DOCSLIB.ORG

Verifiable Random Functions

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Verifiable Random Functions Verifiable Random Functions The Harvard community has made this article openly available. Please share how this access benefits you. Your story matters Citation Micali, Silvio, Michael Rabin, and Salil Vadhan. 1999. Verifiable random functions. In Proceedings of the 40th Annual Symposium on the Foundations of Computer Science (FOCS `99), 120-130. New York: IEEE Computer Society Press. Published Version http://dx.doi.org/10.1109/SFFCS.1999.814584 Citable link http://nrs.harvard.edu/urn-3:HUL.InstRepos:5028196 Terms of Use This article was downloaded from Harvard University’s DASH repository, and is made available under the terms and conditions applicable to Other Posted Material, as set forth at http:// nrs.harvard.edu/urn-3:HUL.InstRepos:dash.current.terms-of- use#LAA Verifiable Random Functions y z Silvio Micali Michael Rabin Salil Vadhan Abstract random string of the proper length. The possibility thus ex- ists that, if it so suits him, the party knowing the seed s may We efficiently combine unpredictability and verifiability by declare that the value of his pseudorandom oracle at some x f x extending the Goldreich–Goldwasser–Micali construction point is other than s without fear of being detected. It f s of pseudorandom functions s from a secret seed , so that is for this reason that we refer to these objects as “pseudo- s f knowledge of not only enables one to evaluate s at any random oracles” rather than using the standard terminology f x x NP point , but also to provide an -proof that the value “pseudorandom functions” — the values s come “out f x s is indeed correct without compromising the unpre- of the blue,” as if from an oracle, and the receiver must sim- s f dictability of s at any other point for which no such a proof ply trust that they are computed correctly from the seed . was provided. Therefore, though quite large, the applicability of pseu- dorandom oracles is limited: for instance, to settings in which (1) the “seed owner”, and thus the one evaluating 1 Introduction the pseudorandom oracle, is totally trusted; or (2) it is to the seed-owner’s advantage to evaluate his pseudorandom oracle correctly; or (3) there is absolutely nothing for the PSEUDORANDOM ORACLES. Goldreich, Goldwasser, and seed-owner to gain from being dishonest. Micali [GGM86] show how to simulate a random ora- f x One efficient way of enabling anyone to verify that s b cle from a-bit strings to -bit strings by means of a con- f x really is the value of pseudorandom oracle s at point struction using a seed, that is, a secret and short random clearly consists of publicizing the seed s. However, this string. They show that, if pseudorandom generators exist f will also destroy the unpredictability of s : anyone could [BM84, Yao82], then there exists a polynomial-time algo- f easily compute the value of s at any point. s rithm F such that, letting denote the seed, the func- We instead wish to provide a new type of pseudoran- def a b f F s f g f g tion s passes all effi- dom oracle. Informally, we want one in which the owner f cient statistical tests for oracles. That is, to an observer s of the seed can, as usual, evaluate s at any point, but 1 with sufficiently limited computational resources, accessing also prove (with an NP proof ) that the so obtained values a b g f g a random oracle from f to is provably indis- are indeed correct without compromising the unpredictabil- f s x tinguishable from accessing (as an oracle) , even if al- f ity of the value of s at any point for which no proof F s x gorithm is publicly known (provided that is still kept f of correctness for s is given. That is, given an input secret). x, the seed-owner should be able to produce in polynomial v f x proof time the value s together with a string ef- x THE PROBLEM OF CONSTRUCTING VERIFIABLE PSEUDO- ficiently proving that v is correct. The scheme should have RANDOM FUNCTIONS. By its very definition, a pseudoran- the property that a unique value v is provable as the value f x dom oracle `ala [GGM86] is not verifiable: without knowl- of s . We call such a mathematical object a verifiable edge of the seed (or any other additional information), upon (pseudo-)random function, VRF for brevity. z f receiving the value of a pseudorandom oracle s at point x, one cannot distinguish it from an independently selected A WEAKER SOLUTION: PSEUDORANDOM ORACLES + ZERO-KNOWLEDGE PROOFS. If interaction were allowed, Laboratory for Computer Science, MIT, Cambridge, MA 02139. VRFs could be constructed from GGM pseudorandom or- y Department of Applied Science, Harvard University, Cambridge, MA 02138. Work supported in part by NSF Contract CCR-9877138. acles via zero-knowledge proofs [GMR89] and a commit- z MIT Laboratory for Computer Science. 545 Technology Square. ment scheme. Indeed, as suggested in a signature scheme Cambridge, MA 02139. E-mail: [email protected]. of Bellare and Goldwasser [BG89], the owner of the seed URL: http://theory.lcs.mit.edu/˜salil. Supported by a 1 DOD/NDSEG fellowship and partially by DARPA grant DABT63-96-C- Strictly speaking, we actually allow “MA proofs”, since their verifi- 0018. cation may be probabilistic. s f c to a pseudorandom oracle s can publish a commitment changed. But VRFs may also be useful in settings where v to s. Whenever he wishes to prove that is the value of his the public key is provided “on the fly” to prove that vari- V oracle at a point x to a verifier , he proves in zero knowl- ous function values (given previously or at the same time) V v f x c s edge to that s and that is a commitment to . are indeed consistent with one single VRF. In case the VRF Such a statement is provable in zero knowledge because all outputs strings longer than the public key, it may even be NP statements are provable in zero knowledge [GMW91]. useful to provide the public key on the fly to prove that The trouble with such an approach is that it requires inter- a single value is consistent with some VRF, as this would action. A very efficient incarnation of this idea is given by limit the owner to relatively few choices. Naor and Reingold [NR97], but it still suffers from the need In addition to introducing this notion, we provide an ex- for interaction. plicit VRF construction, based on a variant of the RSA as- Such interaction could be removed by using noninter- sumption. Informally stated, we prove: active zero-knowledge proofs (NIZK) [BFM88, BDMP91], as done by Bellare and Goldwasser [BG89]. This ap- Main Theorem: Assume that the RSA function with proach however suffers from another drawback: noninterac- large prime exponents cannot be inverted in polyno- g tive zero-knowledge proofs presuppose that the prover and mial time. Then, there exists a VRF from f into g verifier share a bit-string that is guaranteed to be random. f . So the question is who is to select this shared random string R . Each of the possibilities has a deficiency that we wish to OVERVIEW OF THE CONSTRUCTION. We motivate our avoid in defining VRFs: construction by first discussing the relationship between 1. The seed owner selects R : If the seed owner selects the VRFs and secure signature schemes. In a signature scheme shared random string improperly, the soundness of the that is existentially unforgeable against a chosen message NIZK proof system is no longer guaranteed, so there attack [GMR88], the signature of a message x, denoted v f x may be many values that are “provable” as s . x SIG , is a value that is unpredictable (even given sig- 2. The verifier selects R : If the verifier selects the shared natures of chosen other messages), but verifiable (given the random string improperly, the zero-knowledge prop- proper public key). However, such schemes do not directly x SIG x erty of the NIZK proof system is no longer guaranteed. give rise to VRFs by setting f to be , for two f x v Thus, by proving s with respect to such an reasons: improperly chosen R , the prover may leak knowledge 1. There may be many valid signatures for a given string s f about the seed and s will “lose” its pseudorandom- x (violating the unique provability requirement). ness. x 2. SIG is only unpredictable, not necessarily pseudo- 3. The seed owner and verifier jointly select R by a “coin- random. flipping” protocol.: This requires interaction, which we wish to avoid. We begin by discussing the first deficiency, as it is the 4. A trusted third party selects R : We do not want to as- more serious one. Even though the definition does not guar- sume the existence of such a trusted third party. antee the uniqueness of signatures, one might hope that ex- isting signature schemes happen to have this property. How- ever, most known secure signature schemes are either prob- OUR SOLUTION. We propose a notion of VRF’s which abilistic or history dependent. Either property violates the needs neither interaction nor sharing a guaranteed ran- x the unique provability requirement: if we define f to be dom string. Rather, we only require that the owner of the x x SIG , there may be a multiplicity of signatures of and PK function f publish a public key , which can be viewed x thus a multiplicity of f values, all duly provable.
Load more

Recommended publications
  • Reproducibility and Pseudo-Determinism in Log-Space
    Reproducibility and Pseudo-determinism in Log-Space by Ofer Grossman S.B., Massachusetts Institute of Technology (2017) Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Master of Science in Electrical Engineering and Computer Science at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY May 2020 c Massachusetts Institute of Technology 2020. All rights reserved. Author...................................................................... Department of Electrical Engineering and Computer Science May 15, 2020 Certified by.................................................................. Shafi Goldwasser RSA Professor of Electrical Engineering and Computer Science Thesis Supervisor Accepted by................................................................. Leslie A. Kolodziejski Professor of Electrical Engineering and Computer Science Chair, Department Committee on Graduate Students 2 Reproducibility and Pseudo-determinism in Log-Space by Ofer Grossman Submitted to the Department of Electrical Engineering and Computer Science on May 15, 2020, in partial fulfillment of the requirements for the degree of Master of Science in Electrical Engineering and Computer Science Abstract Acuriouspropertyofrandomizedlog-spacesearchalgorithmsisthattheiroutputsareoften longer than their workspace. This leads to the question: how can we reproduce the results of a randomized log space computation without storing the output or randomness verbatim? Running the algorithm again with new
    [Show full text]
  • Tarjan Transcript Final with Timestamps
    A.M. Turing Award Oral History Interview with Robert (Bob) Endre Tarjan by Roy Levin San Mateo, California July 12, 2017 Levin: My name is Roy Levin. Today is July 12th, 2017, and I’m in San Mateo, California at the home of Robert Tarjan, where I’ll be interviewing him for the ACM Turing Award Winners project. Good afternoon, Bob, and thanks for spending the time to talk to me today. Tarjan: You’re welcome. Levin: I’d like to start by talking about your early technical interests and where they came from. When do you first recall being interested in what we might call technical things? Tarjan: Well, the first thing I would say in that direction is my mom took me to the public library in Pomona, where I grew up, which opened up a huge world to me. I started reading science fiction books and stories. Originally, I wanted to be the first person on Mars, that was what I was thinking, and I got interested in astronomy, started reading a lot of science stuff. I got to junior high school and I had an amazing math teacher. His name was Mr. Wall. I had him two years, in the eighth and ninth grade. He was teaching the New Math to us before there was such a thing as “New Math.” He taught us Peano’s axioms and things like that. It was a wonderful thing for a kid like me who was really excited about science and mathematics and so on. The other thing that happened was I discovered Scientific American in the public library and started reading Martin Gardner’s columns on mathematical games and was completely fascinated.
    [Show full text]
  • Fault-Tolerant Distributed Computing in Full-Information Networks
    Fault-Tolerant Distributed Computing in Full-Information Networks Shafi Goldwasser∗ Elan Pavlov Vinod Vaikuntanathan∗ CSAIL, MIT MIT CSAIL, MIT Cambridge MA, USA Cambridge MA, USA Cambridge MA, USA December 15, 2006 Abstract In this paper, we use random-selection protocols in the full-information model to solve classical problems in distributed computing. Our main results are the following: • An O(log n)-round randomized Byzantine Agreement (BA) protocol in a synchronous full-information n network tolerating t < 3+ faulty players (for any constant > 0). As such, our protocol is asymp- totically optimal in terms of fault-tolerance. • An O(1)-round randomized BA protocol in a synchronous full-information network tolerating t = n O( (log n)1.58 ) faulty players. • A compiler that converts any randomized protocol Πin designed to tolerate t fail-stop faults, where the n source of randomness of Πin is an SV-source, into a protocol Πout that tolerates min(t, 3 ) Byzantine ∗ faults. If the round-complexity of Πin is r, that of Πout is O(r log n). Central to our results is the development of a new tool, “audited protocols”. Informally “auditing” is a transformation that converts any protocol that assumes built-in broadcast channels into one that achieves a slightly weaker guarantee, without assuming broadcast channels. We regard this as a tool of independent interest, which could potentially find applications in the design of simple and modular randomized distributed algorithms. ∗Supported by NSF grants CNS-0430450 and CCF0514167. 1 1 Introduction The problem of how n players, some of who may be faulty, can make a common random selection in a set, has received much attention.
    [Show full text]
  • Single-To-Multi-Theorem Transformations for Non-Interactive Statistical Zero-Knowledge
    Single-to-Multi-Theorem Transformations for Non-Interactive Statistical Zero-Knowledge Marc Fischlin Felix Rohrbach Cryptoplexity, Technische Universität Darmstadt, Germany www.cryptoplexity.de [email protected] [email protected] Abstract. Non-interactive zero-knowledge proofs or arguments allow a prover to show validity of a statement without further interaction. For non-trivial statements such protocols require a setup assumption in form of a common random or reference string (CRS). Generally, the CRS can only be used for one statement (single-theorem zero-knowledge) such that a fresh CRS would need to be generated for each proof. Fortunately, Feige, Lapidot and Shamir (FOCS 1990) presented a transformation for any non-interactive zero-knowledge proof system that allows the CRS to be reused any polynomial number of times (multi-theorem zero-knowledge). This FLS transformation, however, is only known to work for either computational zero-knowledge or requires a structured, non-uniform common reference string. In this paper we present FLS-like transformations that work for non-interactive statistical zero-knowledge arguments in the common random string model. They allow to go from single-theorem to multi-theorem zero-knowledge and also preserve soundness, for both properties in the adaptive and non-adaptive case. Our first transformation is based on the general assumption that one-way permutations exist, while our second transformation uses lattice-based assumptions. Additionally, we define different possible soundness notions for non-interactive arguments and discuss their relationships. Keywords. Non-interactive arguments, statistical zero-knowledge, soundness, transformation, one-way permutation, lattices, dual-mode commitments 1 Introduction In a non-interactive proof for a language L the prover P shows validity of some theorem x ∈ L via a proof π based on a common string crs chosen by some external setup procedure.
    [Show full text]
  • 1 Introduction
    Logic Activities in Europ e y Yuri Gurevich Intro duction During Fall thanks to ONR I had an opp ortunity to visit a fair numb er of West Eu rop ean centers of logic research I tried to learn more ab out logic investigations and appli cations in Europ e with the hop e that my exp erience may b e useful to American researchers This rep ort is concerned only with logic activities related to computer science and Europ e here means usually Western Europ e one can learn only so much in one semester The idea of such a visit may seem ridiculous to some The mo dern world is quickly growing into a global village There is plenty of communication b etween Europ e and the US Many Europ ean researchers visit the US and many American researchers visit Europ e Neither Americans nor Europ eans make secret of their logic research Quite the opp osite is true They advertise their research From ESPRIT rep orts the Bulletin of Europ ean Asso ciation for Theoretical Computer Science the Newsletter of Europ ean Asso ciation for Computer Science Logics publications of Europ ean Foundation for Logic Language and Information publications of particular Europ ean universities etc one can get a go o d idea of what is going on in Europ e and who is doing what Some Europ ean colleagues asked me jokingly if I was on a reconnaissance mission Well sometimes a cow wants to suckle more than the calf wants to suck a Hebrew proverb It is amazing however how dierent computer science is esp ecially theoretical com puter science in Europ e and the US American theoretical
    [Show full text]
  • Concurrent Non-Malleable Zero Knowledge Proofs
    Concurrent Non-Malleable Zero Knowledge Proofs Huijia Lin?, Rafael Pass??, Wei-Lung Dustin Tseng???, and Muthuramakrishnan Venkitasubramaniam Cornell University, {huijia,rafael,wdtseng,vmuthu}@cs.cornell.edu Abstract. Concurrent non-malleable zero-knowledge (NMZK) consid- ers the concurrent execution of zero-knowledge protocols in a setting where the attacker can simultaneously corrupt multiple provers and ver- ifiers. Barak, Prabhakaran and Sahai (FOCS’06) recently provided the first construction of a concurrent NMZK protocol without any set-up assumptions. Their protocol, however, is only computationally sound (a.k.a., a concurrent NMZK argument). In this work we present the first construction of a concurrent NMZK proof without any set-up assump- tions. Our protocol requires poly(n) rounds assuming one-way functions, or O~(log n) rounds assuming collision-resistant hash functions. As an additional contribution, we improve the round complexity of con- current NMZK arguments based on one-way functions (from poly(n) to O~(log n)), and achieve a near linear (instead of cubic) security reduc- tions. Taken together, our results close the gap between concurrent ZK protocols and concurrent NMZK protocols (in terms of feasibility, round complexity, hardness assumptions, and tightness of the security reduc- tion). 1 Introduction Zero-knowledge (ZK) interactive proofs [GMR89] are fundamental constructs that allow the Prover to convince the Verifier of the validity of a mathematical statement x 2 L, while providing zero additional knowledge to the Verifier. Con- current ZK, first introduced and achieved by Dwork, Naor and Sahai [DNS04], considers the execution of zero-knowledge protocols in an asynchronous and con- current setting.
    [Show full text]
  • FOCS 2005 Program SUNDAY October 23, 2005
    FOCS 2005 Program SUNDAY October 23, 2005 Talks in Grand Ballroom, 17th floor Session 1: 8:50am – 10:10am Chair: Eva´ Tardos 8:50 Agnostically Learning Halfspaces Adam Kalai, Adam Klivans, Yishay Mansour and Rocco Servedio 9:10 Noise stability of functions with low influences: invari- ance and optimality The 46th Annual IEEE Symposium on Elchanan Mossel, Ryan O’Donnell and Krzysztof Foundations of Computer Science Oleszkiewicz October 22-25, 2005 Omni William Penn Hotel, 9:30 Every decision tree has an influential variable Pittsburgh, PA Ryan O’Donnell, Michael Saks, Oded Schramm and Rocco Servedio Sponsored by the IEEE Computer Society Technical Committee on Mathematical Foundations of Computing 9:50 Lower Bounds for the Noisy Broadcast Problem In cooperation with ACM SIGACT Navin Goyal, Guy Kindler and Michael Saks Break 10:10am – 10:30am FOCS ’05 gratefully acknowledges financial support from Microsoft Research, Yahoo! Research, and the CMU Aladdin center Session 2: 10:30am – 12:10pm Chair: Satish Rao SATURDAY October 22, 2005 10:30 The Unique Games Conjecture, Integrality Gap for Cut Problems and Embeddability of Negative Type Metrics Tutorials held at CMU University Center into `1 [Best paper award] Reception at Omni William Penn Hotel, Monongahela Room, Subhash Khot and Nisheeth Vishnoi 17th floor 10:50 The Closest Substring problem with small distances Tutorial 1: 1:30pm – 3:30pm Daniel Marx (McConomy Auditorium) Chair: Irit Dinur 11:10 Fitting tree metrics: Hierarchical clustering and Phy- logeny Subhash Khot Nir Ailon and Moses Charikar On the Unique Games Conjecture 11:30 Metric Embeddings with Relaxed Guarantees Break 3:30pm – 4:00pm Ittai Abraham, Yair Bartal, T-H.
    [Show full text]
  • Magic Adversaries Versus Individual Reduction: Science Wins Either Way ?
    Magic Adversaries Versus Individual Reduction: Science Wins Either Way ? Yi Deng1;2 1 SKLOIS, Institute of Information Engineering, CAS, Beijing, P.R.China 2 State Key Laboratory of Cryptology, P. O. Box 5159, Beijing ,100878,China [email protected] Abstract. We prove that, assuming there exists an injective one-way function f, at least one of the following statements is true: – (Infinitely-often) Non-uniform public-key encryption and key agreement exist; – The Feige-Shamir protocol instantiated with f is distributional concurrent zero knowledge for a large class of distributions over any OR NP-relations with small distinguishability gap. The questions of whether we can achieve these goals are known to be subject to black-box lim- itations. Our win-win result also establishes an unexpected connection between the complexity of public-key encryption and the round-complexity of concurrent zero knowledge. As the main technical contribution, we introduce a dissection procedure for concurrent ad- versaries, which enables us to transform a magic concurrent adversary that breaks the distribu- tional concurrent zero knowledge of the Feige-Shamir protocol into non-black-box construc- tions of (infinitely-often) public-key encryption and key agreement. This dissection of complex algorithms gives insight into the fundamental gap between the known universal security reductions/simulations, in which a single reduction algorithm or simu- lator works for all adversaries, and the natural security definitions (that are sufficient for almost all cryptographic primitives/protocols), which switch the order of qualifiers and only require that for every adversary there exists an individual reduction or simulator. 1 Introduction The seminal work of Impagliazzo and Rudich [IR89] provides a methodology for studying the lim- itations of black-box reductions.
    [Show full text]
  • Secure Multi-Party Computation in Practice
    SECURE MULTI-PARTY COMPUTATION IN PRACTICE Marcella Christine Hastings A DISSERTATION in Computer and Information Science Presented to the Faculties of the University of Pennsylvania in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy 2021 Supervisor of Dissertation Nadia Heninger Adjunct Associate Professor, University of Pennsylvania Associate Professor, University of California, San Diego Graduate Group Chairperson Mayur Naik Professor and Computer and Information Science Graduate Group Chair Dissertation Committee Brett Hemenway Falk, Research Assistant Professor Stephan A. Zdancewic, Professor Sebastian Angel, Raj and Neera Singh Term Assistant Professor abhi shelat, Associate Professor at Khoury College of Computer Sciences, Northeastern University ACKNOWLEDGMENT This dissertation would have been much less pleasant to produce without the presence of many people in my life. I would like to thank my advisor and my dissertation committee for their helpful advice, direction, and long-distance phone calls over the past six years. I would like to thank my fellow PhD students at the University of Pennsylvania, especially the ever-changing but consistently lovely office mates in the Distributed Systems Laboratory and my cohort. Our shared tea-time, cookies, disappointments, and achievements provided an essential community that brought me great joy during my time at Penn. I would like to thank the mentors and colleagues who hosted me at the Security and Privacy Lab at the University of Washington in 2018, the Software & Application Innovation Lab at Boston University in 2019, and the Cryptography and Privacy Research group at Microsoft Research in 2020. My career and happiness greatly benefited from spending these summers exploring fresh research directions and rediscovering the world outside my own work.
    [Show full text]
  • A Decade of Lattice Cryptography
    Full text available at: http://dx.doi.org/10.1561/0400000074 A Decade of Lattice Cryptography Chris Peikert Computer Science and Engineering University of Michigan, United States Boston — Delft Full text available at: http://dx.doi.org/10.1561/0400000074 Foundations and Trends R in Theoretical Computer Science Published, sold and distributed by: now Publishers Inc. PO Box 1024 Hanover, MA 02339 United States Tel. +1-781-985-4510 www.nowpublishers.com [email protected] Outside North America: now Publishers Inc. PO Box 179 2600 AD Delft The Netherlands Tel. +31-6-51115274 The preferred citation for this publication is C. Peikert. A Decade of Lattice Cryptography. Foundations and Trends R in Theoretical Computer Science, vol. 10, no. 4, pp. 283–424, 2014. R This Foundations and Trends issue was typeset in LATEX using a class file designed by Neal Parikh. Printed on acid-free paper. ISBN: 978-1-68083-113-9 c 2016 C. Peikert All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, mechanical, photocopying, recording or otherwise, without prior written permission of the publishers. Photocopying. In the USA: This journal is registered at the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923. Authorization to photocopy items for in- ternal or personal use, or the internal or personal use of specific clients, is granted by now Publishers Inc for users registered with the Copyright Clearance Center (CCC). The ‘services’ for users can be found on the internet at: www.copyright.com For those organizations that have been granted a photocopy license, a separate system of payment has been arranged.
    [Show full text]
  • Jeremiah Blocki
    Jeremiah Blocki Current Position (August 2016 to present) Phone: (765) 494-9432 Assistant Professor Office: 1165 Lawson Computer Science Building Computer Science Department Email: [email protected] Purdue University Homepage: https://www.cs.purdue.edu/people/faculty/jblocki/ West Lafayette, IN 47907 Previous Positions (August 2015 - June 2016) (May 2015-August 2015) (June 2014-May 2015) Post-Doctoral Researcher Cryptography Research Fellow Post-Doctoral Fellow Microsoft Research Simons Institute Computer Science Department New England Lab (Summer of Cryptography) Carnegie Mellon University Cambridge, MA UC Berkeley Pittsburgh, PA 15213 Berkeley, CA Education Ph.D. in Computer Science, Carnegie Mellon University, 2014. Advisors: Manuel Blum and Anupam Datta. Committee: Manuel Blum, Anupam Datta, Luis Von Ahn, Ron Rivest Thesis Title: Usable Human Authentication: A Quantitative Treatment B.S. in Computer Science, Carnegie Mellon University, 2009. (3.92 GPA). Senior Research Thesis: Direct Zero-Knowledge Proofs Allen Newell Award for Excellence in Undergraduate Research Research Research Interests Passwords, Usable and Secure Password Management, Human Computable Cryptography, Password Hash- ing, Memory Hard Functions, Differential Privacy, Game Theory and Security Journal Publications 1. Blocki, J., Gandikota, V., Grigorescu, G. and Zhou, S. Relaxed Locally Correctable Codes in Computa- tionally Bounded Channels. IEEE Transactions on Information Theory, 2021. [https://ieeexplore. ieee.org/document/9417090] 2. Harsha, B., Morton, R., Blocki, J., Springer, J. and Dark, M. Bicycle Attacks Consider Harmful: Quantifying the Damage of Widespread Password Length Leakage. Computers & Security, Volume 100, 2021. [https://doi.org/10.1016/j.cose.2020.102068] 3. Chong, I., Proctor, R., Li, N. and Blocki, J. Surviving in the Digital Environment: Does Survival Processing Provide and Additional Memory Benefit to Password Generation Strategies.
    [Show full text]
  • Hard Communication Channels for Steganography
    Hard Communication Channels for Steganography Sebastian Berndt1 and Maciej Liśkiewicz2 1 University of Lübeck, Lübeck, Germany [email protected] 2 University of Lübeck, Lübeck, Germany [email protected] Abstract This paper considers steganography – the concept of hiding the presence of secret messages in legal communications – in the computational setting and its relation to cryptography. Very re- cently the first (non-polynomial time) steganographic protocol has been shown which, for any communication channel, is provably secure, reliable, and has nearly optimal bandwidth. The security is unconditional, i.e. it does not rely on any unproven complexity-theoretic assumption. This disproves the claim that the existence of one-way functions and access to a communication channel oracle are both necessary and sufficient conditions for the existence of secure steganogra- phy in the sense that secure and reliable steganography exists independently of the existence of one-way functions. In this paper, we prove that this equivalence also does not hold in the more realistic setting, where the stegosystem is polynomial time bounded. We prove this by construct- ing (a) a channel for which secure steganography exists if and only if one-way functions exist and (b) another channel such that secure steganography implies that no one-way functions exist. We therefore show that security-preserving reductions between cryptography and steganography need to be treated very carefully. 1998 ACM Subject Classification E.3 Data Encryption Keywords and phrases provable secure steganography, cryptographic assumptions, pseudoran- dom functions, one-way functions, signature schemes Digital Object Identifier 10.4230/LIPIcs.ISAAC.2016.16 1 Introduction Digital steganography has recently received substantial interest in modern computer science since it allows secret communication without revealing its presence.
    [Show full text]