Posted: 14/05/2018, 11:33
LNCS 9816

Matthew Robshaw, Jonathan Katz (Eds.)

Advances in Cryptology – CRYPTO 2016
36th Annual International Cryptology Conference
Santa Barbara, CA, USA, August 14–18, 2016
Proceedings, Part III

Lecture Notes in Computer Science
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, Lancaster, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Friedemann Mattern, ETH Zurich, Zürich, Switzerland
John C. Mitchell, Stanford University, Stanford, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbrücken, Germany

More information about this series at http://www.springer.com/series/7410
Editors
Matthew Robshaw, Impinj, Inc., Seattle, WA, USA
Jonathan Katz, University of Maryland, College Park, MD, USA

ISSN 0302-9743, ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-662-53014-6, ISBN 978-3-662-53015-3 (eBook)
DOI 10.1007/978-3-662-53015-3
Library of Congress Control Number: 2016945783
LNCS Sublibrary: SL4 – Security and Cryptology

© International Association for Cryptologic Research 2016

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.

Printed on acid-free paper

This Springer imprint is published by Springer Nature. The registered company is Springer-Verlag GmbH Berlin Heidelberg.

Preface

The 36th International Cryptology Conference (Crypto 2016) was held at UCSB, Santa Barbara, CA, USA, during August 14–18, 2016. The workshop was sponsored by the International Association for Cryptologic Research.

Crypto continues to grow. This year the Program Committee evaluated a record 274 submissions, out of which 70 were chosen for inclusion in the program. Each paper was reviewed by at least three independent reviewers, with papers from Program Committee members receiving at least five reviews. Reviewers with potential conflicts of interest for specific papers were excluded from all discussions about those papers, and this policy was extended to the program chairs as well. The 44 members of the Program Committee were aided in this complex and time-consuming task by many external reviewers. We would like to thank them all for their service, their expert opinions, and their spirited contributions to the review process.

It was a tremendously difficult task to choose the program for this conference, as the quality of the submissions was very high. It was even harder to identify a single best paper, but our congratulations go to Elette Boyle, Niv Gilboa, and Yuval Ishai from IDC Herzliya, Ben Gurion University, and the Technion, respectively, whose paper “Breaking the Circuit Size Barrier for Secure Computation Under DDH” was awarded Best Paper. Our congratulations also go to Mark Zhandry of MIT and Princeton University, who won the award for the Best Student Paper “The Magic of ELFs.”

The invited speakers at Crypto 2016 were Brian Sniffen, Chief Security Architect at Akamai Technologies, Inc., and Paul Kocher, founder of Cryptography Research. Brian’s presentation cast a fascinating light on the issues of real-world cryptographic deployment, while Paul’s presentation, a joint invitation from the program co-chairs of both Crypto 2016 and CHES 2016, marked 20 years since his publication of the first paper on side-channel attacks at Crypto 1996.

We are, of course, indebted to Brian LaMacchia, the general chair, as well as the local Organizing Committee, who together proved ideal liaisons for establishing the layout of the program and for
supporting the speakers. Our job as program co-chairs was made much easier by the excellent tools developed by Shai Halevi; both Shai and Brian were always available at short notice to answer our queries. Finally, we would like to thank all the authors who submitted their work to Crypto 2016. Without you the conference would not exist.

August 2016
Matthew Robshaw
Jonathan Katz

Crypto 2016
The 36th IACR International Cryptology Conference
University of California, Santa Barbara, CA, USA
August 14–18, 2016
Sponsored by the International Association for Cryptologic Research

General Chair
Brian LaMacchia, Microsoft

Program Chairs
Matthew Robshaw, Impinj, USA
Jonathan Katz, University of Maryland, USA

Program Committee
Alex Biryukov, University of Luxembourg, Luxembourg
Anne Canteaut, Inria, France
Dario Catalano, Università di Catania, Italy
Nishanth Chandran, Microsoft Research, India
Melissa Chase, Microsoft Research, USA
Joan Daemen, STMicroelectronics, Belgium and Radboud University, The Netherlands
Martin van Dijk, University of Connecticut, USA
Itai Dinur, Ben-Gurion University, Israel
Pierre-Alain Fouque, Université Rennes 1, France
Steven Galbraith, Auckland University, New Zealand
Sanjam Garg, University of California, Berkeley, USA
S. Dov Gordon, George Mason University, USA
Jens Groth, University College London, UK
Sorina Ionica, Université de Picardie, France
Tetsu Iwata, Nagoya University, Japan
Aggelos Kiayias, National and Kapodistrian University of Athens, Greece
Gregor Leander, Ruhr Universität Bochum, Germany
Shengli Liu, Shanghai Jiao Tong University, China
Alexander May, Ruhr Universität Bochum, Germany
Willi Meier, FHNW, Switzerland
Payman Mohassel, Visa Research, USA
Elke De Mulder, Cryptographic Research, France
Steven Myers, Indiana University, USA
Phong Nguyen, Inria, France and CNRS/JFLI and University of Tokyo, Japan
Kaisa Nyberg, Aalto University, Finland
Kenny Paterson, Royal Holloway University of London, UK
Thomas Peyrin, Nanyang Technological University, Singapore
Benny Pinkas, Bar-Ilan University, Israel
David Pointcheval, École Normale Supérieure, France
Manoj Prabhakaran, University of Illinois, USA
Bart Preneel, KU Leuven, Belgium
Mariana Raykova, Yale University, USA
Christian Rechberger, TU-Graz, Austria and DTU, Denmark
Mike Rosulek, Oregon State University, USA
Rei Safavi-Naini, University of Calgary, Canada
Alessandra Scafuro, Boston University and Northeastern University, USA
Patrick Schaumont, Virginia Tech, USA
Dominique Schröder, Saarland University, Germany
Jae Hong Seo, Myongji University, Korea
Yannick Seurin, ANSSI, France
Abhi Shelat, University of Virginia, USA
Nigel Smart, University of Bristol, UK
Ron Steinfeld, Monash University, Australia
Mehdi Tibouchi, NTT Secure Platform Laboratories, Japan

Additional Reviewers
Michel Abdalla, Masayuki Abe, Arash Afshar, Shashank Agrawal, Shweta Agrawal, Ayo Akinyele, Martin Albrecht, Gergely Alpar, Jacob Alperin-Sheriff, Elena Andreeva, Daniel Apon, Gilad Asharov, Gilles Van Assche, Nuttapong Attrapadung, Saikrishna Badrinarayanan, Josep Balasch, Foteini Baldimtsi, Paulo Barreto, Gilles Barthe, Lejla Batina, Christof Beierle, Mihir Bellare, Fabrice Benhamouda, Sanjay Bhattacherjee, Jean-Francois Biasse, Begul Bilgin, Gaetan Bisson, Nir Bitansky, Simon Blackburn, Olivier Blazy, Matthieu Bloch, Céline Blondeau, Andrej Bogdanov, Dan Boneh, Jonathan Bootle, Raphael Bost, Christina Boura, Florian Bourse, Cyril Bouvier, Elette Boyle, Zvika Brakerski, Luís Brandão, Anne Broadbent, Christina Brzuska, Christian Cachin, Ran Canetti, Angelo De Caro, Guilhem Castagnos, Andrea Cerulli, Pyrros Chaidos, André Chailloux, Jie Chen, Céline Chevalier, Chongwon Cho, Seung Geol Choi, Ashish Choudhury, Sherman Chow, Kai-Min Chung, Michele Ciampi, Michael Clear, Ran Cohen, Geoffroy Couteau, Dana Dachman-Soled, Deepesh Data, Jean Paul Degabriele, David Derler, Daniel Dinu, Christoph Dobraunig, Yevgeniy Dodis, Nico Döttling, Natnatee Dokmai, Leo Ducas, Tuyet Duong, Keita Emura, Frederic Ezerman, Pooya Farshim, Sebastian Faust, Dario Fiore, Marc Fischlin, Joe
Fitzsimons, Nils Fleischhacker, Emmanuel Fouotsa, Georg Fuchsbauer, Eiichiro Fujisaki, Martin Gagne, François Le Gall, Chaya Ganesh, Juan Garay, Christina Garman, Romain Gay, Essam Ghadafi, Benedikt Gierlichs, Niv Gilboa, Vipul Goyal, Frédéric Grosshans, Aurore Guillevic, Divya Gupta, Felix Günther, Shai Halevi, Mike Hamburg, Shuai Han, Helena Handschuh, Christian Hanser, Carmit Hazay, Ethan Heilman, Ryan Henry, Gottfried Herold, Felix Heuer, Viet Tung Hoang, Dennis Hofheinz, Ziyuan Hu, Yan Huang, Michael Hutter, Malika Izabachene, Håkon Jacobsen, Mahavir Jhawar, Dingding Jia, Keting Jia, Thomas Johansson, Aaron Johnson, Kimmo Järvinen, Yael Tauman Kalai, Bhavana Kanukurthi, Petteri Kaski, Marcel Keller, Nathan Keller, Carmen Kempka, Iordanis Kerenidis, Dmitry Khovratovich, Dakshita Khurana, Eike Kiltz, Jinsu Kim, Taechan Kim, Paul Kirchner, Elena Kirshanova, Susumu Kiyoshima, Simon Knellwolf, Stefan Koelbl, Vlad Kolesnikov, Takeshi Koshiba, Luke Kowalczyk, Thorsten Kranz, Daniel Kraschewski, Anna Krasnova, Hugo Krawczyk, Fernando Krell, Stephan Krenn, Ranjit Kumaresan, Alptekin Kupcu, Fabien Laguillaumie, Virginie Lallemand, Enrique Larraia, Changmin Lee, Hyung Tae Lee, Kwangsu Lee, Nikos Leonardos, Tancrède Lepoint, Anthony Leverrier, Benoit Libert, Fuchun Lin, Rachel Lin, Yehuda Lindell, Feng-Hao Liu, Yi-Kai Liu, Patrick Longa, Steve Lu, Stefan Lucks, Atul Luykx, Anna Lysyanskaya, Lin Lyu, Vadim Lyubashevsky, Mohammad Mahmoody, Hemanta Maji, Giulio Malavolta, Tal Malkin, Alex Malozemoff, Mark Marson, Daniel Masny, Takahiro Matsuda, Florian Mendel, Bart Mennink, Thyla van der Merwe, Peihan Miao, Christof Michel, Ian Miers, Andrew Miller, Brice Minaud, Kazuhiko Minematsu, Ilya Mironov, Ameer Mohammad, Amir Moradi, Tal Moran, Nicky Mouha, Pratyay Mukherjee, Jörn Müller-Quade, Valérie Nachef, Michael Naehrig, Maria Naya-Plasencia, Soheil Nemati, Khoa Nguyen, Ivica Nikolic, Ventzi Nikov, Ryo Nishimaki, Anca Nitulescu, Adam O’Neill, Miyako Ohkubo, Go Ohtake, Tatsuaki Okamoto, Ozgur Oksuz, Cristina Onete, Claudio Orlandi, Elisabeth Oswald, Léo Paul Perrin, Jiaxin Pan, Giorgos
Panagiotakos, Omkant Pandey, Kostas Pappagiannopoulos, Anat Paskin-Cherniavsky, Rafael Pass, Valerio Pastro, Arpita Patra, Souradyuti Paul, Christopher Peikert, Rene Peralta, Trevor Perrin, Giuseppe Persiano, Christophe Petit, Rafael Del Pino, Oxana Poburinnaya, Antigoni Polychroniadou, Orazio Puglisi, Baodong Qin, Max Rabkin, Carla Rafols, Srinivasan Raghuraman, Vanishree Rao, Manuel Reinert, Oscar Reparaz, Silas Richelson, Thomas Ristenpart, Damien Robert, Alon Rosen, Adeline Roux-Langlois, Arnab Roy, Tim Ruffing, Hansol Ryu, Sondre Rønjom, Amin Sakzad, Katerina Samari, Ruediger Schack, Christian Schaffner, John Schanck, Thomas Schneider, Peter Scholl, Peter Schwabe, Sven Schäge, Adam Sealfon, Setareh Sharifian, Tom Shrimpton, Sandeep Shukla, Siang Meng Sim, Luisa Siniscalchi, Daniel Slamanig, Yongsoo Song, Kannan Srinathan, Akshayaram Srinivasan, Douglas Stebila, Damien Stehlé, John Steinberger, Marc Stevens, Valentin Suder, Willy Susilo, Björn Tackmann, Katsuyuki Takashima, Qiang Tang, Stefano Tessaro, Aishwarya Thiruvengadam, Jean-Pierre Tillich, Yosuke Todo, Yiannis Tselekounis, Michael Tunstall, Himanshu Tyagi, Aleksei Udovenko, Jon Ullman, Dominique Unruh, Prashant Vasudevan, Vesselin Velichkov, Muthu Venkitasubramaniam, Frederik Vercauteren, Damien Vergnaud, Jorge Villar, Dhinakaran Vinayagamurthy, Ivan Visconti, Michael Walter, Pengwei Wang, Qingju Wang, Xiao Wang, Hoeteck Wee, Mor Weiss, Yunhua Wen, Carolyn Whitnall, Daniel Wichs, Xiaodi Wu, Keita Xagawa, Sophia Yakoubov, Shota Yamada, Kan Yasuda, Arkady Yerukhimovich, Ouyang Yingkai, Thomas Zacharias, Mark Zhandry, Bingsheng Zhang, Liang Feng Zhang, Xiao Zhang, Yupeng Zhang, Hong-Sheng Zhou, Vassilis Zikas, Dionysis Zindros

Two-Message, Oblivious Evaluation of Cryptographic Functionalities

Remark. We remark several points. First, if a simulator Sim is non-trivial by construction, we can omit the second oracle of the distinguisher. Basically, the only property we need to ensure non-triviality is that if the simulator gets messages from an honest receiver, then this composed system
actually implements the random function $H$. Formally, this requirement can be written as $\langle \mathrm{Sim}^H, R(\cdot)\rangle \equiv H(\cdot)$, i.e., if an honest receiver interacts with a simulator Sim with access to $H$, then this protocol implements $H$. If this is guaranteed, then the oracles $\langle S(k), \cdot\rangle$ and $\mathrm{Sim}^H(\cdot)$ are sufficient: given such an oracle $O_A$ (which is either of the two), the distinguisher $D$ can simulate the honest oracle by $\langle O_A, R(\cdot)\rangle$. In our construction the simulator Sim will be canonical: it extracts the first message, sends the extracted input to the random function $H$, and uses the output to simulate the sender's message. This simulator is non-trivial by construction, and thus giving the distinguisher access to a single oracle will be sufficient. Moreover, while Definition 10 allows the simulator Sim to depend on the distinguisher $D$, our canonical simulator will be universal in the sense that it works for any PPT distinguisher $D$.

Pseudorandom Functions with Oblivious Black-Box Reductions

To apply the technique developed in Sect. 3, we require a pseudorandom function with an oblivious black-box reduction. Most constructions of PRFs in the literature do not possess such a reduction. In particular, most reductions need to program the distinguisher's oracle adaptively, depending on prior oracle inputs of the distinguisher. For example, the security reduction of the construction of Goldreich, Goldwasser and Micali [25], which reduces the security of the PRF to that of the underlying pseudorandom generator, is based on a hybrid argument and needs to keep a list of the distinguisher's distinct oracle queries to be able to answer oracle queries consistently. This, however, contradicts our notion of obliviousness. Fortunately, there are constructions of pseudorandom functions with oblivious black-box reductions to their underlying hard problems. One example of such a PRF is the Naor-Reingold PRF [49]. While the security reduction provided in [49] is not oblivious, there is a simple way of converting this reduction into an oblivious black-box reduction using q-wise independent functions (Appendix A). More generally, there is a recent line of work that aims at constructing large-domain pseudorandom functions from small-domain pseudorandom functions via oblivious black-box reductions [8,14]. The baseline of these results is that large-domain PRFs can be constructed by combining several small-domain (i.e., poly-sized domain) PRFs in a suitable way. The pseudorandomness of large-domain PRFs is established by replacing one of the small-domain PRFs (depending on the query bound of the adversary) with a random function in a single shot. Since the small-domain PRF has a domain of just polynomial size, the reduction can (non-adaptively) query its oracle on all inputs and retrieve the entire function table. Thus, there is no need to adaptively program the distinguisher's oracle based on previous queries.

In order to use the framework we developed in Sect. 3, it will be convenient to use an alternative definition of pseudorandom functions. In Definition 9, the distinguisher's goal is to distinguish the PRF from a truly random function. However, if we do not know any bound on the distinguisher's number of queries in advance, the only (known) way to simulate a random function is by evaluating the random function lazily: every time the distinguisher queries the random function on a new input, the simulation samples a random image and adds it into a table of input and output values. If a certain input has been queried before, its image is retrieved from the table. However, such a simulation is necessarily stateful. To overcome this, we use an equivalent definition of pseudorandom functions which takes into account that every PPT distinguisher has a polynomial upper bound on the number of its oracle queries. Once such a bound $q$ is known, we can simulate a random function statelessly with an efficient q-wise independent function.

Definition 11 (q-Wise Independent Function). Let $F$ be an efficiently computable two-argument function that takes a seed $s$ and an input $x$. We say that $F$ is a q-wise independent function if it holds for all pairwise distinct $x_1, \dots, x_q$ that $F(s, x_1), \dots, F(s, x_q)$ are distributed independently and uniformly at random over the choice of the seed $s$.

There are various constructions of efficient q-wise independent functions, such as the classical construction of Wegman and Carter [57], which is based on random degree-$q$ polynomials in large finite fields.

Definition 12 (Pseudorandom Functions, Equivalent Definition). An efficiently computable two-argument function $PRF$ is called a pseudorandom function if there exists a family $\{F_q\}_q$ of functions, where $F_q$ is q-wise independent, such that the following holds. For every $q = \mathrm{poly}(\lambda)$ and every PPT distinguisher $D$ that queries its oracle at most $q$ times it holds that
$$\mathrm{Adv}(D) = \left|\Pr\left[D^{PRF(k,\cdot)} = 1\right] - \Pr\left[D^{F_q(s,\cdot)} = 1\right]\right| \le \mathrm{negl}(\lambda),$$
where $k$ is a randomly chosen key for $PRF$ and $s$ is a randomly chosen seed for $F_q$.

Theorem ([8,14,49]). Under various standard hardness assumptions (pseudorandom generators, DDH, LWE) there exist pseudorandom functions with oblivious black-box reductions to their underlying hardness assumption.

Construction. The construction is expectably simple. We combine our generic construction with a pseudorandom function that possesses an oblivious black-box reduction to some hard problem $\pi$, as provided by the theorem above. For this instantiation, we need to instantiate the generic construction with a maliciously circuit private fully homomorphic encryption scheme (such as provided by Theorem 2), as there is no a priori upper bound on the size of the circuits that implement q-wise independent functions. For convenience, we write down the protocol as follows. Let $PRF$ be a pseudorandom function and $HE$ be a fully homomorphic encryption scheme. The OPRF protocol $\Pi_{\mathrm{OPRF}}$ is given as follows.

Protocol $\Pi_{\mathrm{OPRF}}$
Setup $S_0(1^\lambda)$: Choose a random key $k$ for $PRF$.
Query $R_1(x)$: $(ek, sk) \leftarrow \mathrm{Kg}(1^\lambda)$; $c \leftarrow \mathrm{Enc}(ek, x)$. Send $(ek, c)$ to $S$.
$S(k, (ek, c))$: $c' \leftarrow \mathrm{Eval}(ek, PRF(k, \cdot), c)$. Send $c'$ to $R$.
$R_2(c')$: $y \leftarrow \mathrm{Dec}(sk, c')$. Output $y$.

We can now prove the main theorem of this section.

Theorem. Let $HE$ be an IND-CPA secure maliciously circuit private fully homomorphic encryption scheme with perfect completeness (as provided by Theorem 2) and $PRF$ be a pseudorandom function with an oblivious black-box reduction to a hard problem $\pi$. Then the protocol $\Pi_{\mathrm{OPRF}}$ is an OPRF protocol with security against semi-honest senders and malicious receivers.

Proof. We begin with the proof of security against malicious receivers by defining the universal simulator Sim. Let $\mathrm{Ext}_{HE}$ and $\mathrm{Sim}_{HE}$ be the extractor and simulator for the statistical circuit privacy of $HE$. Simulator Sim is given as follows.

Simulator $\mathrm{Sim}^H(ek, c)$ (has oracle access to a function $H$):
$x \leftarrow \mathrm{Ext}_{HE}(ek, c)$; $y \leftarrow H(x)$; $c' \leftarrow \mathrm{Sim}_{HE}(ek, y, c)$; return $c'$.

Now, let $D$ be a PPT distinguisher that makes at most $q = \mathrm{poly}(\lambda)$ oracle queries and has non-negligible advantage against the malicious receiver security experiment of $\Pi_{\mathrm{OPRF}}$, i.e., the quantity
$$\mathrm{Adv}(D) = \left|\Pr\left[D^{\langle S(k),\cdot\rangle,\,\langle S(k),R(\cdot)\rangle} = 1\right] - \Pr\left[D^{\mathrm{Sim}^H(\cdot),\,H(\cdot)} = 1\right]\right|$$
is non-negligible. First of all, notice that since $D$ makes at most $q$ queries to its oracles, we can efficiently (and statelessly) simulate the random function $H$ by an efficiently computable q-wise independent function $F_q$, i.e., we get
$$\left|\Pr\left[D^{\langle S(k),\cdot\rangle,\,\langle S(k),R(\cdot)\rangle} = 1\right] - \Pr\left[D^{\mathrm{Sim}^{F_q(s,\cdot)}(\cdot),\,F_q(s,\cdot)} = 1\right]\right| \ge \mathrm{Adv}(D).$$
Our proof strategy will now be as follows. We will use $D$ to construct a distinguisher $D'$ with advantage $\mathrm{Adv}(D) - \mathrm{negl}(\lambda)$ against the induced security experiment for $PRF$ under the homomorphic encryption $HE$ (cf. Definition 5). Recall that the pseudorandom function $PRF$ possesses an oblivious black-box reduction $B$ to some hard problem $\pi$. Thus, the theorem on oblivious reductions yields an efficient reduction $B'$ such that $B'^{D'}$ has non-negligible advantage against $\pi$, contradicting its hardness.

We will now consider the induced security experiment for $PRF$. Therefore, we will first define a sender algorithm $S'$. Basically, $S'$ homomorphically evaluates the q-wise independent function $F_q$.

$S'(s, (ek, c))$: $c' \leftarrow \mathrm{Eval}(ek, F_q(s, \cdot), c)$; return $c'$.

Thus, while $S$ homomorphically evaluates the pseudorandom function $PRF$, $S'$ homomorphically evaluates the q-wise independent function $F_q$. Thus, the induced security experiment of the experiment given in Definition 12 asks to distinguish the oracles $\langle S(k), \cdot\rangle$ and $\langle S'(s), \cdot\rangle$. We will now construct a distinguisher $D'$ against the induced security experiment of $PRF$ using the distinguisher $D$. $D'$ is given as follows.

Distinguisher $D'(1^\lambda)$ (has access to oracle $O_{A_1}$):
$out \leftarrow D^{O_{A_1}(\cdot),\,O_{A_2}(\cdot)}(1^\lambda)$; return $out$.
Oracle $O_{A_2}(x)$: $y \leftarrow \langle O_{A_1}, R(x)\rangle$; return $y$.

We claim that
$$\left|\Pr\left[D'^{\langle S(k),\cdot\rangle} = 1\right] - \Pr\left[D'^{\langle S'(s),\cdot\rangle} = 1\right]\right| \ge \mathrm{Adv}(D) - \mathrm{negl}(\lambda), \qquad (1)$$
i.e., $D'$ has non-negligible advantage $\mathrm{Adv}(D) - \mathrm{negl}(\lambda)$ against the induced security experiment of $PRF$. We claim that if $O_{A_1} = \langle S(k), \cdot\rangle$, then the output of $D'^{\langle S(k),\cdot\rangle}(1^\lambda)$ is identically distributed to the output of $D^{\langle S(k),\cdot\rangle,\,\langle S(k),R(\cdot)\rangle}(1^\lambda)$. To see this, note that the oracle $O_{A_2}$ implemented by $D'$ is precisely $\langle S(k), R(\cdot)\rangle$ in this case. On the other hand, if $O_{A_1} = \langle S'(s), \cdot\rangle$, then we claim that the output of $D'^{\langle S'(s),\cdot\rangle}$ is distributed statistically close to the output of $D^{\mathrm{Sim}^{F_q}(\cdot),\,F_q(\cdot)}(1^\lambda)$. To see this, note first that in this case the oracle $O_{A_2}$ provided by $D'$ to $D$ can be expressed as follows.

$O_{A_2}(x)$: $(ek, sk) \leftarrow \mathrm{Kg}(1^\lambda)$; $c \leftarrow \mathrm{Enc}(ek, x)$; $c' \leftarrow \mathrm{Eval}(ek, F_q(s, \cdot), c)$; $y \leftarrow \mathrm{Dec}(sk, c')$; return $y$.

It follows immediately from the perfect completeness of $HE$ that $O_{A_2}$ implements exactly $F_q(s, \cdot)$. It remains to show that the oracles $\langle S'(s), \cdot\rangle$ and $\mathrm{Sim}^{F_q}(\cdot)$ are statistically close. However, as $S'(s)$ homomorphically evaluates $F_q$, it follows from the malicious circuit privacy of $HE$ that both oracles produce distributions that are statistically close, even given $F_q$. Thus, we can use a standard $q$-step hybrid argument over the queries of $D$ to establish that $D'^{\langle S'(s),\cdot\rangle}$ and $D^{\mathrm{Sim}^{F_q}(\cdot),\,F_q(\cdot)}(1^\lambda)$ are statistically close. Thus, (1) follows and we can apply the theorem on oblivious reductions to arrive at a contradiction. Security against semi-honest senders follows directly from Theorem 4, which concludes the proof.

Impossibility of Malicious Sender Security

In this section, we show that malicious receiver security (w.r.t. our notion of induced game-based security) and malicious sender security cannot be achieved simultaneously. Our impossibility result is constructive in the sense that we show that our framework covers the standard security notion of blind signatures. However, Fischlin and Schröder showed that a large class of three-move blind signature schemes cannot be proven secure under standard assumptions [16]. Since our framework falls into this class, the impossibility result follows.

Blind Signatures. Blind signatures [11] implement a carbon copy envelope, allowing a signer to issue signatures for messages such that the signer's signature on the envelope is imprinted onto the message in the sealed envelope. In particular, the signer remains oblivious about the message (blindness), but at the same time no additional signatures can be created without the help of the signer (unforgeability). Constructing round-optimal blind signature schemes in the standard model has been a long-standing open question. Fischlin and Schröder showed that all previously known schemes having at most three rounds of communication cannot be proven secure under non-interactive assumptions in the standard model via black-box reductions [16]. Subsequently, several works used a technique called “complexity leveraging” to circumvent this impossibility result [19,20], and recently Fuchsbauer, Hanser, and Slamanig suggested a round-optimal blind signature scheme that is secure in the generic group model [18]. In fact, it is still unknown if round-optimal blind signatures based on standard assumptions exist in the standard model. By applying our technique to the oblivious computation of signatures, we obtain a round-optimal blind signature scheme without complexity leveraging and whose security can be based on standard cryptographic assumptions. Since our scheme belongs to the class characterized by Fischlin and Schröder, it is not possible to prove blindness w.r.t. malicious adversaries.

Security Definition for Blind Signatures. We recall the unforgeability definition of blind signatures [35,53], which can be expressed within our formalization of a cryptographic experiment.

Definition 13 (Unforgeability). An interactive signature scheme $BS = (KG, S, U, Vf)$ is called unforgeable if for any efficient algorithm $A$ (the malicious user) the probability that experiment $\mathrm{Forge}^{BS}_A(\lambda)$ evaluates to 1 is negligible (as a function of $\lambda$), where

Experiment $\mathrm{Forge}^{BS}_A(\lambda)$:
$(sk, pk) \leftarrow KG(1^\lambda)$
$((m_1^*, \sigma_1^*), \dots, (m_{k+1}^*, \sigma_{k+1}^*)) \leftarrow A^{\langle S(sk), \cdot\rangle^\infty}(pk)$
Return 1 iff $m_i^* \neq m_j^*$ for all $i, j$ with $i \neq j$, and $Vf(pk, m_i^*, \sigma_i^*) = 1$ for all $i$, and $S$ has returned ok in at most $k$ interactions.

The corresponding definition of blindness says that it should be infeasible for a malicious signer $S^*$ to decide which of two messages $m_0$ and $m_1$ has been signed first in two executions with an honest user $U$. If one of these executions has returned $\bot$, then the signer is not informed about the other signature. (Otherwise the signer could trivially identify one session by making the other abort.)
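As an added illustration (my code, not the paper's) of Definitions 11 and 12 and the lazy-sampling discussion in the PRF section above: a Wegman-Carter style q-wise independent function, i.e. a uniformly random polynomial of degree below q over a toy prime field (the field size is a constructed parameter), answers any q distinct queries exactly like a random function without keeping any state, while a distinguisher allowed q + 1 queries separates it from the lazily sampled random function by interpolation. That is why the query bound q must be fixed before the seed is drawn. The names qwise, can_predict and demo are my own.

```python
import secrets

# Constructed toy parameter: the field GF(P) in which the Wegman-Carter
# polynomial lives. In the paper's setting P is exponentially large in lambda.
P = (1 << 61) - 1


def sample_seed(q):
    """Seed s for F_q: the q coefficients of a uniformly random polynomial
    of degree < q over GF(P)."""
    return [secrets.randbelow(P) for _ in range(q)]


def qwise(seed, x):
    """F_q(s, x): Horner evaluation of the seed polynomial at x in GF(P).
    Stateless: the answer depends only on (s, x), never on earlier queries."""
    acc = 0
    for coeff in reversed(seed):
        acc = (acc * x + coeff) % P
    return acc


class LazyRandomFunction:
    """The stateful simulation the paper contrasts F_q with: sample a fresh
    image on every new input, replay it from the table afterwards."""

    def __init__(self):
        self.table = {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = secrets.randbelow(P)
        return self.table[x]


def lagrange_predict(points, values, x_star):
    """Value at x_star of the unique polynomial of degree < len(points)
    through the given (point, value) pairs, computed over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(zip(points, values)):
        num, den = 1, 1
        for j, xj in enumerate(points):
            if i != j:
                num = num * (x_star - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def can_predict(oracle, num_queries):
    """A distinguisher that makes exactly num_queries distinct queries: it fits
    a polynomial through the first num_queries - 1 answers and checks whether
    that polynomial predicts the last one. True means the oracle was caught."""
    points = [secrets.randbelow(P) for _ in range(num_queries)]
    while len(set(points)) < num_queries:      # pairwise distinct, as Def. 11 needs
        points = [secrets.randbelow(P) for _ in range(num_queries)]
    values = [oracle(x) for x in points]
    guess = lagrange_predict(points[:-1], values[:-1], points[-1])
    return guess == values[-1]


def demo(q=8):
    """Returns (within_bound, beyond_bound, truly_random): does the prediction
    attack succeed against F_q with q queries, against F_q with q + 1 queries,
    and against the lazily sampled random function with q + 1 queries?"""
    seed = sample_seed(q)
    f_q = lambda x: qwise(seed, x)
    within_bound = can_predict(f_q, q)        # q-wise independence: fails (w.h.p.)
    beyond_bound = can_predict(f_q, q + 1)    # degree < q: always succeeds
    truly_random = can_predict(LazyRandomFunction(), q + 1)   # fails (w.h.p.)
    return within_bound, beyond_bound, truly_random


if __name__ == "__main__":
    print(demo())   # expected (False, True, False)
```

The two "fails" cases are wrong only with probability 1/P per run, which is the negligible term hidden in Definition 12.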
If one restricts this deﬁnition the semi-honest adversaries, then this deﬁnition is immediately implied by Deﬁnition Construction Our construction instantiates our general framework as deﬁned in Construction with a signature scheme DS = (KgSig , Sig, Vf) that has an oblivious black-box reduction to some underlying hard problem π For this instantiation, we need maliciously circuit private homomorphic encryption for logarithmic depth circuits that can be achieved by combining information-theoretic garbled circuits (aka randomized encodings) [2,33,38] with two-message oblivious transfer [1,30,48] as provided by Theorem Moreover, we need a digital signature scheme that can computed via a logarithmic depth circuit Such a signature scheme can be obtained by using the non-apaptively secure signature scheme by Applebaum et al [2] However, this scheme is only non-adaptively secure, which means the adversary has to commit to all messages before learning the public-key and the signature Using the standard transformation based on chameleon hash functions [31,40] one can convert any non-adaptively secure signature scheme into one that is adaptively secure Here we actually deal with two reductions One that deals with adversaries that ﬁnd collisions of the chameleon hash function and one that deals with adversaries that not ﬁnd hash collisions, but still manage to forge signatures The ﬁrst reduction is easily seen to be obliviously black-box, as the reduction possesses the signing key for the signature scheme an hash collisions can be easily recovered from the adversary’s output Here the signing circuit is the same as in the real experiment The second reduction has the following structure If q is the query bound of the adversary, the reduction computes chameleon hashes on q random values and has them (non-adaptively) signed by the signing oracle Each time the adversary queries its signing oracle, the reduction uses up one of the precomputed signatures of the chameleon hashes by 
computing a hash collision with the adversary’s query and returning Two-Message, Oblivious Evaluation of Cryptographic Functionalities 643 the corresponding signature to the adversary Note that since the reduction is allowed to reprogram the signing circuit after each query, we only need to hardwire a single hash value and trapdoor at a time into the signing oracle circuit Since chameleon hash functions can easily be obtained from the discrete logarithm assumption involving only two modular exponentiations and a multiplication [40], this transformation can also be computed by a circuit of logarithmic depth Thus we obtain an oblivious black-box reduction to the non-adaptive unforgeability of the signature scheme where every circuit used by the reduction has a most an a priori known logarithmic depth We obtain the following theorem Theorem Let HE be an IND-CPA secure maliciously circuit private homomorphic encryption scheme with perfect completeness for circuits of logarithmic depth and let DS be a signature scheme compute by a circuit of logarithmic depth and with an oblivious black-box reduction to hard problem π Then the protocol ΠBS deﬁned above is a blind signature protocol with security against semi-honest senders and malicious receivers Given this theorem, we obtain our impossibility result in the following corollary Corollary (Impossibility of Malicious Sender Security, Informal) There exists no two-move secure evaluation protocol for cryptographic functionalities that is secure against malicious receivers and senders based on standard assumptions Acknowledgement Nico Dă ottling gratefully acknowledges support by the DAAD (German Academic Exchange Service) under the postdoctoral program (57243032) This work was in part supported by European Research Council Starting Grant 279447 Research supported in part from a DARPA/ARL SAFEWARE award, AFOSR Award FA9550-15-1-0274, and NSF CRII Award 1464397 The views expressed are those of the author and not reﬂect the 
official policy or position of the Department of Defense, the National Science Foundation, or the U.S. Government. Nils Fleischhacker, Johannes Krupp and Dominique Schröder were supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA – www.cispa-security.org) and the project PROMISE. Moreover, it was supported by the Initiative for Excellence of the German federal and state governments through funding for the Saarbrücken Graduate School of Computer Science and the DFG MMCI Cluster of Excellence. Part of this work was also supported by the German research foundation (DFG) through funding for the collaborative research center 1223 and by the DAAD PPP USA program (57129666). We would like to thank the anonymous reviewers of CRYPTO 2016 for their helpful comments.

A An Oblivious Black-Box Reduction for Naor-Reingold PRF

Lemma. The Naor-Reingold PRF is secure under the DDH assumption and the reduction is oblivious.

644 N. Döttling et al.

Proof. Given an adversary $\mathcal{A}$ that distinguishes the Naor-Reingold PRF from a truly random function with non-negligible probability $\epsilon(\lambda)$ while making at most $q$ queries to its oracle, consider the following oblivious reduction $\mathcal{B}$ against DDH. $\mathcal{B}$ gets as input a DDH instance $(g, g^a, g^b, g^{\tilde c})$, where either $\tilde c = a \cdot b$ or not. We restrict the reduction to the case $a, b, \tilde c \neq 0$ (otherwise it is trivial to tell whether $\tilde c = a \cdot b$). $\mathcal{B}$ chooses a random $j \leftarrow \{1, \ldots, \lambda\}$ and picks a random $q$-wise independent function $F \leftarrow \mathcal{F}_q$. It then samples values $(a_{j+1}, \ldots, a_\lambda) \leftarrow \mathbb{Z}_p$ and programs the oracle $\mathcal{O}_{\mathcal{A}}$ for $\mathcal{A}$ as follows:

$\mathcal{O}_{\mathcal{A}}(x)$:
    Parse $x = x'\,x_j \cdots x_\lambda$, where $x'$ is the $(j-1)$-bit prefix of $x$.
    $\alpha = F(x')$
    If $x_j = 0$: return $g^{\,b \alpha \prod_{k=j+1}^{\lambda} a_k^{x_k}}$, computed as $(g^b)^{\alpha \prod_{k=j+1}^{\lambda} a_k^{x_k}}$
    else: return $g^{\,\tilde c \alpha \prod_{k=j+1}^{\lambda} a_k^{x_k}}$, computed as $(g^{\tilde c})^{\alpha \prod_{k=j+1}^{\lambda} a_k^{x_k}}$

The reduction $\mathcal{B}$ invokes $\mathcal{A}^{\mathcal{O}_{\mathcal{A}}}$ and outputs 1 exactly when $\mathcal{A}^{\mathcal{O}_{\mathcal{A}}}$ does. If $\tilde c = a \cdot b$, then for $j = 1$ the oracle perfectly simulates the Naor-Reingold PRF $\mathrm{PRF}_{\mathbf{a}}$ with key $\mathbf{a} = (b\alpha, a, a_2, \ldots, a_\lambda)$ (since $x'$ is the empty string, $\alpha$ is a constant). Furthermore, if $\tilde c \neq a \cdot b$, then for $j = \lambda$ the oracle perfectly simulates a $q$-wise independent function $f$ (which $\mathcal{A}$ cannot distinguish from a truly random function). Writing $\mathcal{B}^{\mathcal{A}}$ for $\mathcal{B}^{\mathcal{A}}(g, g^a, g^b, g^{\tilde c})$:

$$\Pr\left[\mathcal{B}^{\mathcal{A}} = 1 \mid \tilde c = a \cdot b \wedge j = 1\right] = \Pr\left[\mathcal{A}^{\mathrm{PRF}_{\mathbf{a}}}(1^\lambda) = 1\right]$$

$$\Pr\left[\mathcal{B}^{\mathcal{A}} = 1 \mid \tilde c \neq a \cdot b \wedge j = \lambda\right] = \Pr\left[\mathcal{A}^{f}(1^\lambda) = 1\right]$$

Since $g^{\tilde c}$ is independent of $g^b$ in case $\tilde c \neq a \cdot b$, it holds for every $i \in \{1, \ldots, \lambda - 1\}$ that

$$\Pr\left[\mathcal{B}^{\mathcal{A}} = 1 \mid \tilde c \neq a \cdot b \wedge j = i\right] = \Pr\left[\mathcal{B}^{\mathcal{A}} = 1 \mid \tilde c = a \cdot b \wedge j = i + 1\right].$$

Therefore, since $j$ is uniform over $\{1, \ldots, \lambda\}$ and the sums telescope,

$$\begin{aligned}
& \Pr\left[\mathcal{B}^{\mathcal{A}} = 1 \mid \tilde c = a \cdot b\right] - \Pr\left[\mathcal{B}^{\mathcal{A}} = 1 \mid \tilde c \neq a \cdot b\right] \\
&= \frac{1}{\lambda} \sum_{i=1}^{\lambda} \Pr\left[\mathcal{B}^{\mathcal{A}} = 1 \mid \tilde c = a \cdot b \wedge j = i\right] - \frac{1}{\lambda} \sum_{i=1}^{\lambda} \Pr\left[\mathcal{B}^{\mathcal{A}} = 1 \mid \tilde c \neq a \cdot b \wedge j = i\right] \\
&= \frac{1}{\lambda} \left( \Pr\left[\mathcal{B}^{\mathcal{A}} = 1 \mid \tilde c = a \cdot b \wedge j = 1\right] - \Pr\left[\mathcal{B}^{\mathcal{A}} = 1 \mid \tilde c \neq a \cdot b \wedge j = \lambda\right] \right) \\
&= \frac{1}{\lambda} \left( \Pr\left[\mathcal{A}^{\mathrm{PRF}_{\mathbf{a}}}(1^\lambda) = 1\right] - \Pr\left[\mathcal{A}^{f}(1^\lambda) = 1\right] \right) \geq \frac{\epsilon(\lambda)}{\lambda}
\end{aligned}$$

Two-Message, Oblivious Evaluation of Cryptographic Functionalities 645

Thus this reduction breaks the DDH assumption with non-negligible probability. As the reduction does not see the queries $\mathcal{A}$ makes to the oracle $\mathcal{O}_{\mathcal{A}}$, it is oblivious according to Definition. This concludes the proof.
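The following Python is an added example, not code from the paper: it models the objects of the proof above over a constructed toy group (a 2039-element prime field whose squares form a subgroup of prime order 1019, nowhere near a secure size). It implements the Naor-Reingold PRF, a $q$-wise independent $F$ (realised, as an assumption of this example, by a random polynomial of degree $q-1$, which is one standard construction), the hybrid oracle $\mathcal{O}_{\mathcal{A}}$, and the reduction $\mathcal{B}$. Two points the prose does not make visible are checked: $\mathcal{B}$ only ever exponentiates the group elements $g^b$ and $g^{\tilde c}$ it was handed, never the secret exponents, and hybrid $j = 1$ on a real DDH tuple is literally $\mathrm{PRF}_{\mathbf{a}}$ with key $(b\alpha, a, a_2, \ldots, a_\lambda)$ on every input.

```python
"""Toy model of the hybrid oracle and the oblivious reduction B (added example, not the paper's code)."""
import itertools
import random

FIELD_PRIME = 2039  # constructed toy parameter: 2039 = 2*1019 + 1 is a safe prime
ORDER = 1019        # prime order of the subgroup <G>; the paper's exponent ring Z_p is Z_ORDER here
G = 4               # 4 = 2^2 is a square, so it generates the order-1019 subgroup of Z_2039^*


def nr_prf(key, x):
    """Naor-Reingold PRF: PRF_a(x) = g^{a_0 * prod_{k : x_k = 1} a_k} for key a = (a_0, ..., a_lam)."""
    a0, rest = key[0], key[1:]
    if len(rest) != len(x):
        raise ValueError("key must have len(x) + 1 components")
    e = a0
    for ak, xk in zip(rest, x):
        if xk:
            e = e * ak % ORDER
    return pow(G, e, FIELD_PRIME)


class QWiseIndependentFn:
    """Random polynomial of degree q-1 over Z_ORDER: q-wise independent on distinct inputs (assumed construction)."""

    def __init__(self, q, rng):
        self.coeffs = [rng.randrange(ORDER) for _ in range(q)]

    def __call__(self, prefix):
        # Injective encoding of a bit prefix: a leading 1 followed by the bits (fine for lam <= 9 here).
        t = 1
        for bit in prefix:
            t = 2 * t + bit
        return sum(c * pow(t, i, ORDER) for i, c in enumerate(self.coeffs)) % ORDER


class HybridOracle:
    """The oracle O_A that B programs for hybrid index j (1 <= j <= lam).

    B holds only the group elements g^b and g^c~ from its DDH challenge, never b or c~,
    so every answer is (g^b)^e or (g^c~)^e for an exponent e assembled from values B chose itself.
    """

    def __init__(self, j, gb, gc, tail, F):
        self.j, self.gb, self.gc, self.F = j, gb, gc, F
        self.tail = tail  # a_{j+1}, ..., a_lam, sampled by B

    def __call__(self, x):
        prefix = tuple(x[:self.j - 1])              # x', the (j-1)-bit prefix of x
        e = self.F(prefix)                          # alpha = F(x')
        for ak, xk in zip(self.tail, x[self.j:]):   # prod_{k=j+1}^{lam} a_k^{x_k}
            if xk:
                e = e * ak % ORDER
        base = self.gb if x[self.j - 1] == 0 else self.gc
        return pow(base, e, FIELD_PRIME)


def ddh_instance(a, b, real, rng):
    """(g, g^a, g^b, g^c~) with c~ = a*b when real, otherwise an independent random exponent."""
    c = a * b % ORDER if real else rng.randrange(1, ORDER)
    return G, pow(G, a, FIELD_PRIME), pow(G, b, FIELD_PRIME), pow(G, c, FIELD_PRIME)


def reduction_B(adversary, instance, lam, q, rng):
    """B picks j, programs O_A, gives A oracle access only, and forwards A's output bit.

    A's queries are answered inside the oracle object and never reach B, which is what makes
    the reduction oblivious. Returns (bit, j) so a caller can inspect the hybrid index.
    """
    _, _, gb, gc = instance
    j = rng.randrange(1, lam + 1)
    F = QWiseIndependentFn(q, rng)
    tail = [rng.randrange(1, ORDER) for _ in range(lam - j)]
    return adversary(HybridOracle(j, gb, gc, tail, F)), j


def first_hybrid_matches_prf(lam=6, q=4, seed=1):
    """For j = 1 on a real DDH tuple, O_A equals PRF_a with a = (b*alpha, a, a_2, ..., a_lam) on all 2^lam inputs."""
    rng = random.Random(seed)
    a, b = rng.randrange(1, ORDER), rng.randrange(1, ORDER)
    _, _, gb, gc = ddh_instance(a, b, True, rng)
    F = QWiseIndependentFn(q, rng)
    tail = [rng.randrange(1, ORDER) for _ in range(lam - 1)]
    oracle = HybridOracle(1, gb, gc, tail, F)
    alpha = F(())  # x' is the empty string for j = 1, so alpha is a constant
    key = [b * alpha % ORDER, a] + tail
    return all(oracle(x) == nr_prf(key, x) for x in itertools.product((0, 1), repeat=lam))


def run_demo(lam=5, q=4, seed=5):
    """End-to-end run of B with a placeholder adversary (constructed: makes q queries, outputs a parity bit)."""
    rng = random.Random(seed)
    a, b = rng.randrange(1, ORDER), rng.randrange(1, ORDER)
    instance = ddh_instance(a, b, True, rng)

    def adversary(oracle):
        answers = [oracle(x) for x in itertools.product((0, 1), repeat=lam)][:q]
        return sum(answers) % 2

    return reduction_B(adversary, instance, lam, q, rng)


if __name__ == "__main__":
    print("hybrid j=1 is PRF_a:", first_hybrid_matches_prf())
    print("B output, hybrid index:", run_demo())
```

The placeholder adversary is not a distinguisher; it exists only to exercise the interface. The security-relevant observation is structural: `HybridOracle` never receives `a`, `b` or `c`, and `reduction_B` never reads the queries, so the obliviousness claimed in the proof is a property of the code's data flow, not of a convention.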
Author Index

Abe, Masayuki III-387
Agrawal, Shweta III-333
Alamati, Navid II-659
Albrecht, Martin I-153
Alwen, Joël II-241
Ananth, Prabhanjan II-491
Applebaum, Benny III-449
Bai, Shi I-153
Barbulescu, Razvan I-543
Bar-On, Achiya I-435
Baum, Carsten III-478
Beierle, Christof I-625, II-123
Bellare, Mihir I-247, I-373
Ben-Zvi, Adi I-179
Bin-Noon, Hod II-521
Biryukov, Alex II-93
Blackburn, Simon R. I-179
Blocki, Jeremiah II-241
Bogdanov, Andrej III-593
Boura, Christina I-654
Bourse, Florian II-62
Boyle, Elette I-509
Brakerski, Zvika I-190, II-551, III-363
Brzuska, Christina II-551
Camenisch, Jan III-208
Canteaut, Anne I-654
Carmer, Brent III-416
Cascudo, Ignacio III-179
Chase, Melissa III-499
Chen, Yu III-303
Ciampi, Michele III-270
Cogliati, Benoît I-121
Cohen, Ran III-240
Coretti, Sandro III-240
Coron, Jean-Sébastien II-607
Costello, Craig I-572
Couteau, Geoffroy I-308
Dai, Yuanxi I-95
Damgård, Ivan II-459, III-179, III-478
David, Bernardo III-179
Degabriele, Jean Paul I-403
Degwekar, Akshay III-533
Del Pino, Rafaël II-62
Derbez, Patrick II-157
Dinur, Itai II-185
Dodis, Yevgeniy I-341, III-93
Döttling, Nico III-179, III-619
Dubovitskaya, Maria III-208
Ducas, Léo I-153
Dulek, Yfke III-3
Dunkelman, Orr II-185
Dupuis, Frédéric III-33
Duval, Sébastien I-457
Dwork, Cynthia III-123
Dziembowski, Stefan II-272
Faust, Sebastian II-272
Fehr, Serge III-33
Fischlin, Marc II-521
Fleischhacker, Nils II-551, III-619
Fouque, Pierre-Alain II-157
Gagliardoni, Tommaso III-60
Ganesh, Chaya III-499
Garay, Juan III-240
Garg, Sanjam II-579, III-563
Gilboa, Niv I-509
Güneysu, Tim II-302
Guo, Jian I-605
Halevi, Shai III-93
Hanaoka, Goichiro II-3
Hazay, Carmit II-397
Hemenway, Brett III-149
Herold, Gottfried II-272
Herzberg, Amir II-521
Hirt, Martin II-335
Hoang, Viet Tung I-3
Hoshino, Fumitaka III-387
Hülsing, Andreas III-60
Ishai, Yuval I-509, II-430, III-593
Jafargholi, Zahra III-149
Jain, Aayush II-491
Jean, Jérémy II-123
Journault, Anthony II-272
Kane, Daniel I-373
Kaplan, Marc II-207
Keller, Nathan I-435, II-185
Kiltz, Eike II-33
Kim, Taechan I-543
Kölbl, Stefan II-123
Koppula, Venkata II-681
Kranz, Thorsten I-625
Krupp, Johannes III-619
Kumaresan, Ranjit II-366
Kunihiro, Noboru II-3
Kushilevitz, Eyal II-430
Lallemand, Virginie I-457
Lamontagne, Philippe III-33
Larsen, Kasper Green III-478
Leander, Gregor I-625, II-123
Lee, Moon Sung II-607
Lepoint, Tancrède II-607
Leurent, Gaëtan II-207
Leverrier, Anthony II-207
Libert, Benoît III-333
Liu, Meicheng I-605
Longa, Patrick I-572
Masny, Daniel II-33, II-272
Maurer, Ueli II-335
Mennink, Bart I-64
Miles, Eric II-629
Minelli, Michele II-62
Mironov, Ilya I-341
Mohassel, Payman III-499, III-563
Moradi, Amir II-123, II-302
Naehrig, Michael I-572
Naor, Moni II-491, III-123
Naya-Plasencia, María II-207
Nielsen, Jesper Buus II-459, III-179
Nielsen, Michael III-478
Ohkubo, Miyako III-387
Ostrovsky, Rafail III-149, III-270
Pan, Jiaxin II-33
Pandey, Omkant II-579
Papamanthou, Charalampos III-563
Paterson, Kenneth G. I-403
Peikert, Chris II-659
Perlman, Renen I-190
Perrin, Léo II-93
Peters, Thomas I-308
Peyrin, Thomas I-33, II-123
Pointcheval, David I-308
Polychroniadou, Antigoni II-459
Prabhakaran, Manoj II-430
Qu, Longjiang I-605
Raghuraman, Srinivasan II-366
Raskin, Michael II-459
Raykov, Pavel III-449
Rial, Alfredo III-208
Rijmen, Vincent I-605
Rogaway, Phillip I-373
Rosulek, Mike III-416
Rotella, Yann I-457
Rothblum, Guy N. III-123
Rothblum, Ron D. III-93
Sahai, Amit II-430, II-491, II-629
Salvail, Louis III-33
Sasaki, Yu II-123
Sasdrich, Pascal II-123
Scafuro, Alessandra III-149
Schaffner, Christian III-3, III-60
Schneider, Tobias II-302
Schröder, Dominique III-619
Schuldt, Jacob C.N. I-403
Sealfon, Adam II-366
Seurin, Yannick I-33, I-121
Shamir, Adi II-185
Shrimpton, Thomas I-277
Shulman, Haya II-521
Sim, Siang Meng II-123
Siniscalchi, Luisa III-270
Speelman, Florian III-3
Srinivasan, Akshayaram II-579
Stam, Martijn I-277
Standaert, François-Xavier II-272
Stehlé, Damien III-333
Steinberger, John I-95
Stephens-Davidowitz, Noah I-341
Sun, Bing I-605
Tackmann, Björn I-247
Tessaro, Stefano I-3
Tibouchi, Mehdi II-607
Tsaban, Boaz I-179
Tschudi, Daniel II-335
Udovenko, Aleksei II-93
Vaikuntanathan, Vinod III-363, III-533
Vasudevan, Prashant Nalini III-533
Venkitasubramaniam, Muthuramakrishnan II-397
Viola, Emanuele III-593
Visconti, Ivan III-270
Warinschi, Bogdan I-277
Waters, Brent II-681
Wee, Hoeteck II-62
Wichs, Daniel III-93, III-149
Williamson, Christopher III-593
Woodage, Joanne I-403
Yamada, Shota II-3
Yamakawa, Takashi II-3
Yogev, Eylon II-491
Yu, Ching-Hua II-430
Yu, Yu I-214
Zhandry, Mark I-479, II-629
Zhang, Jiang I-214, III-303
Zhang, Zhenfeng III-303
Zikas, Vassilis II-335, III-240