Download textbook Advances In Cryptology Eurocrypt 2018 37Th Annual International Conference On The Theory And Applications Of Cryptographic Techniques Tel Aviv Israel April 29 May 3 2018 Proceedings Part I Jesper Buus ebook all chapter pdf

Advances in Cryptology EUROCRYPT
2018 37th Annual International

Conference on the Theory and
Applications of Cryptographic
Techniques Tel Aviv Israel April 29 May
3 2018 Proceedings Part I Jesper Buus
Nielsen
Visit to download the full and correct content document:
https://textbookfull.com/product/advances-in-cryptology-eurocrypt-2018-37th-annual-i
nternational-conference-on-the-theory-and-applications-of-cryptographic-techniques-t
el-aviv-israel-april-29-may-3-2018-proceedings-part-i-jesper-buus/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...
Advances in Cryptology EUROCRYPT 2017 36th Annual

International Conference on the Theory and Applications
of Cryptographic Techniques Paris France April 30 May 4
2017 Proceedings Part I 1st Edition Jean-Sébastien
Coron
https://textbookfull.com/product/advances-in-cryptology-
eurocrypt-2017-36th-annual-international-conference-on-the-
theory-and-applications-of-cryptographic-techniques-paris-france-
april-30-may-4-2017-proceedings-part-i-1st-edition-je/
Advances in Cryptology EUROCRYPT 2017 36th Annual

of Cryptographic Techniques Paris France April 30 May 4
2017 Proceedings Part II 1st Edition Jean-Sébastien
Coron
eurocrypt-2017-36th-annual-international-conference-on-the-
theory-and-applications-of-cryptographic-techniques-paris-france-
april-30-may-4-2017-proceedings-part-ii-1st-edition-j/
Advances in Cryptology CRYPTO 2018 38th Annual

International Cryptology Conference Proceedings Part II
Hovav Shacham
crypto-2018-38th-annual-international-cryptology-conference-
proceedings-part-ii-hovav-shacham/

International Cryptology Conference Proceedings Part I
Daniele Micciancio
proceedings-part-i-daniele-micciancio/
Advances in Cryptology – ASIACRYPT 2018: 24th
International Conference on the Theory and Application
of Cryptology and Information Security, Brisbane, QLD,
Australia, December 2–6, 2018, Proceedings, Part I
Thomas Peyrin
asiacrypt-2018-24th-international-conference-on-the-theory-and-
application-of-cryptology-and-information-security-brisbane-qld-
australia-december-2-6-201/

Australia, December 2–6, 2018, Proceedings, Part II
Thomas Peyrin
australia-december-2-6-201-2/

Australia, December 2–6, 2018, Proceedings, Part III
Thomas Peyrin
australia-december-2-6-201-3/

International Cryptology Conference Proceedings Part II
Daniele Micciancio
proceedings-part-ii-daniele-micciancio/
Advances in Cryptology – ASIACRYPT 2017: 23rd

of Cryptology and Information Security, Hong Kong,
China, December 3-7, 2017, Proceedings, Part II 1st
Edition Tsuyoshi Takagi
asiacrypt-2017-23rd-international-conference-on-the-theory-and-
applications-of-cryptology-and-information-security-hong-kong-
Jesper Buus Nielsen
Vincent Rijmen (Eds.)
LNCS 10820
Advances in Cryptology –
EUROCRYPT 2018
37th Annual International Conference on the Theory
and Applications of Cryptographic Techniques
Tel Aviv, Israel, April 29 – May 3, 2018, Proceedings, Part I
123
Lecture Notes in Computer Science 10820
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zurich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology Madras, Chennai, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7410
Jesper Buus Nielsen Vincent Rijmen (Eds.)
•
Advances in Cryptology –
EUROCRYPT 2018
37th Annual International Conference on the Theory
and Applications of Cryptographic Techniques
Tel Aviv, Israel, April 29 – May 3, 2018
Proceedings, Part I
123
Editors
Jesper Buus Nielsen Vincent Rijmen
Aarhus University University of Leuven
Aarhus Leuven
Denmark Belgium
ISSN 0302-9743 ISSN 1611-3349 (electronic)

Lecture Notes in Computer Science
ISBN 978-3-319-78380-2 ISBN 978-3-319-78381-9 (eBook)
https://doi.org/10.1007/978-3-319-78381-9
Library of Congress Control Number: 2018937382
LNCS Sublibrary: SL4 – Security and Cryptology
© International Association for Cryptologic Research 2018

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.
Printed on acid-free paper
This Springer imprint is published by the registered company Springer International Publishing AG
part of Springer Nature
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface
Eurocrypt 2018, the 37th Annual International Conference on the Theory and Appli-
cations of Cryptographic Techniques, was held in Tel Aviv, Israel, from April 29 to
May 3, 2018. The conference was sponsored by the International Association for
Cryptologic Research (IACR). Orr Dunkelman (University of Haifa, Israel) was
responsible for the local organization. He was supported by a local organizing team
consisting of Technion’s Hiroshi Fujiwara Cyber Security Research Center headed by
Eli Biham, and most notably by Suzie Eid. We are deeply indebted to them for their
support and smooth collaboration.
The conference program followed the now established parallel track system where
the works of the authors were presented in two concurrently running tracks. Only the
invited talks spanned over both tracks.
We received a total of 294 submissions. Each submission was anonymized for the
reviewing process and was assigned to at least three of the 54 Program Committee
members. Committee members were allowed to submit at most one paper, or two if
both were co-authored. Submissions by committee members were held to a higher
standard than normal submissions. The reviewing process included a rebuttal round for
all submissions. After extensive deliberations, the Program Committee accepted 69
papers. The revised versions of these papers are included in these three-volume pro-
ceedings, organized topically within their respective track.
The committee decided to give the Best Paper Award to the papers “Simple Proofs
of Sequential Work” by Bram Cohen and Krzysztof Pietrzak, “Two-Round Multiparty
Secure Computation from Minimal Assumptions” by Sanjam Garg and Akshayaram
Srinivasan, and “Two-Round MPC from Two-Round OT” by Fabrice Benhamouda
and Huijia Lin. All three papers received invitations for the Journal of Cryptology.
The program also included invited talks by Anne Canteaut, titled “Desperately
Seeking Sboxes”, and Matthew Green, titled “Thirty Years of Digital Currency: From
DigiCash to the Blockchain”.
We would like to thank all the authors who submitted papers. We know that the
Program Committee’s decisions can be very disappointing, especially rejections of very
good papers that did not find a slot in the sparse number of accepted papers. We
sincerely hope that these works eventually get the attention they deserve.
We are also indebted to the members of the Program Committee and all external
reviewers for their voluntary work. The Program Committee work is quite a workload.
It has been an honor to work with everyone. The committee’s work was tremendously
simplified by Shai Halevi’s submission software and his support, including running the
service on IACR servers.
VI Preface
Finally, we thank everyone else — speakers, session chairs, and rump-session

chairs — for their contribution to the program of Eurocrypt 2018. We would also like
to thank the many sponsors for their generous support, including the Cryptography
Research Fund that supported student speakers.
May 2018 Jesper Buus Nielsen

Vincent Rijmen
Eurocrypt 2018
The 37th Annual International Conference

on the Theory and Applications
of Cryptographic Techniques
Sponsored by the International Association for Cryptologic Research
April 29 – May 3, 2018

Tel Aviv, Israel
General Chair
Orr Dunkelman University of Haifa, Israel
Program Co-chairs
Jesper Buus Nielsen Aarhus University, Denmark
Vincent Rijmen University of Leuven, Belgium
Program Committee
Martin Albrecht Royal Holloway, UK
Joël Alwen IST Austria, Austria, and Wickr, USA
Gilles Van Assche STMicroelectronics, Belgium
Paulo S. L. M. Barreto University of Washington Tacoma, USA
Nir Bitansky Tel Aviv University, Israel
Céline Blondeau Aalto University, Finland
Andrey Bogdanov DTU, Denmark
Chris Brzuska TU Hamburg, Germany, and Aalto University, Finland
Jan Camenisch IBM Research – Zurich, Switzerland
Ignacio Cascudo Aalborg University, Denmark
Melissa Chase Microsoft Research, USA
Alessandro Chiesa UC Berkeley, USA
Joan Daemen Radboud University, The Netherlands,
and STMicroelectronics, Belgium
Yevgeniy Dodis New York University, USA
Nico Döttling Friedrich Alexander University Erlangen-Nürnberg,
Germany
Sebastian Faust TU Darmstadt, Germany
Serge Fehr CWI Amsterdam, The Netherlands
Georg Fuchsbauer Inria and ENS, France
Jens Groth University College London, UK
Jian Guo Nanyang Technological University, Singapore
VIII Eurocrypt 2018
Martin Hirt ETH Zurich, Switzerland

Dennis Hofheinz KIT, Germany
Yuval Ishai Technion, Israel, and UCLA, USA
Nathan Keller Bar-Ilan University, Israel
Eike Kiltz Ruhr-Universität Bochum, Germany
Gregor Leander Ruhr-Universität Bochum, Germany
Yehuda Lindell Bar-Ilan University, Israel
Mohammad Mahmoody University of Virginia, USA
Willi Meier FHNW, Windisch, Switzerland
Florian Mendel Infineon Technologies, Germany
Bart Mennink Radboud University, The Netherlands
María Naya-Plasencia Inria, France
Svetla Nikova KU Leuven, Belgium
Eran Omri Ariel University, Israel
Arpita Patra Indian Institute of Science, India
David Pointcheval ENS/CNRS, France
Bart Preneel KU Leuven, Belgium
Thomas Ristenpart Cornell Tech, USA
Alon Rosen IDC Herzliya, Israel
Mike Rosulek Oregon State University, USA
Louis Salvail Université de Montréal, Canada
Yu Sasaki NTT Secure Platform Laboratories, Japan
Thomas Schneider TU Darmstadt, Germany
Jacob C. N. Schuldt AIST, Japan
Nigel P. Smart KU Leuven, Belgium, and University of Bristol, UK
Adam Smith Boston University, USA
Damien Stehlé ENS de Lyon, France
Björn Tackmann IBM Research – Zurich, Switzerland
Dominique Unruh University of Tartu, Estonia
Vinod Vaikuntanathan MIT, USA
Muthuramakrishnan University of Rochester, USA
Venkitasubramaniam
Frederik Vercauteren KU Leuven, Belgium
Damien Vergnaud Sorbonne Université, France
Ivan Visconti University of Salerno, Italy
Moti Yung Columbia University and Snap Inc., USA
Additional Reviewers
Masayuki Abe Divesh Aggarwal Bar Alon

Aysajan Abidin Shashank Agrawal Abdel Aly
Ittai Abraham Shweta Agrawal Prabhanjan Ananth
Hamza Abusalah Thomas Agrikola Elena Andreeva
Eurocrypt 2018 IX
Daniel Apon Chitchanok Romain Gay

Gilad Asharov Chuengsatiansup Peter Gaži
Nuttapong Attrapadung Michele Ciampi Rosario Gennaro
Benedikt Auerbach Thomas De Cnudde Satrajit Ghosh
Daniel Augot Ran Cohen Irene Giacomelli
Christian Badertscher Sandro Coretti Federico Giacon
Saikrishna Jean-Sebastien Coron Benedikt Gierlichs
Badrinarayanan Henry Corrigan-Gibbs Junqing Gong
Shi Bai Ana Costache Dov Gordon
Josep Balasch Geoffroy Couteau Divya Gupta
Marshall Ball Claude Crépeau Lorenzo Grassi
Valentina Banciu Ben Curtis Hannes Gross
Subhadeep Banik Dana Dachman-Soled Vincent Grosso
Zhenzhen Bao Yuanxi Dai Paul Grubbs
Gilles Barthe Bernardo David Chun Guo
Lejla Batina Alex Davidson Siyao Guo
Balthazar Bauer Jean Paul Degabriele Mohammad Hajiabadi
Carsten Baum Akshay Degwekar Carmit Hazay
Christof Beierle Daniel Demmler Gottfried Herold
Amos Beimel Amit Deo Felix Heuer
Sonia Belaid Apoorvaa Deshpande Thang Hoang
Aner Ben-Efraim Itai Dinur Viet Tung Hoang
Fabrice Benhamouda Christoph Dobraunig Akinori Hosoyamada
Iddo Bentov Manu Drijvers Kristina Hostáková
Itay Berman Maria Dubovitskaya Andreas Hülsing
Kavun Elif Bilge Léo Ducas Ilia Iliashenko
Olivier Blazy Yfke Dulek Roi Inbar
Jeremiah Blocki Pierre-Alain Dupont Vincenzo Iovino
Andrey Bogdanov François Dupressoir Tetsu Iwata
Carl Bootland Avijit Dutta Abhishek Jain
Jonathan Bootle Lisa Eckey Martin Jepsen
Raphael Bost Maria Eichlseder Daniel Jost
Leif Both Maximilian Ernst Chiraag Juvekar
Florian Bourse Mohammad Etemad Seny Kamara
Elette Boyle Antonio Faonio Chethan Kamath
Zvika Brakerski Oriol Farràs Bhavana Kanukurthi
Christian Cachin Pooya Farshim Harish Karthikeyan
Ran Canetti Manuel Fersch Suichi Katsumata
Anne Canteaut Dario Fiore Jonathan Katz
Brent Carmer Viktor Fischer John Kelsey
Wouter Castryck Nils Fleischhacker Dakshita Khurana
Andrea Cerulli Christian Forler Eunkyung Kim
André Chailloux Tommaso Gagliardoni Taechan Kim
Avik Chakraborti Chaya Ganesh Elena Kirshanova
Yilei Chen Juan Garay Ágnes Kiss
Ashish Choudhury Sanjam Garg Susumu Kiyoshima
X Eurocrypt 2018
Ilya Kizhvatov Marta Mularczyk Ron Rothblum

Alexander Koch Mridul Nandi David Roubinet
Konrad Kohbrok Ventzislav Nikov Adeline Roux-Langlois
Lisa Kohl Tobias Nilges Vladimir Rozic
Stefan Kölbl Ryo Nishimaki Andy Rupp
Ilan Komargodski Anca Nitulescu Yusuke Sakai
Yashvanth Kondi Ariel Nof Simona Samardjiska
Venkata Koppula Achiya Bar On Niels Samwel
Thorsten Kranz Claudio Orlandi Olivier Sanders
Hugo Krawczyk Michele Orrù Pratik Sarkar
Marie-Sarah Lacharite Clara Paglialonga Alessandra Scafuro
Kim Laine Giorgos Panagiotakos Martin Schläffer
Virginie Lallemand Omer Paneth Dominique Schröder
Gaëtan Leurent Louiza Papachristodoulou Sven Schäge
Anthony Leverrier Kostas Papagiannopoulos Adam Sealfon
Xin Li Sunoo Park Yannick Seurin
Pierre-Yvan Liardet Anat Paskin-Cherniavsky abhi shelat
Benoît Libert Alain Passelègue Kazumasa Shinagawa
Huijia Lin Kenny Paterson Luisa Siniscalchi
Guozhen Liu Michaël Peeters Maciej Skórski
Jian Liu Chris Peikert Fang Song
Chen-Da Liu-Zhang Alice Pellet–Mary Ling Song
Alex Lombardi Geovandro C. C. F. Katerina Sotiraki
Julian Loss Pereira Florian Speelman
Steve Lu Leo Perrin Gabriele Spini
Atul Luykx Giuseppe Persiano Kannan Srinathan
Vadim Lyubashevsky Thomas Peters Thomas Steinke
Saeed Mahloujifar Krzysztof Pietrzak Uri Stemmer
Hemanta Maji Benny Pinkas Igors Stepanovs
Mary Maller Oxana Poburinnaya Noah
Umberto Martínez-Peñas Bertram Poettering Stephens-Davidowitz
Daniel Masny Antigoni Polychroniadou Alan Szepieniec
Takahiro Matsuda Christopher Portmann Seth Terashima
Christian Matt Manoj Prabhakaran Cihangir Tezcan
Patrick McCorry Emmanuel Prouff Mehdi Tibouchi
Pierrick Méaux Carla Ràfols Elmar Tischhauser
Lauren De Meyer Somindu C. Ramanna Radu Titiu
Peihan Miao Samuel Ranellucci Yosuke Todo
Brice Minaud Shahram Rasoolzadeh Junichi Tomida
Esfandiar Mohammadi Divya Ravi Patrick Towa
Ameer Mohammed Ling Ren Boaz Tsaban
Maria Chiara Molteni Oscar Reparaz Daniel Tschudi
Tal Moran Silas Richelson Thomas Unterluggauer
Fabrice Mouhartem Peter Rindal Margarita Vald
Amir Moradi Michal Rolinek Kerem Varici
Pratyay Mukherjee Miruna Rosca Prashant Vasudevan
Eurocrypt 2018 XI
Philip Vejre Hoeteck Wee Shota Yamada

Daniele Venturi Felix Wegener Takashi Yamakawa
Benoît Viguier Christian Weinert Kan Yasuda
Fernando Virdia Erich Wenger Attila Yavuz
Damian Vizár Daniel Wichs Scott Yilek
Alexandre Wallet Friedrich Wiemer Eylon Yogev
Michael Walter David Wu Greg Zaverucha
Haoyang Wang Thomas Wunderer Mark Zhandry
Qingju Wang Sophia Yakoubov Ren Zhang
Abstract of Invited Talks
Desperately Seeking Sboxes
Anne Canteaut
Inria, Paris, France

anne.canteaut@inria.fr
Abstract. Twenty-five years ago, the definition of security criteria associated to

the resistance to linear and differential cryptanalysis has initiated a long line of
research in the quest for Sboxes with optimal nonlinearity and differential
uniformity. Although these optimal Sboxes have been studied by many cryp-
tographers and mathematicians, many questions remain open. The most
prominent open problem is probably the determination of the optimal values
of the nonlinearity and of the differential uniformity for a permutation depending
on an even number of variables.
Besides those classical properties, various attacks have motivated several
other criteria. Higher-order differential attacks, cube distinguishers and the more
recent division property exploit some specific properties of the representation
of the whole cipher as a collection of multivariate polynomials, typically the fact
that some given monomials do not appear in these polynomials. This type of
property is often inherited from some algebraic property of the Sbox. Similarly,
the invariant subspace attack and its nonlinear counterpart also originate from
specific algebraic structure in the Sbox.
Thirty Years of Digital Currency:
From DigiCash to the Blockchain
Matthew Green
Johns Hopkins University

mgreen@cs.jhu.edu
Abstract. More than thirty years ago a researcher named David Chaum pre-
sented his vision for a cryptographic financial system. In the past ten years this
vision has been realized. Yet despite a vast amount of popular excitement, it
remains to be seen whether the development of cryptocurrencies (and their
associated consensus technologies) will have a lasting positive impact—both on
society and on our research community. In this talk I will examine that question.
Specifically, I will review several important contributions that research cryp-
tography has made to this field; survey the most promising deployed
(or developing) technologies; and discuss the many challenges ahead.
Contents – Part I
Foundations
On the Bit Security of Cryptographic Primitives . . . . . . . . . . . . . . . . . . . . . 3

Daniele Micciancio and Michael Walter
On the Gold Standard for Security of Universal Steganography . . . . . . . . . . 29

Sebastian Berndt and Maciej Liśkiewicz
Memory Lower Bounds of Reductions Revisited. . . . . . . . . . . . . . . . . . . . . 61

Yuyu Wang, Takahiro Matsuda, Goichiro Hanaoka, and Keisuke Tanaka
Fiat-Shamir and Correlation Intractability from Strong

KDM-Secure Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Ran Canetti, Yilei Chen, Leonid Reyzin, and Ron D. Rothblum
Lattices
Shortest Vector from Lattice Sieving: A Few Dimensions for Free . . . . . . . . 125
Léo Ducas
On the Ring-LWE and Polynomial-LWE Problems . . . . . . . . . . . . . . . . . . . 146

Miruna Rosca, Damien Stehlé, and Alexandre Wallet
Faster Gaussian Sampling for Trapdoor Lattices with Arbitrary Modulus . . . . 174
Nicholas Genise and Daniele Micciancio
Short, Invertible Elements in Partially Splitting Cyclotomic Rings

and Applications to Lattice-Based Zero-Knowledge Proofs . . . . . . . . . . . . . . 204
Vadim Lyubashevsky and Gregor Seiler
Random Oracle Model
Random Oracles and Non-uniformity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

Sandro Coretti, Yevgeniy Dodis, Siyao Guo, and John Steinberger
Another Step Towards Realizing Random Oracles: Non-malleable

Point Obfuscation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Ilan Komargodski and Eylon Yogev
The Wonderful World of Global Random Oracles . . . . . . . . . . . . . . . . . . . . 280

Jan Camenisch, Manu Drijvers, Tommaso Gagliardoni, Anja Lehmann,
and Gregory Neven
XVIII Contents – Part I
Fully Homomorphic Encryption
Homomorphic Lower Digits Removal and Improved FHE Bootstrapping . . . . 315

Hao Chen and Kyoohyung Han
Homomorphic SIM2 D Operations: Single Instruction Much More Data . . . . . 338

Wouter Castryck, Ilia Iliashenko, and Frederik Vercauteren
Bootstrapping for Approximate Homomorphic Encryption . . . . . . . . . . . . . . 360

Jung Hee Cheon, Kyoohyung Han, Andrey Kim, Miran Kim,
and Yongsoo Song
Permutations
Full Indifferentiable Security of the Xor of Two or More Random

Permutations Using the v2 Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Srimanta Bhattacharya and Mridul Nandi
An Improved Affine Equivalence Algorithm for Random Permutations . . . . . 413

Itai Dinur
Galois Counter Mode
Optimal Forgeries Against Polynomial-Based MACs and GCM . . . . . . . . . . 445

Atul Luykx and Bart Preneel
Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation,

and Better Bounds. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Priyanka Bose, Viet Tung Hoang, and Stefano Tessaro
Attribute-Based Encryption
Unbounded ABE via Bilinear Entropy Expansion, Revisited. . . . . . . . . . . . . 503

Jie Chen, Junqing Gong, Lucas Kowalczyk, and Hoeteck Wee
Anonymous IBE, Leakage Resilience and Circular Security from New

Assumptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Zvika Brakerski, Alex Lombardi, Gil Segev, and Vinod Vaikuntanathan
Secret Sharing
Towards Breaking the Exponential Barrier for General Secret Sharing . . . . . . 567
Tianren Liu, Vinod Vaikuntanathan, and Hoeteck Wee
Contents – Part I XIX
Improving the Linear Programming Technique in the Search for Lower

Bounds in Secret Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Oriol Farràs, Tarik Kaced, Sebastià Martín, and Carles Padró
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623

Contents – Part II
Blockchain
Thunderella: Blockchains with Optimistic Instant Confirmation . . . . . . . . . . 3

Rafael Pass and Elaine Shi
But Why Does It Work? A Rational Protocol Design Treatment

of Bitcoin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Christian Badertscher, Juan Garay, Ueli Maurer, Daniel Tschudi,
and Vassilis Zikas
Ouroboros Praos: An Adaptively-Secure, Semi-synchronous

Proof-of-Stake Blockchain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Bernardo David, Peter Gaži, Aggelos Kiayias,
and Alexander Russell
Sustained Space Complexity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Joël Alwen, Jeremiah Blocki, and Krzysztof Pietrzak
Multi-collision Resistance
Multi-Collision Resistant Hash Functions and Their Applications . . . . . . . . . 133

Itay Berman, Akshay Degwekar, Ron D. Rothblum,
and Prashant Nalini Vasudevan
Collision Resistant Hashing for Paranoids: Dealing

with Multiple Collisions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Ilan Komargodski, Moni Naor, and Eylon Yogev
Signatures
Synchronized Aggregate Signatures from the RSA Assumption. . . . . . . . . . . 197

Susan Hohenberger and Brent Waters
More Efficient (Almost) Tightly Secure Structure-Preserving Signatures. . . . . 230

Romain Gay, Dennis Hofheinz, Lisa Kohl, and Jiaxin Pan
Private Simultaneous Messages
The Communication Complexity of Private Simultaneous

Messages, Revisited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Benny Applebaum, Thomas Holenstein, Manoj Mishra,
and Ofer Shayevitz
XXII Contents – Part II
The Complexity of Multiparty PSM Protocols and Related Models . . . . . . . . 287

Amos Beimel, Eyal Kushilevitz, and Pnina Nissim
Masking
Formal Verification of Masked Hardware Implementations in the Presence

of Glitches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Roderick Bloem, Hannes Gross, Rinat Iusupov, Bettina Könighofer,
Stefan Mangard, and Johannes Winter
Masking the GLP Lattice-Based Signature Scheme at Any Order . . . . . . . . . 354

Gilles Barthe, Sonia Belaïd, Thomas Espitau, Pierre-Alain Fouque,
Benjamin Grégoire, Mélissa Rossi, and Mehdi Tibouchi
Masking Proofs Are Tight and How to Exploit it in Security Evaluations. . . . 385
Vincent Grosso and François-Xavier Standaert
Best Young Researcher Paper Award
The Discrete-Logarithm Problem with Preprocessing . . . . . . . . . . . . . . . . . . 415

Henry Corrigan-Gibbs and Dmitry Kogan
Best Paper Awards
Simple Proofs of Sequential Work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451

Bram Cohen and Krzysztof Pietrzak
Two-Round Multiparty Secure Computation from Minimal Assumptions . . . . 468

Sanjam Garg and Akshayaram Srinivasan
k-Round Multiparty Computation from k-Round Oblivious Transfer

via Garbled Interactive Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
Fabrice Benhamouda and Huijia Lin
Theoretical Multiparty Computation
Adaptively Secure Garbling with Near Optimal Online Complexity . . . . . . . . 535

Sanjam Garg and Akshayaram Srinivasan
A New Approach to Black-Box Concurrent Secure Computation . . . . . . . . . 566

Sanjam Garg, Susumu Kiyoshima, and Omkant Pandey
Obfuscation
Obfustopia Built on Secret-Key Functional Encryption. . . . . . . . . . . . . . . . . 603

Fuyuki Kitagawa, Ryo Nishimaki, and Keisuke Tanaka
Contents – Part II XXIII
Limits on Low-Degree Pseudorandom Generators (Or: Sum-of-Squares

Meets Program Obfuscation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
Boaz Barak, Zvika Brakerski, Ilan Komargodski,
and Pravesh K. Kothari
Symmetric Cryptanalysis
Boomerang Connectivity Table: A New Cryptanalysis Tool . . . . . . . . . . . . . 683

Carlos Cid, Tao Huang, Thomas Peyrin, Yu Sasaki, and Ling Song
Correlation Cube Attacks: From Weak-Key Distinguisher

to Key Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
Meicheng Liu, Jingchun Yang, Wenhao Wang, and Dongdai Lin
The Missing Difference Problem, and Its Applications to Counter

Mode Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 745
Gaëtan Leurent and Ferdinand Sibleyras
Fast Near Collision Attack on the Grain v1 Stream Cipher . . . . . . . . . . . . . . 771

Bin Zhang, Chao Xu, and Willi Meier
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803

Contents – Part III
Zero-Knowledge
On the Existence of Three Round Zero-Knowledge Proofs . . . . . . . . . . . . . . 3

Nils Fleischhacker, Vipul Goyal, and Abhishek Jain
Statistical Witness Indistinguishability (and more) in Two Messages . . . . . . . 34

Yael Tauman Kalai, Dakshita Khurana, and Amit Sahai
An Efficiency-Preserving Transformation from Honest-Verifier Statistical

Zero-Knowledge to Statistical Zero-Knowledge. . . . . . . . . . . . . . . . . . . . . . 66
Pavel Hubáček, Alon Rosen, and Margarita Vald
Implementing Multiparty Computation
Efficient Maliciously Secure Multiparty Computation for RAM . . . . . . . . . . 91

Marcel Keller and Avishay Yanai
Efficient Circuit-Based PSI via Cuckoo Hashing . . . . . . . . . . . . . . . . . . . . . 125

Benny Pinkas, Thomas Schneider, Christian Weinert, and Udi Wieder
Overdrive: Making SPDZ Great Again . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Marcel Keller, Valerio Pastro, and Dragos Rotaru
Non-interactive Zero-Knowledge
Efficient Designated-Verifier Non-interactive Zero-Knowledge

Proofs of Knowledge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Pyrros Chaidos and Geoffroy Couteau
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs. . . . . . . . 222

Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu
Anonymous Communication
Untagging Tor: A Formal Treatment of Onion Encryption . . . . . . . . . . . . . . 259

Jean Paul Degabriele and Martijn Stam
Exploring the Boundaries of Topology-Hiding Computation . . . . . . . . . . . . . 294

Marshall Ball, Elette Boyle, Tal Malkin, and Tal Moran
XXVI Contents – Part III
Isogeny
Supersingular Isogeny Graphs and Endomorphism Rings: Reductions

and Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Kirsten Eisenträger, Sean Hallgren, Kristin Lauter, Travis Morrison,
and Christophe Petit
Leakage
On the Complexity of Simulating Auxiliary Input . . . . . . . . . . . . . . . . . . . . 371

Yi-Hsiu Chen, Kai-Min Chung, and Jyun-Jie Liao
Key Exchange
Fuzzy Password-Authenticated Key Exchange . . . . . . . . . . . . . . . . . . . . . . 393

Pierre-Alain Dupont, Julia Hesse, David Pointcheval, Leonid Reyzin,
and Sophia Yakoubov
Bloom Filter Encryption and Applications to Efficient Forward-Secret

0-RTT Key Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
David Derler, Tibor Jager, Daniel Slamanig, and Christoph Striecks
OPAQUE: An Asymmetric PAKE Protocol Secure Against

Pre-computation Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Stanislaw Jarecki, Hugo Krawczyk, and Jiayu Xu
Quantum
Unforgeable Quantum Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489

Gorjan Alagic, Tommaso Gagliardoni, and Christian Majenz
Tightly-Secure Key-Encapsulation Mechanism in the Quantum Random

Oracle Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Tsunekazu Saito, Keita Xagawa, and Takashi Yamakawa
A Concrete Treatment of Fiat-Shamir Signatures in the Quantum

Random-Oracle Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Eike Kiltz, Vadim Lyubashevsky, and Christian Schaffner
Non-maleable Codes
Non-malleable Randomness Encoders and Their Applications . . . . . . . . . . . . 589

Bhavana Kanukurthi, Sai Lakshmi Bhavana Obbattu, and Sruthi Sekar
Non-malleable Codes from Average-Case Hardness: AC0 , Decision Trees,

and Streaming Space-Bounded Tampering . . . . . . . . . . . . . . . . . . . . . . . . . 618
Marshall Ball, Dana Dachman-Soled, Mukul Kulkarni, and Tal Malkin
Contents – Part III XXVII
Provable Symmetric Cryptography
Naor-Reingold Goes Public: The Complexity of Known-Key Security . . . . . . 653

Pratik Soni and Stefano Tessaro
Updatable Encryption with Post-Compromise Security . . . . . . . . . . . . . . . . . 685

Anja Lehmann and Björn Tackmann
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717

Foundations
On the Bit Security of Cryptographic
Primitives
Daniele Micciancio1 and Michael Walter2(B)

1
UC San Diego, San Diego, USA
daniele@cs.ucsd.edu
2
IST Austria, Klosterneuburg, Austria
michael.walter@ist.ac.at
Abstract. We introduce a formal quantitative notion of “bit security”

for a general type of cryptographic games (capturing both decision and
search problems), aimed at capturing the intuition that a cryptographic
primitive with k-bit security is as hard to break as an ideal cryptographic
function requiring a brute force attack on a k-bit key space. Our new
definition matches the notion of bit security commonly used by cryp-
tographers and cryptanalysts when studying search (e.g., key recovery)
problems, where the use of the traditional definition is well established.
However, it produces a quantitatively different metric in the case of deci-
sion (indistinguishability) problems, where the use of (a straightforward
generalization of) the traditional definition is more problematic and leads
to a number of paradoxical situations or mismatches between theoreti-
cal/provable security and practical/common sense intuition. Key to our
new definition is to consider adversaries that may explicitly declare fail-
ure of the attack. We support and justify the new definition by proving
a number of technical results, including tight reductions between several
standard cryptographic problems, a new hybrid theorem that preserves
bit security, and an application to the security analysis of indistinguisha-
bility primitives making use of (approximate) floating point numbers.
This is the first result showing that (standard precision) 53-bit floating
point numbers can be used to achieve 100-bit security in the context of
cryptographic primitives with general indistinguishability-based security
definitions. Previous results of this type applied only to search problems,
or special types of decision problems.
1 Introduction
It is common in cryptography to describe the level of security offered by a (con-

crete instantiation of a) cryptographic primitive P by saying that P provides a
Research supported in part by the Defense Advanced Research Projects Agency

(DARPA) and the U.S. Army Research Office under the SafeWare program. Opin-
ions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect the views, position or policy of
the Government.
c International Association for Cryptologic Research 2018
J. B. Nielsen and V. Rijmen (Eds.): EUROCRYPT 2018, LNCS 10820, pp. 3–28, 2018.
https://doi.org/10.1007/978-3-319-78381-9_1
4 D. Micciancio and M. Walter
certain number of bits of security. E.g., one may say that AES offers 110-bits
of security as a pseudorandom permutation [6], or that a certain lattice based
digital signature scheme offers at least 160-bits of security for a given setting of
the parameters. While there is no universally accepted, general, formal defini-
tion of bit security, in many cases cryptographers seem to have an intuitive (at
least approximate) common understanding of what “n bits of security” means:
any attacker that successfully breaks the cryptographic primitive must incur a
cost1 of at least T > 2n , or, alternatively, any efficient attack achieves at most
< 2−n success probability, or, perhaps, a combination of these two conditions,
i.e., for any attack with cost T and success probability , it must be T / > 2n .
The intuition is that 2n is the cost of running a brute force attack to retrieve
an n-bit key, or the inverse success probability of a trivial attack that guesses
the key at random. In other words, n bits of security means “as secure as an
idealized perfect cryptographic primitive with an n-bit key”.
The appeal and popularity of the notion of bit security (both in theory and in
practice) rests on the fact that it nicely sits in between two extreme approaches:
– The foundations of cryptography asymptotic approach (e.g., see [9,10]) which

identifies feasible adversaries with polynomial time computation, and success-
ful attacks with breaking a system with non-negligible probability.
– The concrete security approach [3,5], which breaks the adversarial cost into
a number of different components (running time, oracle queries, etc.), and
expresses, precisely, how the adversary’s advantage in breaking a crypto-
graphic primitive depends on all of them.
The foundational/asymptotic approach has the indubious advantage of simplic-

ity, but it only offers a qualitative classification of cryptographic functions into
secure and insecure ones. In particular, it does not provide any guidance on
choosing appropriate parameters and key sizes to achieve a desired level of secu-
rity in practice. On the other hand, the concrete security treatment delivers (pre-
cise, but) substantially more complex security statements, and requires carefully
tracking a number of different parameters through security reductions. In this
respect, bit security offers a quantitative, yet simple, security metric, in the form
of a single number: the bit security or security level of a primitive, typically
understood as the logarithm (to the base 2) of the ratio T / between the cost T
and advantage of the attack, minimized over all possible adversaries.
Capturing security level with a single number is certainly convenient and use-
ful: it allows for direct comparison of the security level of different instances of
the same primitive (or even between different primitives altogether), and it pro-
vides a basis for the study of tight reductions, i.e., constructions and reductions
that approximately preserve the security level. Not surprisingly, bit security is
1
For concreteness, the reader may think of the cost as the running time of the attack,
but other cost measures are possible, and everything we say applies to any cost
measure satisfying certain general closure properties, like the fact that the cost of
repeating an attack k times is at most k times as large as the cost of a single
execution.
On the Bit Security of Cryptographic Primitives 5
widely used. However, there is no formal definition of this term at this point, but
rather just an intuitive common understanding of what this quantity should cap-
ture. This understanding has led to some paradoxical situations that suggest that
the current “definitions” might not capture exactly what they are meant to.
It has been noted that only considering the adversary’s running time is a
poor measure of the cost of an attack [7,8]. This is especially true if moving to
the non-uniform setting, where an adversary may receive additional advice, and
the question of identifying an appropriate cost measure has been studied before
[6]. However, the paradoxical situations have not, to this day, been resolved
to satisfaction, and it seems that considering only the adversary’s resources is
insufficient to address this issue.
In order to explain the problems with the current situation, we first distin-
guish between two types of primitives with respect to the type of game that
defines their security (see Sect. 3 for a more formal definition): search primitives
and decision primitives. Intuitively, the former are primitives where an adversary
is trying to recover some secret information from a large search space, as in a key
recovery attack. The latter are games where the adversary is trying to decide if
a secret bit is 0 or 1, as in the indistinguishability games underlying the defini-
tion of pseudorandom generators or semantically secure encryption. For search
games, the advantage of an adversary is usually understood to be the probability
of finding said secret information, while for decision games it is usually consid-
ered to be the distinguishing advantage (which is equal to the probability that
the output of the adversary is correct, over the trivial probability 12 of a random
guess).
The Peculiar Case of PRGs. Informally, a PRG is a function f : {0, 1}n →

{0, 1}m , where m > n, such that its output under uniform input is indistinguish-
able from the uniform distribution over {0, 1}m . In the complexity community
it is common knowledge according to [8] that a PRG with seed length n cannot
provide more than n/2 bits of security under the current definition of security
level. This is because there are non-uniform attacks that achieve distinguishing
advantage 2−n/2 in very little time against any such function. Such attacks were
generalized to yield other time-space-advantage trade-offs in [7]. This is very
counter-intuitive, as the best generic seed recovery attacks do not prevent n-bit
security (for appropriate cost measure), and thus one would expect n bits of
security in such a case to be possible.
The Peculiar Case of Approximate Samplers. Many cryptographic schemes,

in particular lattice based schemes, involve specific distributions that need to
be sampled from during their execution. Furthermore, security reductions may
assume that these distributions are sampled exactly. During the transition of
such a cryptographic scheme from a theoretical construction to a practical imple-
mentation, the question arises as to how such a sampling algorithm should be
implemented. In many cases, it is much more efficient or secure (against e.g.
side channel attacks) or even only possible to approximate the corresponding
6 D. Micciancio and M. Walter
distribution rather than generating it exactly. In such a case it is crucial to

analyze how this approximation impacts the security of the scheme. Tradition-
ally, statistical distance has been employed to quantify this trade-off between
approximation and security guarantee, but it leads to the unfortunate situation
where the 53-bit precision provided by floating point numbers (as implemented
in hardware in commodity microprocessors) only puts a 2−53 bound on statisti-
cal distance, and results in a rather weak 53-bit security guarantee on the final
application. Proving better security using statistical distance methods seems
to require higher precision floating point numbers implemented in (substantially
slower) software libraries. In recent years a number of generic results have shown
improved analysis methods based on different divergences [2,15–17] and using
the conventional definition of bit security. Surprisingly, all of them apply exclu-
sively to search primitives (with the only exception of [2], which also considers
decision primitives with a specific property). This has led to the unnatural sit-
uation where it seems that decision primitives, like encryption, require higher
precision sampling than search primitives. This is counter-intuitive, because in
search primitives, like signature schemes, the distribution is often used to hide
a specific secret and a bad approximation may leak information about it. On
the other hand, it is commonly believed within the research community that
for encryption schemes the distribution does not necessarily have to be followed
exactly, as long as it has sufficient entropy, since none of the cryptanalytic attacks
seem to be able to take advantage of a bad approximation in this case [1]. How-
ever, a corresponding proof for generic decision primitives (e.g., supporting the
use of hardware floating point numbers, while still targeting 100-bit or higher
levels of security) has so far eluded the attempts of the research community.
1.1 Contribution and Techniques
We present a new notion of bit security associated to a general cryptographic

game. Informally, we consider a game in which an adversary has to guess an n-bit
secret string2 x. This captures, in a unified setting, both decision/indistinguish-
ability properties, when n = 1, and arbitrary search/unpredictability properties,
for larger n. The definition of bit security is quite natural and intuitive, building
on concepts from information theory, but we postpone its description to the end
of this section. For now, what matters is that a distinguishing feature of our
framework is to explicitly allow the adversary to output a special “don’t know”
symbol ⊥, rather than a random guess. So, we can talk about the probability
α that the adversary outputs something (other than ⊥), and the (conditional)
probability β that the output correctly identifies the secret. This makes little
difference for search problems, but for decision problems it allows the adversary
to express different degrees of confidence in its guess: admitting failure is more
informative than a random guess. We proceed by specializing our notion of bit
2
More generally, the adversary has to output a value satisfying a relation R(x, a)
which defines successful attacks. For simplicity, in this introduction, we assume R is
the identity function. See Definition 5 for the actual definition.
Another random document with
no related content on Scribd:
2 “The Myography of Nerve-degeneration in Animals and Man,” Archives of Medicine,
viii., No. 1, 1882.
In the period of recovery or regeneration of the nerve the musculo-

galvanic reactions slowly reacquire their normal characters; the
normal suddenness and completeness of the contractions gradually
appear, and faradic excitation causes slight responses. Lastly, the
nerve also begins to exhibit excitability under galvanism and
faradism. These various abnormal electrical reactions, also
frequently observed in diseases of the spinal cord, constitute the so-
called reaction of degeneration, or De R. The subject is one of much
practical importance, and for details the reader is referred to the
treatises on electro-therapeutics of Erb and De Watteville.
Just as we depend upon the De R. to prove interruption of motor

nerve-fibres (or, in other cases, destruction of ganglion cells in the
anterior horns of the cord), so do we rely upon the demonstration of
complete anæsthesia to prove interruption of sensory fibres. In
seeking for the area of anæsthesia several points must be borne in
mind: (1) The normal distribution of the principal nerve-trunks as
taught by ordinary anatomical works; (2) the remarkable anomalies
of distribution which sometimes occur; (3) that many nerves near
their endings exchange filaments in very variable numbers; loops for
collateral innervation, which will supply some sensibility to parts
which, judging by ordinary anatomical rules, should be made
anæsthetic by section of a given nerve-trunk; (4) another
consideration is the degree of anæsthesia. Before pronouncing upon
the complete and fatal division of a nerve-trunk (by injury or by
disease), absolute anæsthesia should be demonstrated in its area of
principal and isolated distribution. Ordinary tests are not, as a rule,
sufficient for this purpose. The best means in our experience
consists in the use of a very strong induction (faradic) current, as
follows: The skin of the suspected region to be thoroughly dried and
rubbed with chalk or powdered starch; one pole, consisting of an
ordinary wet electrode, to be applied just above the part to be tested,
and the other pole, consisting of a single wire, with which different
parts of the anæsthetic area are to be touched. By this means
partially insensible regions, not responding to pricking and burning,
may be made to yield reaction, and the area of absolute anæsthesia
be thereby much reduced. Malingering may also be readily exposed
by this test, which presents another advantage—viz. of not causing
local injury or scars as burning will.
It follows from the preceding statements that in cases of limited

atrophic paralysis with De R. the diagnosis between a central lesion
(destruction of ganglion cells of the anterior horns of the cord) and a
strictly peripheral (or neural) lesion is to be chiefly based upon two
considerations: (1) The distribution of the paralysis, which in the first
case affects muscles which are physiologically grouped or
associated, while in the second case the simple law of anatomical
associations or grouping is observed; (2) by the state of sensibility,
which is normal in disease of the anterior horns of the cord, and is
frequently impaired or abolished in nerve lesions.
Lesions affecting the cauda equina cause all the above-mentioned

symptoms of peripheral lesions in a limited (partial) paraplegic
distribution. If the lesion or injury be in the sacro-coccygeal region,
the symptoms will, as a rule, be found confined to parts below the
knee, occasionally also involving the muscles on the posterior aspect
of the thigh (flexors of the leg). Below the knees we find an atrophic
paralysis with De R., anæsthesia of the foot and part of the leg, loss
of plantar and achillis reflexes, and the sphincter ani will be
paralyzed. The patellar reflex is preserved or exaggerated. In case
the lesion be in the lumbar region, below the first lumbar vertebræ,
the symptoms will be found to extend as high as the groin, involving
also the buttocks and sphincter ani; state of the bladder variable. All
reflexes will be lost in the paralyzed extremities, except in some
cases the cremasteric reflex.
Strange as it may appear, physicians do not always remember that

there is practically no lumbar spinal cord (vide Fig. 2.), and that
injuries, etc. of the lumbar vertebræ and dura tend to affect nerves,
and not a nervous centre.
II. Localization of Lesions in the Spinal Cord.
Diseases of the spinal cord are distinguished by the following

general characters, positive and negative:
Positive Characters.—Tendency to primary bilateral or paraplegic

distribution of all the symptoms. In the majority of cases preservation
of electro-muscular excitability, and in one well-defined group of
cases De R. more or less typically developed in the paralyzed parts.
Frequent vesical and rectal paralysis, either of the retaining or of the
ejecting apparatus. Pains and other paræsthesiæ in the extremities,
the pains often possessing the electric or fulgurating character.
Anæsthesia of paraplegic distribution. Sensations of constriction or
cincture about a limb or about the body at various levels. Occurrence
of ataxia without paralysis. Progressive muscular atrophy without
actual paralysis. Easy production of eschars (bed-sores).
Negative Characters.—Absence of typical hemiplegic or monoplegic

distribution of symptoms. Rarity of head symptoms, as headache,
vertigo, mental disturbance; of lesions of the optic nerve. Absence of
epileptiform convulsions. Absence of such grouping of motor and
sensory symptoms as would exactly correspond to the area of
distribution of one or more large nerve-trunks.
The above symptomatic indications are, of course, of the most

general meaning only, and are liable to exceptions and subject to
varying conditions.
The DIAGNOSIS of the exact localization of lesions in the spinal cord,

considered from the clinical standpoint, is perhaps best arrived at by
following an anatomical and physiological order of subdivision of the
problem into three questions, as follows:
FIRST QUESTION.—BEING GIVEN SYMPTOMS INDICATING DISEASE LIMITED TO

ONE OR MORE SYSTEMS OF THE SPINAL CORD, TO DECIDE WHICH ARE
AFFECTED.
Physiology and the results of embryological and pathological
researches justify us in making a general division of the spinal cord,
for purposes of diagnosis, into two great systems, whose limits are
fairly well known—viz. the æsthesodic or sensory system, and the
kinesodic or motor system. The following outline diagram (Fig. 5) of
section through the spinal cord exhibits the ascertained limits of the
two systems.
FIG. 5.
Diagram of a Transverse Section of the Spinal Cord through the Cervical

Enlargement: The æsthesodic system is shaded, the kinesodic system
unshaded. Parts of the æsthesodic system: (1) Posterior nerve-roots; (2)
posterior gray horns; (3) fasciculi cuneati (columns of Burdach, inclusive
of posterior root-zones); (4) fasciculi graciles (columns of Goll or posterior
median columns); (5) ascending cerebellar fasciculi; (6) columns of
Clarke. Parts of the kinesodic system: (7) Anterior roots; (8) anterior
columns (inclusive of anterior root-zones); (9) anterior gray horns; (10)
crossed pyramidal fasciculi; (11) direct pyramidal fasciculi (columns of
Türck); [10 and 11 are the intraspinal prolongation of the cerebral motor
tract]; (12) lateral columns, of ill-defined limits and unknown functions; P.
R., posterior roots; P. S., posterior septum; A. R., anterior roots; A. F.,
anterior fissure.
A. Lesions of the Æsthesodic System.—Limits of the Æsthesodic
System.—By this term we mean that combinations of ganglion-cells
and nerve-fibres whose functions are locally sensory, and of those
fibres which transmit impressions centripetally (frontad) to the
encephalon. The following are the recognized parts of this system,
as outlined on the diagram: (1) the posterior (dorsal) nerve-roots and
attached ganglia; (2) the posterior gray horn and central gray
substance to an unknown distance ventrad; (3) the fasciculi cuneati
(columns of Burdach), whose lateral parts are more particularly
designated as posterior root-zones; (4) the fasciculi graciles
(columns of Goll) or posterior median columns; (5) the fasciculi ad
cerebellum; (6) the vesicular columns of Clarke (most developed in
the dorsal part of the cord). All of these parts have sensory functions,
or at least transmit impressions centripetally, and they undergo
secondary (Wallerian) degeneration toward the encephalon—i.e.
frontad of a transverse lesion of the cord.3
3 There are some results of physiological experiments and a few isolated pathological
facts which would seem to point to the existence of other sensory (centripetal)
fasciculi in the lateral columns, but it would be wholly premature to make use of these
facts in a practical consideration of the subject.
At the present time there is only one lesion of the æsthesodic system
which can be diagnosticated during the patient's life from positive
symptoms.
(a) Lesions of the fasciculi cuneati (posterior root-zones, 3). The

symptoms of lesion (usually sclerosis) in this region are wholly
sensory and ataxic. At an early stage acute pains, fulgurating pains,
occur in the extremities; later paræsthesiæ, anæsthesia, and ataxia.
The fulgurating pains caused by the slowly-progressive lesion of the
posterior root-zones are very peculiar, and almost pathognomonic
(vide preceding article for their description). In some cases
paræsthesiæ precede the pains, which inversion of the usual order
must be due to a difference in the starting-point of the sclerosis
within the large fasciculi cuneati. Tendinous reflexes (especially the
patellar) are lost at an early period in the disease, and by noting the
disappearances of the different reflexes we can trace with some
accuracy the longitudinal extension of the sclerosis (vide Fig. 2). In
many cases the pupillary reflex is also abolished, constituting the
Argyll-Robertson pupil.
As negative characters of lesions of the posterior root-zones (and of

the rest of the æsthesodic system) we note absence of paralysis,
contracture, atrophy, and De R.
In the present state of our knowledge of spinal physiology and

pathology we think that a lesion in this location should be recognized
by the physician early and positively—in some cases years before
ataxia and other grosser symptoms make the diagnosis of locomotor
ataxia obvious even to a layman's eye.
(b) Lesions of the fasciculi graciles (column of Goll, 4) cannot, we

believe, be recognized directly by positive symptoms. There are a
few cases on record of primary (?) sclerosis of these columns, in
which during life vague sensory symptoms had been noted, but we
cannot build upon such data. Indirectly, however, we can in many
cases diagnosticate degeneration of these fasciculi, reasoning from
the data of pathological anatomy. Thus, for example, in advanced
cases of sclerosis of the fasciculi cuneati (posterior spinal sclerosis)
we know that in the dorsal and cervical regions of the cord the
columns of Goll are in a state of secondary degeneration. After
complete transverse division of the cord by injury, extreme pressure,
or focus of myelitis, etc. the same (centripetal) degeneration exists
above the lesion.
The same remarks apply fairly to our clinical knowledge of the

remaining parts of the æsthesodic system, columns of Clarke (6),
and fasciculi ad cerebellum (5). We know absolutely nothing of
lesions of the posterior horns (2) in their clinical and diagnostic
relations.
B. Lesions of the Kinesodic System.—Limits of the Kinesodic

System.—In general this includes the antero-lateral parts of the cord.
In a trans-section of the cord (vide Figs. 5 and 6) the following
columns and fasciculi are recognized, their location and limits being
made known to us by embryology, descriptive and pathological
anatomy: (7) The anterior (ventral) nerve-roots emerging from (8) the
true anterior columns or anterior root-zones; (9) the ventral (anterior)
gray horns with their groups of ganglion cells; (10) the crossed
pyramidal fasciculus, which is the caudal continuation of the cerebral
motor tract of the opposite hemisphere; (11) the direct pyramidal
column (column of Türck), which is the caudal continuation of the
cerebral motor part of the hemisphere on the same side; (12) the
antero-lateral column. Fasciculi 10 and 11 bear an inverse relation to
each other—i.e. 11 is larger in proportion as 10 is smaller.
FIG. 6.
Diagram of a Transverse Section of the Spinal Cord through the Lumbar

Enlargement: The æsthesodic system is shaded; the kinesodic system
unshaded. Parts of the æsthesodic system: (1) Posterior nerve-roots; (2)
posterior gray horns; (3) fasciculi cuneati (columns of Burdach, inclusive
of posterior root-zones); (4) fasciculi graciles (columns of Goll, or
posterior median columns); (5) ascending cerebellar fasciculi; (6)
columns of Clarke. Parts of the kinesodic system: (7) Anterior roots; (8)
anterior columns (inclusive of anterior root-zones); (9) anterior gray
horns; (10) crossed pyramidal fasciculi; (11) direct pyramidal fasciculi
(columns of Türck) [10 and 11 are the intraspinal prolongation of the
cerebral motor tract]; (12) lateral columns of ill-defined limits and
unknown functions; P. R., posterior roots; P. S., posterior septum; A. R.,
anterior roots; A. F., anterior fissure.
In a general way it may be stated that lesions of the kinesodic

system are characterized positively by the isolated existence or
predominance of motor symptoms, by impairment of muscular
nutrition, and by De R.; also by contractures. The reflexes are almost
never normal, being either exaggerated or lost. Negative symptoms
are—absence of sensory symptoms, of ataxia, and of vesical or
rectal symptoms.
(a) Lesions of the anterior gray horns (9) are revealed by most
definite and characteristic symptoms. There occurs a flaccid
paralysis involving more or less extensive groups of muscles in the
extremities, rarely truncal muscles, and never those of organic life. In
a few weeks the paralyzed muscles undergo atrophy, sometimes to
an extreme degree, and various degrees of De R. are present.
Cutaneous and tendinous reflexes are abolished. The bladder and
rectum are normal. Sensory symptoms absent, and if present consist
only of mild paræsthesiæ, which are probably due to postural
pressure upon nerve-trunks or to disturbance of the peripheral
circulation. There is no tendency to the formation of bed-sores, but
circulation and calorification are reduced in the paralyzed members.
It should be remembered that paralysis due to systematic lesion of
the anterior gray horns is never typically paraplegic, with horizontal
limit-line of sensory symptoms, a cincture feeling, and vesical
paralysis.
The above symptom-grouping is characteristic of lesion of the

anterior horns en masse; in other words, of poliomyelitis. In that form
of systematic disease of the anterior horns which consists primarily
and chiefly of a degeneration or molecular death of the ganglion cells
there is no true paralysis; the atrophy of muscles is infinitely slower,
and it proceeds in various muscles fasciculus by fasciculus, the
wasting being usually preceded by fibrillary contractions, and being
almost always symmetrically located on the two sides of the body
(affecting analogous or homologous parts). The electrical reactions
are abnormal, in that musculo-faradic reaction is lost in exact
proportion to the wasting; so that in a large muscle one part may
contract normally, while the adjacent fasciculi do not. It is as yet
uncertain whether De R. occur in this disease (progressive muscular
atrophy). Calorification and circulation are much less impaired than
in poliomyelitis; the negative symptoms are much the same.
It is sometimes difficult to distinguish poliomyelitis from generalized

neuritis. The diagnosis is to be made by the presence in the latter
disease of marked sensory symptoms—neuro-muscular pains,
numbness, slight anæsthesia—and by a grouping of symptoms
coinciding with the distribution of nerve-trunks and branches. No
assistance can be derived from electrical tests, as both diseases
yield more or less typical De R.
(b) Lesions of the spinal pyramidal tract (of fasciculi 10 and 11) are
followed by motor symptoms only—viz. paralysis and contracture—
or, in other words, by a spastic paralysis. Sensibility is unaffected;
the bladder, rectum, and truncal muscles are not distinctly paralyzed;
the reflexes are much increased, and ankle-clonus is often present.
The electrical reactions of the paralyzed muscles are normal,
qualitatively at least. The diagnosis of localization may be pushed
still farther by the following considerations:
(1) When the condition of spastic paralysis is unilateral, of

hemiplegic distribution, and follows an attack of cerebral disease of
some sort, we may feel sure that both the crossed and the direct
fasciculi of the pyramidal (10 and 11) belonging to one cerebral
motor tract are degenerated throughout the length of the spinal cord,
the crossed fasciculus on the paralyzed side and the direct on the
healthy side (same side as injured hemisphere). It would thus appear
that lesion of the direct pyramidal fasciculus (11) produces no
symptoms,4 except, of course, in those rare cases in which it is
larger than its associated crossed fasciculus.
4 Unless it be the increase of reflexes which is so often observed on the non-
paralyzed side in hemiplegics.
(2) The above symptoms may be bilateral, as observed in children

as a congenital or early-acquired condition. In such cases the four
fasciculi of the motor tract are degenerated or undeveloped, in
correspondence with a symmetrical bilateral lesion of the motor area
of the cerebrum—imperfect development or early destruction.
(3) When the legs alone are the seat of spastic paralysis, with
increased reflexes, spastic or tetanoid gait, without sensory
symptoms, the diagnosis of a primary sclerosis of both lateral
columns (inclusive of 10) of the spinal cord is justified.
(c) Lesions of antero-lateral columns of the cord (8 and 12), primary

and independent of lesions of the anterior horns or of the crossed
pyramidal fasciculus, cannot now be diagnosticated during life.
These large masses of fibres include fasciculi whose functions are
probably motor; others (especially in 12) whose functions, according
to recent experiments, may be sensory; and still others which are
associating or commissural.
(d) Various combinations of the above lesions occur, and may be

recognized positively during life: (1) Combined sclerosis of the
posterior columns and of the crossed pyramidal fasciculi (3 and 10),
indicated by ataxia with paralysis, absence of patellar reflex,
tendency to contracture, pains, and anæsthesia less marked than in
typical posterior spinal sclerosis. This symptom-group is usually
found in children; it is pre-eminently a family disease, and is known
as Friedreich's disease. Similar cases also occur in adults as a
strictly personal disease. (2) Secondary degeneration of the
pyramidal tract (10 and 11), with more or less localized atrophy of
cells in the anterior horns (9) coexists in two forms: First, in a few
cases of cerebral hemiplegia with contracture, and pathological
atrophy of various muscles on the paralyzed side; second, as a
distinctly spinal bilateral affection, characterized by a spastic or
tetanoid state of the lower extremities, and a mixture of atrophic
paralysis (vide (a)), with contracture in the arms and hands. This
latter form is the amyotrophic lateral sclerosis of Charcot.
SECOND QUESTION.—BEING GIVEN SYMPTOMS INDICATING A TOTAL

TRANSVERSE LESION OF THE SPINAL CORD, ONE INVOLVING ITS VARIOUS
SYSTEMS AT A CERTAIN LEVEL, TO DETERMINE THE ELEVATION OR FRONTO-
CAUDAL SITUATION OF THE LESION.
This question is usually easy of solution by the following method:

Since a transverse lesion of the spinal cord gives rise to both motor
and sensory symptoms of horizontal, paraplegic distribution caudad
of the lesion, the first thing to do is to determine accurately the upper
level of the symptom, either the line of anæsthesia or the limit of
paralysis. The former is always much more definite than the latter,
and usually serves as the guide to diagnosis, indicating accurately
the uppermost part of the lesion. In the thorax the levels of sensory
and motor symptoms nearly coincide, but in the extremities the
operation of Van der Kolk's law of distribution of motor and sensory
fibres of nerve-trunks must be borne in mind, although it does not
apply as strictly in this case as in nerve lesions strictly speaking.
Gowers's diagram will prove very serviceable in making a diagnosis
of transverse lesions, and will also prove of use in the study of
vertebral injury and disease, as it indicates with sufficient accuracy
the relation between vertebræ (spinous processes) and segments of
the spinal cord. (Vide Fig. 2.)
The following are the principal transverse localizations of disease

which are usually recognized during life by the above procedure:
(a) Lesions of the cauda equina (by tumors, caries, or fracture of the
bones, etc.) produce paralysis, anæsthesia, atrophy of muscles, with
De R., in the range of distribution of the sciatic nerves mainly. The
sphincter ani is paralyzed and relaxed, while the bladder remains
normal as a rule. In all essential respects this paraplegiform, but not
paraplegic, affection resembles that following injury to mixed nerve-
trunks. It is in reality an intra-spinal peripheral paralysis. The more
exact location of the lesion, in the absence of external physical signs
(fracture, etc.), may be approximately determined by a study of the
distribution of the symptoms and their relation to nerve-supply.
(b) Lesions of the lower end of the lumbar enlargement, or conus

medullaris, behind the first lumbar vertebra, will give rise to the same
symptoms as (a). The expression, lumbar part of the spinal cord,
should be more carefully used than it is at present in the discussion
of spinal injuries and spinal-cord diseases, disease of the lumbar
enlargement being common enough, but disease of the lumbar part
of the cord very rare. In the discussion of railway cases, more
especially, it is often forgotten that the spinal cord practically ends
behind the first lumbar vertebra.
(c) Lesions of the middle and upper parts (segments) of the lumbar
enlargement are evidenced by true paraplegia, without paralysis of
the abdominal muscles. In some cases the quadriceps group,
supplied by the crural nerve, is not paralyzed. The constriction and
the limit of anæsthesia are about the knees, at mid-thigh, or near the
groin in different cases. The paralyzed muscles, as a rule, retain
their irritability and show normal electrical reactions; the cutaneous
and tendinous reflexes are preserved or increased. The sphincter is
usually paralyzed, while the bladder is relatively unaffected.
(d) Transverse lesion of the dorsal spinal cord produces the classical
type of paraplegia—i.e. paralysis and anæsthesia of all parts caudad
of the lesion. The limit of anæsthesia and the constriction band are
nearly horizontal, and their exact level varies with the height of the
lesion, from the hypogastric region to above the nipples. Below the
level of anæsthesia, which indicates by the number of the dorsal
nerve the upper limit of the cord lesion, there are complete paralysis,
retention of urine, constipation with relaxed sphincter ani, greatly
exaggerated reflexes in the lower extremities, even to spinal
epilepsy; the muscles preserve their volume fairly well, and their
electrical reactions are normal—sensibility in all its modes is
abolished; bed-sores are easily provoked. Retention of urine is an
early symptom in lesion of the middle dorsal region of the cord—
sometimes, in our experience, preceding symptoms in the legs.
(e) A transverse lesion of the cord at the level of the last cervical and
first dorsal nerves—i.e. in the lower part of the cervical enlargement
—gives rise to typical paraplegia with a sensory limit-line at or just
below the clavicle, but also with some very peculiar symptoms
superadded. These characteristic symptoms are in the upper
extremities, and consist of paralysis and anæsthesia in the range of
distribution of the ulnar nerves. In the arms the anæsthesia will be
found along the lower ulnar aspect of the forearm, the ulnar part of
the hands, the whole of the little fingers, and one half of the annuli.
There will be paralysis (and in some cases atrophy with De R.)
affecting the flexor carpi ulnaris, the hypothenar eminence, the
interossei, and the ulnar half of the thenar group of muscles,
producing in most cases a special deformity of the hand known as
claw-hand or main-en-griffe. Another important symptom of a
transverse lesion in this location is complete paralysis of all the
intercostal and abdominal muscles, rendering respiration
diaphragmatic and making coughing and expectoration impossible.
The breathing is abdominal in type, and asphyxia is constantly
impending.
(f) A transverse lesion of the upper part of the cervical enlargement,

below the origin of the fourth cervical nerve, gives rise to symptoms
designated as cervical or total paraplegia. The lower extremities and
trunk are as in (d) and (e), but besides both arms are completely
paralyzed and anæsthetic. The limit of anæsthesia usually extends
along the clavicles to the acromion processes, or a little below, near
the deltoid insertions. All reflexes caudad of this line are vastly
increased, either with tonic or clonic contractions. In some cases of
pressure upon the cervical cord by tumors, caries of vertebræ, etc.
the tetanoid or spastic state of the extremities (the lower more
especially) may precede paralysis for a long time; as the
compression increases paralysis becomes more and more marked,
while the reflexes remain high. This constitutes the clinical group we
described in 1873 as tetanoid pseudo-paraplegia.
(g) Transverse lesions of the spinal cord from the decussation of the
pyramids to the fourth cervical nerve are very rare, and usually of
traumatic origin. They produce complete paralysis of the entire body,
and also of the diaphragm (third and fourth cervical nerves), thus
causing death by apnœa in a very short time.
(h) In ascending paralysis (Landry) the above symptom-groups,

excepting (a), (b), are met with at successive stages of the disease,
often by almost daily accession, until finally respiration ceases.
(i) The height of a transverse localized lesion (e.g. a stab-wound) of

one lateral half of the spinal cord is to be determined by the various
groupings of symptoms stated in the preceding paragraphs, the chief
guide being the limit-line between the sensitive and anæsthetic
portions of the body, measured vertically. The symptoms are,
however, distributed in a very remarkable manner on either side of
the median line. The paralysis will be found on the same side as the
lesion, often accompanied by hyperæsthesia, vaso-motor paralysis,
and loss of muscular sense, while the anæsthesia is on the other
side of the body. When such a lesion occurs below the first dorsal
nerve, the symptom-group is designated as hemiparaplegia; when
the lesion is higher up, so as to paralyze the arms, the affection is
termed spinal hemiplegia (Brown-Séquard).
Above the decussation of the pyramids total transverse lesions are

practically unknown, so that the second question need not be
followed farther.
By means of the data above given we are also enabled to determine

the length—i.e. fronto-caudal extension—of the systematic lesions of
the cord.
The symptoms of transverse lesions of the spinal cord are not

exclusively caudad of the lesion, and some very striking ones are
observable in the head. In lesions of the upper part of the dorsal cord
and of the cervical enlargement (e, f, g) we observe vaso-motor and
pupillary symptoms, due to injury of the spinal origin of the cervical
sympathetic nerve; the pupils are contracted; the cheeks and ears
congested and unnaturally warm; the cutaneous secretions are
increased. In other words, the symptoms about the head, frontad of
the lesion, are the same as those we produce experimentally in
animals by section of the cervical sympathetic or of the lower
cervical cord. In hemi-lesion of the cord, in man as in animals, these
symptoms are unilateral, on the same side as the injury.
Another point to be remembered in the study of transverse lesions of

the spinal cord is that the lesion may involve enough of the anterior
gray horns to give rise to atrophic paralysis with De R. in some few
muscles deriving their motor innervation from the focus of disease.
This is not rarely seen in cervical paraplegia.
THIRD QUESTION.—BEING GIVEN VERY LIMITED MOTOR OR SENSORY

SYMPTOMS OF SPINAL ORIGIN, TO DETERMINE THE EXACT LOCATION OF THE
FOCAL LESIONS CAUSING THEM.
(a) In the range of sensory disturbances this question rarely presents

itself for solution. Localized anæsthesia and pain of spinal origin
(except the fulgurating pains of tabes) are rare, and we do not know
the relation of cutaneous areas with the spinal segments as well as
we know the motor innervations. It should be stated here, however,
that the location of a fixed pain and of a zone of anæsthesia is often
of great value in determining what spinal nerve is affected, just
outside of the cord itself, by such directly-acting lesions as vertebral
caries, spinal pachymeningitis, tumors upon the spinal cord, etc.
Among the various symptoms of Pott's disease of the spine, fixed
pains in one side of the trunk, in one thigh, or in the upper occipital
region, etc. is a sign against which the physician should always be
on his guard, as it is a very early and valuable indication of the
existence of an affection which requires special treatment as soon as
a diagnosis can be made.
(b) Localized motor symptoms of spinal origin calling for a diagnosis

of the focal lesions causing them are frequent, and are mostly met
with in two affections—viz. progressive muscular atrophy and
poliomyelitis. The problem is now capable in many cases of an
approximately exact solution by the deductive application of our
knowledge of the intimate connection between certain muscles and
muscular groups and limited portions or segments of the spinal cord
(anterior gray horns more especially). This knowledge has been
accumulated and organized from ordinary anatomy, physiological
experiments, and more especially from carefully-made autopsies
with microscopic examination of the cord. We cannot present this
subject better than by reproducing a tabular statement of these
results prepared by M. Allen Starr.5 Future autopsies may correct this
table, and in making use of it the occurrence of anomalous nerve-
distribution should be remembered:
LOCALIZATION OF FUNCTIONS IN THE VARIOUS SEGMENTS OF

THE SPINAL CORD.
5 “The Localization of Functions of the Spinal Cord,” American Journal Neurology and
Psychiatry, iii., 1884.
The above table should be studied in connection with Gowers's

diagram of the vertebral column and spinal cord (Fig. 2, p. 53), for
the thorough study of cases of neural and spinal localization.
Additional details of much value with respect to the peripheral nerve
distribution are accessible in the works of Ranney6 and Ross7.
6 The Applied Anatomy of the Nervous System, N. Y., 1881, p. 355 et seq.
7 Handbook of Diseases of the Nervous System, Am. ed., Philada., 1885, p. 356 et
seq.
III. The Localization of Lesions in the Medulla Oblongata.
In general terms, lesions of the oblongata are characterized by the

early appearance and prominence of motor symptoms in the mouth,
throat, and larynx, and by bilaterality of the symptoms. Remote
symptoms consist of disturbances in the cardiac action and in the
functions of some intra-abdominal organs. There may also be more
or less paralysis of all the extremities. These lesions may
conveniently be classified, like those of the cord, into systematic and
focal.
A. SYSTEMATIC LESIONS OF THE OBLONGATA.—1. Systematic lesions of
the æsthesodic system of the oblongata are, for purposes of
practical diagnosis, unknown at the present time.
2. Systematic lesions of the kinesodic system of the oblongata, on

the other hand, are often positively recognizable during the patient's
life.
(a) The most strictly systematic and most frequent of these lesions is
that of secondary (Wallerian) degeneration of the pyramids, the
prolongation of the cerebral motor tract. This morbid change gives
rise to no distinct bulbar symptoms, and it can only be diagnosticated
inferentially or inclusively by determining the existence of secondary
degeneration of the entire pyramidal tract, from the occurrence of
hemiplegia followed by contracture and increased reflexes. If the
phenomena present be those of double spastic hemiplegia, there is
surely degeneration of both pyramids.
(b) A systematic lesion affects the nuclei (origins) of the facial,

hypoglossal, pneumogastric, spinal accessory, and the motor root of
the trigeminus nerves, giving rise to a classical symptom-group. The
symptoms thus produced are exclusively (?) motor and trophic,
consisting of progressively increasing paresis, with atrophy of the
muscles about the lips and cheeks, the intrinsic lingual muscles, the
laryngeal and pharyngeal muscles. Later, the masseters, temporals,
and pterygoids are sometimes involved; and, finally, extremely rapid
action of the heart with pneumonic symptoms indicates the gravest
extension of the morbid process. An early symptom in such cases is
abnormal salivation. These affections, generally designated as
varieties of bulbar paralysis, subacute or chronic, are usually readily
recognized intra vitam, and recent discoveries in morbid anatomy
have enabled us to correctly diagnosticate the seat of the lesion in its
various extensions. The laryngeal paralysis represents disintegration
(atrophy) of ganglion-cells in the bulbar origin of the spinal accessory
nerve; lingual atrophic paralysis indicates the same lesion in the
nuclei of the hypoglossal nerves; the labio-buccal symptoms are
produced by lesion of the facial nerve nucleus (inferior facial nucleus
of older writers); the paralysis of the muscles of mastication is due to
extension of cell-degeneration to the motor nucleus of the trigeminus
in the pons; and the final cardio-pulmonary symptoms indicate an
extension of the lesion into the sensory (?) origin of the
pneumogastric nerves.
It is evident that this systematic lesion of the oblongata is the

equivalent or analogue of the various acute and chronic lesions of
the anterior horns of the spinal cord, described supra, and in practice
we sometimes find these bulbar and spinal lesions associated:
progressive muscular atrophy of the extremities and amyotrophic
lateral sclerosis being complicated with bulbar paralysis.
B. FOCAL LESIONS OF THE MEDULLA OBLONGATA, as at present known,

occur mostly in the kinesodic system, but may also involve several
fasciculi and nuclei at one time. The symptoms of such lesions are
grouped in two principal types:
(a) Single symptoms, such as atrophy or atrophic paralysis of some

one muscle or muscular group innervated by the hypoglossal, facial,
or spinal accessory nerves. For example, unilateral atrophy of the
tongue, when not due to neural injury, is quite surely the
representative of destruction of one hypoglossal nucleus. It is
possible that some cases of peripheral facial paralysis, so-called, or
Bell's palsy, and cases of paralysis of the sterno-mastoid and
trapezius, are not due to neural lesion, but to primary disease of the
nuclei of the facial and spinal accessory nerves, either as
poliomyelitis or as progressive cell-degeneration and atrophy.
A similar reserve must be used in speaking of the localization of

small lesions in the oblongata, causing diabetes mellitus, polyuria,
albuminuria, and salivation. From experiments upon animals and a
few post-mortem examinations in human cases we know that such
lesions may occur and cause the symptoms, but their recognition
during the patient's life is at the present time next to impossible.
(b) The symptoms may be complex and belong to the general class
of crossed paralysis, the mouth, face, tongue, and larynx being

Download textbook Advances In Cryptology Eurocrypt 2018 37Th Annual International Conference On The Theory And Applications Of Cryptographic Techniques Tel Aviv Israel April 29 May 3 2018 Proceedings Part I Jesper Buus ebook all chapter pdf

Uploaded by

Copyright:

Available Formats

You might also like

Download textbook Advances In Cryptology Eurocrypt 2018 37Th Annual International Conference On The Theory And Applications Of Cryptographic Techniques Tel Aviv Israel April 29 May 3 2018 Proceedings Part I Jesper Buus ebook all chapter pdf

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Download textbook Advances In Cryptology Eurocrypt 2018 37Th Annual International Conference On The Theory And Applications Of Cryptographic Techniques Tel Aviv Israel April 29 May 3 2018 Proceedings Part I Jesper Buus ebook all chapter pdf

Uploaded by

Copyright:

Available Formats

Advances in Cryptology EUROCRYPT

2018 37th Annual International

Advances in Cryptology EUROCRYPT 2017 36th Annual

Advances in Cryptology EUROCRYPT 2017 36th Annual

Advances in Cryptology CRYPTO 2018 38th Annual

Advances in Cryptology CRYPTO 2020 40th Annual

Advances in Cryptology – ASIACRYPT 2018: 24th

Advances in Cryptology – ASIACRYPT 2018: 24th

Advances in Cryptology CRYPTO 2020 40th Annual

Advances in Cryptology – ASIACRYPT 2017: 23rd

ISSN 0302-9743 ISSN 1611-3349 (electronic)

Library of Congress Control Number: 2018937382

LNCS Sublibrary: SL4 – Security and Cryptology

© International Association for Cryptologic Research 2018

Printed on acid-free paper

Finally, we thank everyone else — speakers, session chairs, and rump-session

May 2018 Jesper Buus Nielsen

The 37th Annual International Conference

Sponsored by the International Association for Cryptologic Research

April 29 – May 3, 2018

Martin Hirt ETH Zurich, Switzerland

Masayuki Abe Divesh Aggarwal Bar Alon

Daniel Apon Chitchanok Romain Gay

Ilya Kizhvatov Marta Mularczyk Ron Rothblum

Philip Vejre Hoeteck Wee Shota Yamada

Inria, Paris, France

Abstract. Twenty-ﬁve years ago, the deﬁnition of security criteria associated to

Johns Hopkins University

On the Bit Security of Cryptographic Primitives . . . . . . . . . . . . . . . . . . . . . 3

On the Gold Standard for Security of Universal Steganography . . . . . . . . . . 29

Memory Lower Bounds of Reductions Revisited. . . . . . . . . . . . . . . . . . . . . 61

Fiat-Shamir and Correlation Intractability from Strong

On the Ring-LWE and Polynomial-LWE Problems . . . . . . . . . . . . . . . . . . . 146

Short, Invertible Elements in Partially Splitting Cyclotomic Rings

Random Oracle Model

Random Oracles and Non-uniformity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

Another Step Towards Realizing Random Oracles: Non-malleable

The Wonderful World of Global Random Oracles . . . . . . . . . . . . . . . . . . . . 280

Fully Homomorphic Encryption

Homomorphic Lower Digits Removal and Improved FHE Bootstrapping . . . . 315

Homomorphic SIM2 D Operations: Single Instruction Much More Data . . . . . 338

Bootstrapping for Approximate Homomorphic Encryption . . . . . . . . . . . . . . 360

Full Indifferentiable Security of the Xor of Two or More Random

An Improved Affine Equivalence Algorithm for Random Permutations . . . . . 413

Galois Counter Mode

Optimal Forgeries Against Polynomial-Based MACs and GCM . . . . . . . . . . 445

Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation,

Unbounded ABE via Bilinear Entropy Expansion, Revisited. . . . . . . . . . . . . 503

Anonymous IBE, Leakage Resilience and Circular Security from New

Improving the Linear Programming Technique in the Search for Lower

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623

Thunderella: Blockchains with Optimistic Instant Confirmation . . . . . . . . . . 3

But Why Does It Work? A Rational Protocol Design Treatment

Ouroboros Praos: An Adaptively-Secure, Semi-synchronous

Sustained Space Complexity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Multi-Collision Resistant Hash Functions and Their Applications . . . . . . . . . 133

Collision Resistant Hashing for Paranoids: Dealing

Synchronized Aggregate Signatures from the RSA Assumption. . . . . . . . . . . 197

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures. . . . . 230