Full Chapter Advances in Cryptology Crypto 2020 40Th Annual International Cryptology Conference Proceedings Part I Daniele Micciancio PDF

Advances in Cryptology CRYPTO 2020
40th Annual International Cryptology

Conference Proceedings Part I Daniele
Micciancio
Visit to download the full and correct content document:
https://textbookfull.com/product/advances-in-cryptology-crypto-2020-40th-annual-inter
national-cryptology-conference-proceedings-part-i-daniele-micciancio/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...
Advances in Cryptology CRYPTO 2020 40th Annual

International Cryptology Conference Proceedings Part II
Daniele Micciancio
https://textbookfull.com/product/advances-in-cryptology-
crypto-2020-40th-annual-international-cryptology-conference-
proceedings-part-ii-daniele-micciancio/
Advances in Cryptology CRYPTO 2018 38th Annual

International Cryptology Conference Proceedings Part II
Hovav Shacham
crypto-2018-38th-annual-international-cryptology-conference-
proceedings-part-ii-hovav-shacham/
Advances in Cryptology ASIACRYPT 2020 26th

International Conference on the Theory and Application
of Cryptology and Information Security Daejeon South
Korea December 7 11 2020 Proceedings Part I Shiho
Moriai
asiacrypt-2020-26th-international-conference-on-the-theory-and-
application-of-cryptology-and-information-security-daejeon-south-
korea-december-7-11-2020-proceedings-part-i-shiho/

Korea December 7 11 2020 Proceedings Part II Shiho
Moriai
Korea December 7 11 2020 Proceedings Part III Shiho
Moriai
korea-december-7-11-2020-proceedings-part-iii-shi/
Progress in Cryptology INDOCRYPT 2020 21st

International Conference on Cryptology in India
Bangalore India December 13 16 2020 Proceedings
Karthikeyan Bhargavan
https://textbookfull.com/product/progress-in-cryptology-
indocrypt-2020-21st-international-conference-on-cryptology-in-
india-bangalore-india-december-13-16-2020-proceedings-
karthikeyan-bhargavan/
Advances in Cryptology – ASIACRYPT 2018: 24th

of Cryptology and Information Security, Brisbane, QLD,
Australia, December 2–6, 2018, Proceedings, Part I
Thomas Peyrin
application-of-cryptology-and-information-security-brisbane-qld-
australia-december-2-6-201/

of Cryptology and Information Security Kobe Japan
December 8 12 2019 Proceedings Part I Steven D.
Galbraith
application-of-cryptology-and-information-security-kobe-japan-
december-8-12-2019-proceedings-part-i-steven-d-galb/
Advances in Cryptology EUROCRYPT 2018 37th Annual

International Conference on the Theory and Applications
of Cryptographic Techniques Tel Aviv Israel April 29
May 3 2018 Proceedings Part I Jesper Buus Nielsen
eurocrypt-2018-37th-annual-international-conference-on-the-
theory-and-applications-of-cryptographic-techniques-tel-aviv-
Daniele Micciancio
Thomas Ristenpart (Eds.)
LNCS 12170
Advances in Cryptology –
CRYPTO 2020
40th Annual International Cryptology Conference, CRYPTO 2020
Santa Barbara, CA, USA, August 17–21, 2020
Proceedings, Part I
Lecture Notes in Computer Science 12170
Founding Editors
Gerhard Goos
Karlsruhe Institute of Technology, Karlsruhe, Germany
Juris Hartmanis
Cornell University, Ithaca, NY, USA
Editorial Board Members

Elisa Bertino
Purdue University, West Lafayette, IN, USA
Wen Gao
Peking University, Beijing, China
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Gerhard Woeginger
RWTH Aachen, Aachen, Germany
Moti Yung
Columbia University, New York, NY, USA
More information about this series at http://www.springer.com/series/7410
Daniele Micciancio Thomas Ristenpart (Eds.)
•
Advances in Cryptology –
CRYPTO 2020
40th Annual International Cryptology Conference, CRYPTO 2020
Santa Barbara, CA, USA, August 17–21, 2020
Proceedings, Part I
123
Editors
Daniele Micciancio Thomas Ristenpart
UC San Diego Cornell Tech
La Jolla, CA, USA New York, NY, USA
ISSN 0302-9743 ISSN 1611-3349 (electronic)

Lecture Notes in Computer Science
ISBN 978-3-030-56783-5 ISBN 978-3-030-56784-2 (eBook)
https://doi.org/10.1007/978-3-030-56784-2
LNCS Sublibrary: SL4 – Security and Cryptology
© International Association for Cryptologic Research 2020

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, expressed or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.
This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface
The 40th International Cryptology Conference (Crypto 2020), sponsored by the

International Association of Cryptologic Research (IACR), was exceptional in many
ways. The COVID-19 pandemic meant that for the first time in the conference’s
40-year history, Crypto was not held at the University of California, Santa Barbara.
Safety mandated that we shift to an online-only virtual conference.
Crypto 2020 received 371 submissions. Review occurred during what, for many
countries, was the height thus far of pandemic spread and lockdowns. We thank the 54
person Program Committee (PC) and the 286 external reviewers for their efforts to
ensure that, in the face of challenging work environments, illness, and death, we
nevertheless were able to perform a standard double-blind review process in which
papers received multiple independent reviews, authors were allowed a rebuttal, and
papers were subsequently further reviewed and discussed. The two program chairs
were not allowed to submit a paper, and PC members were limited to two submissions
each. The PC ultimately selected 85 papers for acceptance, a record number for Crypto.
The PC selected four papers to receive recognition via awards, via a voting-based
process that took into account conflicts of interest (including for the program chairs).
Three papers were selected to receive a Best Paper award and were invited to the
Journal of Cryptology: “Improved Differential-Linear Attacks with Applications to
ARX Ciphers” by Christof Beierle, Gregor Leander, and Yosuke Todo; “Breaking the
Decisional Diffie-Hellman Problem for Class Group Actions using Genus Theory” by
Wouter Castryck, Jana Sotáková, and Frederik Vercauteren; and “Chosen Ciphertext
Security from Injective Trapdoor Functions” by Susan Hohenberger, Venkata Koppula,
and Brent Waters. One paper was selected to receive the Best Paper by Early Career
Researchers award: “Handling Adaptive Compromise for Practical Encryption
Schemes” by Joseph Jaeger and Nirvan Tyagi.
In addition to the regular program, Crypto 2020 included the IACR Distinguished
Lecture by Silvio Micali on “Our Models and Us” and an invited talk by Seny Kamara
on “Crypto for the People”. Crypto 2020 carried forward the long-standing tradition of
having a rump session, this year organized in a virtual format by Antigoni Polychro-
niadou, Bertram Poettering, and Martijn Stam.
The chairs would also like to thank the many people whose hard work helped ensure
Crypto 2020 was a success:
– Leonid Reyzin (Boston University) – Crypto 2020 general chair.
– Sophia Yakoubov for helping with general chair duties, and Muthuramakrishnan
Venkitasubramaniam, Tal Rabin, and Fabrice Benhamouda for providing valuable
advice to the general chair.
– Carmit Hazay (Bar Ilan University) – Crypto 2020 workshop chair.
– Antigoni Polychroniadou, Bertram Poettering, and Martijn Stam – Crypto 2020
rump session chairs.
vi Preface
– Chris Peikert for his role in overseeing reviews and the Best Paper by Early Career
Researchers award selection for which the program chairs were conflicted.
– Kevin McCurley and Christian Cachin for their critical assistance in setting up
and managing a (new for Crypto) paper submission and review system.
– Kevin McCurley, Kay McKelly, and members of the IACR’s emergency pandemic
team for their work in designing and running the virtual format.
– Whitney Morris and Eriko Macdonald from UCSB event services for their help
navigating the COVID-19 shutdown logistics.
– Anna Kramer and her colleagues at Springer.
July 2020 Daniele Micciancio

Thomas Ristenpart
Organization
General Chair
Leonid Reyzin Boston University, USA
Program Committee Chairs

Daniele Micciancio UC San Diego, USA
Thomas Ristenpart Cornell Tech, USA
Program Committee
Adi Akavia University of Haifa, Israel
Martin Albrecht Royal Holloway, University of London, UK
Roberto Avanzi ARM, Germany
Lejla Batina Radboud University, The Netherlands
Jeremiah Blocki Purdue University, USA
David Cash University of Chicago, USA
Melissa Chase Microsoft Research, USA
Hao Chen Microsoft Research, USA
Ilaria Chillotti KU Leuven, Zama, Belgium
Henry Corrigan-Gibbs EPFL, Switzerland, and MIT CSAIL, USA
Craig Costello Microsoft Research, USA
Joan Daemen Radboud University, The Netherlands
Thomas Eisenbarth University of Lübeck, Germany
Pooya Farshim University of York, UK
Sanjam Garg UC Berkeley, USA
Daniel Genkin University of Michigan, USA
Steven Goldfeder Cornell Tech, USA
Shay Gueron University of Haifa, Israel, and AWS, USA
Felix Günther ETH Zurich, Switzerland
Tetsu Iwata Nagoya University, Japan
Tibor Jager Bergische Universitaet, Germany
Antoine Joux CISPA – Helmholtz Center for Information Security,
Germany
Jonathan Katz George Mason Univeristy, USA
Eike Kiltz Ruhr University Bochum, Germany
Elena Kirshanova I.Kant Baltic Federal University, Russia
Venkata Koppula Weizmann Institute of Science, Isarel
Anna Lysyanskaya Brown University, USA
Vadim Lyubashevsky IBM Research Zurich, Switzerland
Mohammad Mahmoody University of Virginia, USA
viii Organization
Giulio Malavolta Carnegie Mellon University and UC Berkeley, USA

Florian Mendel Infineon Technologies, Germany
María Naya-Plasencia Inria, France
Adam O’Neill University of Massachusetts, USA
Olya Ohrimenko The University of Melbourne, Australia
Claudio Orlandi Aarhus University, Denmark
Elisabeth Oswald University of Klagenfurt, Austria
Chris Peikert University of Michigan, USA
Bertram Poettering IBM Research Zurich, Switzerland
Antigoni Polychroniadou JP Morgan AI Research, USA
Ananth Raghunathan Google, USA
Mariana Raykova Google, USA
Christian Rechberger TU Graz, Austria
Alon Rosen IDC, Israel
Mike Rosulek Oregon State University, USA
Alessandra Scafuro NC State University, USA
Dominique Schroeder Florida Atlantic University, USA
Thomas Shrimpton University of Florida, USA
Fang Song Texas A&M University, USA
Marc Stevens CWI Amsterdam, The Netherlands
Dominique Unruh University of Tartu, Estonia
Michael Walter IST, Austria
David Wu University of Virginia, USA
Additional Reviewers
Masayuki Abe Fabrice Benhamouda

Shweta Agrawal Sebastian Berndt
Shashank Agrawal Ward Beullens
Shweta Agrawal Ritam Bhaumik
Gorjan Alagic Nina Bindel
Navid Alamati Alex Block
Greg Alpar Xavier Bonnetain
Joel Alwen Charlotte Bonte
Elena Andreeva Carl Bootland
Gilad Asharov Jonathan Bootle
Thomas Attema Raphael Bost
Saikrishna Badrinarayanan Christina Boura
Shi Bai Elette Boyle
Foteini Baldimtsi Zvika Brakerski
Marshall Ball Benedikt Bünz
James Bartusek Matteo Campanelli
Carsten Baum Anne Canteaut
Asli Bay André Chailloux
Mihir Bellare Suvradip Chakraborty
Organization ix
Yilei Chen Nicholas Genise

Jie Chen Rosario Gennaro
Nai-Hui Chia Marios Georgiou
Arka Rai Choudhuri Riddhi Ghosal
Kai-Min Chung Satrajit Ghosh
Michele Ciampi Esha Ghosh
Carlos Cid Koustabh Ghosh
Michael Clear Irene Giacomelli
Ran Cohen Andras Gilyen
Kelong Cong S. Dov Gordon
Aisling Connolly Rishab Goyal
Sandro Coretti Lorenzo Grassi
Daniele Cozzo Matthew Green
Tingting Cui Hannes Gross
Benjamin Curtis Aldo Gunsing
Jan Czajkowski Tim Güneysu
Dana Dachman-Soled Mohammad Hajiabadi
Alex Davidson Shai Halevi
Leo De Castro Koki Hamada
Luca De Feo Dominik Hartmann
Thomas Debris Eduard Hauck
Jean Paul Degabriele Carmit Hazay
Cyprien Delpech de Saint Guilhem Alexander Helm
Patrick Derbez Lukas Helminger
Apoorvaa Deshpande Julia Hesse
Benjamin Diamond Dennis Hofheinz
Christoph Dobraunig Alex Hoover
Nico Doettling Akinori Hosoyamada
Benjamin Dowling Kathrin Hövelmanns
Yfke Dulek Andreas Hülsing
Stefan Dziembowski Ilia Iliashenko
Christoph Egger Gorka Irazoqui
Maria Eichlseder Joseph Jaeger
Daniel Escudero Eli Jaffe
Saba Eskandarian Abhishek Jain
Serge Fehr Aayush Jain
Rex Fernando Samuel Jaques
Dario Fiore Stanislaw Jarecki
Ben Fisch Zhengfeng Ji
Wieland Fischer Zhengzhong Jin
Nils Fleischhacker Saqib Kakvi
Daniele Friolo Daniel Kales
Georg Fuchsbauer Chethan Kamath
Tommaso Gagliardoni Akinori Kawachi
Juan Garay Mahimna Kelkar
Romain Gay Hamidreza Khoshakhlagh
x Organization
Dakshita Khurana Pratyay Mukherjee

Sam Kim Michael Naehrig
Michael Kim Samuel Neves
Susumu Kiyoshima Ruth Francis Ng
Karen Klein Ngoc Khanh Nguyen
Dmitry Kogan Valeria Nikolaenko
Markulf Kohlweiss Ryo Nishimaki
Ilan Komargodski Satoshi Obana
Daniel Kuijsters Sabine Oechsner
Mukul Kulkarni Jiaxin Pan
Ashutosh Kumar Omer Paneth
Stefan Kölbl Lorenz Panny
Thijs Laarhoven Sunoo Park
Russell W. F. Lai Alain Passelègue
Kim Laine Valerio Pastro
Virginie Lallemand Jacques Patarin
Changmin Lee Kenneth Paterson
Tancrede Lepoint Alice Pellet–Mary
Antonin Leroux Zack Pepin
Gaëtan Leurent Ludovic Perret
Kevin Lewi Léo Perrin
Baiyu Li Peter Pessl
Xin Li Jeroen Pijnenburg
Xiao Liang Benny Pinkas
Feng-Hao Liu Rachel Player
Alex Lombardi Oxana Poburinnaya
Julian Loss Eamonn Postlethwaite
Ji Luo Robert Primas
Fermi Ma Willy Quach
Bernardo Magri Rahul Rachuri
Urmila Mahadev Ahmadreza Rahimi
Christian Majenz Divya Ravi
Eleftheria Makri Ling Ren
Nathan Manohar Joost Renes
Sai Krishna Deepak Maram M. Sadegh Riazi
Daniel Masny João L. Ribeiro
Eleanor McMurtry Silas Richelson
Sarah Meiklejohn Doreen Riepel
Bart Mennink Dragos Rotaru
Peihan Miao Ron Rothblum
Tarik Moataz Adeline Roux-Langlois
Esfandiar Mohammadi Arnab Roy
Hart Montgomery Carla Ràfols
Tal Moran Paul Rösler
Andrew Morgan Simona Samardjiska
Fabrice Mouhartem Yu Sasaki
Organization xi
John Schanck Ni Trieu

Patrick Schaumont Rotem Tsabary
Martin Schläffer Daniel Tschudi
Jonas Schneider-Bensch Vinod Vaikuntanathan
Peter Scholl Thyla van der Merwe
André Schrottenloher Prashant Vasudevan
Sven Schäge Marloes Venema
Adam Sealfon Muthuramakrishnan
Gil Segev Venkitasubramaniam
Gregor Seiler Damien Vergnaud
Okan Seker Thomas Vidick
Nicolas Sendrier Fernando Virdia
Sacha Servan-Schreiber Ivan Visconti
Karn Seth Satyanarayana Vusirikala
Yannick Seurin Riad Wahby
Siamak Shahandashti Xiao Wang
Devika Sharma Brent Waters
Sina Shiehian Hoeteck Wee
Omer Shlomovits Christian Weinert
Omri Shmueli Weiqiang Wen
Mark Simkin Erich Wenger
Boris Škorić Daniel Wichs
Yongsoo Song Luca Wilke
Pratik Soni Keita Xagawa
Florian Speelman Min Xu
Nicholas Spooner Sophia Yakoubov
Akshayaram Srinivasan Rupeng Yang
Douglas Stebila Eylon Yogev
Damien Stehlé Yu Yu
Noah Stephens-Davidowitz Greg Zaverucha
Younes Talibi Alaoui Mark Zhandry
Titouan Tanguy Tina Zhang
Stefano Tessaro Fan Zhang
Aravind Thyagarajan Yupeng Zhang
Radu Titiu Vassilis Zikas
Yosuke Todo
Contents – Part I
Security Models
Handling Adaptive Compromise for Practical Encryption Schemes . . . . . . . . 3

Joseph Jaeger and Nirvan Tyagi
Overcoming Impossibility Results in Composable Security Using

Interval-Wise Guarantees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Daniel Jost and Ueli Maurer
Indifferentiability for Public Key Cryptosystems . . . . . . . . . . . . . . . . . . . . . 63

Mark Zhandry and Cong Zhang
Quantifying the Security Cost of Migrating Protocols to Practice . . . . . . . . . 94

Christopher Patton and Thomas Shrimpton
Symmetric and Real World Cryptography
The Memory-Tightness of Authenticated Encryption . . . . . . . . . . . . . . . . . . 127

Ashrujit Ghoshal, Joseph Jaeger, and Stefano Tessaro
Time-Space Tradeoffs and Short Collisions in Merkle-Damgård

Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Akshima, David Cash, Andrew Drucker, and Hoeteck Wee
The Summation-Truncation Hybrid: Reusing Discarded Bits for Free. . . . . . . 187

Aldo Gunsing and Bart Mennink
Security Analysis of NIST CTR-DRBG . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Viet Tung Hoang and Yaobin Shen
Security Analysis and Improvements for the IETF MLS Standard

for Group Messaging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Joël Alwen, Sandro Coretti, Yevgeniy Dodis, and Yiannis Tselekounis
Universally Composable Relaxed Password Authenticated Key Exchange . . . . 278

Michel Abdalla, Manuel Barbosa, Tatiana Bradley, Stanisław Jarecki,
Jonathan Katz, and Jiayu Xu
Anonymous Tokens with Private Metadata Bit . . . . . . . . . . . . . . . . . . . . . . 308

Ben Kreuter, Tancrède Lepoint, Michele Orrù, and Mariana Raykova
xiv Contents – Part I
Hardware Security and Leakage Resilience
Random Probing Security: Verification, Composition, Expansion

and New Constructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Sonia Belaïd, Jean-Sébastien Coron, Emmanuel Prouff,
Matthieu Rivain, and Abdul Rahman Taleb
Mode-Level vs. Implementation-Level Physical Security in Symmetric

Cryptography: A Practical Guide Through the Leakage-Resistance Jungle . . . 369
Davide Bellizia, Olivier Bronchain, Gaëtan Cassiers, Vincent Grosso,
Chun Guo, Charles Momin, Olivier Pereira, Thomas Peters,
and François-Xavier Standaert
Leakage-Resilient Key Exchange and Two-Seed Extractors . . . . . . . . . . . . . 401

Xin Li, Fermi Ma, Willy Quach, and Daniel Wichs
Outsourced Encryption
Lower Bounds for Encrypted Multi-Maps and Searchable Encryption

in the Leakage Cell Probe Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Sarvar Patel, Giuseppe Persiano, and Kevin Yeo
Fast and Secure Updatable Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464

Colin Boyd, Gareth T. Davies, Kristian Gjøsteen, and Yao Jiang
Incompressible Encodings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494

Tal Moran and Daniel Wichs
Constructions
New Constructions of Hinting PRGs, OWFs with Encryption, and More . . . . 527
Rishab Goyal, Satyanarayana Vusirikala, and Brent Waters
Adaptively Secure Constrained Pseudorandom Functions

in the Standard Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
Alex Davidson, Shuichi Katsumata, Ryo Nishimaki, Shota Yamada,
and Takashi Yamakawa
Collusion Resistant Watermarkable PRFs from Standard Assumptions . . . . . . 590

Rupeng Yang, Man Ho Au, Zuoxia Yu, and Qiuliang Xu
Verifiable Registration-Based Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 621

Rishab Goyal and Satyanarayana Vusirikala
New Techniques for Traitor Tracing: Size N 1=3 and More from Pairings . . . . 652
Mark Zhandry
Contents – Part I xv
Public Key Cryptography
Functional Encryption for Attribute-Weighted Sums from k-Lin . . . . . . . . . . 685

Michel Abdalla, Junqing Gong, and Hoeteck Wee
Amplifying the Security of Functional Encryption, Unconditionally . . . . . . . . 717

Aayush Jain, Alexis Korb, Nathan Manohar, and Amit Sahai
Dynamic Decentralized Functional Encryption . . . . . . . . . . . . . . . . . . . . . . 747

Jérémy Chotard, Edouard Dufour-Sans, Romain Gay,
Duong Hieu Phan, and David Pointcheval
On Succinct Arguments and Witness Encryption from Groups . . . . . . . . . . . 776

Ohad Barta, Yuval Ishai, Rafail Ostrovsky, and David J. Wu
Fully Deniable Interactive Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807

Ran Canetti, Sunoo Park, and Oxana Poburinnaya
Chosen Ciphertext Security from Injective Trapdoor Functions . . . . . . . . . . . 836

Susan Hohenberger, Venkata Koppula, and Brent Waters
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 867

Contents – Part II
Public Key Cryptanalysis
A Polynomial-Time Algorithm for Solving the Hidden Subset

Sum Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Jean-Sébastien Coron and Agnese Gini
Asymptotic Complexities of Discrete Logarithm Algorithms

in Pairing-Relevant Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Gabrielle De Micheli, Pierrick Gaudry, and Cécile Pierrot
Comparing the Difficulty of Factorization and Discrete Logarithm:

A 240-Digit Experiment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Fabrice Boudot, Pierrick Gaudry, Aurore Guillevic, Nadia Heninger,
Emmanuel Thomé, and Paul Zimmermann
Breaking the Decisional Diffie-Hellman Problem for Class Group Actions

Using Genus Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Wouter Castryck, Jana Sotáková, and Frederik Vercauteren
A Classification of Computational Assumptions in the Algebraic

Group Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Balthazar Bauer, Georg Fuchsbauer, and Julian Loss
Lattice Algorithms and Cryptanalysis
Fast Reduction of Algebraic Lattices over Cyclotomic Fields . . . . . . . . . . . . 155

Paul Kirchner, Thomas Espitau, and Pierre-Alain Fouque
Faster Enumeration-Based Lattice Reduction:

Root Hermite Factor k1=ð2kÞ Time k k=8 þ oðkÞ . . . . . . . . . . . . . . . . . . . . . . . . . 186
Martin R. Albrecht, Shi Bai, Pierre-Alain Fouque, Paul Kirchner,
Damien Stehlé, and Weiqiang Wen
Lattice Reduction for Modules,

or How to Reduce ModuleSVP to ModuleSVP . . . . . . . . . . . . . . . . . . . . . . 213
Tamalika Mukherjee and Noah Stephens-Davidowitz
Random Self-reducibility of Ideal-SVP via Arakelov Random Walks. . . . . . . 243

Koen de Boer, Léo Ducas, Alice Pellet-Mary, and Benjamin Wesolowski
Slide Reduction, Revisited—Filling the Gaps in SVP Approximation . . . . . . 274

Divesh Aggarwal, Jianwei Li, Phong Q. Nguyen,
and Noah Stephens-Davidowitz
xviii Contents – Part II
Rounding in the Rings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

Feng-Hao Liu and Zhedong Wang
Lattice-Based and Post-quantum Cryptography
LWE with Side Information: Attacks and Concrete Security Estimation . . . . . 329
Dana Dachman-Soled, Léo Ducas, Huijing Gong, and Mélissa Rossi
A Key-Recovery Timing Attack on Post-quantum Primitives Using

the Fujisaki-Okamoto Transformation and Its Application on FrodoKEM . . . . 359
Qian Guo, Thomas Johansson, and Alexander Nilsson
Efficient Pseudorandom Correlation Generators from Ring-LPN . . . . . . . . . . 387

Elette Boyle, Geoffroy Couteau, Niv Gilboa, Yuval Ishai, Lisa Kohl,
and Peter Scholl
Scalable Pseudorandom Quantum States. . . . . . . . . . . . . . . . . . . . . . . . . . . 417

Zvika Brakerski and Omri Shmueli
A Non-PCP Approach to Succinct Quantum-Safe Zero-Knowledge . . . . . . . . 441

Jonathan Bootle, Vadim Lyubashevsky, Ngoc Khanh Nguyen,
and Gregor Seiler
Practical Product Proofs for Lattice Commitments . . . . . . . . . . . . . . . . . . . . 470

Thomas Attema, Vadim Lyubashevsky, and Gregor Seiler
Lattice-Based Blind Signatures, Revisited. . . . . . . . . . . . . . . . . . . . . . . . . . 500

Eduard Hauck, Eike Kiltz, Julian Loss, and Ngoc Khanh Nguyen
Multi-party computation
Round-Optimal Black-Box Commit-and-Prove

with Succinct Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Susumu Kiyoshima
Efficient Constant-Round MPC with Identifiable Abort

and Public Verifiability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Carsten Baum, Emmanuela Orsini, Peter Scholl,
and Eduardo Soria-Vazquez
Black-Box Use of One-Way Functions is Useless for Optimal

Fair Coin-Tossing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Hemanta K. Maji and Mingyuan Wang
Guaranteed Output Delivery Comes Free in Honest Majority MPC . . . . . . . . 618

Vipul Goyal, Yifan Song, and Chenzhi Zhu
Contents – Part II xix
Black-Box Transformations from Passive to Covert Security

with Public Verifiability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Ivan Damgård, Claudio Orlandi, and Mark Simkin
MPC with Friends and Foes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677

Bar Alon, Eran Omri, and Anat Paskin-Cherniavsky
Always Have a Backup Plan: Fully Secure

Synchronous MPC with Asynchronous Fallback . . . . . . . . . . . . . . . . . . . . . 707
Erica Blum, Chen-Da Liu-Zhang, and Julian Loss
Reverse Firewalls for Actively Secure MPCs . . . . . . . . . . . . . . . . . . . . . . . 732

Suvradip Chakraborty, Stefan Dziembowski, and Jesper Buus Nielsen
Stacked Garbling: Garbled Circuit Proportional to Longest Execution Path. . . 763

David Heath and Vladimir Kolesnikov
Better Concrete Security for Half-Gates Garbling

(in the Multi-instance Setting). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Chun Guo, Jonathan Katz, Xiao Wang, Chenkai Weng, and Yu Yu
Improved Primitives for MPC over Mixed Arithmetic-Binary Circuits . . . . . . 823

Daniel Escudero, Satrajit Ghosh, Marcel Keller, Rahul Rachuri,
and Peter Scholl
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 853

Contents – Part III
Multi-party Computation
Two-Sided Malicious Security for Private Intersection-Sum

with Cardinality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Peihan Miao, Sarvar Patel, Mariana Raykova, Karn Seth,
and Moti Yung
Private Set Intersection in the Internet Setting from Lightweight

Oblivious PRF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Melissa Chase and Peihan Miao
Multiparty Generation of an RSA Modulus . . . . . . . . . . . . . . . . . . . . . . . . 64

Megan Chen, Ran Cohen, Jack Doerner, Yashvanth Kondi, Eysa Lee,
Schuyler Rosefield, and Abhi Shelat
Secret Sharing
Non-malleability Against Polynomial Tampering. . . . . . . . . . . . . . . . . . . . . 97

Marshall Ball, Eshan Chattopadhyay, Jyun-Jie Liao, Tal Malkin,
and Li-Yang Tan
Non-malleable Secret Sharing Against Bounded Joint-Tampering Attacks

in the Plain Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Gianluca Brian, Antonio Faonio, Maciej Obremski, Mark Simkin,
and Daniele Venturi
Nearly Optimal Robust Secret Sharing Against Rushing Adversaries . . . . . . . 156

Pasin Manurangsi, Akshayaram Srinivasan,
and Prashant Nalini Vasudevan
Cryptanalysis
Cryptanalytic Extraction of Neural Network Models . . . . . . . . . . . . . . . . . . 189

Nicholas Carlini, Matthew Jagielski, and Ilya Mironov
Automatic Verification of Differential Characteristics: Application

to Reduced Gimli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Fukang Liu, Takanori Isobe, and Willi Meier
The MALICIOUS Framework: Embedding Backdoors into Tweakable

Block Ciphers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Thomas Peyrin and Haoyang Wang
xxii Contents – Part III
Cryptanalysis of the Lifted Unbalanced Oil Vinegar Signature Scheme . . . . . 279

Jintai Ding, Joshua Deaton, Kurt Schmidt, Vishakha, and Zheng Zhang
Out of Oddity – New Cryptanalytic Techniques Against Symmetric

Primitives Optimized for Integrity Proof Systems . . . . . . . . . . . . . . . . . . . . 299
Tim Beyne, Anne Canteaut, Itai Dinur, Maria Eichlseder,
Gregor Leander, Gaëtan Leurent, María Naya-Plasencia, Léo Perrin,
Yu Sasaki, Yosuke Todo, and Friedrich Wiemer
Improved Differential-Linear Attacks with Applications to ARX Ciphers . . . . 329

Christof Beierle, Gregor Leander, and Yosuke Todo
Cryptanalysis Results on Spook: Bringing Full-Round Shadow-512

to the Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Patrick Derbez, Paul Huynh, Virginie Lallemand,
María Naya-Plasencia, Léo Perrin, and André Schrottenloher
Cryptanalysis of LEDAcrypt. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Daniel Apon, Ray Perlner, Angela Robinson, and Paolo Santini
Alzette: A 64-Bit ARX-box: (Feat. CRAX and TRAX) . . . . . . . . . . . . . . . . 419

Christof Beierle, Alex Biryukov, Luan Cardoso dos Santos,
Johann Großschädl, Léo Perrin, Aleksei Udovenko, Vesselin Velichkov,
and Qingju Wang
Delay Functions
Order-Fairness for Byzantine Consensus . . . . . . . . . . . . . . . . . . . . . . . . . . 451

Mahimna Kelkar, Fan Zhang, Steven Goldfeder, and Ari Juels
Generically Speeding-Up Repeated Squaring Is Equivalent to Factoring:

Sharp Thresholds for All Generic-Ring Delay Functions . . . . . . . . . . . . . . . 481
Lior Rotem and Gil Segev
Zero Knowledge
Compressed R-Protocol Theory and Practical Application

to Plug & Play Secure Algorithmics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Thomas Attema and Ronald Cramer
A Tight Parallel Repetition Theorem for Partially Simulatable Interactive

Arguments via Smooth KL-Divergence . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Itay Berman, Iftach Haitner, and Eliad Tsfadia
Interactive Proofs for Social Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574

Liran Katzir, Clara Shikhelman, and Eylon Yogev
Contents – Part III xxiii
The Measure-and-Reprogram Technique 2.0: Multi-round Fiat-Shamir

and More . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
Jelle Don, Serge Fehr, and Christian Majenz
Fiat-Shamir for Repeated Squaring with Applications to PPAD-Hardness

and VDFs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Alex Lombardi and Vinod Vaikuntanathan
Delegation with Updatable Unambiguous Proofs and PPAD-Hardness . . . . . . 652

Yael Tauman Kalai, Omer Paneth, and Lisa Yang
New Techniques for Zero-Knowledge: Leveraging Inefficient Provers

to Reduce Assumptions, Interaction, and Trust . . . . . . . . . . . . . . . . . . . . . . 674
Marshall Ball, Dana Dachman-Soled, and Mukul Kulkarni
Spartan: Efficient and General-Purpose zkSNARKs Without

Trusted Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
Srinath Setty
NIZK from LPN and Trapdoor Hash via Correlation Intractability

for Approximable Relations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738
Zvika Brakerski, Venkata Koppula, and Tamer Mour
Shorter Non-interactive Zero-Knowledge Arguments and ZAPs

for Algebraic Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 768
Geoffroy Couteau and Dominik Hartmann
Non-interactive Zero-Knowledge Arguments for QMA,

with Preprocessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 799
Andrea Coladangelo, Thomas Vidick, and Tina Zhang
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 829

Security Models
Handling Adaptive Compromise for
Practical Encryption Schemes
Joseph Jaeger1(B) and Nirvan Tyagi2

1
Paul G. Allen School of Computer Science & Engineering,
University of Washington, Seattle, USA
jsjaeger@cs.washington.edu
2
Cornell Tech, New York City, USA
tyagi@cs.cornell.edu
Abstract. We provide a new definitional framework capturing the

multi-user security of encryption schemes and pseudorandom functions
in the face of adversaries that can adaptively compromise users’ keys.
We provide a sequence of results establishing the security of practical
symmetric encryption schemes under adaptive compromise in the ran-
dom oracle or ideal cipher model. The bulk of analysis complexity for
adaptive compromise security is relegated to the analysis of lower-level
primitives such as pseudorandom functions.
We apply our framework to give proofs of security for the BurnBox
system for privacy in the face of border searches and the in-use search-
able symmetric encryption scheme due to Cash et al. In both cases, prior
analyses had bugs that our framework helps avoid.
Keywords: Symmetric cryptography · Ideal models · Adaptive

security · Searchable symmetric encryption
1 Introduction
A classic question in cryptography has been dealing with adversaries that adap-
tively compromise particular parties, thereby learning their secrets. Consider
a setting where parties use keys k1 , . . . , kn to encrypt messages m1 , . . . , mn
to derive ciphertexts Enc(k1 , m1 ), . . . , Enc(kn , mn ). An adversary obtains the
ciphertexts and compromises a chosen subset of the parties to learn their keys.
What can we say about the security of the messages encrypted by the keys that
remain secret? Surprisingly, traditional approaches to formal security analysis,
such as using encryption schemes that provide semantic security [19], fail to suf-
fice for proving these messages’ confidentiality. This problem was first discussed
in the context of secure multiparty computation [10], and it arises in a variety
of important cryptographic applications, as we explain below.
In this work, we introduce a new framework for formal analyses when secu-
rity in the face of adaptive compromise is desired. Our approach provides a
modular route towards analysis using idealized primitives (such as random ora-
cles or ideal ciphers) for practical and in-use schemes. This modularity helps
c International Association for Cryptologic Research 2020
D. Micciancio and T. Ristenpart (Eds.): CRYPTO 2020, LNCS 12170, pp. 3–32, 2020.
https://doi.org/10.1007/978-3-030-56784-2_1
4 J. Jaeger and N. Tyagi
us sidestep the pitfalls of prior ideal-model analyses that either invented new
(less satisfying) ideal primitives, omitted proofs, or gave detailed but incorrect
proofs. We exercise our framework across applications including searchable sym-
metric encryption (SSE), revocable cloud storage, and asymmetric password-
authenticated key exchange (aPAKE). In particular, we provide full, correct
proofs of security against adaptive adversaries for the Cash et al. [12] search-
able symmetric encryption scheme that is used often in practice and the Burn-
Box system [33] for dealing with compelled-access searches. We show that our
new definitions imply the notion of equivocable encryption introduced to prove
security of the OPAQUE [24] asymmetric password-authenticated key exchange
protocol. More broadly, our framework can be applied to a wide variety of con-
structions [1,2,9,13,17,20,21,25–29,34].
Current approaches to the “commitment problem”. Our motivating
applications have at their core an adaptive simulation-based model of security.
Roughly speaking, they ask that no computationally bound adversary can dis-
tinguish between two worlds. In the first world, the adversary interacts with the
scheme whose security is being measured. In the second world, the “ideal” world,
the adversary’s queries are instead handled by a simulator that must make do
with only limited information which represents allowable “leakage” about the
queries the adversary has made so far. The common unifying factor between
varying applications we consider is that the adversary can make queries result-
ing in being given a ciphertexts encrypting messages of its choosing, then with
future queries adaptively choose to expose the secret keys underlying some of
the ciphertexts. The leakage given to the simulator will not include the messages
encrypted unless a query has been made to expose the corresponding key.
Proving security in this model, however, does not work based on standard
assumptions of the underlying encryption scheme. The problem is that the simu-
lator must commit to ciphertexts, revealing them to the adversary, before know-
ing the messages associated to them. Hence the commitment problem. Several
prior approaches for proving positive security results exist.
One natural approach attempts to build special non-committing encryption
schemes [10] that can be proven (in the standard model) to allow opening some
a priori fixed ciphertext to a message. But these schemes are not practical, as
they require key material at least as long as the underlying message. Another
unsatisfying approach considers only non-adaptive security in which an attacker
specifies all of its queries at the beginning of the game. This is one of the two
approaches that were simultaneously taken by Cash et al. [12]. Here the simulator
is given the leakage for all of these queries at once and generates a transcript of
all of its response. This is unsatisfying because more is lost when switching from
adaptive to non-adaptive security than just avoiding the commitment problem.
It is an easy exercise to construct encryption schemes which are secure when
all queries to it must be chosen ahead of time but are not secure even against
key-recovery attacks when an adversary may adaptively choose its queries.
The primary approach used to avoid this is to use idealized models, which
we can again split into two versions. The first is to use an idealized model of
Handling Adaptive Compromise for Practical Encryption Schemes 5
App1 App2 App3
PRF1 PRF2 PRF3 Mode1 Mode2 Mode3
Fig. 1. Old state of affairs. Red dashed lines correspond to implications proved through
programming in an ideal model proof. A different programming proof is needed to prove
an application secure for each pair of PRF and symmetric encryption mode. (Color
figure online)
App1 App2 App3
SIM-AC-CPA/CCA
SIM-AC-PRF Mode1 Mode2 Mode3
PRF1 PRF2 PRF3
Fig. 2. New state of affairs. Red dashed lines correspond to implications proved through
programming in an ideal model proof. New definitions are in bold boxes. Programming
proofs are only needed to show each low level PRF construction meets SIM-AC-PRF.
(Color figure online)
encryption. Examples of this include indifferentiable authenticated encryption [3]

(IAE) or the ideal encryption model (IEM) of Tyagi et al. [33]. Security analyses
in these models might not say much when one uses real encryption schemes, even
when one is willing to use more established idealized models such as the ideal
cipher model (ICM) or the random oracle model (ROM). One hope would be to
use approaches such as indifferentiability [30] to modularly show that symmetric
schemes sufficiently “behave like” ideal encryption, but this approach is unlikely
to work for most encryption schemes used in practice [3].
The final approach, which is by far the most common in searchable symmet-
ric encryption [1,2,9,12,13,17,20,21,25–29,34], is to fix a particular encryption
scheme and prove security with respect to it in the ICM or ROM. Typically
encryption schemes are built as modes of operations of an underlying pseudo-
random function (PRF) and this function (or its constituent parts) is what is
modeled as an ideal function. The downside of this is represented in Fig. 1. On
the top, we have the applications one would like to prove secure, and on the
bottom, we have the different modes of operation and PRFs that one might
use. Using this approach means that for each application, we have to provide a
separate ideal model proof for each different choice of a mode of operation and
a PRF (represented by dotted red arrows in Fig. 1). If there are A applications,
P PRFs, and M modes of operation one might consider using, then this requires
A · P · M ideal model proofs in total, an unsatisfying state of affairs.
Moreover, the required ideal analysis can be tedious1 and error-prone. This is
presumably why only a few of the papers we found actually attempt to provide
the full details of the ROM proof. We have identified bugs in all of the proofs that
did provide the details. The lack of a full, valid proof among the fifteen papers we
considered indicates the need for a more modular framework to capture this use
of the random oracle. Our work provides such a framework, allowing the random
oracle details to be abstracted away as a proof that only needs to be provided
once. This framework provides definitions for use by other cryptographers that
are simple to use, apply to practical encryption schemes, and allow showing
adaptive security in well-studied models.
Examples of the “commitment problem”. We proceed by discussing the
example applications where we will apply our framework.
Revocable cloud storage and the compelled access setting. We start with the
recently introduced compelled access setting (CAS) [33]. Here one wants encryp-
tion tools that provide privacy in the face of an authority searching digital
devices, e.g., government searches of mobile phones or laptops at border cross-
ings. To protect against compelled access searches, the BurnBox tool [33] uses
what they call revocable encryption. At its core, this has the system encrypt a
user’s files m1 , . . . , mn with independent keys k1 , . . . , kn . Ciphertexts are stored
on (adversarially visible) cloud storage. Before a search occurs, the user instructs
the application to delete the keys corresponding to files that the user wishes to
hide from the authority, thereby revoking their own access to them. The other
keys and file contents are disclosed to the authority.
The formal security definition introduced by Tyagi et al. captures confiden-
tiality for revoked files even in the face of adversarial choice of which files to
revoke, meaning they want security in the face of adaptive compromises. This
very naturally results in the commitment problem because the simulator can be
forced to provide ciphertexts for files, but only later learn the contents of these
files at the time of key revelation. At which point, it is supposed to give keys
which properly decrypt these ciphertexts.
To address the commitment problem they introduced the IEM. This models
symmetric encryption as perfect: every encryption query is associated to a freshly
chosen random string as ciphertext, and decryption is only allowed on previously
returned ciphertexts. Analyses in the IEM can commit to ciphertexts (when the
adversary doesn’t know the key) and later open them to arbitrary messages.
In their implementation, they used AES-GCM for encryption which cannot be
1
Even more-so because SSE protocols often also run into the commitment problem
with a PRF and need to model that using a random oracle as well.
thought of as indifferentiable from the IEM. Hence their proof can ultimately
only provide heuristic evidence for the security of their implemenation.
Symmetric searchable encryption. Our second motivating setting is symmetric
searchable encryption (SSE), which has similar issues as that discussed above
for BurnBox, but with added complexity. SSE handles the following problem: a
client wants to offload storage of a database of documents to an untrusted server
while maintaining the ability to perform keyword searches on the database. The
keyword searches should not reveal the contents of the documents to the server.
To enable efficient solutions, we allow queries to leak some partial information
about documents. Security is formalized via a simulation-based definition [15],
in which a simulator given only the allowed leakage must trick an adversary
into believing it is interacting with the actual SSE construction. An adaptive
adversary can submit keyword searches as a function of prior returned results.
Proving security here establishes that the scheme only leaks what is allowed
and nothing more. While the leakage itself has been shown to be damaging in
various contexts [11,22], our focus here is on the formal analyses showing that
leakage-abuse attacks are the best possible ones.
A common approach for SSE can be summarized at a high level as follows.
The client generates a sequence of key pairs (k1 , k1 ), . . . , (kn , kn ) for keywords
w ∈ {1, . . . , n} represented as integers for simplicity. The first key kw in each pair

is used to encrypt the identifiers of documents containing w. The latter key kw is
used as a pseudorandom function (PRF) key to derive pseudorandom locations
to store the encryption of the document identifiers. When the client later wants

to search for documents containing w it sends the associated (kw , kw ) keys to

the server. The server then uses kw to re-derive the pseudorandom locations of
the ciphertexts and uses kw to decrypt them.
To prove adaptive security, the simulator for such a protocol runs into the
commitment problem because it must commit to ciphertexts of the document
identifiers before knowing what the identifiers are. Perhaps less obviously, a sim-
ulator also runs into a commitment issues with the PRF. To ensure security the
simulated locations of ciphertexts must be random, but then when responding
to a search query the simulator is on the hook to find a key for the PRF that
“explains” the simulated locations. Papers on SSE typically address these issue
by modeling the PRF as a random oracle and fixing a specific construction of an
encryption scheme based on a random oracle. As noted earlier, this has resulted
in a need for many tedious and error-prone proofs.
Asymmetric password-authenticated key exchange and equivocable encryption.
In independent and concurrent work, Jarecki et al. updated the ePrint ver-
sion of [24] to introduce the notion of equivocable encryption and use it to
prove security of their asymmetric password-authenticated key exchange proto-
col OPAQUE. The definition of equivocable encryption is essentially a weakened
version of our confidentiality definition, considering only single-user security and
allowing only a single encryption query; whereas we consider multi-user security
and arbitrarily many adaptively chosen queries. Since their definition is implied
by ours, our results will make rigorous their claim that “common encryption
modes are equivocable under some idealized assumption”.
A new approach. We introduce a new framework for analyzing security in
adaptive compromise scenarios. Our framework has a simple, but powerful
recipe: augment traditional simulation-based, property-based security definitions
to empower adversaries with the ability to perform adaptive compromise of
secret keys. For symmetric encryption, for example, we convert the standard
simulation-based, multi-user indistinguishability under chosen plaintext attack
(mu-IND-CPA) [4] to a game that includes the same adversarial powers, but
adds an additional oracle for adaptively compromising individual user secret
keys. Critical to our approach is (1) the use of simulators, which allows handling
corruptions gracefully, and (2) incorporating handling of idealized models (e.g.,
the ROM or ICM). The latter is requisite for analyzing practical constructions.
We offer new definitions for multi-user CPA and CCA security of symmetric
encryption, called SIM-AC-CPA (simulation-based security under adaptive cor-
ruption, chosen plaintext attack) and SIM-AC-CCA (chosen ciphertext attack).
By restricting the classes of allowed simulators we can obtain stronger definitions
(e.g., SIM-AC-$ which requires that ciphertexts look like random strings).
Symmetric encryption under adaptive compromise. We then begin exercising
our framework by first answering the question: Are practical, in-use symmetric
encryption schemes secure in the face of adaptive compromises? We give positive
results here, in idealized models. Taking an encrypt-then-MAC scheme such as
AES in counter mode combined with HMAC [5] as an example, we could directly
show SIM-AC-CCA security while modeling AES as an ideal cipher and HMAC
as a random oracle (c.f., [16]). But this would lead to a rather complex proof,
and we’d have to do similarly complex proofs for other encryption schemes.
Instead, we provide simple, modular proofs by lifting the underlying assump-
tions made about primitives (AES and HMAC) to hold in adaptive compromise
scenarios. Specifically, we introduce a new security notion for pseudorandom
functions under adaptive compromise attacks (SIM-AC-PRF). This adapts the
standard multi-user PRF notion to also give adversaries the ability to adaptively
compromise particular keys. Then we prove that AES and HMAC each achieve
this notion in the ICM and ROM, respectively. The benefit is that these proofs
encapsulate the complexity of ideal model programming proofs in the simpler
context of SIM-AC-PRF (as opposed to SIM-AC-CCA).
The workflow when using our framework is represented by Fig. 2. Here PRFs
are individually shown to achieve SIM-AC-PRF security in an ideal model. Then
modes of operation are proven secure under the assumption that they use a
SIM-AC-PRF secure PRF. Then each application is proven secure under the
appropriate assumption of the encryption scheme used. This decreases the total
number of proofs required to A + P + M , significantly fewer than the A · P ·
M required previously. Moreover, the complicated ideal model programming
analysis (represented by red dashed arrows) is restricted to only appearing in
the simplest of these proofs (analyzing of PRFs); it can then simply be “passed
along” to the higher level proofs.
We can then show that for most CPA modes of operation (e.g., CBC mode
or CTR mode), one can prove SIM-AC-CPA security assuming the underlying
block cipher is SIM-AC-PRF. The core requirement is that the mode of operation
enjoys a property that we call extraction security. This is a technical condition
capturing the key security properties needed to prove that a mode of operation
is SIM-AC-CPA assuming the underlying block cipher is SIM-AC-PRF. More-
over, we show that most existing (standard) proofs of IND-CPA security show,
implicitly, the extraction security of the mode. Thus, we can easily establish
adaptive compromise proofs given existing (standard) ones.
The above addresses only confidentiality. Luckily, integrity is inherited essen-
tially for free from existing analysis. We generically show that SIM-AC-CPA
security combined with the standard notion of ciphertext integrity implies SIM-
AC-CCA security. Thus, one can prove encrypt-then-MAC is SIM-AC-CCA
secure assuming the SIM-AC-CPA security of the encryption and the standard
unforgeability security of the MAC. This is an easy adaptation of the standard
proof [8] of encrypt-then-MAC.
Applying the framework to high-level protocols. Equipped with our new SIM-AC-
CCA and SIM-AC-PRF security notions, we can return to our motivating task:
providing positive security analyses of BurnBox and the Cash et al. SSE scheme.
We give a proof of BurnBox’s CAS security assuming the SIM-AC-CPA secu-
rity of the underlying symmetric encryption scheme. Our proof is significantly
simpler than the original analysis, avoiding specifically the nuanced program-
ming logic that led to the bug in the original analysis. For the Cash et al. scheme
we apply our SIM-AC-PRF definition and a key-private version of our SIM-AC-
CPA definition. Their adaptive security claim was accompanied only by a brief
proof sketch which fails to identify an important detail that need to be consid-
ered in the ROM analysis (see the full version of this paper [23]). Our proof
handles this detail cleanly while being ultimately of comparable complexity to
their non-adaptive security proof.
Unfortunately, these settings and constructions are inherently complicated.
So even with the simplification provided by our analysis techniques there is not
space to fit their analysis in the body of our paper; it has instead been relegated
to the full version of this work. We choose this organization because our main
contribution is the definition abstraction which we believe will be of use for
future work, rather than the particular applications we chose to exhibit its use.
Treatment of symmetric encryption. In this work, we focus on randomized
encryption, over more modern nonce-based variants because this was the form
of encryption used by the applications we identified. In the full version of this
paper [23], we extend our definitions to nonce-based encryption. The techniques
we introduce for analyzing randomized symmetric encryption schemes should
extend to nonce-based encryption schemes.
Related works. A related line of work is that of selective-opening attacks [7]
which studies the security of asymmetric encryption schemes against compro-
mises in a multi-sender setting (where coins underlying encryption may be com-
Another random document with
no related content on Scribd:
“There, you see Fanny doesn’t believe it;” said Allie West
triumphantly.
“As if any one in her senses could!” Dora added.
After they went away Fan sat glancing out of the window
thoughtfully.
“I allowed them to think what was not quite true,” she said slowly,
“but I did not want the fact to leak out. Some very smart young
woman might write to Kate and alarm her. It had better go on
quietly.”
We missed Daisy ever so much. You would hardly think it among
so many.
Then came a letter from Mr. Duncan, stating that he intended to
follow it in time to keep the festival of baby’s christening. There were
some business matters on which he wished to consult papa, and he
was longing for a sight of the household, from least to greatest. Louis
was much better. Mrs. Whitcomb was well and had utterly refused
her first vacation. What did Fanny expect to do in such a case of
insubordination? He was sorry he had proved so attractive, but it
was more his misfortune than his fault, so she must not visit him too
heavily with her displeasure.
We all had a good laugh over it. I arranged the guest-chamber in
the morning, flowers and all, and in the afternoon went cantering
round the parish, as Fan often expressed it. She had been smitten
with such a passion for sewing, and the Churchills took up so much
of her time that I had to visit for both. I was beginning to feel quite
grave and staid with my eighteen and a half years. The fact of Fan’s
having a real lover affected me in a rather curious fashion. It seemed
as if the romance was to begin with her and go down. It shut me out
as it were; but never having counted myself in, I did not feel much
disappointed. I was to be the house-daughter. Already I could see
that papa had begun to depend more upon me. He brought his
gloves to be mended, and used to ask me now and then to find
various little matters for him. True, mamma was much occupied with
Edith. I liked the growing nearer though, the tender confidence and
trust.
I could see how it would be. One by one the birdlings would fly out
of the home nest. I was an every-day useful body and would be
needed to help the others, make some ready to go and comfort
those who staid. I didn’t suppose the sweet grace and patience that
glorified Miss Oldway’s face would ever come in mine. It was such a
round, funny little face, and would get so sun-burned in summer. No
one could ever call me fair and dainty.
I laughed over it softly to myself, I was in such a merry mood. In
ten years I should be twenty-eight, getting on the “list” a wee bit,
visiting round the same as usual, carrying broths and jellies, listening
to sorrows and complaints, and by that time, perhaps, a little better, a
little nearer the Great ensample so that I could say my say without
faltering.
My basket was emptied at length. I leaned over the fence awhile
and talked with Mrs. Day, who “could not see why,” about something.
Aunt Letty Perkins came along, puffing and wheezing. She had been
confined to the house a good deal since Christmas, with the asthma,
and if it was not irreverent I should say—“Israel had had peace.”
“All well, I suppose?”
“Yes, thank you.”
“I never see such folks. You don’t have a bit of sickness or trouble
like other people!”
“No,” said Mrs. Day, as if she felt personally aggrieved. “I never
saw the match to that baby, and my poor lamb in the church-yard!”
I wanted to reply that it was the care and watchfulness, the love
and tenderness that never tired. We did not suffer real heart-felt
trouble, but there were hard pinches and perplexities, many things
given up that we longed to have, hours of patient industry, self-denial
and all that. Do discontented people ever realize what steady
courage and grace it takes to make many lives look fair and sweet?
“Well, it’s out of its trouble,” pursued Aunt Letty. “You never can tell
what children are coming to. Goin’ to take boarders agen this
summer?”
That last to me. I started and colored at the impertinence. I wanted
to resent it, but I knew that would not help for an example.
“Mr. Duncan is at home and can take care of his brothers;” I
replied quietly.
“Well, they want much addition to the neighborhood. That young
one was a master-hand at mischief. I should have wanted a good
deal of money to pay me.”
“Good-night;” I said rather abruptly, “I must be going.”
“Why don’t you come in? I haven’t seen your ma in an age.
Nobody drops in when I am sick, though if I do say it myself, I’ve
always been neighborly. No one can say I ever went on the other
side like the publican.”
“Indeed they could not,” I thought to myself with a smile.
All this made me later than I expected to be. As I came up the road
I saw Fanny and Mr. Duncan walking slowly to meet me.
Something dreadful flashed into my mind at that moment and
made my face scarlet. I remembered that in my talk with Louis I had
spoken of the probability of Stephen’s marrying Fanny. What if he
had repeated that bit of idle gossip? Stuart would have done so from
pure love of teasing.
“Why, Rose, how you have hurried! You are as red as your reddest
namesake. Do stop and cool off a moment, child!”
That from Fanny did not make me any paler. I felt the contrast very
keenly. She tall and elegant, with her graceful self-possession, and I
such a little budget! I don’t know why I should have cared just at that
moment, but I felt mortified enough to cry.
Mr. Duncan put out his hand. I just touched the tips of his fingers.
“I am glad to see you.” Then he looked me all over with those
strange eyes of his that could be so dark and piercing.
“Isn’t it late?” I asked. “I am sure supper must be ready. Please
excuse me,” and I hurried on.
They turned as well. I rushed up-stairs, bathed my face and gave
my hair a brush. Then I went to the glass a moment to pull it out. No,
I was not a beauty. If Mr. Duncan had not come to-day! He could
spend Sunday without starting as early as Friday afternoon!
When I went down they were all gathered around the table. He
glanced up sharply again, and I was foolish enough to blush.
Not an unnecessary word did I utter. I had a constricted feeling
about my throat and tongue and could not tell what was the matter
with me, I believe I felt cross. I was glad to go to the study afterward
and give papa the messages that had been sent for him.
Nelly called me to see about a skirt she was letting down. Tim and
Lily put themselves to bed now, and I had only to go in and pick up
their clothes. Fanny and Mr. Duncan were singing in the parlor, but I
did not go down until I heard mamma’s voice. They were talking
about Mrs. Whitcomb.
He had found her so admirable. Lady-like and refined, yet not
weak; clear-eyed and resolute, yet without any hardness.
“She is always in bloom, I believe. The winter, and the desert, and
the bare, bristling hill-tops may be a short distance off, but just
around her it is spring.”
“There everlasting spring abides,

And never withering flowers;”—
Fan murmured softly.

“That is just it. She has had some troubles, also.”
“Indeed she has,” returned mamma, “Losses, deaths and trials.
But now she has gone out of her own life. Her perceptions are so
quick, tender and unerring. She seems to discern from afar off the
needs and wants of human souls and ministers gently to your own
thought, not hers.”
“What is it, Mrs. Endicott?”
Mamma answered with a smile and said it all. She often talked
with the expressions of her face in that sweet instantaneous manner,
explaining a subject better than many words would have done.
“I begin to believe that religion has something in it. There is a point
beyond natural amiability.”
“Have you been doubting?”
He blushed and laughed in an embarrassed, school-boy fashion.
“I don’t know that I have exactly doubted, but I have not believed
in any vital way. Still I considered myself a Christian gentleman until
very recently.”
“And what then?”
“I found myself a proud and honorable gentleman instead, who
abhorred meanness, falsehood, dishonesty and the whole catalogue
of those sins because they were blots and stains, hideous in my
sight. I had no patience with them in that they never tempted me. I
liked my life to be pure and just, but it was for myself alone. I did not
think of what God might require; the higher aim. After all, it is His
relation with every human soul, His holding out the faith and love and
atonement to us, made for us so long ago in His great wisdom, and
which is for us whether we take it or not. But we want to try our
wisdom first.”
“That leads to the trouble and the clashing. We so often set up our
own will and when we are buffeted about take it as a sort of direct
martyrdom, when it is only a natural result of an ordinary cause. We
sometimes cry out—‘Why has God sent this upon me?’ when we
bring the trials upon ourselves.”
“Yes. Then we have to go back. We find the plans and
specifications and the materials all right, left on the highway, while
we used stones and timber of our own, changed the plan according
to our liking. We have to take out a good deal of work in this life.”
“And we learn by degrees to be careful, to come to Him, to ask
first of all—‘Lord, what wilt thou have me to do?’”
“And learning to follow it, is the great lesson.”
He turned his head a trifle and lapsed into deep thought. Fan
glanced over at me in a peculiar manner as if she triumphed in what
he said, and it was only proving a well established point. She
puzzled me. Why, when she liked him so well herself, was there not
the deeper and farther-reaching sympathy of love? He was really
nobler than Winthrop Ogden.
We did not have any confidence until late Saturday afternoon. Fan
was writing a letter in her room and mamma had gone to visit some
sick people. I had Edith fenced off in a corner of the porch and was
amusing her while I sewed a little.
He came and studied me curiously. That was what I did not like. If
I had been as pretty as Fan, or if my hair were any other color!
“You have not asked me a word about your friend. Have you lost
interest in him now that he is delivered over to my keeping?”
I understood whom he meant.
“Why, we have all talked—I have heard—” and I paused in
surprise, for a tiny frown came in his brow.
“But the work was so much yours.”
“You exaggerate it, Mr. Duncan.”
I might have spoken coldly. Somehow I could not let myself be
praised in his words, and with his eyes upon me.
“Are you so used to good deeds that you consider this nothing?”
I flushed and felt a lump rising in my throat.
“I would have done it for any one.”
“I believe you, Miss Endicott. Louis is not so admirable that he
should be singled out.”
“He is—you don’t do him justice;” I said almost ready to cry.
“I did not I will admit, but I am trying to now. Will you not accept my
penitence and my sincere desire to be tender as well as just?”
“I know you mean to do the very best. I think you will.”
“Thank you. I am afraid you consider us all rather heathenish. I
have only recently come to understand the full duty that I owe my
brothers. I had left them in my uncle’s hands, quite satisfied, and
believing that boys came up, somehow. I had no great trouble.”
“Because you were stronger. And Louis’ health and temperament
are so different.”
“I have learned that I could not make him come to me, so I have
gone to him.”
“He did come—”
“Yes; that was not the point I referred to, however. It is in the
matter of confidence. He is so very reserved, so sensitive, so touchy,
to use a common phrase. At a word he draws into his shell and
keeps silence.”
“I found that out last summer,” I said with a smile.
“How did you manage?”
“I don’t know,” I answered looking over at the distant hills. “It just
came, I think. When he wouldn’t talk on any subject I let it drop.”
“Ah, wise little one, there may be a secret, in that. I fancy that I
have a failing in my desire to convince people. I want them to see
the right.”
“It is easier seen than confessed, sometimes.”
“True. And Louis has a giant of pride. If he is hurt he will not stop
to explain. If you misunderstand, he will not set you right. You have
to grope your way along in perplexity. Yet I think we are coming a
little nearer to each other, through you.”
“And Mrs. Whitcomb. She has a way of uniting people, of healing
differences.”
“I am doubly fortunate in having her. Otherwise I must have
borrowed—your mother.”
I smiled a little at this. It made me think of the Churchills borrowing
Fan. Isn’t it so the world over? The sweetness and brightness of
other lives comes into ours, sometimes the darkness and sorrow. We
rarely stand alone.
“I believe I like frank, open natures the best;” he went on. “And
cheerfulness. A great outgiving like the world and the sunshine.”
“But when one has been in a cave a long while the light dazzles.
Some people do not want to take in but a little at a time, and perhaps
we hurt them by thrusting so much into their very souls.”
“Yes,” he answered, “When a man is starving you do not feast him
at once. I must remember that.”
Edith began to worry. I took her up in my arms and hushed her
softly.
Mr. Duncan was not looking at me, but a strange, tender light
came into his face, a half smile that brought the dawn to my mind by
way of comparison. He seemed to pay no attention to me for many
minutes, but just to be occupied with his own reflections. I rose to
take Edith in, as she evinced unmistakable symptoms of hunger.
He put his arm over her and partly over my shoulder.
“I cannot let you go without an acknowledgement,” he began
hurriedly. “I should like to tell you just how Louis came back. There
was a manliness in his penitence that has given me a great deal of
hope. Yet I know that he did not come out of actual love for me. If we
ever could reach that state, but I must wait patiently. I have thought
so little of him all these years, except to look after his personal
comfort, that I must not complain if I reap weeds instead of flowers.
You were brave and strong in your advice to him, and God above
knows how deeply and sincerely I thank you. Your note to me was
wisdom itself. Only—”
There was a peculiar wistfulness in his face that somehow gave
him a little look of Louis.
“Only what?” If there was any fault to find let us have it out now.
“If you could have trusted me unreservedly. Do you think I am so
very stern and rigid and unforgiving?”
“I was afraid you might—I did not know—” and I stopped,
distressed and blushing.
“Will you have a little more faith in me?”
He uttered the words slowly.
“I know you desire to do what is best.”
He looked a trifle disappointed, I thought, but I went in with Edith
and left him standing there.
After all I had not done anything very wonderful that there should
be such a fuss and thanks and all that bother. It annoyed me. I could
not carry triumphs gracefully as Fan did, sit in the centre and have
an admiring audience around me.
One part of the visit proved an unalloyed delight, and that was
papa’s enjoyment of it. He and Mr. Duncan fitted, if you can
understand the term. It was almost like father and son. Plans were
talked over, the boys’ future discussed, and in Stephen’s newer
experience there was a great charm. Like the young man who came
to Christ, he had kept the commandments from his youth up, he had
been truth and integrity itself, but the one greater thing had come to
him now. It crowned his manliness. He did not speak of it in a
shame-faced way, as if it was something to be kept on one side of
his life and rather in the background, but he set it in the very midst. A
rare, almost boyish humility was discernable in his conversations
with papa. I liked so much better to listen than to have him talk to
me.
“I am afraid I shall grow proud in my old days,” said papa a few
evenings afterward. “Such first fruits as Mr. Duncan and Miss
Churchill seem a whole harvest. I shall never be discouraged again.”
Indeed, Miss Churchill had become the Lady Bountiful of the
parish. I do not mean simply among the poor. The rich need the
gospel of charity and loving kindness as well. They were meeting
together, being incited to good works, losing the narrow feelings and
prejudices.
Fan and I had a lovely episode this summer. Just at the beginning
of the hot weather Miss Lucy had a spell of feeling very weak and
miserable.
“She must have a change,” declared good old Doctor Hawley.
“She has been among the mountains so long that she has worn
them out. Take her away to the sea-side.”
“I can’t go,” said Miss Lucy in faint protest. “I do not like strange
faces nor places, and the worry and bustle will consume what little
strength I have.”
“You will wear out this old strength and get some new. You are
tired to death of this, though you are so set in your way that you will
not confess it. I know what is best for you! Miss Esther, if you want to
keep Christmas with her, take her away now.”
Then he thumped his cane resolutely on the floor, a way he had
when he was very much in earnest.
When it came to that something must be done.
They talked it over—Miss Churchill and her brother, then Miss
Churchill and mamma. And this came out of it all, as if we were to be
in the midst of everything.
They would go to Martha’s Vineyard. In earlier years they had
spent whole summers there. And she and Miss Lucy wanted us. We
had seen so little outside of our own home, that the change would do
us good. There was the great sea, the islands all about, and a new
world, so to speak.
“I don’t know how to get both of them ready,” mamma exclaimed in
a hopeless puzzle.
“You are thinking of the dresses—but we are not going to be
fashionable. Some nice light worsted goods for traveling, and
beyond that there is nothing as pretty as white. We shall have a
cottage to ourselves and our meals sent in. Then I intend to take
Martha, who is an excellent laundress, so the dresses will be no
trouble. Kenton is counting on the pleasure, and you must not
refuse.”
“It is a great—favor,” said mamma timidly.
“I don’t want you to think of it in that light. Kenton and I are getting
along in years, and Lucy will not last forever. We might as well take
and give a little pleasure. It is just as if a sister asked you.”
And it actually came about. We had new gray dresses trimmed
with bands of pongee; Fan’s a shade lighter and mine two or three
shades darker than the material. When they were all finished they
had cost but twenty-three dollars. Our spring straw hats were
retrimmed, our gloves and ribbons and boots looked over.
“One trunk will hold our modest wardrobe,” declared Fan. “I often
think of the Vicar of Wakefield and the many devices the girls
resorted to. It is rather funny to be poor, after all! You are not so
much worried and fidgeted and dissatisfied. You take the best you
can get, and you know you cannot do any better. So you enjoy the
tour or the journey or whatever it is, because you are altogether
outside of your troublesome self.”
“But you will be—very well off—some day,” I said with bashful
hesitation.
“I don’t think of that, any more. Until the very day of my marriage
my life is here. What papa can give me will always be infinitely
precious to me. We will have all the happiness out of our poverty that
we can.”
“Yes,” I answered.
“And I know just how Miss Churchill is giving us this. So far as the
money goes she will never feel it. We will afford her pleasure,
satisfaction and delight in return, which will make it quite an even
thing.”
We remained three weeks and it was enchanting. The great ocean
with its ceaseless surges and swells, its floods of molten gold at
sunset, the showers and one tremendous storm, the walks and rides
on the sands, the short sails hither and thither, the quaint cottages,
the strange people from almost everywhere, some of whom we soon
became acquainted with, the newness and the variety was splendid!
We enjoyed every moment. Sometimes I felt quite wild indeed, as if I
could race along the sea sands and shout with the wildest of the
birds.
The last week was the crowning point. Winthrop came and Miss
Churchill took us to Newport for one night and two days. There was
elegance and fashion at the hotel to be sure, but Fan in her pretty
white over-dress and the bloom of her fresh, sweet youth, attracted
many a glance of admiration on the one side, and almost envy from
some of the worn and faded women. It was a bit of Arabian Nights’
Entertainment brought into our own lives.
Miss Lucy did improve ever so much. She could not bathe to be
sure, but the pungent air revived and strengthened her. We were all
so bright and happy, so full of fun and whims and oddities. There is a
fascinating queerness about almost every person when the true self
comes out and you forget that any one is watching you.
It was so delightful that we came home with almost a sigh, until we
reached the familiar places. It was the first time that we had ever
been so long away from mamma, and when we thought of that our
hearts were full to overflowing.
There was Mrs. Whitcomb in the midst helping to keep house,
filling up our vacant places.
“You need not think you are the only ones who can have a
holiday!” she exclaimed laughingly.
Oh, the blessedness of being right among the accustomed faces,
to be kissed and kissed again, to be pulled about hither and yon, to
be shown this and that, “which was not so when you went away;” the
atmosphere of home-living and thinking, which is so different from
railroad cars and hotels, or even other people’s cottages.
“But the sea still sings in my ears,” I said to Fan as I laid my head
on my pillow.
“And to-morrow morning it will be robins or swallows ‘twittering’
under the eaves. What a great, grand thing it is to live and be happy!
Rose, if people could realize the satisfying joy they put in the lives of
others when they share their pleasures I think the whole world would
go at it. It would be giving and receiving all round the wide earth.”
Are we thankful enough for happiness, I wonder? For that is
something a little apart from life, one of the things not surely
promised, like the peace of God. Should there not be a special
thanksgiving for every blessed day, for the breath of fragrance, the
pleasantness of sunshine, and the subtle essence of delight that
wafts itself across our sky—tender human love?
CHAPTER XVI.
TEPHEN DUNCAN had taken the boys West, and

would be gone a month or more. They had grown so
much, Mrs. Whitcomb said, and were almost men.
“Which do you like best?” asked Fan.
“I think Louis will make the nobler character. Stuart would rather
take life just as it is, picking out the best for himself, to be sure, and
not minding much what scraps fall to other people. He may feed the
hungry after he is satisfied, he never will before.”
“Everybody likes him,” I replied.
“Yes. He is fascinating.”
“And you don’t need real virtues to be fascinated with,” I said
rather blunderingly, the thought being more than the sentence.
“No, only outside pleasantnesses. That is, they answer.
Sometimes when you are down deep in the heart of things, you
cannot take quite so much pains with the finishing. Not but what I
consider finishing a great deal. Clean paths beautify a garden so
much, but I have seen people just hoe off the tops and sprinkle
gravel or sand over them. The weeds spring up after a rain.”
“Has not Louis the outside and inside faults as well?” asked Fan.
“Yes. Only his weeds are seldom covered up. Some folks never
can cover up anything. He cannot be good outside until he has killed
the weeds inside. Stuart may be fair all his life without any fighting.”
“He is good-tempered;” I subjoined.
“He has a pleasant, sunny temper, perfect health, and no nerves
to speak of. It is no effort for him to be jolly. He is gentlemanly by
instinct, he likes to be in the centre, shooting rays in every direction.
Is it wonderful if somebody comes within their radius? The
somebody may think this particular brightness is meant for him, but
in an instant Stuart may wheel round and leave this very person in
the dark.”
“I am glad you have some hope of Louis;” I said.
She seemed to study Fan, the great column of wisteria and me, all
at the same moment.
“There are some special providences in this world, I do believe,”
she began. “Mr. Duncan’s coming here was one, and your taking the
boys another.”
“Which we should not have done if we had not been very poor,”
said Fan with an odd pucker in her face.
“Well, we will give poverty the credit. Mr. Duncan’s visit here taught
him some new ideas of duty. Not but what he would have been a
just, even a kind brother in any event. But relationship counts for so
little now-a-days. Very few people expect to be their brothers’
keepers. They are willing to do grand things for others, for the
heathen, for some great accident that stirs up the sympathy of the
whole world, but the common every day duties are tiresome.”
“They are,” said Fan. “It may be heterodox, but it is true all the
same.”
“That is just it,” and Mrs. Whitcomb gave her sweet, tender smile
that was worth a week of June sunshine. “God knew how tiresome
they would be, or he would not have given such continual lessons of
patience and love, of working and waiting. Think of the mustard seed
and the corn, and the candle; the piece of money and the one lost
sheep. It is nearly all little things. And when He saith—‘If a man love
not his brother whom he hath seen, how can he love God whom he
hath not seen.’ It is the home love that is going to save the world.
Stephen saw it here, and it roused his dormant affection.”
“You see it would not do for us to quarrel,” said Fan drolly. “We are
packed in like peas in a pod, or birds in a nest, or bricks in a
sidewalk. There isn’t any room.”
“I am glad you have learned that. I think too, it is the lesson you
are all to teach the world.”
“Oh!” exclaimed Fan with a blush of real humility.
“We must be poor and barren indeed, if we do not teach
something. And the influence last summer did a great deal for Louis.
It was the beginning of his salvation. It was the beginning of
Stephen’s higher life, also. Before that he would have saved his
brothers for pride’s sake, now he will endeavor to do it for God’s
sake, because he has been redeemed in the love, as well.”
“It is sermons in everything,” said Fanny.
“Mrs. Whitcomb,” I began presently, “do you know anything about
—Louis when he came home?” Somehow I could never have asked
Stephen, much as I wanted to know.
“It was late in the afternoon, just growing dusky. I did not know him
when he asked for Mr. Duncan, but before I had crossed the hall I
guessed, so I took him to the library, and summoned Stephen from
his room up stairs. They talked for a long while and then Stephen
asked that tea might be brought to them. Louis lay on the sofa while I
spread the little table. I could hear the sound of tears in Stephen’s
voice at every word he spoke. At nine, perhaps, he took Louis up to
the chamber that had been prepared for him. When he came down I
was busy putting the library in order. I just asked—‘Is it all right?’ and
he answered—‘It is the beginning of right.’ And then he added—shall
I tell you Rose?—‘I think Louis and I will owe something of what is
best in our lives to Rose Endicott!’”
“I wish they wouldn’t;” I cried in distress. “But it is all made up
between them?”
“Yes, in a better manner than if the trouble had not happened. Out
of it all they have learned to love each other. Louis has a great, shy,
morbid, hungry heart, and a most unfortunate temper.”
“And we are as poor as church mice, and angelic;” said Fan in her
gayest mood. “After all, the gifts and graces are pretty fairly
distributed.”
We went into supper and had other topics of conversation. One of
the most important was sending papa away for a little vacation.
When Mr. Churchill heard of that he held up both hands, and they
were not empty. Papa must stay over one Sunday and he would see
about a clergyman. It was very odd to be without a head to our
household that length of time. He went to Long Island, to Cape May
and Philadelphia, bringing Daisy home with him.
In the meanwhile Fan and I were in the midst of a small
excitement. Jennie Ryder was to be married and wanted us both for
bridesmaids, “that is,” she said—“I want you, and Richard wants
Fan. And I don’t wish you to make a bit of fuss. I am going to be
married in church at eight in the morning, in white organdie, because
Richard loves white so much. Otherwise I should take my traveling
dress. We do not intend to send out any invitations, and you must be
simple, so as not to outshine me.”
“I am glad you have instructed us. We might have rushed into
some extravagance. May we have our white gowns done up fresh,
please?” asked Fan comically.
Jennie laughed. She was very happy, one could see that. A
connection had come to stay with Mrs. Ryder while Jennie was
away, for Richard had insisted upon Niagara and the Canadas.
Afterward they were to move into the great house.
Papa came home on Saturday night, looking brown and bright and
rested. On Tuesday morning Jennie was married. Winthrop came to
stand with Fan, I think he would not have trusted any one else. He
was troubled with an insane belief that every body wanted Fan,
“which is werry flattering on his part,” said Fan, “considering that the
only other lover I ever had has gone off and married some one else,
never breaking his heart a bit!”
“Would you have had him, Fanny?”
“No, little goosie! And he has the best wife that he could have
found in the wide world.”
The fact had been noised abroad, and the marriage was quite
largely attended. It provoked various comments. I think there were
some who did envy Jennie Ryder her good fortune, and many who
rejoiced in it. Still there was a feeling that Richard’s mother would not
quite approve. He had written to her and Kate, not giving them time
to answer by the marriage date.
I felt my own heart beat as I stood there so still and solemn. There
was a great awe in going out of the old life and putting on the new,
belonging to yourself one moment, and the next having the sense of
ownership irrevocably taken away. I shivered a little wondering how
any one could be glad to do it. Some day Fan would stand there, and
I would feel her gone out of my life.
Then Mrs. Whitcomb had to return to get the house in order. Louis
expected to enter Columbia College. Stephen thought it better on
account of his health, and the home influence. Stuart would be away
another year.
Enclosed in her letter was a note to mamma. Would it be
agreeable for Louis to spend a week or ten days with us? He was
very anxious so to do.
“Of course,” answered mamma.
Indeed we were pleased with the opportunity of seeing him.
Somehow he had become quite a hero in our eyes.
I really do not think I should have known him elsewhere. I was up
in my room sitting on the low window-sill in the breeze, reading a
magazine. The blinds were tied a little apart, bowed, and as I heard
the gate click I looked down. He was nearly as tall as Stephen, and
though slender had filled out to a certain manly roundness. He
nodded to some one, threw back his head and laughed, and he was
positively handsome. His complexion was dark but no longer sallow,
it had the bronze tint of exposure and a healthful red in the cheeks.
His black hair was cropped pretty close, but it showed his broad
forehead, and there was a tiny line of dark moustache that
contrasted with the fresh scarlet of his lips.
I ran down. Mamma and Edith were on the porch. I do really
believe that mamma had been kissing him, at all events his face was
flushed and his eyes had a soft, dewy look.
“You are the same, you haven’t altered a bit! It was so good of you
to let me come.”
“Why, we wanted to see you,” replied mamma.
He was still holding my hands, and I could not help blushing under
his steady gaze.
“But you have grown and changed out of all reason.”
“Minnesota did that! For the first time in my life I am not absolutely
scrawny! We had such a splendid tour! Stephen was just royal, as
much of a boy as either of us. We have climbed mountains, camped
out, hunted and fished and everything! I did not want to come back.”
“I am glad to see you so much improved,” and mamma glanced
him over with a sort of motherly pride.
He sat down on the step at her feet, and began to play with Edith
who affected baby shyness. We did not have him long to ourselves
though, for Nelly came and in a moment or two the children. They
were all surprised.
I watched him as he talked. He was so much more fluent and self-
possessed. It was not Stuart’s brightness, but more like Stephen’s
reliance, and a peculiar command of self, an earnestness that sat
well upon him.
“You cannot think how I wanted to see this place once more. How
good you were to me when I lay sick up-stairs. Miss Rose, do you
remember getting me some honeysuckle blooms one afternoon? I
shall always associate them with you. I shall be glad to the latest day
of my life that Stephen sent me here, though I made a desperate
fight to go to Lake George with some school-fellows.”
“It was fortunate that you did not, for you would have been ill in
any event,” answered mamma quietly.
“Yes. How is—everybody? And that Mr. Fairlie is married? Does
Miss Churchill come as she used?”
She was still among our best friends, we told him. Fanny was
there spending the day.
Presently papa returned and he was full of joy at the improvement.
Why, it was almost like having a boy of one’s very own! I would not
have believed that he could be so agreeable if I had not seen it, or
else I wondered if we had not made a mistake last summer.
There was supper and music after that, and Fan’s return, and the
next day papa invited him to go over the river with him, as he had a
horse and wagon. Consequently I saw nothing of him until evening.
Mamma asked me to take some grapes to a sick parishioner.
“Allow me to accompany you;” he said, getting his hat.
It was very foolish but I could not help the color coming into my
face as we walked down the path. He had such a grown-up,
gentlemanly air; he opened the gate and closed it again, and took
the outside of the walk and glanced at me in a kind of protecting
fashion.
“Do you know that you are very little?” he began presently.
“Fully five feet.”
“But then I am getting to be such a great fellow!”
I looked at him and laughed.
“What now?” and he colored suddenly.
“I was thinking—of something so absurd! Fan used to accuse me
of preaching—”
“And very good sermons they were. I may want you to preach
again.”
“I should be afraid,” glancing up at him.
He laughed then. After a moment or two another expression
crossed his face, and it grew more and more serious.
“I believe the sermons saved me. There was a time when I should
have hated to own such a thing—and from a woman, too; so you
may know how I have conquered myself.”
“The best of all victories.”
“Looking back at myself I wonder how you tolerated me last
summer. I was ill and nervous to the last degree, but I had a frightful

Full Chapter Advances in Cryptology Crypto 2020 40Th Annual International Cryptology Conference Proceedings Part I Daniele Micciancio PDF

Uploaded by

Copyright:

Available Formats

You might also like

Full Chapter Advances in Cryptology Crypto 2020 40Th Annual International Cryptology Conference Proceedings Part I Daniele Micciancio PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Full Chapter Advances in Cryptology Crypto 2020 40Th Annual International Cryptology Conference Proceedings Part I Daniele Micciancio PDF

Uploaded by

Copyright:

Available Formats

Advances in Cryptology CRYPTO 2020

40th Annual International Cryptology

Advances in Cryptology CRYPTO 2020 40th Annual

Advances in Cryptology CRYPTO 2018 38th Annual

Advances in Cryptology ASIACRYPT 2020 26th

Advances in Cryptology ASIACRYPT 2020 26th

Progress in Cryptology INDOCRYPT 2020 21st

Advances in Cryptology – ASIACRYPT 2018: 24th

Advances in Cryptology ASIACRYPT 2019 25th

Advances in Cryptology EUROCRYPT 2018 37th Annual

Editorial Board Members

ISSN 0302-9743 ISSN 1611-3349 (electronic)

© International Association for Cryptologic Research 2020

The 40th International Cryptology Conference (Crypto 2020), sponsored by the

July 2020 Daniele Micciancio

Program Committee Chairs

Giulio Malavolta Carnegie Mellon University and UC Berkeley, USA

Masayuki Abe Fabrice Benhamouda

Yilei Chen Nicholas Genise

Dakshita Khurana Pratyay Mukherjee

John Schanck Ni Trieu

Handling Adaptive Compromise for Practical Encryption Schemes . . . . . . . . 3

Overcoming Impossibility Results in Composable Security Using

Indifferentiability for Public Key Cryptosystems . . . . . . . . . . . . . . . . . . . . . 63

Quantifying the Security Cost of Migrating Protocols to Practice . . . . . . . . . 94

Symmetric and Real World Cryptography

The Memory-Tightness of Authenticated Encryption . . . . . . . . . . . . . . . . . . 127

Time-Space Tradeoffs and Short Collisions in Merkle-Damgård

The Summation-Truncation Hybrid: Reusing Discarded Bits for Free. . . . . . . 187

Security Analysis of NIST CTR-DRBG . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Security Analysis and Improvements for the IETF MLS Standard

Universally Composable Relaxed Password Authenticated Key Exchange . . . . 278

Anonymous Tokens with Private Metadata Bit . . . . . . . . . . . . . . . . . . . . . . 308

Hardware Security and Leakage Resilience

Random Probing Security: Verification, Composition, Expansion

Mode-Level vs. Implementation-Level Physical Security in Symmetric

Leakage-Resilient Key Exchange and Two-Seed Extractors . . . . . . . . . . . . . 401

Lower Bounds for Encrypted Multi-Maps and Searchable Encryption

Fast and Secure Updatable Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464

Incompressible Encodings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494

Adaptively Secure Constrained Pseudorandom Functions

Collusion Resistant Watermarkable PRFs from Standard Assumptions . . . . . . 590

Verifiable Registration-Based Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 621

Public Key Cryptography

Functional Encryption for Attribute-Weighted Sums from k-Lin . . . . . . . . . . 685

Amplifying the Security of Functional Encryption, Unconditionally . . . . . . . . 717

Dynamic Decentralized Functional Encryption . . . . . . . . . . . . . . . . . . . . . . 747

On Succinct Arguments and Witness Encryption from Groups . . . . . . . . . . . 776

Fully Deniable Interactive Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807

Chosen Ciphertext Security from Injective Trapdoor Functions . . . . . . . . . . . 836

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 867

Public Key Cryptanalysis

A Polynomial-Time Algorithm for Solving the Hidden Subset

Asymptotic Complexities of Discrete Logarithm Algorithms

Comparing the Difficulty of Factorization and Discrete Logarithm:

Breaking the Decisional Diffie-Hellman Problem for Class Group Actions

A Classification of Computational Assumptions in the Algebraic

Lattice Algorithms and Cryptanalysis