Skórski, M. (2017). Lower bounds on key derivation for square-friendly applications
    (Vol. 66). Presented at the STACS: Symposium on Theoretical Aspects of Computer
    Science, Hannover, Germany: Schloss Dagstuhl - Leibniz-Zentrum für Informatik.
    <a href="https://doi.org/10.4230/LIPIcs.STACS.2017.57">https://doi.org/10.4230/LIPIcs.STACS.2017.57</a>'
  chicago: Skórski, Maciej. “Lower Bounds on Key Derivation for Square-Friendly Applications,”
    Vol. 66. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017. <a href="https://doi.org/10.4230/LIPIcs.STACS.2017.57">https://doi.org/10.4230/LIPIcs.STACS.2017.57</a>.
  ieee: 'M. Skórski, “Lower bounds on key derivation for square-friendly applications,”
    presented at the STACS: Symposium on Theoretical Aspects of Computer Science,
    Hannover, Germany, 2017, vol. 66.'
  ista: 'Skórski M. 2017. Lower bounds on key derivation for square-friendly applications.
    STACS: Symposium on Theoretical Aspects of Computer Science, LIPIcs, vol. 66,
    57.'
  mla: Skórski, Maciej. <i>Lower Bounds on Key Derivation for Square-Friendly Applications</i>.
    Vol. 66, 57, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, doi:<a href="https://doi.org/10.4230/LIPIcs.STACS.2017.57">10.4230/LIPIcs.STACS.2017.57</a>.
  short: M. Skórski, in:, Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017.
conference:
  end_date: 2017-03-11
  location: Hannover, Germany
  name: 'STACS: Symposium on Theoretical Aspects of Computer Science'
  start_date: 2017-03-08
date_created: 2018-12-11T11:50:32Z
date_published: 2017-03-01T00:00:00Z
date_updated: 2023-09-20T11:23:15Z
day: '01'
department:
- _id: KrPi
doi: 10.4230/LIPIcs.STACS.2017.57
ec_funded: 1
external_id:
  isi:
  - '000521077300057'
intvolume: '        66'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: http://drops.dagstuhl.de/opus/volltexte/2017/6976
month: '03'
oa: 1
oa_version: Submitted Version
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
publication_identifier:
  issn:
  - '18688969'
publication_status: published
publisher: Schloss Dagstuhl - Leibniz-Zentrum für Informatik
publist_id: '6180'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Lower bounds on key derivation for square-friendly applications
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 66
year: '2017'
...
---
_id: '1175'
abstract:
- lang: eng
  text: We study space complexity and time-space trade-offs with a focus not on peak
    memory usage but on overall memory consumption throughout the computation.  Such
    a cumulative space measure was introduced for the computational model of parallel
    black pebbling by [Alwen and Serbinenko ’15] as a tool for obtaining results in
    cryptography. We consider instead the non- deterministic black-white pebble game
    and prove optimal cumulative space lower bounds and trade-offs, where in order
    to minimize pebbling time the space has to remain large during a significant fraction
    of the pebbling. We also initiate the study of cumulative space in proof complexity,
    an area where other space complexity measures have been extensively studied during
    the last 10–15 years. Using and extending the connection between proof complexity
    and pebble games in [Ben-Sasson and Nordström ’08, ’11] we obtain several strong
    cumulative space results for (even parallel versions of) the resolution proof
    system, and outline some possible future directions of study of this, in our opinion,
    natural and interesting space measure.
alternative_title:
- LIPIcs
author:
- first_name: Joel F
  full_name: Alwen, Joel F
  id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
  last_name: Alwen
- first_name: Susanna
  full_name: De Rezende, Susanna
  last_name: De Rezende
- first_name: Jakob
  full_name: Nordstrom, Jakob
  last_name: Nordstrom
- first_name: Marc
  full_name: Vinyals, Marc
  last_name: Vinyals
citation:
  ama: 'Alwen JF, De Rezende S, Nordstrom J, Vinyals M. Cumulative space in black-white
    pebbling and resolution. In: Papadimitriou C, ed. Vol 67. Schloss Dagstuhl - Leibniz-Zentrum
    für Informatik; 2017:38:1-38-21. doi:<a href="https://doi.org/10.4230/LIPIcs.ITCS.2017.38">10.4230/LIPIcs.ITCS.2017.38</a>'
  apa: 'Alwen, J. F., De Rezende, S., Nordstrom, J., &#38; Vinyals, M. (2017). Cumulative
    space in black-white pebbling and resolution. In C. Papadimitriou (Ed.) (Vol.
    67, p. 38:1-38-21). Presented at the ITCS: Innovations in Theoretical Computer
    Science, Berkeley, CA, United States: Schloss Dagstuhl - Leibniz-Zentrum für Informatik.
    <a href="https://doi.org/10.4230/LIPIcs.ITCS.2017.38">https://doi.org/10.4230/LIPIcs.ITCS.2017.38</a>'
  chicago: Alwen, Joel F, Susanna De Rezende, Jakob Nordstrom, and Marc Vinyals. “Cumulative
    Space in Black-White Pebbling and Resolution.” edited by Christos Papadimitriou,
    67:38:1-38-21. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017. <a href="https://doi.org/10.4230/LIPIcs.ITCS.2017.38">https://doi.org/10.4230/LIPIcs.ITCS.2017.38</a>.
  ieee: 'J. F. Alwen, S. De Rezende, J. Nordstrom, and M. Vinyals, “Cumulative space
    in black-white pebbling and resolution,” presented at the ITCS: Innovations in
    Theoretical Computer Science, Berkeley, CA, United States, 2017, vol. 67, p. 38:1-38-21.'
  ista: 'Alwen JF, De Rezende S, Nordstrom J, Vinyals M. 2017. Cumulative space in
    black-white pebbling and resolution. ITCS: Innovations in Theoretical Computer
    Science, LIPIcs, vol. 67, 38:1-38-21.'
  mla: Alwen, Joel F., et al. <i>Cumulative Space in Black-White Pebbling and Resolution</i>.
    Edited by Christos Papadimitriou, vol. 67, Schloss Dagstuhl - Leibniz-Zentrum
    für Informatik, 2017, p. 38:1-38-21, doi:<a href="https://doi.org/10.4230/LIPIcs.ITCS.2017.38">10.4230/LIPIcs.ITCS.2017.38</a>.
  short: J.F. Alwen, S. De Rezende, J. Nordstrom, M. Vinyals, in:, C. Papadimitriou
    (Ed.), Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 2017, p. 38:1-38-21.
conference:
  end_date: 2017-01-11
  location: Berkeley, CA, United States
  name: 'ITCS: Innovations in Theoretical Computer Science'
  start_date: 2017-01-09
date_created: 2018-12-11T11:50:33Z
date_published: 2017-01-01T00:00:00Z
date_updated: 2021-01-12T06:48:51Z
day: '01'
ddc:
- '005'
- '600'
department:
- _id: KrPi
doi: 10.4230/LIPIcs.ITCS.2017.38
editor:
- first_name: Christos
  full_name: Papadimitriou, Christos
  last_name: Papadimitriou
file:
- access_level: open_access
  checksum: dbc94810be07c2fb1945d5c2a6130e6c
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:17:11Z
  date_updated: 2020-07-14T12:44:37Z
  file_id: '5263'
  file_name: IST-2018-927-v1+1_LIPIcs-ITCS-2017-38.pdf
  file_size: 557769
  relation: main_file
file_date_updated: 2020-07-14T12:44:37Z
has_accepted_license: '1'
intvolume: '        67'
language:
- iso: eng
month: '01'
oa: 1
oa_version: Published Version
page: 38:1-38-21
publication_identifier:
  issn:
  - '18688969'
publication_status: published
publisher: Schloss Dagstuhl - Leibniz-Zentrum für Informatik
publist_id: '6179'
pubrep_id: '927'
quality_controlled: '1'
scopus_import: 1
status: public
title: Cumulative space in black-white pebbling and resolution
tmp:
  image: /images/cc_by.png
  legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
  name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
  short: CC BY (4.0)
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 67
year: '2017'
...
---
_id: '1176'
abstract:
- lang: eng
  text: The algorithm Argon2i-B of Biryukov, Dinu and Khovratovich is currently being
    considered by the IRTF (Internet Research Task Force) as a new de-facto standard
    for password hashing. An older version (Argon2i-A) of the same algorithm was chosen
    as the winner of the recent Password Hashing Competition. An important competitor
    to Argon2i-B is the recently introduced Balloon Hashing (BH) algorithm of Corrigan-Gibs,
    Boneh and Schechter. A key security desiderata for any such algorithm is that
    evaluating it (even using a custom device) requires a large amount of memory amortized
    across multiple instances. Alwen and Blocki (CRYPTO 2016) introduced a class of
    theoretical attacks against Argon2i-A and BH. While these attacks yield large
    asymptotic reductions in the amount of memory, it was not, a priori, clear if
    (1) they can be extended to the newer Argon2i-B, (2) the attacks are effective
    on any algorithm for practical parameter ranges (e.g., 1GB of memory) and (3)
    if they can be effectively instantiated against any algorithm under realistic
    hardware constrains. In this work we answer all three of these questions in the
    affirmative for all three algorithms. This is also the first work to analyze the
    security of Argon2i-B. In more detail, we extend the theoretical attacks of Alwen
    and Blocki (CRYPTO 2016) to the recent Argon2i-B proposal demonstrating severe
    asymptotic deficiencies in its security. Next we introduce several novel heuristics
    for improving the attack's concrete memory efficiency even when on-chip memory
    bandwidth is bounded. We then simulate our attacks on randomly sampled Argon2i-A,
    Argon2i-B and BH instances and measure the resulting memory consumption for various
    practical parameter ranges and for a variety of upperbounds on the amount of parallelism
    available to the attacker. Finally we describe, implement, and test a new heuristic
    for applying the Alwen-Blocki attack to functions employing a technique developed
    by Corrigan-Gibs et al. for improving concrete security of memory-hard functions.
    We analyze the collected data and show the effects various parameters have on
    the memory consumption of the attack. In particular, we can draw several interesting
    conclusions about the level of security provided by these functions. · For the
    Alwen-Blocki attack to fail against practical memory parameters, Argon2i-B must
    be instantiated with more than 10 passes on memory - beyond the "paranoid" parameter
    setting in the current IRTF proposal. · The technique of Corrigan-Gibs for improving
    security can also be overcome by the Alwen-Blocki attack under realistic hardware
    constraints. · On a positive note, both the asymptotic and concrete security of
    Argon2i-B seem to improve on that of Argon2i-A.
article_number: '7961977'
article_processing_charge: No
author:
- first_name: Joel F
  full_name: Alwen, Joel F
  id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
  last_name: Alwen
- first_name: Jeremiah
  full_name: Blocki, Jeremiah
  last_name: Blocki
citation:
  ama: 'Alwen JF, Blocki J. Towards practical attacks on Argon2i and balloon hashing.
    In: IEEE; 2017. doi:<a href="https://doi.org/10.1109/EuroSP.2017.47">10.1109/EuroSP.2017.47</a>'
  apa: 'Alwen, J. F., &#38; Blocki, J. (2017). Towards practical attacks on Argon2i
    and balloon hashing. Presented at the EuroS&#38;P: European Symposium on Security
    and Privacy, Paris, France: IEEE. <a href="https://doi.org/10.1109/EuroSP.2017.47">https://doi.org/10.1109/EuroSP.2017.47</a>'
  chicago: Alwen, Joel F, and Jeremiah Blocki. “Towards Practical Attacks on Argon2i
    and Balloon Hashing.” IEEE, 2017. <a href="https://doi.org/10.1109/EuroSP.2017.47">https://doi.org/10.1109/EuroSP.2017.47</a>.
  ieee: 'J. F. Alwen and J. Blocki, “Towards practical attacks on Argon2i and balloon
    hashing,” presented at the EuroS&#38;P: European Symposium on Security and Privacy,
    Paris, France, 2017.'
  ista: 'Alwen JF, Blocki J. 2017. Towards practical attacks on Argon2i and balloon
    hashing. EuroS&#38;P: European Symposium on Security and Privacy, 7961977.'
  mla: Alwen, Joel F., and Jeremiah Blocki. <i>Towards Practical Attacks on Argon2i
    and Balloon Hashing</i>. 7961977, IEEE, 2017, doi:<a href="https://doi.org/10.1109/EuroSP.2017.47">10.1109/EuroSP.2017.47</a>.
  short: J.F. Alwen, J. Blocki, in:, IEEE, 2017.
conference:
  end_date: 2017-04-28
  location: Paris, France
  name: 'EuroS&P: European Symposium on Security and Privacy'
  start_date: 2017-04-26
date_created: 2018-12-11T11:50:33Z
date_published: 2017-07-03T00:00:00Z
date_updated: 2023-09-20T11:22:25Z
day: '03'
department:
- _id: KrPi
doi: 10.1109/EuroSP.2017.47
external_id:
  isi:
  - '000424197300011'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2016/759
month: '07'
oa: 1
oa_version: Submitted Version
publication_identifier:
  isbn:
  - 978-150905761-0
publication_status: published
publisher: IEEE
publist_id: '6178'
quality_controlled: '1'
scopus_import: '1'
status: public
title: Towards practical attacks on Argon2i and balloon hashing
type: conference
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
year: '2017'
...
---
_id: '1187'
abstract:
- lang: eng
  text: We construct efficient authentication protocols and message authentication
    codes (MACs) whose security can be reduced to the learning parity with noise (LPN)
    problem. Despite a large body of work—starting with the (Formula presented.) protocol
    of Hopper and Blum in 2001—until now it was not even known how to construct an
    efficient authentication protocol from LPN which is secure against man-in-the-middle
    attacks. A MAC implies such a (two-round) protocol.
article_processing_charge: No
article_type: original
author:
- first_name: Eike
  full_name: Kiltz, Eike
  last_name: Kiltz
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Daniele
  full_name: Venturi, Daniele
  last_name: Venturi
- first_name: David
  full_name: Cash, David
  last_name: Cash
- first_name: Abhishek
  full_name: Jain, Abhishek
  last_name: Jain
citation:
  ama: Kiltz E, Pietrzak KZ, Venturi D, Cash D, Jain A. Efficient authentication from
    hard learning problems. <i>Journal of Cryptology</i>. 2017;30(4):1238-1275. doi:<a
    href="https://doi.org/10.1007/s00145-016-9247-3">10.1007/s00145-016-9247-3</a>
  apa: Kiltz, E., Pietrzak, K. Z., Venturi, D., Cash, D., &#38; Jain, A. (2017). Efficient
    authentication from hard learning problems. <i>Journal of Cryptology</i>. Springer.
    <a href="https://doi.org/10.1007/s00145-016-9247-3">https://doi.org/10.1007/s00145-016-9247-3</a>
  chicago: Kiltz, Eike, Krzysztof Z Pietrzak, Daniele Venturi, David Cash, and Abhishek
    Jain. “Efficient Authentication from Hard Learning Problems.” <i>Journal of Cryptology</i>.
    Springer, 2017. <a href="https://doi.org/10.1007/s00145-016-9247-3">https://doi.org/10.1007/s00145-016-9247-3</a>.
  ieee: E. Kiltz, K. Z. Pietrzak, D. Venturi, D. Cash, and A. Jain, “Efficient authentication
    from hard learning problems,” <i>Journal of Cryptology</i>, vol. 30, no. 4. Springer,
    pp. 1238–1275, 2017.
  ista: Kiltz E, Pietrzak KZ, Venturi D, Cash D, Jain A. 2017. Efficient authentication
    from hard learning problems. Journal of Cryptology. 30(4), 1238–1275.
  mla: Kiltz, Eike, et al. “Efficient Authentication from Hard Learning Problems.”
    <i>Journal of Cryptology</i>, vol. 30, no. 4, Springer, 2017, pp. 1238–75, doi:<a
    href="https://doi.org/10.1007/s00145-016-9247-3">10.1007/s00145-016-9247-3</a>.
  short: E. Kiltz, K.Z. Pietrzak, D. Venturi, D. Cash, A. Jain, Journal of Cryptology
    30 (2017) 1238–1275.
date_created: 2018-12-11T11:50:37Z
date_published: 2017-10-01T00:00:00Z
date_updated: 2023-09-20T11:20:58Z
day: '01'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.1007/s00145-016-9247-3
ec_funded: 1
external_id:
  isi:
  - '000410788600007'
file:
- access_level: open_access
  checksum: c647520d115b772a1682fc06fa273eb1
  content_type: application/pdf
  creator: dernst
  date_created: 2020-05-14T16:30:17Z
  date_updated: 2020-07-14T12:44:37Z
  file_id: '7843'
  file_name: 2017_JournalCrypto_Kiltz.pdf
  file_size: 516959
  relation: main_file
file_date_updated: 2020-07-14T12:44:37Z
has_accepted_license: '1'
intvolume: '        30'
isi: 1
issue: '4'
language:
- iso: eng
month: '10'
oa: 1
oa_version: Submitted Version
page: 1238 - 1275
project:
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication: Journal of Cryptology
publication_status: published
publisher: Springer
publist_id: '6166'
quality_controlled: '1'
related_material:
  record:
  - id: '3238'
    relation: earlier_version
    status: public
scopus_import: '1'
status: public
title: Efficient authentication from hard learning problems
type: journal_article
user_id: c635000d-4b10-11ee-a964-aac5a93f6ac1
volume: 30
year: '2017'
...
---
_id: '1225'
abstract:
- lang: eng
  text: At Crypto 2015 Fuchsbauer, Hanser and Slamanig (FHS) presented the first standard-model
    construction of efficient roundoptimal blind signatures that does not require
    complexity leveraging. It is conceptually simple and builds on the primitive of
    structure-preserving signatures on equivalence classes (SPS-EQ). FHS prove the
    unforgeability of their scheme assuming EUF-CMA security of the SPS-EQ scheme
    and hardness of a version of the DH inversion problem. Blindness under adversarially
    chosen keys is proven under an interactive variant of the DDH assumption. We propose
    a variant of their scheme whose blindness can be proven under a non-interactive
    assumption, namely a variant of the bilinear DDH assumption. We moreover prove
    its unforgeability assuming only unforgeability of the underlying SPS-EQ but no
    additional assumptions as needed for the FHS scheme.
alternative_title:
- LNCS
author:
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
- first_name: Christian
  full_name: Hanser, Christian
  last_name: Hanser
- first_name: Chethan
  full_name: Kamath Hosdurg, Chethan
  id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
  last_name: Kamath Hosdurg
- first_name: Daniel
  full_name: Slamanig, Daniel
  last_name: Slamanig
citation:
  ama: 'Fuchsbauer G, Hanser C, Kamath Hosdurg C, Slamanig D. Practical round-optimal
    blind signatures in the standard model from weaker assumptions. In: Vol 9841.
    Springer; 2016:391-408. doi:<a href="https://doi.org/10.1007/978-3-319-44618-9_21">10.1007/978-3-319-44618-9_21</a>'
  apa: 'Fuchsbauer, G., Hanser, C., Kamath Hosdurg, C., &#38; Slamanig, D. (2016).
    Practical round-optimal blind signatures in the standard model from weaker assumptions
    (Vol. 9841, pp. 391–408). Presented at the SCN: Security and Cryptography for
    Networks, Amalfi, Italy: Springer. <a href="https://doi.org/10.1007/978-3-319-44618-9_21">https://doi.org/10.1007/978-3-319-44618-9_21</a>'
  chicago: Fuchsbauer, Georg, Christian Hanser, Chethan Kamath Hosdurg, and Daniel
    Slamanig. “Practical Round-Optimal Blind Signatures in the Standard Model from
    Weaker Assumptions,” 9841:391–408. Springer, 2016. <a href="https://doi.org/10.1007/978-3-319-44618-9_21">https://doi.org/10.1007/978-3-319-44618-9_21</a>.
  ieee: 'G. Fuchsbauer, C. Hanser, C. Kamath Hosdurg, and D. Slamanig, “Practical
    round-optimal blind signatures in the standard model from weaker assumptions,”
    presented at the SCN: Security and Cryptography for Networks, Amalfi, Italy, 2016,
    vol. 9841, pp. 391–408.'
  ista: 'Fuchsbauer G, Hanser C, Kamath Hosdurg C, Slamanig D. 2016. Practical round-optimal
    blind signatures in the standard model from weaker assumptions. SCN: Security
    and Cryptography for Networks, LNCS, vol. 9841, 391–408.'
  mla: Fuchsbauer, Georg, et al. <i>Practical Round-Optimal Blind Signatures in the
    Standard Model from Weaker Assumptions</i>. Vol. 9841, Springer, 2016, pp. 391–408,
    doi:<a href="https://doi.org/10.1007/978-3-319-44618-9_21">10.1007/978-3-319-44618-9_21</a>.
  short: G. Fuchsbauer, C. Hanser, C. Kamath Hosdurg, D. Slamanig, in:, Springer,
    2016, pp. 391–408.
conference:
  end_date: 2016-09-02
  location: Amalfi, Italy
  name: 'SCN: Security and Cryptography for Networks'
  start_date: 2016-08-31
date_created: 2018-12-11T11:50:49Z
date_published: 2016-08-11T00:00:00Z
date_updated: 2023-02-23T10:08:16Z
day: '11'
department:
- _id: KrPi
doi: 10.1007/978-3-319-44618-9_21
ec_funded: 1
intvolume: '      9841'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2016/662
month: '08'
oa: 1
oa_version: Submitted Version
page: 391 - 408
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
publication_status: published
publisher: Springer
publist_id: '6109'
quality_controlled: '1'
related_material:
  record:
  - id: '1647'
    relation: earlier_version
    status: public
scopus_import: 1
status: public
title: Practical round-optimal blind signatures in the standard model from weaker
  assumptions
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9841
year: '2016'
...
---
_id: '1229'
abstract:
- lang: eng
  text: Witness encryption (WE) was introduced by Garg et al. [GGSW13]. A WE scheme
    is defined for some NP language L and lets a sender encrypt messages relative
    to instances x. A ciphertext for x can be decrypted using w witnessing x ∈ L,
    but hides the message if x ∈ L. Garg et al. construct WE from multilinear maps
    and give another construction [GGH+13b] using indistinguishability obfuscation
    (iO) for circuits. Due to the reliance on such heavy tools, WE can cur- rently
    hardly be implemented on powerful hardware and will unlikely be realizable on
    constrained devices like smart cards any time soon. We construct a WE scheme where
    encryption is done by simply computing a Naor-Yung ciphertext (two CPA encryptions
    and a NIZK proof). To achieve this, our scheme has a setup phase, which outputs
    public parameters containing an obfuscated circuit (only required for decryption),
    two encryption keys and a common reference string (used for encryption). This
    setup need only be run once, and the parame- ters can be used for arbitrary many
    encryptions. Our scheme can also be turned into a functional WE scheme, where
    a message is encrypted w.r.t. a statement and a function f, and decryption with
    a witness w yields f (m, w). Our construction is inspired by the functional encryption
    scheme by Garg et al. and we prove (selective) security assuming iO and statistically
    simulation-sound NIZK. We give a construction of the latter in bilinear groups
    and combining it with ElGamal encryption, our ciphertexts are of size 1.3 kB at
    a 128-bit security level and can be computed on a smart card.
acknowledgement: Research  supported  by  the  European  Research  Council,  ERC  starting  grant
  (259668-PSPC) and ERC consolidator grant (682815 - TOCNeT).
alternative_title:
- LNCS
author:
- first_name: Hamza M
  full_name: Abusalah, Hamza M
  id: 40297222-F248-11E8-B48F-1D18A9856A87
  last_name: Abusalah
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
citation:
  ama: 'Abusalah HM, Fuchsbauer G, Pietrzak KZ. Offline witness encryption. In: Vol
    9696. Springer; 2016:285-303. doi:<a href="https://doi.org/10.1007/978-3-319-39555-5_16">10.1007/978-3-319-39555-5_16</a>'
  apa: 'Abusalah, H. M., Fuchsbauer, G., &#38; Pietrzak, K. Z. (2016). Offline witness
    encryption (Vol. 9696, pp. 285–303). Presented at the ACNS: Applied Cryptography
    and Network Security, Guildford, UK: Springer. <a href="https://doi.org/10.1007/978-3-319-39555-5_16">https://doi.org/10.1007/978-3-319-39555-5_16</a>'
  chicago: Abusalah, Hamza M, Georg Fuchsbauer, and Krzysztof Z Pietrzak. “Offline
    Witness Encryption,” 9696:285–303. Springer, 2016. <a href="https://doi.org/10.1007/978-3-319-39555-5_16">https://doi.org/10.1007/978-3-319-39555-5_16</a>.
  ieee: 'H. M. Abusalah, G. Fuchsbauer, and K. Z. Pietrzak, “Offline witness encryption,”
    presented at the ACNS: Applied Cryptography and Network Security, Guildford, UK,
    2016, vol. 9696, pp. 285–303.'
  ista: 'Abusalah HM, Fuchsbauer G, Pietrzak KZ. 2016. Offline witness encryption.
    ACNS: Applied Cryptography and Network Security, LNCS, vol. 9696, 285–303.'
  mla: Abusalah, Hamza M., et al. <i>Offline Witness Encryption</i>. Vol. 9696, Springer,
    2016, pp. 285–303, doi:<a href="https://doi.org/10.1007/978-3-319-39555-5_16">10.1007/978-3-319-39555-5_16</a>.
  short: H.M. Abusalah, G. Fuchsbauer, K.Z. Pietrzak, in:, Springer, 2016, pp. 285–303.
conference:
  end_date: 2016-06-22
  location: Guildford, UK
  name: 'ACNS: Applied Cryptography and Network Security'
  start_date: 2016-06-19
date_created: 2018-12-11T11:50:50Z
date_published: 2016-06-09T00:00:00Z
date_updated: 2023-09-07T12:30:22Z
day: '09'
ddc:
- '005'
- '600'
department:
- _id: KrPi
doi: 10.1007/978-3-319-39555-5_16
ec_funded: 1
file:
- access_level: open_access
  checksum: 34fa9ce681da845a1ba945ba3dc57867
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:17:20Z
  date_updated: 2020-07-14T12:44:39Z
  file_id: '5273'
  file_name: IST-2017-765-v1+1_838.pdf
  file_size: 515000
  relation: main_file
file_date_updated: 2020-07-14T12:44:39Z
has_accepted_license: '1'
intvolume: '      9696'
language:
- iso: eng
month: '06'
oa: 1
oa_version: Submitted Version
page: 285 - 303
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
publication_status: published
publisher: Springer
publist_id: '6105'
pubrep_id: '765'
quality_controlled: '1'
related_material:
  record:
  - id: '83'
    relation: dissertation_contains
    status: public
scopus_import: 1
status: public
title: Offline witness encryption
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9696
year: '2016'
...
---
_id: '1231'
abstract:
- lang: eng
  text: 'We study the time-and memory-complexities of the problem of computing labels
    of (multiple) randomly selected challenge-nodes in a directed acyclic graph. The
    w-bit label of a node is the hash of the labels of its parents, and the hash function
    is modeled as a random oracle. Specific instances of this problem underlie both
    proofs of space [Dziembowski et al. CRYPTO’15] as well as popular memory-hard
    functions like scrypt. As our main tool, we introduce the new notion of a probabilistic
    parallel entangled pebbling game, a new type of combinatorial pebbling game on
    a graph, which is closely related to the labeling game on the same graph. As a
    first application of our framework, we prove that for scrypt, when the underlying
    hash function is invoked n times, the cumulative memory complexity (CMC) (a notion
    recently introduced by Alwen and Serbinenko (STOC’15) to capture amortized memory-hardness
    for parallel adversaries) is at least Ω(w · (n/ log(n))2). This bound holds for
    adversaries that can store many natural functions of the labels (e.g., linear
    combinations), but still not arbitrary functions thereof. We then introduce and
    study a combinatorial quantity, and show how a sufficiently small upper bound
    on it (which we conjecture) extends our CMC bound for scrypt to hold against arbitrary
    adversaries. We also show that such an upper bound solves the main open problem
    for proofs-of-space protocols: namely, establishing that the time complexity of
    computing the label of a random node in a graph on n nodes (given an initial kw-bit
    state) reduces tightly to the time complexity for black pebbling on the same graph
    (given an initial k-node pebbling).'
acknowledgement: "Joël Alwen, Chethan Kamath, and Krzysztof Pietrzak’s research is
  partially supported by an ERC starting grant (259668-PSPC). Vladimir Kolmogorov
  is partially supported by an ERC consolidator grant (616160-DOICV). Binyi Chen was
  partially supported by NSF grants CNS-1423566 and CNS-1514526, and a gift from the
  Gareatis Foundation. Stefano Tessaro was partially supported by NSF grants CNS-1423566,
  CNS-1528178, a Hellman Fellowship, and the Glen and Susanne Culler Chair.\r\n\r\nThis
  work was done in part while the authors were visiting the Simons Institute for the
  Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons
  Collaboration in Cryptography through NSF grant CNS-1523467."
alternative_title:
- LNCS
author:
- first_name: Joel F
  full_name: Alwen, Joel F
  id: 2A8DFA8C-F248-11E8-B48F-1D18A9856A87
  last_name: Alwen
- first_name: Binyi
  full_name: Chen, Binyi
  last_name: Chen
- first_name: Chethan
  full_name: Kamath Hosdurg, Chethan
  id: 4BD3F30E-F248-11E8-B48F-1D18A9856A87
  last_name: Kamath Hosdurg
- first_name: Vladimir
  full_name: Kolmogorov, Vladimir
  id: 3D50B0BA-F248-11E8-B48F-1D18A9856A87
  last_name: Kolmogorov
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Stefano
  full_name: Tessaro, Stefano
  last_name: Tessaro
citation:
  ama: 'Alwen JF, Chen B, Kamath Hosdurg C, Kolmogorov V, Pietrzak KZ, Tessaro S.
    On the complexity of scrypt and proofs of space in the parallel random oracle
    model. In: Vol 9666. Springer; 2016:358-387. doi:<a href="https://doi.org/10.1007/978-3-662-49896-5_13">10.1007/978-3-662-49896-5_13</a>'
  apa: 'Alwen, J. F., Chen, B., Kamath Hosdurg, C., Kolmogorov, V., Pietrzak, K. Z.,
    &#38; Tessaro, S. (2016). On the complexity of scrypt and proofs of space in the
    parallel random oracle model (Vol. 9666, pp. 358–387). Presented at the EUROCRYPT:
    Theory and Applications of Cryptographic Techniques, Vienna, Austria: Springer.
    <a href="https://doi.org/10.1007/978-3-662-49896-5_13">https://doi.org/10.1007/978-3-662-49896-5_13</a>'
  chicago: Alwen, Joel F, Binyi Chen, Chethan Kamath Hosdurg, Vladimir Kolmogorov,
    Krzysztof Z Pietrzak, and Stefano Tessaro. “On the Complexity of Scrypt and Proofs
    of Space in the Parallel Random Oracle Model,” 9666:358–87. Springer, 2016. <a
    href="https://doi.org/10.1007/978-3-662-49896-5_13">https://doi.org/10.1007/978-3-662-49896-5_13</a>.
  ieee: 'J. F. Alwen, B. Chen, C. Kamath Hosdurg, V. Kolmogorov, K. Z. Pietrzak, and
    S. Tessaro, “On the complexity of scrypt and proofs of space in the parallel random
    oracle model,” presented at the EUROCRYPT: Theory and Applications of Cryptographic
    Techniques, Vienna, Austria, 2016, vol. 9666, pp. 358–387.'
  ista: 'Alwen JF, Chen B, Kamath Hosdurg C, Kolmogorov V, Pietrzak KZ, Tessaro S.
    2016. On the complexity of scrypt and proofs of space in the parallel random oracle
    model. EUROCRYPT: Theory and Applications of Cryptographic Techniques, LNCS, vol.
    9666, 358–387.'
  mla: Alwen, Joel F., et al. <i>On the Complexity of Scrypt and Proofs of Space in
    the Parallel Random Oracle Model</i>. Vol. 9666, Springer, 2016, pp. 358–87, doi:<a
    href="https://doi.org/10.1007/978-3-662-49896-5_13">10.1007/978-3-662-49896-5_13</a>.
  short: J.F. Alwen, B. Chen, C. Kamath Hosdurg, V. Kolmogorov, K.Z. Pietrzak, S.
    Tessaro, in:, Springer, 2016, pp. 358–387.
conference:
  end_date: 2016-05-12
  location: Vienna, Austria
  name: 'EUROCRYPT: Theory and Applications of Cryptographic Techniques'
  start_date: 2016-05-08
date_created: 2018-12-11T11:50:51Z
date_published: 2016-04-28T00:00:00Z
date_updated: 2021-01-12T06:49:15Z
day: '28'
department:
- _id: KrPi
- _id: VlKo
doi: 10.1007/978-3-662-49896-5_13
ec_funded: 1
intvolume: '      9666'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2016/100
month: '04'
oa: 1
oa_version: Submitted Version
page: 358 - 387
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
- _id: 25FBA906-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '616160'
  name: 'Discrete Optimization in Computer Vision: Theory and Practice'
publication_status: published
publisher: Springer
publist_id: '6103'
quality_controlled: '1'
scopus_import: 1
status: public
title: On the complexity of scrypt and proofs of space in the parallel random oracle
  model
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 9666
year: '2016'
...
---
_id: '1233'
abstract:
- lang: eng
  text: About three decades ago it was realized that implementing private channels
    between parties which can be adaptively corrupted requires an encryption scheme
    that is secure against selective opening attacks. Whether standard (IND-CPA) security
    implies security against selective opening attacks has been a major open question
    since. The only known reduction from selective opening to IND-CPA security loses
    an exponential factor. A polynomial reduction is only known for the very special
    case where the distribution considered in the selective opening security experiment
    is a product distribution, i.e., the messages are sampled independently from each
    other. In this paper we give a reduction whose loss is quantified via the dependence
    graph (where message dependencies correspond to edges) of the underlying message
    distribution. In particular, for some concrete distributions including Markov
    distributions, our reduction is polynomial.
acknowledgement: G. Fuchsbauer and K. Pietrzak are supported by the European Research
  Council, ERC Starting Grant (259668-PSPC). F. Heuer is funded by a Sofja Kovalevskaja
  Award of the Alexander von Humboldt Foundation and DFG SPP 1736, Algorithms for
  BIG DATA. E. Kiltz is supported by a Sofja Kovalevskaja Award of the Alexander von
  Humboldt Foundation, the German Israel Foundation, and ERC Project ERCC (FP7/615074).
alternative_title:
- LNCS
author:
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
- first_name: Felix
  full_name: Heuer, Felix
  last_name: Heuer
- first_name: Eike
  full_name: Kiltz, Eike
  last_name: Kiltz
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
citation:
  ama: 'Fuchsbauer G, Heuer F, Kiltz E, Pietrzak KZ. Standard security does imply
    security against selective opening for markov distributions. In: Vol 9562. Springer;
    2016:282-305. doi:<a href="https://doi.org/10.1007/978-3-662-49096-9_12">10.1007/978-3-662-49096-9_12</a>'
  apa: 'Fuchsbauer, G., Heuer, F., Kiltz, E., &#38; Pietrzak, K. Z. (2016). Standard
    security does imply security against selective opening for markov distributions
    (Vol. 9562, pp. 282–305). Presented at the TCC: Theory of Cryptography Conference,
    Tel Aviv, Israel: Springer. <a href="https://doi.org/10.1007/978-3-662-49096-9_12">https://doi.org/10.1007/978-3-662-49096-9_12</a>'
  chicago: Fuchsbauer, Georg, Felix Heuer, Eike Kiltz, and Krzysztof Z Pietrzak. “Standard
    Security Does Imply Security against Selective Opening for Markov Distributions,”
    9562:282–305. Springer, 2016. <a href="https://doi.org/10.1007/978-3-662-49096-9_12">https://doi.org/10.1007/978-3-662-49096-9_12</a>.
  ieee: 'G. Fuchsbauer, F. Heuer, E. Kiltz, and K. Z. Pietrzak, “Standard security
    does imply security against selective opening for markov distributions,” presented
    at the TCC: Theory of Cryptography Conference, Tel Aviv, Israel, 2016, vol. 9562,
    pp. 282–305.'
  ista: 'Fuchsbauer G, Heuer F, Kiltz E, Pietrzak KZ. 2016. Standard security does
    imply security against selective opening for markov distributions. TCC: Theory
    of Cryptography Conference, LNCS, vol. 9562, 282–305.'
  mla: Fuchsbauer, Georg, et al. <i>Standard Security Does Imply Security against
    Selective Opening for Markov Distributions</i>. Vol. 9562, Springer, 2016, pp.
    282–305, doi:<a href="https://doi.org/10.1007/978-3-662-49096-9_12">10.1007/978-3-662-49096-9_12</a>.
  short: G. Fuchsbauer, F. Heuer, E. Kiltz, K.Z. Pietrzak, in:, Springer, 2016, pp.
    282–305.
conference:
  end_date: 2016-01-13
  location: Tel Aviv, Israel
  name: 'TCC: Theory of Cryptography Conference'
  start_date: 2016-01-10
date_created: 2018-12-11T11:50:51Z
date_published: 2016-01-01T00:00:00Z
date_updated: 2021-01-12T06:49:16Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-662-49096-9_12
ec_funded: 1
intvolume: '      9562'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2015/853
month: '01'
oa: 1
oa_version: Submitted Version
page: 282 - 305
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '6100'
quality_controlled: '1'
scopus_import: 1
status: public
title: Standard security does imply security against selective opening for markov
  distributions
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 9562
year: '2016'
...
---
_id: '1235'
abstract:
- lang: eng
  text: 'A constrained pseudorandom function (CPRF) F: K×X → Y for a family T of subsets
    of χ is a function where for any key k ∈ K and set S ∈ T one can efficiently compute
    a short constrained key kS, which allows to evaluate F(k, ·) on all inputs x ∈
    S, while the outputs on all inputs x /∈ S look random even given kS. Abusalah
    et al. recently constructed the first constrained PRF for inputs of arbitrary
    length whose sets S are decided by Turing machines. They use their CPRF to build
    broadcast encryption and the first ID-based non-interactive key exchange for an
    unbounded number of users. Their constrained keys are obfuscated circuits and
    are therefore large. In this work we drastically reduce the key size and define
    a constrained key for a Turing machine M as a short signature on M. For this,
    we introduce a new signature primitive with constrained signing keys that let
    one only sign certain messages, while forging a signature on others is hard even
    when knowing the coins for key generation.'
acknowledgement: H. Abusalah—Research supported by the European Research Council,
  ERC starting grant (259668-PSPC) and ERC consolidator grant (682815 - TOCNeT).
alternative_title:
- LNCS
author:
- first_name: Hamza M
  full_name: Abusalah, Hamza M
  id: 40297222-F248-11E8-B48F-1D18A9856A87
  last_name: Abusalah
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
citation:
  ama: 'Abusalah HM, Fuchsbauer G. Constrained PRFs for unbounded inputs with short
    keys. In: Vol 9696. Springer; 2016:445-463. doi:<a href="https://doi.org/10.1007/978-3-319-39555-5_24">10.1007/978-3-319-39555-5_24</a>'
  apa: 'Abusalah, H. M., &#38; Fuchsbauer, G. (2016). Constrained PRFs for unbounded
    inputs with short keys (Vol. 9696, pp. 445–463). Presented at the ACNS: Applied
    Cryptography and Network Security, Guildford, UK: Springer. <a href="https://doi.org/10.1007/978-3-319-39555-5_24">https://doi.org/10.1007/978-3-319-39555-5_24</a>'
  chicago: Abusalah, Hamza M, and Georg Fuchsbauer. “Constrained PRFs for Unbounded
    Inputs with Short Keys,” 9696:445–63. Springer, 2016. <a href="https://doi.org/10.1007/978-3-319-39555-5_24">https://doi.org/10.1007/978-3-319-39555-5_24</a>.
  ieee: 'H. M. Abusalah and G. Fuchsbauer, “Constrained PRFs for unbounded inputs
    with short keys,” presented at the ACNS: Applied Cryptography and Network Security,
    Guildford, UK, 2016, vol. 9696, pp. 445–463.'
  ista: 'Abusalah HM, Fuchsbauer G. 2016. Constrained PRFs for unbounded inputs with
    short keys. ACNS: Applied Cryptography and Network Security, LNCS, vol. 9696,
    445–463.'
  mla: Abusalah, Hamza M., and Georg Fuchsbauer. <i>Constrained PRFs for Unbounded
    Inputs with Short Keys</i>. Vol. 9696, Springer, 2016, pp. 445–63, doi:<a href="https://doi.org/10.1007/978-3-319-39555-5_24">10.1007/978-3-319-39555-5_24</a>.
  short: H.M. Abusalah, G. Fuchsbauer, in:, Springer, 2016, pp. 445–463.
conference:
  end_date: 2016-06-22
  location: Guildford, UK
  name: 'ACNS: Applied Cryptography and Network Security'
  start_date: 2016-06-19
date_created: 2018-12-11T11:50:52Z
date_published: 2016-01-01T00:00:00Z
date_updated: 2023-09-07T12:30:22Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-319-39555-5_24
ec_funded: 1
intvolume: '      9696'
language:
- iso: eng
main_file_link:
- open_access: '1'
  url: https://eprint.iacr.org/2016/279.pdf
month: '01'
oa: 1
oa_version: Submitted Version
page: 445 - 463
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
- _id: 258AA5B2-B435-11E9-9278-68D0E5697425
  call_identifier: H2020
  grant_number: '682815'
  name: Teaching Old Crypto New Tricks
publication_status: published
publisher: Springer
publist_id: '6098'
quality_controlled: '1'
related_material:
  record:
  - id: '83'
    relation: dissertation_contains
    status: public
scopus_import: 1
status: public
title: Constrained PRFs for unbounded inputs with short keys
type: conference
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 9696
year: '2016'
...
---
_id: '1236'
abstract:
- lang: eng
  text: 'A constrained pseudorandom function F: K × X → Y for a family T ⊆ 2X of subsets
    of X is a function where for any key k ∈ K and set S ∈ T one can efficiently compute
    a constrained key kS which allows to evaluate F (k, ·) on all inputs x ∈ S, while
    even given this key, the outputs on all inputs x ∉ S look random. At Asiacrypt’13
    Boneh and Waters gave a construction which supports the most general set family
    so far. Its keys kc are defined for sets decided by boolean circuits C and enable
    evaluation of the PRF on any x ∈ X where C(x) = 1. In their construction the PRF
    input length and the size of the circuits C for which constrained keys can be
    computed must be fixed beforehand during key generation. We construct a constrained
    PRF that has an unbounded input length and whose constrained keys can be defined
    for any set recognized by a Turing machine. The only a priori bound we make is
    on the description size of the machines. We prove our construction secure assuming
    publiccoin differing-input obfuscation. As applications of our constrained PRF
    we build a broadcast encryption scheme where the number of potential receivers
    need not be fixed at setup (in particular, the length of the keys is independent
    of the number of parties) and the first identity-based non-interactive key exchange
    protocol with no bound on the number of parties that can agree on a shared key.'
acknowledgement: Supported by the European Research Council, ERC Starting Grant (259668-PSPC).
alternative_title:
- LNCS
author:
- first_name: Hamza M
  full_name: Abusalah, Hamza M
  id: 40297222-F248-11E8-B48F-1D18A9856A87
  last_name: Abusalah
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
citation:
  ama: 'Abusalah HM, Fuchsbauer G, Pietrzak KZ. Constrained PRFs for unbounded inputs.
    In: Vol 9610. Springer; 2016:413-428. doi:<a href="https://doi.org/10.1007/978-3-319-29485-8_24">10.1007/978-3-319-29485-8_24</a>'
  apa: 'Abusalah, H. M., Fuchsbauer, G., &#38; Pietrzak, K. Z. (2016). Constrained
    PRFs for unbounded inputs (Vol. 9610, pp. 413–428). Presented at the CT-RSA: Topics
    in Cryptology, San Francisco, CA, USA: Springer. <a href="https://doi.org/10.1007/978-3-319-29485-8_24">https://doi.org/10.1007/978-3-319-29485-8_24</a>'
  chicago: Abusalah, Hamza M, Georg Fuchsbauer, and Krzysztof Z Pietrzak. “Constrained
    PRFs for Unbounded Inputs,” 9610:413–28. Springer, 2016. <a href="https://doi.org/10.1007/978-3-319-29485-8_24">https://doi.org/10.1007/978-3-319-29485-8_24</a>.
  ieee: 'H. M. Abusalah, G. Fuchsbauer, and K. Z. Pietrzak, “Constrained PRFs for
    unbounded inputs,” presented at the CT-RSA: Topics in Cryptology, San Francisco,
    CA, USA, 2016, vol. 9610, pp. 413–428.'
  ista: 'Abusalah HM, Fuchsbauer G, Pietrzak KZ. 2016. Constrained PRFs for unbounded
    inputs. CT-RSA: Topics in Cryptology, LNCS, vol. 9610, 413–428.'
  mla: Abusalah, Hamza M., et al. <i>Constrained PRFs for Unbounded Inputs</i>. Vol.
    9610, Springer, 2016, pp. 413–28, doi:<a href="https://doi.org/10.1007/978-3-319-29485-8_24">10.1007/978-3-319-29485-8_24</a>.
  short: H.M. Abusalah, G. Fuchsbauer, K.Z. Pietrzak, in:, Springer, 2016, pp. 413–428.
conference:
  end_date: 2016-03-04
  location: San Francisco, CA, USA
  name: 'CT-RSA: Topics in Cryptology'
  start_date: 2016-02-29
date_created: 2018-12-11T11:50:52Z
date_published: 2016-02-02T00:00:00Z
date_updated: 2023-09-07T12:30:22Z
day: '02'
ddc:
- '005'
- '600'
department:
- _id: KrPi
doi: 10.1007/978-3-319-29485-8_24
ec_funded: 1
file:
- access_level: open_access
  checksum: 3851cee49933ae13b1272e516f213e13
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:08:05Z
  date_updated: 2020-07-14T12:44:41Z
  file_id: '4664'
  file_name: IST-2017-764-v1+1_279.pdf
  file_size: 495176
  relation: main_file
file_date_updated: 2020-07-14T12:44:41Z
has_accepted_license: '1'
intvolume: '      9610'
language:
- iso: eng
month: '02'
oa: 1
oa_version: Submitted Version
page: 413 - 428
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '6097'
pubrep_id: '764'
quality_controlled: '1'
related_material:
  record:
  - id: '83'
    relation: dissertation_contains
    status: public
scopus_import: 1
status: public
title: Constrained PRFs for unbounded inputs
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9610
year: '2016'
...
---
_id: '1479'
abstract:
- lang: eng
  text: "Most entropy notions H(.) like Shannon or min-entropy satisfy a chain rule
    stating that for random variables X,Z, and A we have H(X|Z,A)≥H(X|Z)−|A|. That
    is, by conditioning on A the entropy of X can decrease by at most the bitlength
    |A| of A. Such chain rules are known to hold for some computational entropy notions
    like Yao’s and unpredictability-entropy. For HILL entropy, the computational analogue
    of min-entropy, the chain rule is of special interest and has found many applications,
    including leakage-resilient cryptography, deterministic encryption, and memory
    delegation. These applications rely on restricted special cases of the chain rule.
    Whether the chain rule for conditional HILL entropy holds in general was an open
    problem for which we give a strong negative answer: we construct joint distributions
    (X,Z,A), where A is a distribution over a single bit, such that the HILL entropy
    H HILL (X|Z) is large but H HILL (X|Z,A) is basically zero.\r\n\r\nOur counterexample
    just makes the minimal assumption that NP⊈P/poly. Under the stronger assumption
    that injective one-way function exist, we can make all the distributions efficiently
    samplable.\r\n\r\nFinally, we show that some more sophisticated cryptographic
    objects like lossy functions can be used to sample a distribution constituting
    a counterexample to the chain rule making only a single invocation to the underlying
    object."
acknowledgement: "This work was partly funded by the European Research Council under
  ERC Starting Grant 259668-PSPC and ERC Advanced Grant 321310-PERCY.\r\n"
author:
- first_name: Stephan
  full_name: Krenn, Stephan
  id: 329FCCF0-F248-11E8-B48F-1D18A9856A87
  last_name: Krenn
  orcid: 0000-0003-2835-9093
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Akshay
  full_name: Wadia, Akshay
  last_name: Wadia
- first_name: Daniel
  full_name: Wichs, Daniel
  last_name: Wichs
citation:
  ama: Krenn S, Pietrzak KZ, Wadia A, Wichs D. A counterexample to the chain rule
    for conditional HILL entropy. <i>Computational Complexity</i>. 2016;25(3):567-605.
    doi:<a href="https://doi.org/10.1007/s00037-015-0120-9">10.1007/s00037-015-0120-9</a>
  apa: Krenn, S., Pietrzak, K. Z., Wadia, A., &#38; Wichs, D. (2016). A counterexample
    to the chain rule for conditional HILL entropy. <i>Computational Complexity</i>.
    Springer. <a href="https://doi.org/10.1007/s00037-015-0120-9">https://doi.org/10.1007/s00037-015-0120-9</a>
  chicago: Krenn, Stephan, Krzysztof Z Pietrzak, Akshay Wadia, and Daniel Wichs. “A
    Counterexample to the Chain Rule for Conditional HILL Entropy.” <i>Computational
    Complexity</i>. Springer, 2016. <a href="https://doi.org/10.1007/s00037-015-0120-9">https://doi.org/10.1007/s00037-015-0120-9</a>.
  ieee: S. Krenn, K. Z. Pietrzak, A. Wadia, and D. Wichs, “A counterexample to the
    chain rule for conditional HILL entropy,” <i>Computational Complexity</i>, vol.
    25, no. 3. Springer, pp. 567–605, 2016.
  ista: Krenn S, Pietrzak KZ, Wadia A, Wichs D. 2016. A counterexample to the chain
    rule for conditional HILL entropy. Computational Complexity. 25(3), 567–605.
  mla: Krenn, Stephan, et al. “A Counterexample to the Chain Rule for Conditional
    HILL Entropy.” <i>Computational Complexity</i>, vol. 25, no. 3, Springer, 2016,
    pp. 567–605, doi:<a href="https://doi.org/10.1007/s00037-015-0120-9">10.1007/s00037-015-0120-9</a>.
  short: S. Krenn, K.Z. Pietrzak, A. Wadia, D. Wichs, Computational Complexity 25
    (2016) 567–605.
date_created: 2018-12-11T11:52:16Z
date_published: 2016-09-01T00:00:00Z
date_updated: 2023-02-23T11:05:09Z
day: '01'
ddc:
- '004'
department:
- _id: KrPi
doi: 10.1007/s00037-015-0120-9
ec_funded: 1
file:
- access_level: open_access
  checksum: 7659296174fa75f5f0364f31f46f4bcf
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:13:29Z
  date_updated: 2020-07-14T12:44:56Z
  file_id: '5012'
  file_name: IST-2017-766-v1+1_678.pdf
  file_size: 483258
  relation: main_file
file_date_updated: 2020-07-14T12:44:56Z
has_accepted_license: '1'
intvolume: '        25'
issue: '3'
language:
- iso: eng
month: '09'
oa: 1
oa_version: Submitted Version
page: 567 - 605
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication: Computational Complexity
publication_status: published
publisher: Springer
publist_id: '5715'
pubrep_id: '766'
quality_controlled: '1'
related_material:
  record:
  - id: '2940'
    relation: earlier_version
    status: public
scopus_import: 1
status: public
title: A counterexample to the chain rule for conditional HILL entropy
tmp:
  image: /images/cc_by.png
  legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
  name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
  short: CC BY (4.0)
type: journal_article
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 25
year: '2016'
...
---
_id: '1592'
abstract:
- lang: eng
  text: A modular approach to constructing cryptographic protocols leads to simple
    designs but often inefficient instantiations. On the other hand, ad hoc constructions
    may yield efficient protocols at the cost of losing conceptual simplicity. We
    suggest a new design paradigm, structure-preserving cryptography, that provides
    a way to construct modular protocols with reasonable efficiency while retaining
    conceptual simplicity. A cryptographic scheme over a bilinear group is called
    structure-preserving if its public inputs and outputs consist of elements from
    the bilinear groups and their consistency can be verified by evaluating pairing-product
    equations. As structure-preserving schemes smoothly interoperate with each other,
    they are useful as building blocks in modular design of cryptographic applications.
    This paper introduces structure-preserving commitment and signature schemes over
    bilinear groups with several desirable properties. The commitment schemes include
    homomorphic, trapdoor and length-reducing commitments to group elements, and the
    structure-preserving signature schemes are the first ones that yield constant-size
    signatures on multiple group elements. A structure-preserving signature scheme
    is called automorphic if the public keys lie in the message space, which cannot
    be achieved by compressing inputs via a cryptographic hash function, as this would
    destroy the mathematical structure we are trying to preserve. Automorphic signatures
    can be used for building certification chains underlying privacy-preserving protocols.
    Among a vast number of applications of structure-preserving protocols, we present
    an efficient round-optimal blind-signature scheme and a group signature scheme
    with an efficient and concurrently secure protocol for enrolling new members.
acknowledgement: The authors would like to thank the anonymous reviewers of this paper.
  We also would like to express our appreciation to the program committee and the
  anonymous reviewers for CRYPTO 2010. The first author thanks Sherman S. M. Chow
  for his comment on group signatures in Sect. 7.1.
author:
- first_name: Masayuki
  full_name: Abe, Masayuki
  last_name: Abe
- first_name: Georg
  full_name: Fuchsbauer, Georg
  id: 46B4C3EE-F248-11E8-B48F-1D18A9856A87
  last_name: Fuchsbauer
- first_name: Jens
  full_name: Groth, Jens
  last_name: Groth
- first_name: Kristiyan
  full_name: Haralambiev, Kristiyan
  last_name: Haralambiev
- first_name: Miyako
  full_name: Ohkubo, Miyako
  last_name: Ohkubo
citation:
  ama: Abe M, Fuchsbauer G, Groth J, Haralambiev K, Ohkubo M. Structure preserving
    signatures and commitments to group elements. <i>Journal of Cryptology</i>. 2016;29(2):363-421.
    doi:<a href="https://doi.org/10.1007/s00145-014-9196-7">10.1007/s00145-014-9196-7</a>
  apa: Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., &#38; Ohkubo, M. (2016).
    Structure preserving signatures and commitments to group elements. <i>Journal
    of Cryptology</i>. Springer. <a href="https://doi.org/10.1007/s00145-014-9196-7">https://doi.org/10.1007/s00145-014-9196-7</a>
  chicago: Abe, Masayuki, Georg Fuchsbauer, Jens Groth, Kristiyan Haralambiev, and
    Miyako Ohkubo. “Structure Preserving Signatures and Commitments to Group Elements.”
    <i>Journal of Cryptology</i>. Springer, 2016. <a href="https://doi.org/10.1007/s00145-014-9196-7">https://doi.org/10.1007/s00145-014-9196-7</a>.
  ieee: M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, and M. Ohkubo, “Structure
    preserving signatures and commitments to group elements,” <i>Journal of Cryptology</i>,
    vol. 29, no. 2. Springer, pp. 363–421, 2016.
  ista: Abe M, Fuchsbauer G, Groth J, Haralambiev K, Ohkubo M. 2016. Structure preserving
    signatures and commitments to group elements. Journal of Cryptology. 29(2), 363–421.
  mla: Abe, Masayuki, et al. “Structure Preserving Signatures and Commitments to Group
    Elements.” <i>Journal of Cryptology</i>, vol. 29, no. 2, Springer, 2016, pp. 363–421,
    doi:<a href="https://doi.org/10.1007/s00145-014-9196-7">10.1007/s00145-014-9196-7</a>.
  short: M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo, Journal of Cryptology
    29 (2016) 363–421.
date_created: 2018-12-11T11:52:54Z
date_published: 2016-04-01T00:00:00Z
date_updated: 2021-01-12T06:51:49Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/s00145-014-9196-7
intvolume: '        29'
issue: '2'
language:
- iso: eng
month: '04'
oa_version: None
page: 363 - 421
publication: Journal of Cryptology
publication_status: published
publisher: Springer
publist_id: '5579'
quality_controlled: '1'
scopus_import: 1
status: public
title: Structure preserving signatures and commitments to group elements
type: journal_article
user_id: 3E5EF7F0-F248-11E8-B48F-1D18A9856A87
volume: 29
year: '2016'
...
---
_id: '1653'
abstract:
- lang: eng
  text: "A somewhere statistically binding (SSB) hash, introduced by Hubáček and Wichs
    (ITCS ’15), can be used to hash a long string x to a short digest y = H hk (x)
    using a public hashing-key hk. Furthermore, there is a way to set up the hash
    key hk to make it statistically binding on some arbitrary hidden position i, meaning
    that: (1) the digest y completely determines the i’th bit (or symbol) of x so
    that all pre-images of y have the same value in the i’th position, (2) it is computationally
    infeasible to distinguish the position i on which hk is statistically binding
    from any other position i’. Lastly, the hash should have a local opening property
    analogous to Merkle-Tree hashing, meaning that given x and y = H hk (x) it should
    be possible to create a short proof π that certifies the value of the i’th bit
    (or symbol) of x without having to provide the entire input x. A similar primitive
    called a positional accumulator, introduced by Koppula, Lewko and Waters (STOC
    ’15) further supports dynamic updates of the hashed value. These tools, which
    are interesting in their own right, also serve as one of the main technical components
    in several recent works building advanced applications from indistinguishability
    obfuscation (iO).\r\n\r\nThe prior constructions of SSB hashing and positional
    accumulators required fully homomorphic encryption (FHE) and iO respectively.
    In this work, we give new constructions of these tools based on well studied number-theoretic
    assumptions such as DDH, Phi-Hiding and DCR, as well as a general construction
    from lossy/injective functions."
alternative_title:
- LNCS
author:
- first_name: Tatsuaki
  full_name: Okamoto, Tatsuaki
  last_name: Okamoto
- first_name: Krzysztof Z
  full_name: Pietrzak, Krzysztof Z
  id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
  last_name: Pietrzak
  orcid: 0000-0002-9139-1654
- first_name: Brent
  full_name: Waters, Brent
  last_name: Waters
- first_name: Daniel
  full_name: Wichs, Daniel
  last_name: Wichs
citation:
  ama: 'Okamoto T, Pietrzak KZ, Waters B, Wichs D. New realizations of somewhere statistically
    binding hashing and positional accumulators. In: Vol 9452. Springer; 2016:121-145.
    doi:<a href="https://doi.org/10.1007/978-3-662-48797-6_6">10.1007/978-3-662-48797-6_6</a>'
  apa: 'Okamoto, T., Pietrzak, K. Z., Waters, B., &#38; Wichs, D. (2016). New realizations
    of somewhere statistically binding hashing and positional accumulators (Vol. 9452,
    pp. 121–145). Presented at the ASIACRYPT: Theory and Application of Cryptology
    and Information Security, Auckland, New Zealand: Springer. <a href="https://doi.org/10.1007/978-3-662-48797-6_6">https://doi.org/10.1007/978-3-662-48797-6_6</a>'
  chicago: Okamoto, Tatsuaki, Krzysztof Z Pietrzak, Brent Waters, and Daniel Wichs.
    “New Realizations of Somewhere Statistically Binding Hashing and Positional Accumulators,”
    9452:121–45. Springer, 2016. <a href="https://doi.org/10.1007/978-3-662-48797-6_6">https://doi.org/10.1007/978-3-662-48797-6_6</a>.
  ieee: 'T. Okamoto, K. Z. Pietrzak, B. Waters, and D. Wichs, “New realizations of
    somewhere statistically binding hashing and positional accumulators,” presented
    at the ASIACRYPT: Theory and Application of Cryptology and Information Security,
    Auckland, New Zealand, 2016, vol. 9452, pp. 121–145.'
  ista: 'Okamoto T, Pietrzak KZ, Waters B, Wichs D. 2016. New realizations of somewhere
    statistically binding hashing and positional accumulators. ASIACRYPT: Theory and
    Application of Cryptology and Information Security, LNCS, vol. 9452, 121–145.'
  mla: Okamoto, Tatsuaki, et al. <i>New Realizations of Somewhere Statistically Binding
    Hashing and Positional Accumulators</i>. Vol. 9452, Springer, 2016, pp. 121–45,
    doi:<a href="https://doi.org/10.1007/978-3-662-48797-6_6">10.1007/978-3-662-48797-6_6</a>.
  short: T. Okamoto, K.Z. Pietrzak, B. Waters, D. Wichs, in:, Springer, 2016, pp.
    121–145.
conference:
  end_date: 2015-12-03
  location: Auckland, New Zealand
  name: 'ASIACRYPT: Theory and Application of Cryptology and Information Security'
  start_date: 2015-11-29
date_created: 2018-12-11T11:53:16Z
date_published: 2016-01-08T00:00:00Z
date_updated: 2021-01-12T06:52:16Z
day: '08'
ddc:
- '000'
department:
- _id: KrPi
doi: 10.1007/978-3-662-48797-6_6
ec_funded: 1
file:
- access_level: open_access
  checksum: a57711cb660c5b17b42bb47275a00180
  content_type: application/pdf
  creator: system
  date_created: 2018-12-12T10:12:05Z
  date_updated: 2020-07-14T12:45:08Z
  file_id: '4923'
  file_name: IST-2016-677-v1+1_869.pdf
  file_size: 580088
  relation: main_file
file_date_updated: 2020-07-14T12:45:08Z
has_accepted_license: '1'
intvolume: '      9452'
language:
- iso: eng
month: '01'
oa: 1
oa_version: Submitted Version
page: 121 - 145
project:
- _id: 258C570E-B435-11E9-9278-68D0E5697425
  call_identifier: FP7
  grant_number: '259668'
  name: Provable Security for Physical Cryptography
publication_status: published
publisher: Springer
publist_id: '5497'
pubrep_id: '677'
quality_controlled: '1'
scopus_import: 1
status: public
title: New realizations of somewhere statistically binding hashing and positional
  accumulators
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 9452
year: '2016'
...