Professional Documents
Culture Documents
Download textbook Advances In Cryptology Eurocrypt 2018 37Th Annual International Conference On The Theory And Applications Of Cryptographic Techniques Tel Aviv Israel April 29 May 3 2018 Proceedings Part I Jesper Buus ebook all chapter pdf
Download textbook Advances In Cryptology Eurocrypt 2018 37Th Annual International Conference On The Theory And Applications Of Cryptographic Techniques Tel Aviv Israel April 29 May 3 2018 Proceedings Part I Jesper Buus ebook all chapter pdf
Download textbook Advances In Cryptology Eurocrypt 2018 37Th Annual International Conference On The Theory And Applications Of Cryptographic Techniques Tel Aviv Israel April 29 May 3 2018 Proceedings Part I Jesper Buus ebook all chapter pdf
https://textbookfull.com/product/advances-in-cryptology-
crypto-2018-38th-annual-international-cryptology-conference-
proceedings-part-ii-hovav-shacham/
https://textbookfull.com/product/advances-in-cryptology-
crypto-2020-40th-annual-international-cryptology-conference-
proceedings-part-i-daniele-micciancio/
Advances in Cryptology – ASIACRYPT 2018: 24th
International Conference on the Theory and Application
of Cryptology and Information Security, Brisbane, QLD,
Australia, December 2–6, 2018, Proceedings, Part I
Thomas Peyrin
https://textbookfull.com/product/advances-in-cryptology-
asiacrypt-2018-24th-international-conference-on-the-theory-and-
application-of-cryptology-and-information-security-brisbane-qld-
australia-december-2-6-201/
https://textbookfull.com/product/advances-in-cryptology-
crypto-2020-40th-annual-international-cryptology-conference-
proceedings-part-ii-daniele-micciancio/
Advances in Cryptology –
EUROCRYPT 2018
37th Annual International Conference on the Theory
and Applications of Cryptographic Techniques
Tel Aviv, Israel, April 29 – May 3, 2018, Proceedings, Part I
123
Lecture Notes in Computer Science 10820
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zurich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology Madras, Chennai, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7410
Jesper Buus Nielsen Vincent Rijmen (Eds.)
•
Advances in Cryptology –
EUROCRYPT 2018
37th Annual International Conference on the Theory
and Applications of Cryptographic Techniques
Tel Aviv, Israel, April 29 – May 3, 2018
Proceedings, Part I
123
Editors
Jesper Buus Nielsen Vincent Rijmen
Aarhus University University of Leuven
Aarhus Leuven
Denmark Belgium
This Springer imprint is published by the registered company Springer International Publishing AG
part of Springer Nature
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface
Eurocrypt 2018, the 37th Annual International Conference on the Theory and Appli-
cations of Cryptographic Techniques, was held in Tel Aviv, Israel, from April 29 to
May 3, 2018. The conference was sponsored by the International Association for
Cryptologic Research (IACR). Orr Dunkelman (University of Haifa, Israel) was
responsible for the local organization. He was supported by a local organizing team
consisting of Technion’s Hiroshi Fujiwara Cyber Security Research Center headed by
Eli Biham, and most notably by Suzie Eid. We are deeply indebted to them for their
support and smooth collaboration.
The conference program followed the now established parallel track system where
the works of the authors were presented in two concurrently running tracks. Only the
invited talks spanned over both tracks.
We received a total of 294 submissions. Each submission was anonymized for the
reviewing process and was assigned to at least three of the 54 Program Committee
members. Committee members were allowed to submit at most one paper, or two if
both were co-authored. Submissions by committee members were held to a higher
standard than normal submissions. The reviewing process included a rebuttal round for
all submissions. After extensive deliberations, the Program Committee accepted 69
papers. The revised versions of these papers are included in these three-volume pro-
ceedings, organized topically within their respective track.
The committee decided to give the Best Paper Award to the papers “Simple Proofs
of Sequential Work” by Bram Cohen and Krzysztof Pietrzak, “Two-Round Multiparty
Secure Computation from Minimal Assumptions” by Sanjam Garg and Akshayaram
Srinivasan, and “Two-Round MPC from Two-Round OT” by Fabrice Benhamouda
and Huijia Lin. All three papers received invitations for the Journal of Cryptology.
The program also included invited talks by Anne Canteaut, titled “Desperately
Seeking Sboxes”, and Matthew Green, titled “Thirty Years of Digital Currency: From
DigiCash to the Blockchain”.
We would like to thank all the authors who submitted papers. We know that the
Program Committee’s decisions can be very disappointing, especially rejections of very
good papers that did not find a slot in the sparse number of accepted papers. We
sincerely hope that these works eventually get the attention they deserve.
We are also indebted to the members of the Program Committee and all external
reviewers for their voluntary work. The Program Committee work is quite a workload.
It has been an honor to work with everyone. The committee’s work was tremendously
simplified by Shai Halevi’s submission software and his support, including running the
service on IACR servers.
VI Preface
General Chair
Orr Dunkelman University of Haifa, Israel
Program Co-chairs
Jesper Buus Nielsen Aarhus University, Denmark
Vincent Rijmen University of Leuven, Belgium
Program Committee
Martin Albrecht Royal Holloway, UK
Joël Alwen IST Austria, Austria, and Wickr, USA
Gilles Van Assche STMicroelectronics, Belgium
Paulo S. L. M. Barreto University of Washington Tacoma, USA
Nir Bitansky Tel Aviv University, Israel
Céline Blondeau Aalto University, Finland
Andrey Bogdanov DTU, Denmark
Chris Brzuska TU Hamburg, Germany, and Aalto University, Finland
Jan Camenisch IBM Research – Zurich, Switzerland
Ignacio Cascudo Aalborg University, Denmark
Melissa Chase Microsoft Research, USA
Alessandro Chiesa UC Berkeley, USA
Joan Daemen Radboud University, The Netherlands,
and STMicroelectronics, Belgium
Yevgeniy Dodis New York University, USA
Nico Döttling Friedrich Alexander University Erlangen-Nürnberg,
Germany
Sebastian Faust TU Darmstadt, Germany
Serge Fehr CWI Amsterdam, The Netherlands
Georg Fuchsbauer Inria and ENS, France
Jens Groth University College London, UK
Jian Guo Nanyang Technological University, Singapore
VIII Eurocrypt 2018
Additional Reviewers
Anne Canteaut
Matthew Green
Abstract. More than thirty years ago a researcher named David Chaum pre-
sented his vision for a cryptographic financial system. In the past ten years this
vision has been realized. Yet despite a vast amount of popular excitement, it
remains to be seen whether the development of cryptocurrencies (and their
associated consensus technologies) will have a lasting positive impact—both on
society and on our research community. In this talk I will examine that question.
Specifically, I will review several important contributions that research cryp-
tography has made to this field; survey the most promising deployed
(or developing) technologies; and discuss the many challenges ahead.
Contents – Part I
Foundations
Lattices
Shortest Vector from Lattice Sieving: A Few Dimensions for Free . . . . . . . . 125
Léo Ducas
Faster Gaussian Sampling for Trapdoor Lattices with Arbitrary Modulus . . . . 174
Nicholas Genise and Daniele Micciancio
Permutations
Attribute-Based Encryption
Secret Sharing
Towards Breaking the Exponential Barrier for General Secret Sharing . . . . . . 567
Tianren Liu, Vinod Vaikuntanathan, and Hoeteck Wee
Contents – Part I XIX
Blockchain
Multi-collision Resistance
Signatures
Masking
Masking Proofs Are Tight and How to Exploit it in Security Evaluations. . . . 385
Vincent Grosso and François-Xavier Standaert
Obfuscation
Symmetric Cryptanalysis
Zero-Knowledge
Non-interactive Zero-Knowledge
Anonymous Communication
Isogeny
Leakage
Key Exchange
Quantum
Non-maleable Codes
1 Introduction
certain number of bits of security. E.g., one may say that AES offers 110-bits
of security as a pseudorandom permutation [6], or that a certain lattice based
digital signature scheme offers at least 160-bits of security for a given setting of
the parameters. While there is no universally accepted, general, formal defini-
tion of bit security, in many cases cryptographers seem to have an intuitive (at
least approximate) common understanding of what “n bits of security” means:
any attacker that successfully breaks the cryptographic primitive must incur a
cost1 of at least T > 2n , or, alternatively, any efficient attack achieves at most
< 2−n success probability, or, perhaps, a combination of these two conditions,
i.e., for any attack with cost T and success probability , it must be T / > 2n .
The intuition is that 2n is the cost of running a brute force attack to retrieve
an n-bit key, or the inverse success probability of a trivial attack that guesses
the key at random. In other words, n bits of security means “as secure as an
idealized perfect cryptographic primitive with an n-bit key”.
The appeal and popularity of the notion of bit security (both in theory and in
practice) rests on the fact that it nicely sits in between two extreme approaches:
widely used. However, there is no formal definition of this term at this point, but
rather just an intuitive common understanding of what this quantity should cap-
ture. This understanding has led to some paradoxical situations that suggest that
the current “definitions” might not capture exactly what they are meant to.
It has been noted that only considering the adversary’s running time is a
poor measure of the cost of an attack [7,8]. This is especially true if moving to
the non-uniform setting, where an adversary may receive additional advice, and
the question of identifying an appropriate cost measure has been studied before
[6]. However, the paradoxical situations have not, to this day, been resolved
to satisfaction, and it seems that considering only the adversary’s resources is
insufficient to address this issue.
In order to explain the problems with the current situation, we first distin-
guish between two types of primitives with respect to the type of game that
defines their security (see Sect. 3 for a more formal definition): search primitives
and decision primitives. Intuitively, the former are primitives where an adversary
is trying to recover some secret information from a large search space, as in a key
recovery attack. The latter are games where the adversary is trying to decide if
a secret bit is 0 or 1, as in the indistinguishability games underlying the defini-
tion of pseudorandom generators or semantically secure encryption. For search
games, the advantage of an adversary is usually understood to be the probability
of finding said secret information, while for decision games it is usually consid-
ered to be the distinguishing advantage (which is equal to the probability that
the output of the adversary is correct, over the trivial probability 12 of a random
guess).
FIG. 5.
At the present time there is only one lesion of the æsthesodic system
which can be diagnosticated during the patient's life from positive
symptoms.
FIG. 6.
(a) Lesions of the anterior gray horns (9) are revealed by most
definite and characteristic symptoms. There occurs a flaccid
paralysis involving more or less extensive groups of muscles in the
extremities, rarely truncal muscles, and never those of organic life. In
a few weeks the paralyzed muscles undergo atrophy, sometimes to
an extreme degree, and various degrees of De R. are present.
Cutaneous and tendinous reflexes are abolished. The bladder and
rectum are normal. Sensory symptoms absent, and if present consist
only of mild paræsthesiæ, which are probably due to postural
pressure upon nerve-trunks or to disturbance of the peripheral
circulation. There is no tendency to the formation of bed-sores, but
circulation and calorification are reduced in the paralyzed members.
It should be remembered that paralysis due to systematic lesion of
the anterior gray horns is never typically paraplegic, with horizontal
limit-line of sensory symptoms, a cincture feeling, and vesical
paralysis.
(b) Lesions of the spinal pyramidal tract (of fasciculi 10 and 11) are
followed by motor symptoms only—viz. paralysis and contracture—
or, in other words, by a spastic paralysis. Sensibility is unaffected;
the bladder, rectum, and truncal muscles are not distinctly paralyzed;
the reflexes are much increased, and ankle-clonus is often present.
The electrical reactions of the paralyzed muscles are normal,
qualitatively at least. The diagnosis of localization may be pushed
still farther by the following considerations:
(3) When the legs alone are the seat of spastic paralysis, with
increased reflexes, spastic or tetanoid gait, without sensory
symptoms, the diagnosis of a primary sclerosis of both lateral
columns (inclusive of 10) of the spinal cord is justified.
(a) Lesions of the cauda equina (by tumors, caries, or fracture of the
bones, etc.) produce paralysis, anæsthesia, atrophy of muscles, with
De R., in the range of distribution of the sciatic nerves mainly. The
sphincter ani is paralyzed and relaxed, while the bladder remains
normal as a rule. In all essential respects this paraplegiform, but not
paraplegic, affection resembles that following injury to mixed nerve-
trunks. It is in reality an intra-spinal peripheral paralysis. The more
exact location of the lesion, in the absence of external physical signs
(fracture, etc.), may be approximately determined by a study of the
distribution of the symptoms and their relation to nerve-supply.
(c) Lesions of the middle and upper parts (segments) of the lumbar
enlargement are evidenced by true paraplegia, without paralysis of
the abdominal muscles. In some cases the quadriceps group,
supplied by the crural nerve, is not paralyzed. The constriction and
the limit of anæsthesia are about the knees, at mid-thigh, or near the
groin in different cases. The paralyzed muscles, as a rule, retain
their irritability and show normal electrical reactions; the cutaneous
and tendinous reflexes are preserved or increased. The sphincter is
usually paralyzed, while the bladder is relatively unaffected.
(d) Transverse lesion of the dorsal spinal cord produces the classical
type of paraplegia—i.e. paralysis and anæsthesia of all parts caudad
of the lesion. The limit of anæsthesia and the constriction band are
nearly horizontal, and their exact level varies with the height of the
lesion, from the hypogastric region to above the nipples. Below the
level of anæsthesia, which indicates by the number of the dorsal
nerve the upper limit of the cord lesion, there are complete paralysis,
retention of urine, constipation with relaxed sphincter ani, greatly
exaggerated reflexes in the lower extremities, even to spinal
epilepsy; the muscles preserve their volume fairly well, and their
electrical reactions are normal—sensibility in all its modes is
abolished; bed-sores are easily provoked. Retention of urine is an
early symptom in lesion of the middle dorsal region of the cord—
sometimes, in our experience, preceding symptoms in the legs.
(e) A transverse lesion of the cord at the level of the last cervical and
first dorsal nerves—i.e. in the lower part of the cervical enlargement
—gives rise to typical paraplegia with a sensory limit-line at or just
below the clavicle, but also with some very peculiar symptoms
superadded. These characteristic symptoms are in the upper
extremities, and consist of paralysis and anæsthesia in the range of
distribution of the ulnar nerves. In the arms the anæsthesia will be
found along the lower ulnar aspect of the forearm, the ulnar part of
the hands, the whole of the little fingers, and one half of the annuli.
There will be paralysis (and in some cases atrophy with De R.)
affecting the flexor carpi ulnaris, the hypothenar eminence, the
interossei, and the ulnar half of the thenar group of muscles,
producing in most cases a special deformity of the hand known as
claw-hand or main-en-griffe. Another important symptom of a
transverse lesion in this location is complete paralysis of all the
intercostal and abdominal muscles, rendering respiration
diaphragmatic and making coughing and expectoration impossible.
The breathing is abdominal in type, and asphyxia is constantly
impending.
(g) Transverse lesions of the spinal cord from the decussation of the
pyramids to the fourth cervical nerve are very rare, and usually of
traumatic origin. They produce complete paralysis of the entire body,
and also of the diaphragm (third and fourth cervical nerves), thus
causing death by apnœa in a very short time.
7 Handbook of Diseases of the Nervous System, Am. ed., Philada., 1885, p. 356 et
seq.
(a) The most strictly systematic and most frequent of these lesions is
that of secondary (Wallerian) degeneration of the pyramids, the
prolongation of the cerebral motor tract. This morbid change gives
rise to no distinct bulbar symptoms, and it can only be diagnosticated
inferentially or inclusively by determining the existence of secondary
degeneration of the entire pyramidal tract, from the occurrence of
hemiplegia followed by contracture and increased reflexes. If the
phenomena present be those of double spastic hemiplegia, there is
surely degeneration of both pyramids.
(b) The symptoms may be complex and belong to the general class
of crossed paralysis, the mouth, face, tongue, and larynx being