---
_id: '14428'
abstract:
- lang: eng
text: "Suppose we have two hash functions h1 and h2, but we trust the security of
only one of them. To mitigate this worry, we wish to build a hash combiner Ch1,h2
which is secure so long as one of the underlying hash functions is. This question
has been well-studied in the regime of collision resistance. In this case, concatenating
the two hash function outputs clearly works. Unfortunately, a long series of works
(Boneh and Boyen, CRYPTO’06; Pietrzak, Eurocrypt’07; Pietrzak, CRYPTO’08) showed
no (noticeably) shorter combiner for collision resistance is possible.\r\nIn this
work, we revisit this pessimistic state of affairs, motivated by the observation
that collision-resistance is insufficient for many interesting applications of
cryptographic hash functions anyway. We argue the right formulation of the “hash
combiner” is to build what we call random oracle (RO) combiners, utilizing stronger
assumptions for stronger constructions.\r\nIndeed, we circumvent the previous
lower bounds for collision resistance by constructing a simple length-preserving
RO combiner C˜h1,h2Z1,Z2(M)=h1(M,Z1)⊕h2(M,Z2),where Z1,Z2\r\n are random salts
of appropriate length. We show that this extra randomness is necessary for RO
combiners, and indeed our construction is somewhat tight with this lower bound.\r\nOn
the negative side, we show that one cannot generically apply the composition theorem
to further replace “monolithic” hash functions h1 and h2 by some simpler indifferentiable
construction (such as the Merkle-Damgård transformation) from smaller components,
such as fixed-length compression functions. Finally, despite this issue, we directly
prove collision resistance of the Merkle-Damgård variant of our combiner, where
h1 and h2 are replaced by iterative Merkle-Damgård hashes applied to a fixed-length
compression function. Thus, we can still subvert the concatenation barrier for
collision-resistance combiners while utilizing practically small fixed-length
components underneath."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Yevgeniy
full_name: Dodis, Yevgeniy
last_name: Dodis
- first_name: Niels
full_name: Ferguson, Niels
last_name: Ferguson
- first_name: Eli
full_name: Goldin, Eli
last_name: Goldin
- first_name: Peter
full_name: Hall, Peter
last_name: Hall
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Dodis Y, Ferguson N, Goldin E, Hall P, Pietrzak KZ. Random oracle combiners:
Breaking the concatenation barrier for collision-resistance. In: 43rd Annual
International Cryptology Conference. Vol 14082. Springer Nature; 2023:514-546.
doi:10.1007/978-3-031-38545-2_17'
apa: 'Dodis, Y., Ferguson, N., Goldin, E., Hall, P., & Pietrzak, K. Z. (2023).
Random oracle combiners: Breaking the concatenation barrier for collision-resistance.
In 43rd Annual International Cryptology Conference (Vol. 14082, pp. 514–546).
Santa Barbara, CA, United States: Springer Nature. https://doi.org/10.1007/978-3-031-38545-2_17'
chicago: 'Dodis, Yevgeniy, Niels Ferguson, Eli Goldin, Peter Hall, and Krzysztof
Z Pietrzak. “Random Oracle Combiners: Breaking the Concatenation Barrier for Collision-Resistance.”
In 43rd Annual International Cryptology Conference, 14082:514–46. Springer
Nature, 2023. https://doi.org/10.1007/978-3-031-38545-2_17.'
ieee: 'Y. Dodis, N. Ferguson, E. Goldin, P. Hall, and K. Z. Pietrzak, “Random oracle
combiners: Breaking the concatenation barrier for collision-resistance,” in 43rd
Annual International Cryptology Conference, Santa Barbara, CA, United States,
2023, vol. 14082, pp. 514–546.'
ista: 'Dodis Y, Ferguson N, Goldin E, Hall P, Pietrzak KZ. 2023. Random oracle combiners:
Breaking the concatenation barrier for collision-resistance. 43rd Annual International
Cryptology Conference. CRYPTO: Advances in Cryptology, LNCS, vol. 14082, 514–546.'
mla: 'Dodis, Yevgeniy, et al. “Random Oracle Combiners: Breaking the Concatenation
Barrier for Collision-Resistance.” 43rd Annual International Cryptology Conference,
vol. 14082, Springer Nature, 2023, pp. 514–46, doi:10.1007/978-3-031-38545-2_17.'
short: Y. Dodis, N. Ferguson, E. Goldin, P. Hall, K.Z. Pietrzak, in:, 43rd Annual
International Cryptology Conference, Springer Nature, 2023, pp. 514–546.
conference:
end_date: 2023-08-24
location: Santa Barbara, CA, United States
name: 'CRYPTO: Advances in Cryptology'
start_date: 2023-08-20
corr_author: '1'
date_created: 2023-10-15T22:01:11Z
date_published: 2023-08-09T00:00:00Z
date_updated: 2025-09-09T13:06:18Z
day: '09'
department:
- _id: KrPi
doi: 10.1007/978-3-031-38545-2_17
external_id:
isi:
- '001314616100017'
intvolume: ' 14082'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2023/1041
month: '08'
oa: 1
oa_version: Preprint
page: 514-546
publication: 43rd Annual International Cryptology Conference
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031385445'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'Random oracle combiners: Breaking the concatenation barrier for collision-resistance'
type: conference
user_id: 317138e5-6ab7-11ef-aa6d-ffef3953e345
volume: 14082
year: '2023'
...
---
_id: '14454'
abstract:
- lang: eng
text: As AI and machine-learned software are used increasingly for making decisions
that affect humans, it is imperative that they remain fair and unbiased in their
decisions. To complement design-time bias mitigation measures, runtime verification
techniques have been introduced recently to monitor the algorithmic fairness of
deployed systems. Previous monitoring techniques assume full observability of
the states of the (unknown) monitored system. Moreover, they can monitor only
fairness properties that are specified as arithmetic expressions over the probabilities
of different events. In this work, we extend fairness monitoring to systems modeled
as partially observed Markov chains (POMC), and to specifications containing arithmetic
expressions over the expected values of numerical functions on event sequences.
The only assumptions we make are that the underlying POMC is aperiodic and starts
in the stationary distribution, with a bound on its mixing time being known. These
assumptions enable us to estimate a given property for the entire distribution
of possible executions of the monitored POMC, by observing only a single execution.
Our monitors observe a long run of the system and, after each new observation,
output updated PAC-estimates of how fair or biased the system is. The monitors
are computationally lightweight and, using a prototype implementation, we demonstrate
their effectiveness on several real-world examples.
acknowledgement: 'This work is supported by the European Research Council under Grant
No.: ERC-2020-AdG 101020093.'
alternative_title:
- LNCS
article_processing_charge: No
arxiv: 1
author:
- first_name: Thomas A
full_name: Henzinger, Thomas A
id: 40876CD8-F248-11E8-B48F-1D18A9856A87
last_name: Henzinger
orcid: 0000-0002-2985-7724
- first_name: Konstantin
full_name: Kueffner, Konstantin
id: 8121a2d0-dc85-11ea-9058-af578f3b4515
last_name: Kueffner
orcid: 0000-0001-8974-2542
- first_name: Kaushik
full_name: Mallik, Kaushik
id: 0834ff3c-6d72-11ec-94e0-b5b0a4fb8598
last_name: Mallik
orcid: 0000-0001-9864-7475
citation:
ama: 'Henzinger TA, Kueffner K, Mallik K. Monitoring algorithmic fairness under
partial observations. In: 23rd International Conference on Runtime Verification.
Vol 14245. Springer Nature; 2023:291-311. doi:10.1007/978-3-031-44267-4_15'
apa: 'Henzinger, T. A., Kueffner, K., & Mallik, K. (2023). Monitoring algorithmic
fairness under partial observations. In 23rd International Conference on Runtime
Verification (Vol. 14245, pp. 291–311). Thessaloniki, Greece: Springer Nature.
https://doi.org/10.1007/978-3-031-44267-4_15'
chicago: Henzinger, Thomas A, Konstantin Kueffner, and Kaushik Mallik. “Monitoring
Algorithmic Fairness under Partial Observations.” In 23rd International Conference
on Runtime Verification, 14245:291–311. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-44267-4_15.
ieee: T. A. Henzinger, K. Kueffner, and K. Mallik, “Monitoring algorithmic fairness
under partial observations,” in 23rd International Conference on Runtime Verification,
Thessaloniki, Greece, 2023, vol. 14245, pp. 291–311.
ista: 'Henzinger TA, Kueffner K, Mallik K. 2023. Monitoring algorithmic fairness
under partial observations. 23rd International Conference on Runtime Verification.
RV: Conference on Runtime Verification, LNCS, vol. 14245, 291–311.'
mla: Henzinger, Thomas A., et al. “Monitoring Algorithmic Fairness under Partial
Observations.” 23rd International Conference on Runtime Verification, vol.
14245, Springer Nature, 2023, pp. 291–311, doi:10.1007/978-3-031-44267-4_15.
short: T.A. Henzinger, K. Kueffner, K. Mallik, in:, 23rd International Conference
on Runtime Verification, Springer Nature, 2023, pp. 291–311.
conference:
end_date: 2023-10-06
location: Thessaloniki, Greece
name: 'RV: Conference on Runtime Verification'
start_date: 2023-10-03
corr_author: '1'
date_created: 2023-10-29T23:01:15Z
date_published: 2023-10-01T00:00:00Z
date_updated: 2025-04-14T07:55:55Z
day: '01'
department:
- _id: ToHe
doi: 10.1007/978-3-031-44267-4_15
ec_funded: 1
external_id:
arxiv:
- '2308.00341'
intvolume: ' 14245'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://doi.org/10.48550/arXiv.2308.00341
month: '10'
oa: 1
oa_version: Preprint
page: 291-311
project:
- _id: 62781420-2b32-11ec-9570-8d9b63373d4d
call_identifier: H2020
grant_number: '101020093'
name: Vigilant Algorithmic Monitoring of Software
publication: 23rd International Conference on Runtime Verification
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031442667'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Monitoring algorithmic fairness under partial observations
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 14245
year: '2023'
...
---
_id: '14456'
abstract:
- lang: eng
text: In this paper, we present novel algorithms that efficiently compute a shortest
reconfiguration sequence between two given dominating sets in trees and interval
graphs under the TOKEN SLIDING model. In this problem, a graph is provided along
with its two dominating sets, which can be imagined as tokens placed on vertices.
The objective is to find a shortest sequence of dominating sets that transforms
one set into the other, with each set in the sequence resulting from sliding a
single token in the previous set. While identifying any sequence has been well
studied, our work presents the first polynomial algorithms for this optimization
variant in the context of dominating sets.
alternative_title:
- LNCS
article_processing_charge: No
arxiv: 1
author:
- first_name: Jan Matyáš
full_name: Křišťan, Jan Matyáš
last_name: Křišťan
- first_name: Jakub
full_name: Svoboda, Jakub
id: 130759D2-D7DD-11E9-87D2-DE0DE6697425
last_name: Svoboda
orcid: 0000-0002-1419-3267
citation:
ama: 'Křišťan JM, Svoboda J. Shortest dominating set reconfiguration under token
sliding. In: 24th International Symposium on Fundamentals of Computation Theory.
Vol 14292. Springer Nature; 2023:333-347. doi:10.1007/978-3-031-43587-4_24'
apa: 'Křišťan, J. M., & Svoboda, J. (2023). Shortest dominating set reconfiguration
under token sliding. In 24th International Symposium on Fundamentals of Computation
Theory (Vol. 14292, pp. 333–347). Trier, Germany: Springer Nature. https://doi.org/10.1007/978-3-031-43587-4_24'
chicago: Křišťan, Jan Matyáš, and Jakub Svoboda. “Shortest Dominating Set Reconfiguration
under Token Sliding.” In 24th International Symposium on Fundamentals of Computation
Theory, 14292:333–47. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-43587-4_24.
ieee: J. M. Křišťan and J. Svoboda, “Shortest dominating set reconfiguration under
token sliding,” in 24th International Symposium on Fundamentals of Computation
Theory, Trier, Germany, 2023, vol. 14292, pp. 333–347.
ista: 'Křišťan JM, Svoboda J. 2023. Shortest dominating set reconfiguration under
token sliding. 24th International Symposium on Fundamentals of Computation Theory.
FCT: Fundamentals of Computation Theory, LNCS, vol. 14292, 333–347.'
mla: Křišťan, Jan Matyáš, and Jakub Svoboda. “Shortest Dominating Set Reconfiguration
under Token Sliding.” 24th International Symposium on Fundamentals of Computation
Theory, vol. 14292, Springer Nature, 2023, pp. 333–47, doi:10.1007/978-3-031-43587-4_24.
short: J.M. Křišťan, J. Svoboda, in:, 24th International Symposium on Fundamentals
of Computation Theory, Springer Nature, 2023, pp. 333–347.
conference:
end_date: 2023-09-21
location: Trier, Germany
name: 'FCT: Fundamentals of Computation Theory'
start_date: 2023-09-18
date_created: 2023-10-29T23:01:16Z
date_published: 2023-09-21T00:00:00Z
date_updated: 2025-09-09T13:07:40Z
day: '21'
department:
- _id: KrCh
doi: 10.1007/978-3-031-43587-4_24
external_id:
arxiv:
- '2307.10847'
isi:
- '001162288800024'
intvolume: ' 14292'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://doi.org/10.48550/arXiv.2307.10847
month: '09'
oa: 1
oa_version: Preprint
page: 333-347
publication: 24th International Symposium on Fundamentals of Computation Theory
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031435867'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
related_material:
link:
- relation: erratum
url: https://doi.org/10.1007/978-3-031-43587-4_31
scopus_import: '1'
status: public
title: Shortest dominating set reconfiguration under token sliding
type: conference
user_id: 317138e5-6ab7-11ef-aa6d-ffef3953e345
volume: 14292
year: '2023'
...
---
_id: '14457'
abstract:
- lang: eng
text: "Threshold secret sharing allows a dealer to split a secret s into n shares,
such that any t shares allow for reconstructing s, but no t-1 shares reveal any
information about s. Leakage-resilient secret sharing requires that the secret
remains hidden, even when an adversary additionally obtains a limited amount of
leakage from every share. Benhamouda et al. (CRYPTO’18) proved that Shamir’s secret
sharing scheme is one bit leakage-resilient for reconstruction threshold t≥0.85n
and conjectured that the same holds for t = c.n for any constant 0≤c≤1. Nielsen
and Simkin (EUROCRYPT’20) showed that this is the best one can hope for by proving
that Shamir’s scheme is not secure against one-bit leakage when t0c.n/log(n).\r\nIn
this work, we strengthen the lower bound of Nielsen and Simkin. We consider noisy
leakage-resilience, where a random subset of leakages is replaced by uniformly
random noise. We prove a lower bound for Shamir’s secret sharing, similar to that
of Nielsen and Simkin, which holds even when a constant fraction of leakages is
replaced by random noise. To this end, we first prove a lower bound on the share
size of any noisy-leakage-resilient sharing scheme. We then use this lower bound
to show that there exist universal constants c1, c2, such that for sufficiently
large n it holds that Shamir’s secret sharing scheme is not noisy-leakage-resilient
for t≤c1.n/log(n), even when a c2 fraction of leakages are replaced by random
noise.\r\n\r\n\r\n\r\n"
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Charlotte
full_name: Hoffmann, Charlotte
id: 0f78d746-dc7d-11ea-9b2f-83f92091afe7
last_name: Hoffmann
orcid: 0000-0003-2027-5549
- first_name: Mark
full_name: Simkin, Mark
last_name: Simkin
citation:
ama: 'Hoffmann C, Simkin M. Stronger lower bounds for leakage-resilient secret sharing.
In: 8th International Conference on Cryptology and Information Security in
Latin America. Vol 14168. Springer Nature; 2023:215-228. doi:10.1007/978-3-031-44469-2_11'
apa: 'Hoffmann, C., & Simkin, M. (2023). Stronger lower bounds for leakage-resilient
secret sharing. In 8th International Conference on Cryptology and Information
Security in Latin America (Vol. 14168, pp. 215–228). Quito, Ecuador: Springer
Nature. https://doi.org/10.1007/978-3-031-44469-2_11'
chicago: Hoffmann, Charlotte, and Mark Simkin. “Stronger Lower Bounds for Leakage-Resilient
Secret Sharing.” In 8th International Conference on Cryptology and Information
Security in Latin America, 14168:215–28. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-44469-2_11.
ieee: C. Hoffmann and M. Simkin, “Stronger lower bounds for leakage-resilient secret
sharing,” in 8th International Conference on Cryptology and Information Security
in Latin America, Quito, Ecuador, 2023, vol. 14168, pp. 215–228.
ista: 'Hoffmann C, Simkin M. 2023. Stronger lower bounds for leakage-resilient secret
sharing. 8th International Conference on Cryptology and Information Security in
Latin America. LATINCRYPT: Cryptology and Information Security in Latin America,
LNCS, vol. 14168, 215–228.'
mla: Hoffmann, Charlotte, and Mark Simkin. “Stronger Lower Bounds for Leakage-Resilient
Secret Sharing.” 8th International Conference on Cryptology and Information
Security in Latin America, vol. 14168, Springer Nature, 2023, pp. 215–28,
doi:10.1007/978-3-031-44469-2_11.
short: C. Hoffmann, M. Simkin, in:, 8th International Conference on Cryptology and
Information Security in Latin America, Springer Nature, 2023, pp. 215–228.
conference:
end_date: 2023-10-06
location: Quito, Ecuador
name: 'LATINCRYPT: Cryptology and Information Security in Latin America'
start_date: 2023-10-03
corr_author: '1'
date_created: 2023-10-29T23:01:16Z
date_published: 2023-10-01T00:00:00Z
date_updated: 2025-09-09T13:09:21Z
day: '01'
department:
- _id: KrPi
doi: 10.1007/978-3-031-44469-2_11
external_id:
isi:
- '001157041900011'
intvolume: ' 14168'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2023/1017
month: '10'
oa: 1
oa_version: Preprint
page: 215-228
publication: 8th International Conference on Cryptology and Information Security in
Latin America
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031444685'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Stronger lower bounds for leakage-resilient secret sharing
type: conference
user_id: 317138e5-6ab7-11ef-aa6d-ffef3953e345
volume: 14168
year: '2023'
...
---
_id: '14559'
abstract:
- lang: eng
text: We consider the problem of learning control policies in discrete-time stochastic
systems which guarantee that the system stabilizes within some specified stabilization
region with probability 1. Our approach is based on the novel notion of stabilizing
ranking supermartingales (sRSMs) that we introduce in this work. Our sRSMs overcome
the limitation of methods proposed in previous works whose applicability is restricted
to systems in which the stabilizing region cannot be left once entered under any
control policy. We present a learning procedure that learns a control policy together
with an sRSM that formally certifies probability 1 stability, both learned as
neural networks. We show that this procedure can also be adapted to formally verifying
that, under a given Lipschitz continuous control policy, the stochastic system
stabilizes within some stabilizing region with probability 1. Our experimental
evaluation shows that our learning procedure can successfully learn provably stabilizing
policies in practice.
acknowledgement: This work was supported in part by the ERC-2020-AdG 101020093, ERC
CoG 863818 (FoRM-SMArt) and the European Union’s Horizon 2020 research and innovation
programme under the Marie Skłodowska-Curie Grant Agreement No. 665385.
alternative_title:
- LNCS
article_processing_charge: No
arxiv: 1
author:
- first_name: Matin
full_name: Ansaripour, Matin
last_name: Ansaripour
- first_name: Krishnendu
full_name: Chatterjee, Krishnendu
id: 2E5DCA20-F248-11E8-B48F-1D18A9856A87
last_name: Chatterjee
orcid: 0000-0002-4561-241X
- first_name: Thomas A
full_name: Henzinger, Thomas A
id: 40876CD8-F248-11E8-B48F-1D18A9856A87
last_name: Henzinger
orcid: 0000-0002-2985-7724
- first_name: Mathias
full_name: Lechner, Mathias
id: 3DC22916-F248-11E8-B48F-1D18A9856A87
last_name: Lechner
- first_name: Dorde
full_name: Zikelic, Dorde
id: 294AA7A6-F248-11E8-B48F-1D18A9856A87
last_name: Zikelic
orcid: 0000-0002-4681-1699
citation:
ama: 'Ansaripour M, Chatterjee K, Henzinger TA, Lechner M, Zikelic D. Learning provably
stabilizing neural controllers for discrete-time stochastic systems. In: 21st
International Symposium on Automated Technology for Verification and Analysis.
Vol 14215. Springer Nature; 2023:357-379. doi:10.1007/978-3-031-45329-8_17'
apa: 'Ansaripour, M., Chatterjee, K., Henzinger, T. A., Lechner, M., & Zikelic,
D. (2023). Learning provably stabilizing neural controllers for discrete-time
stochastic systems. In 21st International Symposium on Automated Technology
for Verification and Analysis (Vol. 14215, pp. 357–379). Singapore, Singapore:
Springer Nature. https://doi.org/10.1007/978-3-031-45329-8_17'
chicago: Ansaripour, Matin, Krishnendu Chatterjee, Thomas A Henzinger, Mathias Lechner,
and Dorde Zikelic. “Learning Provably Stabilizing Neural Controllers for Discrete-Time
Stochastic Systems.” In 21st International Symposium on Automated Technology
for Verification and Analysis, 14215:357–79. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-45329-8_17.
ieee: M. Ansaripour, K. Chatterjee, T. A. Henzinger, M. Lechner, and D. Zikelic,
“Learning provably stabilizing neural controllers for discrete-time stochastic
systems,” in 21st International Symposium on Automated Technology for Verification
and Analysis, Singapore, Singapore, 2023, vol. 14215, pp. 357–379.
ista: 'Ansaripour M, Chatterjee K, Henzinger TA, Lechner M, Zikelic D. 2023. Learning
provably stabilizing neural controllers for discrete-time stochastic systems.
21st International Symposium on Automated Technology for Verification and Analysis.
ATVA: Automated Technology for Verification and Analysis, LNCS, vol. 14215, 357–379.'
mla: Ansaripour, Matin, et al. “Learning Provably Stabilizing Neural Controllers
for Discrete-Time Stochastic Systems.” 21st International Symposium on Automated
Technology for Verification and Analysis, vol. 14215, Springer Nature, 2023,
pp. 357–79, doi:10.1007/978-3-031-45329-8_17.
short: M. Ansaripour, K. Chatterjee, T.A. Henzinger, M. Lechner, D. Zikelic, in:,
21st International Symposium on Automated Technology for Verification and Analysis,
Springer Nature, 2023, pp. 357–379.
conference:
end_date: 2023-10-27
location: Singapore, Singapore
name: 'ATVA: Automated Technology for Verification and Analysis'
start_date: 2023-10-24
corr_author: '1'
date_created: 2023-11-19T23:00:56Z
date_published: 2023-10-22T00:00:00Z
date_updated: 2025-09-09T13:20:26Z
day: '22'
department:
- _id: ToHe
- _id: KrCh
doi: 10.1007/978-3-031-45329-8_17
ec_funded: 1
external_id:
arxiv:
- '2210.05304'
isi:
- '001456127300017'
intvolume: ' 14215'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: ' https://doi.org/10.48550/arXiv.2210.05304'
month: '10'
oa: 1
oa_version: Preprint
page: 357-379
project:
- _id: 62781420-2b32-11ec-9570-8d9b63373d4d
call_identifier: H2020
grant_number: '101020093'
name: Vigilant Algorithmic Monitoring of Software
- _id: 0599E47C-7A3F-11EA-A408-12923DDC885E
call_identifier: H2020
grant_number: '863818'
name: 'Formal Methods for Stochastic Models: Algorithms and Applications'
- _id: 2564DBCA-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '665385'
name: International IST Doctoral Program
publication: 21st International Symposium on Automated Technology for Verification
and Analysis
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031453281'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Learning provably stabilizing neural controllers for discrete-time stochastic
systems
type: conference
user_id: 317138e5-6ab7-11ef-aa6d-ffef3953e345
volume: 14215
year: '2023'
...
---
_id: '14691'
abstract:
- lang: eng
text: "Continuous Group-Key Agreement (CGKA) allows a group of users to maintain
a shared key. It is the fundamental cryptographic primitive underlying group messaging
schemes and related protocols, most notably TreeKEM, the underlying key agreement
protocol of the Messaging Layer Security (MLS) protocol, a standard for group
messaging by the IETF. CKGA works in an asynchronous setting where parties only
occasionally must come online, and their messages are relayed by an untrusted
server. The most expensive operation provided by CKGA is that which allows for
a user to refresh their key material in order to achieve forward secrecy (old
messages are secure when a user is compromised) and post-compromise security (users
can heal from compromise). One caveat of early CGKA protocols is that these update
operations had to be performed sequentially, with any user wanting to update their
key material having had to receive and process all previous updates. Late versions
of TreeKEM do allow for concurrent updates at the cost of a communication overhead
per update message that is linear in the number of updating parties. This was
shown to be indeed necessary when achieving PCS in just two rounds of communication
by [Bienstock et al. TCC’20].\r\nThe recently proposed protocol CoCoA [Alwen et
al. Eurocrypt’22], however, shows that this overhead can be reduced if PCS requirements
are relaxed, and only a logarithmic number of rounds is required. The natural
question, thus, is whether CoCoA is optimal in this setting.\r\nIn this work we
answer this question, providing a lower bound on the cost (concretely, the amount
of data to be uploaded to the server) for CGKA protocols that heal in an arbitrary
k number of rounds, that shows that CoCoA is very close to optimal. Additionally,
we extend CoCoA to heal in an arbitrary number of rounds, and propose a modification
of it, with a reduced communication cost for certain k.\r\nWe prove our bound
in a combinatorial setting where the state of the protocol progresses in rounds,
and the state of the protocol in each round is captured by a set system, each
set specifying a set of users who share a secret key. We show this combinatorial
model is equivalent to a symbolic model capturing building blocks including PRFs
and public-key encryption, related to the one used by Bienstock et al.\r\nOur
lower bound is of order k•n1+1/(k-1)/log(k), where 2≤k≤log(n) is the number of
updates per user the protocol requires to heal. This generalizes the n2 bound
for k=2 from Bienstock et al.. This bound almost matches the k⋅n1+2/(k-1) or k2⋅n1+1/(k-1)
efficiency we get for the variants of the CoCoA protocol also introduced in this
paper."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Benedikt
full_name: Auerbach, Benedikt
id: D33D2B18-E445-11E9-ABB7-15F4E5697425
last_name: Auerbach
orcid: 0000-0002-7553-6606
- first_name: Miguel
full_name: Cueto Noval, Miguel
id: ffc563a3-f6e0-11ea-865d-e3cce03d17cc
last_name: Cueto Noval
orcid: 0000-0002-2505-4246
- first_name: Guillermo
full_name: Pascual Perez, Guillermo
id: 2D7ABD02-F248-11E8-B48F-1D18A9856A87
last_name: Pascual Perez
orcid: 0000-0001-8630-415X
- first_name: Krzysztof Z
full_name: Pietrzak, Krzysztof Z
id: 3E04A7AA-F248-11E8-B48F-1D18A9856A87
last_name: Pietrzak
orcid: 0000-0002-9139-1654
citation:
ama: 'Auerbach B, Cueto Noval M, Pascual Perez G, Pietrzak KZ. On the cost of post-compromise
security in concurrent Continuous Group-Key Agreement. In: 21st International
Conference on Theory of Cryptography. Vol 14371. Springer Nature; 2023:271-300.
doi:10.1007/978-3-031-48621-0_10'
apa: 'Auerbach, B., Cueto Noval, M., Pascual Perez, G., & Pietrzak, K. Z. (2023).
On the cost of post-compromise security in concurrent Continuous Group-Key Agreement.
In 21st International Conference on Theory of Cryptography (Vol. 14371,
pp. 271–300). Taipei, Taiwan: Springer Nature. https://doi.org/10.1007/978-3-031-48621-0_10'
chicago: Auerbach, Benedikt, Miguel Cueto Noval, Guillermo Pascual Perez, and Krzysztof
Z Pietrzak. “On the Cost of Post-Compromise Security in Concurrent Continuous
Group-Key Agreement.” In 21st International Conference on Theory of Cryptography,
14371:271–300. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-48621-0_10.
ieee: B. Auerbach, M. Cueto Noval, G. Pascual Perez, and K. Z. Pietrzak, “On the cost
of post-compromise security in concurrent Continuous Group-Key Agreement,” in
21st International Conference on Theory of Cryptography, Taipei, Taiwan,
2023, vol. 14371, pp. 271–300.
ista: 'Auerbach B, Cueto Noval M, Pascual Perez G, Pietrzak KZ. 2023. On the cost
of post-compromise security in concurrent Continuous Group-Key Agreement. 21st
International Conference on Theory of Cryptography. TCC: Theory of Cryptography,
LNCS, vol. 14371, 271–300.'
mla: Auerbach, Benedikt, et al. “On the Cost of Post-Compromise Security in Concurrent
Continuous Group-Key Agreement.” 21st International Conference on Theory of
Cryptography, vol. 14371, Springer Nature, 2023, pp. 271–300, doi:10.1007/978-3-031-48621-0_10.
short: B. Auerbach, M. Cueto Noval, G. Pascual Perez, K.Z. Pietrzak, in:, 21st International
Conference on Theory of Cryptography, Springer Nature, 2023, pp. 271–300.
conference:
end_date: 2023-12-02
location: Taipei, Taiwan
name: 'TCC: Theory of Cryptography'
start_date: 2023-11-29
corr_author: '1'
date_created: 2023-12-17T23:00:53Z
date_published: 2023-11-27T00:00:00Z
date_updated: 2025-09-09T13:42:16Z
day: '27'
department:
- _id: KrPi
doi: 10.1007/978-3-031-48621-0_10
external_id:
isi:
- '001160724400010'
intvolume: ' 14371'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2023/1123
month: '11'
oa: 1
oa_version: Preprint
page: 271-300
publication: 21st International Conference on Theory of Cryptography
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031486203'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: On the cost of post-compromise security in concurrent Continuous Group-Key
Agreement
type: conference
user_id: 317138e5-6ab7-11ef-aa6d-ffef3953e345
volume: 14371
year: '2023'
...
---
_id: '14692'
abstract:
- lang: eng
text: "The generic-group model (GGM) aims to capture algorithms working over groups
of prime order that only rely on the group operation, but do not exploit any additional
structure given by the concrete implementation of the group. In it, it is possible
to prove information-theoretic lower bounds on the hardness of problems like the
discrete logarithm (DL) or computational Diffie-Hellman (CDH). Thus, since its
introduction, it has served as a valuable tool to assess the concrete security
provided by cryptographic schemes based on such problems. A work on the related
algebraic-group model (AGM) introduced a method, used by many subsequent works,
to adapt GGM lower bounds for one problem to another, by means of conceptually
simple reductions.\r\nIn this work, we propose an alternative approach to extend
GGM bounds from one problem to another. Following an idea by Yun [EC15], we show
that, in the GGM, the security of a large class of problems can be reduced to
that of geometric search-problems. By reducing the security of the resulting geometric-search
problems to variants of the search-by-hypersurface problem, for which information
theoretic lower bounds exist, we give alternative proofs of several results that
used the AGM approach.\r\nThe main advantage of our approach is that our reduction
from geometric search-problems works, as well, for the GGM with preprocessing
(more precisely the bit-fixing GGM introduced by Coretti, Dodis and Guo [Crypto18]).
As a consequence, this opens up the possibility of transferring preprocessing
GGM bounds from one problem to another, also by means of simple reductions. Concretely,
we prove novel preprocessing bounds on the hardness of the d-strong discrete logarithm,
the d-strong Diffie-Hellman inversion, and multi-instance CDH problems, as well
as a large class of Uber assumptions. Additionally, our approach applies to Shoup’s
GGM without additional restrictions on the query behavior of the adversary, while
the recent works of Zhang, Zhou, and Katz [AC22] and Zhandry [Crypto22] highlight
that this is not the case for the AGM approach."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Benedikt
full_name: Auerbach, Benedikt
id: D33D2B18-E445-11E9-ABB7-15F4E5697425
last_name: Auerbach
orcid: 0000-0002-7553-6606
- first_name: Charlotte
full_name: Hoffmann, Charlotte
id: 0f78d746-dc7d-11ea-9b2f-83f92091afe7
last_name: Hoffmann
orcid: 0000-0003-2027-5549
- first_name: Guillermo
full_name: Pascual Perez, Guillermo
id: 2D7ABD02-F248-11E8-B48F-1D18A9856A87
last_name: Pascual Perez
orcid: 0000-0001-8630-415X
citation:
ama: 'Auerbach B, Hoffmann C, Pascual Perez G. Generic-group lower bounds via reductions
between geometric-search problems: With and without preprocessing. In: 21st
International Conference on Theory of Cryptography. Vol 14371. Springer Nature;
2023:301-330. doi:10.1007/978-3-031-48621-0_11'
apa: 'Auerbach, B., Hoffmann, C., & Pascual Perez, G. (2023). Generic-group
lower bounds via reductions between geometric-search problems: With and without
preprocessing. In 21st International Conference on Theory of Cryptography
(Vol. 14371, pp. 301–330). Springer Nature. https://doi.org/10.1007/978-3-031-48621-0_11'
chicago: 'Auerbach, Benedikt, Charlotte Hoffmann, and Guillermo Pascual Perez. “Generic-Group
Lower Bounds via Reductions between Geometric-Search Problems: With and without
Preprocessing.” In 21st International Conference on Theory of Cryptography,
14371:301–30. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-48621-0_11.'
ieee: 'B. Auerbach, C. Hoffmann, and G. Pascual Perez, “Generic-group lower bounds
via reductions between geometric-search problems: With and without preprocessing,”
in 21st International Conference on Theory of Cryptography, 2023, vol.
14371, pp. 301–330.'
ista: 'Auerbach B, Hoffmann C, Pascual Perez G. 2023. Generic-group lower bounds
via reductions between geometric-search problems: With and without preprocessing.
21st International Conference on Theory of Cryptography. , LNCS, vol. 14371, 301–330.'
mla: 'Auerbach, Benedikt, et al. “Generic-Group Lower Bounds via Reductions between
Geometric-Search Problems: With and without Preprocessing.” 21st International
Conference on Theory of Cryptography, vol. 14371, Springer Nature, 2023, pp.
301–30, doi:10.1007/978-3-031-48621-0_11.'
short: B. Auerbach, C. Hoffmann, G. Pascual Perez, in:, 21st International Conference
on Theory of Cryptography, Springer Nature, 2023, pp. 301–330.
corr_author: '1'
date_created: 2023-12-17T23:00:54Z
date_published: 2023-11-27T00:00:00Z
date_updated: 2025-09-09T14:02:04Z
day: '27'
department:
- _id: KrPi
doi: 10.1007/978-3-031-48621-0_11
external_id:
isi:
- '001160724400011'
intvolume: ' 14371'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2023/808
month: '11'
oa: 1
oa_version: Preprint
page: 301-330
publication: 21st International Conference on Theory of Cryptography
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031486203'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'Generic-group lower bounds via reductions between geometric-search problems:
With and without preprocessing'
type: conference
user_id: 317138e5-6ab7-11ef-aa6d-ffef3953e345
volume: 14371
year: '2023'
...
---
_id: '14693'
abstract:
- lang: eng
text: "Lucas sequences are constant-recursive integer sequences with a long history
of applications in cryptography, both in the design of cryptographic schemes and
cryptanalysis. In this work, we study the sequential hardness of computing Lucas
sequences over an RSA modulus.\r\nFirst, we show that modular Lucas sequences
are at least as sequentially hard as the classical delay function given by iterated
modular squaring proposed by Rivest, Shamir, and Wagner (MIT Tech. Rep. 1996)
in the context of time-lock puzzles. Moreover, there is no obvious reduction in
the other direction, which suggests that the assumption of sequential hardness
of modular Lucas sequences is strictly weaker than that of iterated modular squaring.
In other words, the sequential hardness of modular Lucas sequences might hold
even in the case of an algorithmic improvement violating the sequential hardness
of iterated modular squaring.\r\nSecond, we demonstrate the feasibility of constructing
practically-efficient verifiable delay functions based on the sequential hardness
of modular Lucas sequences. Our construction builds on the work of Pietrzak (ITCS
2019) by leveraging the intrinsic connection between the problem of computing
modular Lucas sequences and exponentiation in an appropriate extension field."
acknowledgement: "Home Theory of Cryptography Conference paper\r\n(Verifiable) Delay
Functions from Lucas Sequences\r\nDownload book PDF\r\nDownload book EPUB\r\nSimilar
content being viewed by others\r\n\r\nSlider with three content items shown per
slide. Use the Previous and Next buttons to navigate the slides or the slide controller
buttons at the end to navigate through each slide.\r\nPrevious slide\r\nGeneric-Group
Delay Functions Require Hidden-Order Groups\r\nChapter© 2020\r\n\r\nShifted powers
in Lucas–Lehmer sequences\r\nArticle30 January 2019\r\n\r\nA New Class of Trapdoor
Verifiable Delay Functions\r\nChapter© 2023\r\n\r\nWeak Pseudoprimality Associated
with the Generalized Lucas Sequences\r\nChapter© 2022\r\n\r\nOn the Security of
Time-Lock Puzzles and Timed Commitments\r\nChapter© 2020\r\n\r\nGeneration of full
cycles by a composition of NLFSRs\r\nArticle08 March 2014\r\n\r\nCryptographically
Strong de Bruijn Sequences with Large Periods\r\nChapter© 2013\r\n\r\nOpen Problems
on With-Carry Sequence Generators\r\nChapter© 2014\r\n\r\nGenerically Speeding-Up
Repeated Squaring Is Equivalent to Factoring: Sharp Thresholds for All Generic-Ring
Delay Functions\r\nChapter© 2020\r\n\r\nNext slide\r\nGo to slide 1\r\nGo to slide
2\r\nGo to slide 3\r\n(Verifiable) Delay Functions from Lucas Sequences\r\nCharlotte
Hoffmann, Pavel Hubáček, Chethan Kamath & Tomáš Krňák \r\nConference paper\r\nFirst
Online: 27 November 2023\r\n83 Accesses\r\n\r\nPart of the Lecture Notes in Computer
Science book series (LNCS,volume 14372)\r\n\r\nAbstract\r\nLucas sequences are constant-recursive
integer sequences with a long history of applications in cryptography, both in the
design of cryptographic schemes and cryptanalysis. In this work, we study the sequential
hardness of computing Lucas sequences over an RSA modulus.\r\n\r\nFirst, we show
that modular Lucas sequences are at least as sequentially hard as the classical
delay function given by iterated modular squaring proposed by Rivest, Shamir, and
Wagner (MIT Tech. Rep. 1996) in the context of time-lock puzzles. Moreover, there
is no obvious reduction in the other direction, which suggests that the assumption
of sequential hardness of modular Lucas sequences is strictly weaker than that of
iterated modular squaring. In other words, the sequential hardness of modular Lucas
sequences might hold even in the case of an algorithmic improvement violating the
sequential hardness of iterated modular squaring.\r\n\r\nSecond, we demonstrate
the feasibility of constructing practically-efficient verifiable delay functions
based on the sequential hardness of modular Lucas sequences. Our construction builds
on the work of Pietrzak (ITCS 2019) by leveraging the intrinsic connection between
the problem of computing modular Lucas sequences and exponentiation in an appropriate
extension field.\r\n\r\nKeywords\r\nDelay functions\r\nVerifiable delay functions\r\nLucas
sequences\r\nDownload conference paper PDF\r\n\r\n1 Introduction\r\nA verifiable
delay function (VDF) \r\n is a function that satisfies two properties. First, it
is a delay function, which means it must take a prescribed (wall) time T to compute
f, irrespective of the amount of parallelism available. Second, it should be possible
for anyone to quickly verify – say, given a short proof \r\n – the value of the
function (even without resorting to parallelism), where by quickly we mean that
the verification time should be independent of or significantly smaller than T (e.g.,
logarithmic in T). If we drop either of the two requirements, then the primitive
turns out trivial to construct. For instance, for an appropriately chosen hash function
h, the delay function \r\n defined by T-times iterated hashing of the input is a
natural heuristic for an inherently sequential task which, however, seems hard to
verify more efficiently than by recomputing. On the other hand, the identity function
\r\n is trivial to verify but also easily computable. Designing a simple function
satisfying the two properties simultaneously proved to be a nontrivial task.\r\n\r\nThe
notion of VDFs was introduced in [31] and later formalised in [9]. In principle,
since the task of constructing a VDF reduces to the task of incrementally-verifiable
computation [9, 53], constructions of VDFs could leverage succinct non-interactive
arguments of knowledge (SNARKs): take any sequentially-hard function f (for instance,
iterated hashing) as the delay function and then use the SNARK on top of it as the
mechanism for verifying the computation of the delay function. However, as discussed
in [9], the resulting construction is not quite practical since we would rely on
a general-purpose machinery of SNARKs with significant overhead.\r\n\r\nEfficient
VDFs via Algebraic Delay Functions. VDFs have recently found interesting applications
in design of blockchains [17], randomness beacons [43, 51], proofs of data replication
[9], or short-lived zero-knowledge proofs and signatures [3]. Since efficiency is
an important factor there, this has resulted in a flurry of constructions of VDFs
that are tailored with application and practicality in mind. They rely on more algebraic,
structured delay functions that often involve iterating an atomic operation so that
one can resort to custom proof systems to achieve verifiability. These constructions
involve a range of algebraic settings like the RSA or class groups [5, 8, 25, 42,
55], permutation polynomials over finite fields [9], isogenies of elliptic curves
[21, 52] and, very recently, lattices [15, 28]. The constructions in [42, 55] are
arguably the most practical and the mechanism that underlies their delay function
is the same: carry out iterated squaring in groups of unknown order, like RSA groups
[47] or class groups [12]. What distinguishes these two proposals is the way verification
is carried out, i.e., how the underlying “proof of exponentiation” works: while
Pietrzak [42] resorts to an LFKN-style recursive proof system [35], Wesolowski [55]
uses a clever linear decomposition of the exponent.\r\n\r\nIterated Modular Squaring
and Sequentiality. The delay function that underlies the VDFs in [5, 25, 42, 55]
is the same, and its security relies on the conjectured sequential hardness of iterated
squaring in a group of unknown order (suggested in the context of time-lock puzzles
by Rivest, Shamir, and Wagner [48]). Given that the practically efficient VDFs all
rely on the above single delay function, an immediate open problem is to identify
additional sources of sequential hardness that are structured enough to support
practically efficient verifiability.\r\n\r\n1.1 Our Approach to (Verifiable) Delay
Functions\r\nIn this work, we study an alternative source of sequential hardness
in the algebraic setting and use it to construct efficient verifiable delay functions.
The sequentiality of our delay function relies on an atomic operation that is related
to the computation of so-called Lucas sequences [29, 34, 57], explained next.\r\n\r\nLucas
Sequences. A Lucas sequence is a constant-recursive integer sequence that satisfies
the recurrence relation\r\n\r\nfor integers P and Q.Footnote1 Specifically, the
Lucas sequences of integers \r\n and \r\n of the first and second type (respectively)
are defined recursively as\r\n\r\nwith \r\n, and\r\n\r\nwith \r\n.\r\n\r\nThese
sequences can be alternatively defined by the characteristic polynomial \r\n. Specifically,
given the discriminant \r\n of the characteristic polynomial, one can alternatively
compute the above sequences by performing operations in the extension field\r\n\r\nusing
the identities\r\n\r\nwhere \r\n and its conjugate \r\n are roots of the characteristic
polynomial. Since conjugation and exponentiation commute in the extension field
(i.e., \r\n), computing the i-th terms of the two Lucas sequences over integers
reduces to computing \r\n in the extension field, and vice versa.\r\n\r\nThe intrinsic
connection between computing the terms in the Lucas sequences and that of exponentiation
in the extension has been leveraged to provide alternative instantiations of public-key
encryption schemes like RSA and ElGamal in terms of Lucas sequences [7, 30]. However,
as we explain later, the corresponding underlying computational hardness assumptions
are not necessarily equivalent.\r\n\r\nOverview of Our Delay Function. The delay
function in [5, 25, 42, 55] is defined as the iterated squaring base x in a (safe)
RSA groupFootnote2 modulo N:\r\n\r\nOur delay function is its analogue in the setting
of Lucas sequences:\r\n\r\nAs mentioned above, computing \r\n can be carried out
equivalently in the extension field \r\n using the known relationship to roots of
the characteristic polynomial of the Lucas sequence. Thus, the delay function can
be alternatively defined as\r\n\r\nNote that the atomic operation of our delay function
is “doubling” the index of an element of the Lucas sequence modulo N (i.e., \r\n)
or, equivalently, squaring in the extension field \r\n (as opposed to squaring in
\r\n). Using the representation of \r\n as \r\n, squaring in \r\n can be expressed
as a combination of squaring, multiplication and addition modulo N, since\r\n\r\n(1)\r\nSince
\r\n is a group of unknown order (provided the factorization of N is kept secret),
iterated squaring remains hard here. In fact, we show in Sect. 3.2 that iterated
squaring in \r\n is at least as hard as iterated squaring for RSA moduli N. Moreover,
we conjecture in Conjecture 1 that it is, in fact, strictly harder (also see discussion
below on advantages of our approach).\r\n\r\nVerifying Modular Lucas Sequence. To
obtain a VDF, we need to show how to efficiently verify our delay function. To this
end, we show how to adapt the interactive proof of exponentiation from [42] to our
setting, which then – via the Fiat-Shamir Transform [22] – yields the non-interactive
verification algorithm.Footnote3 Thus, our main result is stated informally below.\r\n\r\nTheorem
1\r\n(Informally stated, see Theorem 2). Assuming sequential hardness of modular
Lucas sequence, there exists statistically-sound VDF in the random-oracle model.\r\n\r\nHowever,
the modification of Pietrzak’s protocol is not trivial and we have to overcome several
hurdles that we face in this task, which we elaborate on in Sect. 1.2. We conclude
this section with discussions about our results.\r\n\r\nAdvantage of Our Approach.
Our main advantage is the reliance on a potentially weaker (sequential) hardness
assumption while maintaining efficiency: we show in Sect. 3.2 that modular Lucas
sequences are at least as sequentially-hard as the classical delay function given
by iterated modular squaring [48]. Despite the linear recursive structure of Lucas
sequences, there is no obvious reduction in the other direction, which suggests
that the assumption of sequential hardness of modular Lucas sequences is strictly
weaker than that of iterated modular squaring (Conjecture 1). In other words, the
sequential hardness of modular Lucas sequences might hold even in the case of an
algorithmic improvement violating the sequential hardness of iterated modular squaring.
Even though both assumptions need the group order to be hidden, we believe that
there is need for a nuanced analysis of sequential hardness assumptions in hidden
order groups, especially because all current delay functions that provide sufficient
structure for applications are based on iterated modular squaring. If the iterated
modular squaring assumption is broken, our delay function is currently the only
practical alternative in the RSA group.\r\n\r\nDelay Functions in Idealised Models.
Recent works studied the relationship of group-theoretic (verifiable) delay functions
to the hardness of factoring in idealised models such as the algebraic group model
and the generic ring model [27, 50]. In the generic ring model, Rotem and Segev
[50] showed the equivalence of straight-line delay functions in the RSA setting
and factoring. Our construction gives rise to a straight-line delay function and,
by their result, its sequentiality is equivalent to factoring for generic algorithms.
However, their result holds only in the generic ring model and leaves the relationship
between the two assumptions unresolved in the standard model.\r\n\r\nCompare this
with the status of the RSA assumption and factoring. On one hand, we know that in
the generic ring model, RSA and factoring are equivalent [2]. Yet, it is possible
to rule out certain classes of reductions from factoring to RSA in the standard
model [11]. Most importantly, despite the equivalence in the generic ring model,
there is currently no reduction from factoring to RSA in the standard model and
it remains one of the major open problems in number theory related to cryptography
since the introduction of the RSA assumption.\r\n\r\nIn summary, speeding up iterated
squaring by a non-generic algorithm could be possible (necessarily exploiting the
representations of ring elements modulo N), while such an algorithm may not lead
to a speed-up in the computation of modular Lucas sequences despite the result of
Rotem and Segev [50].\r\n\r\n1.2 Technical Overview\r\nPietrzak’s VDF. Let \r\n
be an RSA modulus where p and q are safe primes and let x be a random element from
\r\n. At its core, Pietrzak’s VDF relies on the interactive protocol for the statement\r\n\r\n“(N,
x, y, T) satisfies \r\n”.\r\n\r\nThe protocol is recursive and, in a round-by-round
fashion, reduces the claim to a smaller statement by halving the time parameter.
To be precise, in each round, the (honest) prover sends the “midpoint” \r\n of the
current statement to the verifier and they together reduce the statement to\r\n\r\n“\r\n
satisfies \r\n”,\r\n\r\nwhere \r\n and \r\n for a random challenge r. This is continued
till \r\n is obtained at which point the verifier simply checks whether \r\n using
a single modular squaring.\r\n\r\nSince the challenges r are public, the protocol
can be compiled into a non-interactive one using the Fiat-Shamir transform [22]
and this yields a means to verify the delay function\r\n\r\nIt is worth pointing
out that the choice of safe primes is crucial for proving soundness: in case the
group has easy-to-find elements of small order then it becomes easy to break soundness
(see, e.g., [10]).\r\n\r\nAdapting Pietrzak’s Protocol to Lucas Sequences. For a
modulus \r\n and integers \r\n, recall that our delay function is defined as\r\n\r\nor
equivalently\r\n\r\nfor the discriminant \r\n of the characteristic polynomial \r\n.
Towards building a verification algorithm for this delay function, the natural first
step is to design an interactive protocol for the statement\r\n\r\n“(N, P, Q, y,
T) satisfies \r\n.”\r\n\r\nIt turns out that the interactive protocol from [42]
can be adapted for this purpose. However, we encounter two technicalities in this
process.\r\n\r\nDealing with elements of small order. The main problem that we face
while designing our protocol is avoiding elements of small order. In the case of
[42], this was accomplished by moving to the setting of signed quadratic residues
[26] in which the sub-groups are all of large order. It is not clear whether a corresponding
object exists for our algebraic setting. However, in an earlier draft of Pietrzak’s
protocol [41], this problem was dealt with in a different manner: the prover sends
a square root of \r\n, from which the original \r\n can be recovered easily (by
squaring it) with a guarantee that the result lies in a group of quadratic residues
\r\n. Notice that the prover knows the square root of \r\n, because it is just a
previous term in the sequence he computed.\r\n\r\nIn our setting, we cannot simply
ask for the square root of the midpoint as the subgroup of \r\n we effectively work
in has a different structure. Nevertheless, we can use a similar approach: for an
appropriately chosen small a, we provide an a-th root of \r\n (instead of \r\n itself)
to the prover in the beginning of the protocol. The prover then computes the whole
sequence for \r\n. In the end, he has the a-th root of every term of the original
sequence and he can recover any element of the original sequence by raising to the
a-th power.\r\n\r\nSampling strong modulus. The second technicality is related to
the first one. In order to ensure that we can use the above trick, we require a
modulus where the small subgroups are reasonably small not only in the group \r\n
but also in the extension \r\n. Thus the traditional sampling algorithms that are
used to sample strong primes (e.g., [46]) are not sufficient for our purposes. However,
sampling strong primes that suit our criteria can still be carried out efficiently
as we show in the full version.\r\n\r\nComparing Our Technique with [8, 25]. The
VDFs in [8, 25] are also inspired by [42] and, hence, faced the same problem of
low-order elements. In [8], this is dealt with by amplifying the soundness at the
cost of parallel repetition and hence larger proofs and extra computation. In [25],
the number of repetitions of [8] is reduced significantly by introducing the following
technique: The exponent of the initial instance is reduced by some parameter \r\n
and at the end of an interactive phase, the verifier performs final exponentiation
with \r\n, thereby weeding out potential false low-order elements in the claim.
This technique differs from the approach taken in our work in the following ways:
The technique from [25] works in arbitrary groups but it requires the parameter
\r\n to be large and of a specific form. In particular, the VDF becomes more efficient
when \r\n is larger than \r\n. In our protocol, we work in RSA groups whose modulus
is the product of primes that satisfy certain conditions depending on a. This enables
us to choose a parameter a that is smaller than a statistical security parameter
and thereby makes the final exponentiation performed by the verifier much more efficient.
Further, a can be any natural number, while \r\n must be set as powers of all small
prime numbers up a certain bound in [25].\r\n\r\n1.3 More Related Work\r\nTimed
Primitives. The notion of VDFs was introduced in [31] and later formalised in [9].
VDFs are closely related to the notions of time-lock puzzles [48] and proofs of
sequential work [36]. Roughly speaking, a time-lock puzzle is a delay function that
additionally allows efficient sampling of the output via a trapdoor. A proof of
sequential work, on the other hand, is a delay “multi-function”, in the sense that
the output is not necessarily unique. Constructions of time-lock puzzles are rare
[6, 38, 48], and there are known limitations: e.g., that it cannot exist in the
random-oracle model [36]. However, we know how to construct proofs of sequential
work in the random-oracle model [1, 16, 19, 36].\r\n\r\nSince VDFs have found several
applications, e.g., in the design of resource-efficient blockchains [17], randomness
beacons [43, 51] and proof of data replication [9], there have been several constructions.
Among them, the most notable are the iterated-squaring based construction from [8,
25, 42, 55], the permutation-polynomial based construction from [9], the isogenies-based
construction from [13, 21, 52] and the construction from lattice problems [15, 28].
The constructions in [42, 55] are quite practical (see the survey [10]) and the
VDF deployed in the cryptocurrency Chia is basically their construction adapted
to the algebraic setting of class groups [17]. This is arguably the closest work
to ours. On the other hand, the constructions from [21, 52], which work in the algebraic
setting of isogenies of elliptic curves where no analogue of square and multiply
is known, simply rely on “exponentiation”. Although, these constructions provide
a certain form of quantum resistance, they are presently far from efficient. Freitag
et al. [23] constructed VDFs from any sequentially hard function and polynomial
hardness of learning with errors, the first from standard assumptions. The works
of Cini, Lai, and Malavolta [15, 28] constructed the first VDF from lattice-based
assumptions and conjectured it to be post-quantum secure.\r\n\r\nSeveral variants
of VDFs have also been proposed. A VDF is said to be unique if the proof that is
used for verification is unique [42]. Recently, Choudhuri et al. [5] constructed
unique VDFs from the sequential hardness of iterated squaring in any RSA group and
polynomial hardness of LWE. A VDF is tight [18] if the gap between simply computing
the function and computing it with a proof is small. Yet another extension is a
continuous VDF [20]. The feasibility of time-lock puzzles and proofs of sequential
works were recently extended to VDFs. It was shown [50] that the latter requirement,
i.e., working in a group of unknown order, is inherent in a black-box sense. It
was shown in [18, 37] that there are barriers to constructing tight VDFs in the
random-oracle model.\r\n\r\nVDFs also have surprising connection to complexity theory
[14, 20, 33].\r\n\r\nWork Related to Lucas Sequences. Lucas sequences have long
been studied in the context of number theory: see for example [45] or [44] for a
survey of its applications to number theory. Its earliest application to cryptography
can be traced to the \r\n factoring algorithm [56]. Constructive applications were
found later thanks to the parallels with exponentiation. Several encryption and
signature schemes were proposed, most notably the LUC family of encryption and signatures
[30, 39]. It was later shown that some of these schemes can be broken or that the
advantages it claimed were not present [7]. Other applications can be found in [32].\r\n\r\n2
Preliminaries\r\n2.1 Interactive Proof Systems\r\nInteractive Protocols. An interactive
protocol consists of a pair \r\n of interactive Turing machines that are run on
a common input \r\n. The first machine \r\n is the prover and is computationally
unbounded. The second machine \r\n is the verifier and is probabilistic polynomial-time.\r\n\r\nIn
an \r\n-round (i.e., \r\n-message) interactive protocol, in each round \r\n, first
\r\n sends a message \r\n to \r\n and then \r\n sends a message \r\n to \r\n, where
\r\n is a finite alphabet. At the end of the interaction, \r\n runs a (deterministic)
Turing machine on input \r\n. The interactive protocol is public-coin if \r\n is
a uniformly distributed random string in \r\n.\r\n\r\nInteractive Proof Systems.
The notion of an interactive proof for a language L is due to Goldwasser, Micali
and Rackoff [24].\r\n\r\nDefinition 1\r\nFor a function \r\n, an interactive protocol
\r\n is an \r\n-statistically-sound interactive proof system for L if:\r\n\r\nCompleteness:
For every \r\n, if \r\n interacts with \r\n on common input \r\n, then \r\n accepts
with probability 1.\r\n\r\nSoundness: For every \r\n and every (computationally-unbounded)
cheating prover strategy \r\n, the verifier \r\n accepts when interacting with \r\n
with probability less than \r\n, where \r\n is called the soundness error.\r\n\r\n2.2
Verifiable Delay Functions\r\nWe adapt the definition of verifiable delay functions
from [9] but we decouple the verifiability and sequentiality properties for clarity
of exposition of our results. First, we present the definition of a delay function.\r\n\r\nDefinition
2\r\nA delay function \r\n consists of a triple of algorithms with the following
syntax:\r\n\r\n:\r\n\r\nOn input a security parameter \r\n, the algorithm \r\n outputs
public parameters \r\n.\r\n\r\n:\r\n\r\nOn input public parameters \r\n and a time
parameter \r\n, the algorithm \r\n outputs a challenge x.\r\n\r\n:\r\n\r\nOn input
a challenge pair (x, T), the (deterministic) algorithm \r\n outputs the value y
of the delay function in time T.\r\n\r\nThe security property required of a delay
function is sequential hardness as defined below.\r\n\r\nDefinition 3\r\n(Sequentiality).
We say that a delay function \r\n satisfies the sequentiality property, if there
exists an \r\n such that for all \r\n and for every adversary \r\n, where \r\n uses
\r\n processors and runs in time \r\n, there exists a negligible function \r\n such
that\r\n\r\nfigure a\r\nA few remarks about our definition of sequentiality are
in order:\r\n\r\n1.\r\nWe require computing \r\n to be hard in less than T sequential
steps even using any polynomially-bounded amount of parallelism and precomputation.
Note that it is necessary to bound the amount of parallelism, as an adversary could
otherwise break the underlying hardness assumption (e.g. hardness of factorization).
Analogously, T should be polynomial in \r\n as, otherwise, breaking the underlying
hardness assumptions becomes easier than computing \r\n itself for large values
of T.\r\n\r\n2.\r\nAnother issue is what bound on the number of sequential steps
of the adversary should one impose. For example, the delay function based on T repeated
modular squarings can be computed in sequential time \r\n using polynomial parallelism
[4]. Thus, one cannot simply bound the sequential time of the adversary by o(T).
Similarly to [38], we adapt the \r\n bound for \r\n which, in particular, is asymptotically
smaller than \r\n.\r\n\r\n3.\r\nWithout loss of generality, we assume that the size
of \r\n is at least linear in n and the adversary A does not have to get the unary
representation of the security parameter \r\n as its input.\r\n\r\nThe definition
of verifiable delay function extends a delay function with the possibility to compute
publicly-verifiable proofs of correctness of the output value.\r\n\r\nDefinition
4\r\nA delay function \r\n is a verifiable delay function if it is equipped with
two additional algorithms \r\n and \r\n with the following syntax:\r\n\r\n:\r\n\r\nOn
input public parameters and a challenge pair (x, T), the \r\n algorithm outputs
\r\n, where \r\n is a proof that the output y is the output of \r\n.\r\n\r\n:\r\n\r\nOn
input public parameters, a challenge pair (x, T), and an output/proof pair \r\n,
the (deterministic) algorithm \r\n outputs either \r\n or \r\n.\r\n\r\nIn addition
to sequentiality (inherited from the underlying delay function), the \r\n and \r\n
algorithms must together satisfy correctness and (statistical) soundness as defined
below.\r\n\r\nDefinition 5\r\n(Correctness). A verifiable delay function \r\n is
correct if for all \r\n\r\nfigure b\r\nDefinition 6\r\n(Statistical soundness).
A verifiable delay function \r\n is statistically sound if for every (computationally
unbounded) malicious prover \r\n there exists a negligible function \r\n such that
for all \r\n\r\nfigure c\r\n3 Delay Functions from Lucas Sequences\r\nIn this section,
we propose a delay function based on Lucas sequences and prove its sequentiality
assuming that iterated squaring in a group of unknown order is sequential (Sect.
3.1). Further, we conjecture (Sect. 3.2) that our delay function candidate is even
more robust than its predecessor proposed by Rivest, Shamir, and Wagner [48]. Finally,
we turn our delay function candidate into a verifiable delay function (Sect. 4).\r\n\r\n3.1
The Atomic Operation\r\nOur delay function is based on subsequences of Lucas sequences,
whose indexes are powers of two. Below, we use \r\n to denote the set of non-negative
integers.\r\n\r\nDefinition 7\r\nFor integers \r\n, the Lucas sequences \r\n and
\r\n are defined for all \r\n as\r\n\r\nwith \r\n and \r\n, and\r\n\r\nwith \r\n
and \r\n.\r\n\r\nWe define subsequences \r\n, respectively \r\n, of \r\n, respectively
\r\n for all \r\n as\r\n\r\n(2)\r\nAlthough the value of \r\n depends on parameters
(P, Q), we omit (P, Q) from the notation because these parameters will be always
obvious from the context.\r\n\r\nThe underlying atomic operation for our delay function
is\r\n\r\nThere are several ways to compute \r\n in T sequential steps, and we describe
two of them below.\r\n\r\nAn Approach Based on Squaring in a Suitable Extension
Ring. To compute the value \r\n, we can use the extension ring \r\n, where \r\n
is the discriminant of the characteristic polynomial \r\n of the Lucas sequence.
The characteristic polynomial f(z) has a root \r\n, and it is known that, for all
\r\n, it holds that\r\n\r\nThus, by iterated squaring of \r\n, we can compute terms
of our target subsequences. To get a better understanding of squaring in the extension
ring, consider the representation of the root \r\n for some \r\n. Then,\r\n\r\nThen,
the atomic operation of our delay function can be interpreted as \r\n, defined for
all \r\n as\r\n\r\n(3)\r\nAn Approach Based on Known Identities. Many useful identities
for members of modular Lucas sequences are known, such as\r\n\r\n(4)\r\nSetting
\r\n we get\r\n\r\n(5)\r\nThe above identities are not hard to derive (see, e.g.,
Lemma 12.5 in [40]). Indexes are doubled on each of application of the identities
in Eq. (5), and, thus, for \r\n, we define an auxiliary sequence \r\n by \r\n. Using
the identities in Eq. (5), we get recursive equations\r\n\r\n(6)\r\nThen, the atomic
operation of our delay function can be interpreted as \r\n, defined for all \r\n
as\r\n\r\n(7)\r\nAfter a closer inspection, the reader may have an intuition that
an auxiliary sequence \r\n, which introduces a third state variable, is redundant.
This intuition is indeed right. In fact, there is another easily derivable identity\r\n\r\n(8)\r\nwhich
can be found, e.g., as Lemma 12.2 in [40]. On the other hand, Eq. (8) is quite interesting
because it allows us to compute large powers of an element \r\n using two Lucas
sequences. We use this fact in the security reduction in Sect. 3.2. Our construction
of a delay function, denoted \r\n, is given in Fig. 1.\r\n\r\nFig. 1.\r\nfigure
1\r\nOur delay function candidate \r\n based on a modular Lucas sequence.\r\n\r\nFull
size image\r\nOn the Discriminant D. Notice that whenever D is a quadratic residue
modulo N, the value \r\n is an element of \r\n and hence \r\n. By definition, LCS.Gen
generates a parameter D that is a quadratic residue with probability 1/4, so it
might seem that in one fourth of the cases there is another approach to compute
\r\n: find the element \r\n and then perform n sequential squarings in the group
\r\n. However, it is well known that finding square roots of uniform elements in
\r\n is equivalent to factoring the modulus N, so this approach is not feasible.
We can therefore omit any restrictions on the discriminant D in the definition of
our delay function LCS.\r\n\r\n3.2 Reduction from RSW Delay Function\r\nIn order
to prove the sequentiality property (Definition 3) of our candidate \r\n, we rely
on the standard conjecture of the sequentiality of the \r\n time-lock puzzles, implicitly
stated in [48] as the underlying hardness assumption.\r\n\r\nDefinition 8\r\n(\r\n
delay function). The \r\n delay function is defined as follows:\r\n\r\n: Samples
two n-bit primes p and q and outputs \r\n.\r\n\r\n: Outputs an x sampled from the
uniform distribution on \r\n.\r\n\r\n: Outputs \r\n.\r\n\r\nTheorem 2\r\nIf the
\r\n delay function has the sequentiality property, then the \r\n delay function
has the sequentiality property.\r\n\r\nProof\r\nSuppose there exists an adversary
\r\n who contradicts the sequentiality of \r\n, where \r\n is a precomputation algorithm
and \r\n is an online algorithm. We construct an adversary \r\n who contradicts
the sequentiality of \r\n as follows:\r\n\r\nThe algorithm \r\n is defined identically
to the algorithm \r\n.\r\n\r\nOn input \r\n, \r\n picks a P from the uniform distribution
on \r\n, sets\r\n\r\nand it runs \r\n to compute \r\n. The algorithm \r\n computes
\r\n using the identity in Eq. (8).\r\n\r\nNote that the input distribution for
the algorithm \r\n produced by \r\n differs from the one produced by \r\n, because
the \r\n generator samples Q from the uniform distribution on \r\n (instead of \r\n).
However, this is not a problem since the size of \r\n is negligible compared to
the size of \r\n, so the statistical distance between the distribution of D produced
by \r\n and the distribution of D sampled by \r\n is negligible in the security
parameter. Thus, except for a negligible multiplicative loss, the adversary \r\n
attains the same success probability of breaking the sequentiality of \r\n as the
probability of \r\n breaking the sequentiality of \r\n – a contradiction to the
assumption of the theorem. \r\n\r\nWe believe that the converse implication to
Theorem 2 is not true, i.e., that breaking the sequentiality of \r\n does not necessarily
imply breaking the sequentiality of \r\n. Below, we state it as a conjecture.\r\n\r\nConjecture
1\r\nSequentiality of \r\n cannot be reduced to sequentiality of \r\n.\r\n\r\nOne
reason why the above conjecture might be true is that, while the \r\n delay function
is based solely only on multiplication in the group \r\n, our \r\n delay function
uses the full arithmetic (addition and multiplication) of the commutative ring \r\n.\r\n\r\nOne
way to support the conjecture would be to construct an algorithm that speeds up
iterated squaring but is not immediately applicable to Lucas sequences. By [49]
we know that this cannot be achieved by a generic algorithm. A non-generic algorithm
that solves iterated squaring in time \r\n is presented in [4]. The main tool of
their construction is the Explicit Chinese Remainder Theorem modulo N. However,
a similiar theorem exists also for univariate polynomial rings, which suggests that
a similar speed-up can be obtained for our delay function by adapting the techniques
in [4] to our setting.\r\n\r\n4 VDF from Lucas Sequences\r\nIn Sect. 3.1 we saw
different ways of computing the atomic operation of the delay function. Computing
\r\n in the extension field seems to be the more natural and time and space effective
approach. Furthermore, writing the atomic operation \r\n as \r\n is very clear,
and, thus, we follow this approach throughout the rest of the paper.\r\n\r\n4.1
Structure of \r\nTo construct a VDF based on Lucas sequences, we use an algebraic
extension\r\n\r\n(9)\r\nwhere N is an RSA modulus and \r\n. In this section, we
describe the structure of the algebraic extension given in Expression (9). Based
on our understanding of the structure of the above algebraic extension, we can conclude
that using modulus N composed of safe primes (i.e., for all prime factors p of N,
\r\n has a large prime divisor) is necessary but not sufficient condition for security
of our construction. We specify some sufficient conditions on factors of N in the
subsequent Sect. 4.2.\r\n\r\nFirst, we introduce some simplifying notation for quotient
rings.\r\n\r\nDefinition 9\r\nFor \r\n and \r\n, we denote by \r\n the quotient
ring \r\n, where (m, f(x)) denotes the ideal of the ring \r\n generated by m and
f(x).\r\n\r\nObservation 1, below, allows us to restrict our analysis only to the
structure of \r\n for prime \r\n.\r\n\r\nObservation 1\r\nLet \r\n be distinct primes,
\r\n and \r\n. Then\r\n\r\nProof\r\nUsing the Chinese reminder theorem, we get\r\n\r\nas
claimed. \r\n\r\nThe following lemma characterizes the structure of \r\n with
respect to the discriminant of f. We use \r\n to denote the standard Legendre symbol.\r\n\r\nLemma
1\r\nLet \r\n and \r\n be a polynomial of degree 2 with the discriminant D. Then\r\n\r\nProof\r\nWe
consider each case separately:\r\n\r\nIf \r\n, then f(x) is irreducible over \r\n
and \r\n is a field with \r\n elements. Since \r\n is a finite field, \r\n is cyclic
and contains \r\n elements.\r\n\r\nIf \r\n, then \r\n and f has some double root
\r\n and it can be written as \r\n for some \r\n. Since the ring \r\n is isomorphic
to the ring \r\n (consider the isomorphism \r\n), we can restrict ourselves to describing
the structure of \r\n.\r\n\r\nWe will prove that the function \r\n,\r\n\r\nis an
isomorphism. First, the polynomial \r\n is invertible if and only if \r\n (inverse
is \r\n). For the choice \r\n, we have\r\n\r\nThus \r\n is onto. Second, \r\n is,
in fact, a bijection, because\r\n\r\n(10)\r\nFinally, \r\n is a homomorphism, because\r\n\r\nIf
\r\n, then f(x) has two roots \r\n. We have an isomorphism\r\n\r\nand \r\n. \r\n\r\n4.2
Strong Groups and Strong Primes\r\nTo achieve the verifiability property of our
construction, we need \r\n to contain a strong subgroup (defined next) of order
asymptotically linear in p. We remark that our definition of strong primes is stronger
than the one by Rivest and Silverman [46].\r\n\r\nDefinition 10\r\n(Strong groups).
For \r\n, we say that a non-trivial group \r\n is \r\n-strong, if the order of each
non-trivial subgroup of \r\n is greater than \r\n.\r\n\r\nObservation 2\r\nIf \r\n
and \r\n are \r\n-strong groups, then \r\n is a \r\n-strong group.\r\n\r\nIt can
be seen from Lemma 1 that \r\n always contains groups of small order (e.g. \r\n).
To avoid these, we descend into the subgroup of a-th powers of elements of \r\n.
Below, we introduce the corresponding notation.\r\n\r\nDefinition 11\r\nFor an Abelian
group \r\n and \r\n, we define the subgroup \r\n of \r\n in the multiplicative notation
and \r\n in the additive notation.\r\n\r\nFurther, we show in Lemma 2 below that
\r\n-strong primality (defined next) is a sufficient condition for \r\n to be a
\r\n-strong group.\r\n\r\nDefinition 12\r\n(Strong primes). Let \r\n and \r\n. We
say that p is a \r\n-strong prime, if \r\n and there exists \r\n, \r\n, such that
\r\n and every prime factor of W is greater than \r\n.\r\n\r\nSince a is a public
parameter in our setup, super-polynomial a could reveal partial information about
the factorization of N. However, we could allow a to be polynomial in \r\n while
maintaining hardness of factoring N.Footnote4 For the sake of simplicity of Definition
12, we rather use stronger condition \r\n. The following simple observation will
be useful for proving Lemma 2.\r\n\r\nObservation 3\r\nFor \r\n.\r\n\r\nLemma 2\r\nLet
p be a \r\n-strong prime and \r\n be a quadratic polynomial. Then, \r\n is a \r\n-strong
group.\r\n\r\nProof\r\nFrom definition of the strong primes, there exists \r\n,
whose factors are bigger than \r\n and \r\n. We denote \r\n a factor of W. Applying
Observation 3 to Lemma 1, we get\r\n\r\nIn particular, we used above the fact that
Observation 2 implies that \r\n as explained next. Since \r\n, all divisors of \r\n
are divisors of aW. By definition of a and W in Definition 12, we also have that
\r\n, which implies that any factor of \r\n divides either a or W, but not both.
When we divide \r\n by all the common divisors with a, only the common divisors
with W are left, which implies \r\n. The proof of the lemma is now completed by
Observation 2.\r\n\r\nCorollary 1\r\nLet p be a \r\n-strong prime, q be a \r\n-strong
prime, \r\n, \r\n, \r\n and \r\n. Then \r\n is \r\n-strong.\r\n\r\n4.3 Our Interactive
Protocol\r\nOur interactive protocol is formally described in Fig. 3. To understand
this protocol, we first recall the outline of Pietrzak’s interactive protocol from
Sect. 1.2 and then highlight the hurdles. Let \r\n be an RSA modulus where p and
q are strong primes and let x be a random element from \r\n. The interactive protocol
in [42] allows a prover to convince the verifier of the statement\r\n\r\n“(N, x,
y, T) satisfies \r\n”.\r\n\r\nThe protocol is recursive and in a round-by-round
fashion reduces the claim to a smaller statement by halving the time parameter.
To be precise, in each round the (honest) prover sends the “midpoint” \r\n of the
current statement to the verifier and they together reduce the statement to\r\n\r\n“\r\n
satisfies \r\n”,\r\n\r\nwhere \r\n and \r\n for a random challenge r. This is continued
until \r\n is obtained at which point the verifier simply checks whether \r\n.\r\n\r\nThe
main problem, we face while designing our protocol is ensuring that the verifier
can check whether \r\n sent by prover lies in an appropriate subgroup of \r\n. In
the first draft of Pietrzak’s protocol [41], prover sends a square root of \r\n,
from which the original \r\n can be recovered easily (by simply squaring it) with
a guarantee, that the result lies in a group of quadratic residues \r\n. Notice
that the prover knows the square root of \r\n, because it is just a previous term
in the sequence he computed.\r\n\r\nUsing Pietrzak’s protocol directly for our delay
function would require computing a-th roots in RSA group for some arbitrary a. Since
this is a computationally hard problem, we cannot use the same trick. In fact, the
VDF construction of Wesolowski [54] is based on similar hardness assumption.\r\n\r\nWhile
Pietrzak shifted from \r\n to the group of signed quadratic residues \r\n in his
following paper [42] to get unique proofs, we resort to his old idea of ‘squaring
a square root’ and generalise it.\r\n\r\nThe high level idea is simple. First, on
input \r\n, prover computes the sequence \r\n. Next, during the protocol, verifier
maps all elements sent by the prover by homomorphism\r\n\r\n(11)\r\ninto the target
strong group \r\n. This process is illustrated in Fig. 2. Notice that the equality
\r\n for the original sequence implies the equality \r\n for the mapped sequence
\r\n.\r\n\r\nFig. 2.\r\nfigure 2\r\nIllustration of our computation of the iterated
squaring using the a-th root of \r\n. Horizontal arrows are \r\n and diagonal arrows
are \r\n.\r\n\r\nFull size image\r\nRestriction to Elements of \r\n. Mapping Eq.
(11) introduces a new technical difficulty. Since \r\n is not injective, we narrow
the domain inputs, for which the output of our VDF is verifiable, from \r\n to \r\n.
Furthermore, the only way to verify that a certain x is an element of \r\n is to
get an a-th root of x and raise it to the ath power. So we have to represent elements
of \r\n by elements of \r\n anyway. To resolve these two issues, we introduce a
non-unique representation of elements of \r\n.\r\n\r\nDefinition 13\r\nFor \r\n
and \r\n, we denote \r\n (an element of \r\n) by [x]. Since this representation
of \r\n is not unique, we define an equality relation by\r\n\r\nWe will denote by
tilde () the elements that were already powered to the a by a verifier (i.e. ).
Thus tilded variables verifiably belong to the target group \r\n.\r\n\r\nIn the
following text, the goal of the brackets notation in Definition 13 is to distinguish
places where the equality means the equality of elements of \r\n from those places,
where the equality holds up to \r\n. A reader can also see the notation in Definition
13 as a concrete representation of elements of a factor group \r\n.\r\n\r\nOur security
reduction 2 required the delay function to operate everywhere on \r\n. This is not
a problem if the \r\n algorithm is modified to output the set \r\n.\r\n\r\nFig.
3.\r\nfigure 3\r\nOur Interactive Protocol for \r\n.\r\n\r\nFull size image\r\n4.4
Security\r\nRecall here that \r\n is \r\n-strong group, so there exist\r\n\r\n and
\r\n such that\r\n\r\n(12)\r\nDefinition 14\r\nFor \r\n and \r\n, we define \r\n
as i-th coordinate of \r\n, where \r\n is the isomorphism given by Eq. (12).\r\n\r\nLemma
3\r\nLet \r\n and \r\n. If \r\n, then\r\n\r\n\t(13)\r\nProof\r\nFix \r\n, \r\n and
y. Let some \r\n satisfy\r\n\r\n(14)\r\nUsing notation from Definition 14, we rewrite
Eq. (14) as a set of equations\r\n\r\nFor every \r\n, by reordering the terms, the
j-th equation becomes\r\n\r\n(15)\r\nIf \r\n, then \r\n. Further for every \r\n.
It follows that \r\n. Putting these two equations together gives us \r\n, which
contradicts our assumption \r\n.\r\n\r\nIt follows that there exists \r\n such that\r\n\r\n(16)\r\nThereafter
there exists \r\n such that \r\n divides \r\n and\r\n\r\n(17)\r\nFurthermore, from
Eq. (15), \r\n divides \r\n. Finally, dividing eq. Eq. (15) by \r\n, we get that
r is determined uniquely (\r\n),\r\n\r\nUsing the fact that \r\n, this uniqueness
of r upper bounds number of \r\n, such that Eq. (14) holds, to one. It follows that
the probability that Eq. (14) holds for r chosen randomly from the uniform distribution
over \r\n is less than \r\n. \r\n\r\nCorollary 2\r\nThe halving protocol will
turn an invalid input tuple (i.e. \r\n) into a valid output tuple (i.e. \r\n) with
probability less than \r\n.\r\n\r\nTheorem 3\r\nFor any computationally unbounded
prover who submits anything other than \r\n such that \r\n in phase 2 of the protocol,
the soundness error is upper-bounded by \r\n\r\nProof\r\nIn each round of the protocol,
T decreases to \r\n. It follows that the number of rounds of the halving protocol
before reaching \r\n is upper bounded by \r\n.\r\n\r\nIf the verifier accepts the
solution tuple \r\n in the last round, then the equality \r\n must hold. It follows
that the initial inequality must have turned into equality in some round of the
halving protocol. By Lemma 3, the probability of this event is bounded by \r\n.
Finally, using the union bound for all rounds, we obtain the upper bound (\r\n.
\ \r\n\r\n4.5 Our VDF\r\nAnalogously to the VDF of Pietrzak [42], we compile our
public-coin interactive proof given in Fig. 3 into a VDF using the Fiat-Shamir heuristic.
The complete construction is given in Fig. 4. For ease of exposition, we assume
that the time parameter T is always a power of two.\r\n\r\nFig. 4.\r\nfigure 4\r\n
based on Lucas sequences\r\n\r\nFull size image\r\nAs discussed in Sect. 4.3, it
is crucial for the security of the protocol that the prover computes a sequence
of powers of the a-th root of the challenge and the resulting value (as well as
the intermediate values) received from the prover is lifted to the appropriate group
by raising it to the a-th power. We use the tilde notation in Fig. 4 in order to
denote elements on the sequence relative to the a-th root.\r\n\r\nNote that, by
the construction, the output of our VDF is the \r\n-th power of the root of the
characteristic polynomial for Lucas sequence with parameters P and Q. Therefore,
the value of the delay function implicitly corresponds to the \r\n-th term of the
Lucas sequence.\r\n\r\nTheorem 4\r\nLet \r\n be the statistical security parameter.
The \r\n VDF defined in Fig. 4 is correct and statistically-sound with a negligible
soundness error if \r\n is modelled as a random oracle, against any adversary that
makes \r\n oracle queries.\r\n\r\nProof\r\nThe correctness follows directly by construction.\r\n\r\nTo
prove its statistical soundness, we proceed in a similar way to [42]. We cannot
apply Fiat-Shamir transformation directly, because our protocol does not have constant
number of rounds, thus we use Fiat-Shamir heuristic to each round separately.\r\n\r\nFirst,
we use a random oracle as the \r\n function. Second, if a malicious prover computed
a proof accepted by verifier for some tuple \r\n such that\r\n\r\n(19)\r\nthen he
must have succeeded in turning inequality from Eq. (19) into equality in some round.
By Lemma 3, probability of such a flipping is bounded by \r\n. Every such an attempt
requires one query to random oracle. Using a union bound, it follows that the probability
that a malicious prover who made q queries to random oracle succeeds in flipping
initial inequality into equality in some round is upper-bounded by \r\n.\r\n\r\nSince
q is \r\n, \r\n is a negligible function and thus the soundness error is negligible.
\ \r\n\r\nNotes\r\n1.\r\nNote that integer sequences like Fibonacci numbers and
Mersenne numbers are special cases of Lucas sequences.\r\n\r\n2.\r\nThe choice of
modulus N is said to be safe if \r\n for safe primes \r\n and \r\n, where \r\n and
\r\n are also prime.\r\n\r\n3.\r\nFurther, using the ideas from [14, 20], it is
possible to construct so-called continuous VDFs from Lucas sequences.\r\n\r\n4.\r\nSince
we set a to be at most polynomial in \r\n, its is possible to go over all possible
candidate values for a in time polynomial in \r\n. Thus, any algorithm that could
factor N using the knowledge of a can be efficiently simulated even without the
knowledge of a.\r\n\r\nReferences\r\nAbusalah, H., Kamath, C., Klein, K., Pietrzak,
K., Walter, M.: Reversible proofs of sequential work. In: Ishai, Y., Rijmen, V.
(eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 277–291. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_10\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nAggarwal, D., Maurer, U.: Breaking RSA generically
is equivalent to factoring. IEEE Trans. Inf. Theory 62(11), 6251–6259 (2016). https://doi.org/10.1109/TIT.2016.2594197\r\n\r\nCrossRef\r\n
\r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nArun, A., Bonneau,
J., Clark, J.: Short-lived zero-knowledge proofs and signatures. In: Agrawal, S.,
Lin, D. (eds.) Advances in Cryptology – ASIACRYPT 2022. Lecture Notes in Computer
Science, vol. 13793, pp. 487–516. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22969-5_17\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nBernstein, D., Sorenson, J.: Modular exponentiation
via the explicit Chinese remainder theorem. Math. Comput. 76, 443–454 (2007). https://doi.org/10.1090/S0025-5718-06-01849-7\r\n\r\nCrossRef\r\n
\r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nBitansky, N., et
al.: PPAD is as hard as LWE and iterated squaring. IACR Cryptol. ePrint Arch., p.
1072 (2022)\r\n\r\nGoogle Scholar\r\n \r\n\r\nBitansky, N., Goldwasser, S., Jain,
A., Paneth, O., Vaikuntanathan, V., Waters, B.: Time-lock puzzles from randomized
encodings. In: ITCS, pp. 345–356. ACM (2016)\r\n\r\nGoogle Scholar\r\n \r\n\r\nBleichenbacher,
D., Bosma, W., Lenstra, A.K.: Some remarks on Lucas-based cryptosystems. In: Coppersmith,
D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 386–396. Springer, Heidelberg (1995).
https://doi.org/10.1007/3-540-44750-4_31\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n
\r\n\r\nBlock, A.R., Holmgren, J., Rosen, A., Rothblum, R.D., Soni, P.: Time- and
space-efficient arguments from groups of unknown order. In: Malkin, T., Peikert,
C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 123–152. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_5\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nBoneh, D., Bonneau, J., Bünz, B., Fisch, B.: Verifiable
delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991,
pp. 757–788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_25\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nBoneh, D., Bünz, B., Fisch, B.: A survey of two verifiable
delay functions. IACR Cryptol. ePrint Arch. 2018, 712 (2018)\r\n\r\nMATH\r\n \r\nGoogle
Scholar\r\n \r\n\r\nBoneh, D., Venkatesan, R.: Breaking RSA may not be equivalent
to factoring. In: Nyberg, K. (ed.) Advances in Cryptology - EUROCRYPT ’98. Lecture
Notes in Computer Science, vol. 1403, pp. 59–71. Springer, Cham (1998). https://doi.org/10.1007/BFb0054117\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nBuchmann, J., Williams, H.C.: A key-exchange system
based on imaginary quadratic fields. J. Cryptol. 1(2), 107–118 (1988). https://doi.org/10.1007/BF02351719\r\n\r\nCrossRef\r\n
\r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nChavez-Saab, J.,
Rodríguez-Henríquez, F., Tibouchi, M.: Verifiable Isogeny walks: towards an isogeny-based
postquantum VDF. In: AlTawy, R., Hülsing, A. (eds.) SAC 2021. LNCS, vol. 13203,
pp. 441–460. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-99277-4_21\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nChoudhuri, A.R., Hubáček, P., Kamath, C., Pietrzak,
K., Rosen, A., Rothblum, G.N.: PPAD-hardness via iterated squaring modulo a composite.
IACR Cryptol. ePrint Arch. 2019, 667 (2019)\r\n\r\nGoogle Scholar\r\n \r\n\r\nCini,
V., Lai, R.W.F., Malavolta, G.: Lattice-based succinct arguments from vanishing
polynomials. In: Handschuh, H., Lysyanskaya, A. (eds.) Advances in Cryptology -
CRYPTO 2023. Lecture Notes in Computer Science, pp. 72–105. Springer Nature Switzerland,
Cham (2023). https://doi.org/10.1007/978-3-031-38545-2_3\r\n\r\nCrossRef\r\n \r\nGoogle
Scholar\r\n \r\n\r\nCohen, B., Pietrzak, K.: Simple proofs of sequential work. In:
Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 451–467.
Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_15\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nCohen, B., Pietrzak, K.: The Chia network blockchain.
Technical report, Chia Network (2019). https://www.chia.net/assets/ChiaGreenPaper.pdf.
Accessed 29 July 2022\r\n\r\nDöttling, N., Garg, S., Malavolta, G., Vasudevan, P.N.:
Tight verifiable delay functions. In: Galdi, C., Kolesnikov, V. (eds.) SCN 2020.
LNCS, vol. 12238, pp. 65–84. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57990-6_4\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nDöttling, N., Lai, R.W.F., Malavolta, G.: Incremental
proofs of sequential work. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS,
vol. 11477, pp. 292–323. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_11\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nEphraim, N., Freitag, C., Komargodski, I., Pass,
R.: Continuous verifiable delay functions. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT
2020. LNCS, vol. 12107, pp. 125–154. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_5\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nDe Feo, L., Masson, S., Petit, C., Sanso, A.: Verifiable
delay functions from supersingular isogenies and pairings. In: Galbraith, S.D.,
Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 248–277. Springer, Cham
(2019). https://doi.org/10.1007/978-3-030-34578-5_10\r\n\r\nCrossRef\r\n \r\nGoogle
Scholar\r\n \r\n\r\nFiat, A., Shamir, A.: How to prove yourself: practical solutions
to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS,
vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nFreitag, C., Pass, R., Sirkin, N.: Parallelizable
delegation from LWE. IACR Cryptol. ePrint Arch., p. 1025 (2022)\r\n\r\nGoogle Scholar\r\n
\r\n\r\nGoldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive
proof systems. SIAM J. Comput. 18(1), 186–208 (1989)\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n
\r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nHoffmann, C., Hubáček, P., Kamath, C.,
Klein, K., Pietrzak, K.: Practical statistically sound proofs of exponentiation
in any group. In: Dodis, Y., Shrimpton, T. (eds.) Advances in Cryptology – CRYPTO
2022. Lecture Notes in Computer Science, vol. 13508, pp. 1–30. Springer, Cham (2022).
https://doi.org/10.1007/978-3-031-15979-4_13\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle
Scholar\r\n \r\n\r\nHofheinz, D., Kiltz, E.: The group of signed quadratic residues
and applications. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 637–653.
Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_37\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nKatz, J., Loss, J., Xu, J.: On the security of time-lock
puzzles and timed commitments. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part
III. LNCS, vol. 12552, pp. 390–413. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64381-2_14\r\n\r\nCrossRef\r\n
\r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nLai, R.W.F., Malavolta, G.: Lattice-based
timed cryptography. In: Handschuh, H., Lysyanskaya, A. (eds.) Advances in Cryptology
- CRYPTO 2023. Lecture Notes in Computer Science, pp. 782–804. Springer Nature Switzerland,
Cham (2023). https://doi.org/10.1007/978-3-031-38554-4_25\r\n\r\nCrossRef\r\n \r\nGoogle
Scholar\r\n \r\n\r\nLehmer, D.H.: An extended theory of Lucas’ functions. Ann. Math.
31(3), 419–448 (1930). https://www.jstor.org/stable/1968235\r\n\r\nLennon, M.J.J.,
Smith, P.J.: LUC: A new public key system. In: Douglas, E.G. (ed.) Ninth IFIP Symposium
on Computer Security, pp. 103–117. Elsevier Science Publishers (1993)\r\n\r\nGoogle
Scholar\r\n \r\n\r\nLenstra, A.K., Wesolowski, B.: Trustworthy public randomness
with sloth, unicorn, and trx. IJACT 3(4), 330–343 (2017)\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n
\r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nLipmaa, H.: On Diophantine complexity
and statistical zero-knowledge arguments. In: Laih, C.-S. (ed.) ASIACRYPT 2003.
LNCS, vol. 2894, pp. 398–415. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_26\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nLombardi, A., Vaikuntanathan, V.: Fiat-Shamir for
repeated squaring with applications to PPAD-hardness and VDFs. In: Micciancio, D.,
Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 632–651. Springer, Cham
(2020). https://doi.org/10.1007/978-3-030-56877-1_22\r\n\r\nCrossRef\r\n \r\nGoogle
Scholar\r\n \r\n\r\nLucas, E.: Théorie des fonctions numériques simplement périodiques.
Am. J. Math. 1(4), 289–321 (1878). https://www.jstor.org/stable/2369373\r\n\r\nLund,
C., Fortnow, L., Karloff, H.J., Nisan, N.: Algebraic methods for interactive proof
systems. J. ACM 39(4), 859–868 (1992)\r\n\r\nCrossRef\r\n \r\nMathSciNet\r\n \r\nMATH\r\n
\r\nGoogle Scholar\r\n \r\n\r\nMahmoody, M., Moran, T., Vadhan, S.P.: Publicly verifiable
proofs of sequential work. In: ITCS, pp. 373–388. ACM (2013)\r\n\r\nGoogle Scholar\r\n
\r\n\r\nMahmoody, M., Smith, C., Wu, D.J.: A note on the (Im)possibility of verifiable
delay functions in the random oracle model. IACR Cryptol. ePrint Arch. 2019, 663
(2019)\r\n\r\nGoogle Scholar\r\n \r\n\r\nMalavolta, G., Thyagarajan, S.A.K.: Homomorphic
time-lock puzzles and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO
2019. LNCS, vol. 11692, pp. 620–649. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_22\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nMüller, W.B., Nöbauer, W.: Some remarks on public-key
cryptosystems. Studia Sci. Math. Hungar. 16, 71–76 (1981)\r\n\r\nMathSciNet\r\n
\r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nBressoud, D.M.: Factorization and primality
testing. Math. Comput. 56(193), 400 (1991)\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n
\r\n\r\nPietrzak, K.: Simple verifiable delay functions. IACR Cryptol. ePrint Arch.
2018, 627 (2018). https://eprint.iacr.org/2018/627/20180720:081000\r\n\r\nPietrzak,
K.: Simple verifiable delay functions. In: ITCS. LIPIcs, vol. 124, pp. 1–15. Schloss
Dagstuhl - Leibniz-Zentrum für Informatik (2019)\r\n\r\nGoogle Scholar\r\n \r\n\r\nRabin,
M.O.: Transaction protection by beacons. J. Comput. Syst. Sci. 27(2), 256–267 (1983)\r\n\r\nCrossRef\r\n
\r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nRibenboim, P.: My
Numbers, My Friends: Popular Lectures on Number Theory. Springer-Verlag, New York
(2000)\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nRiesel, H.:
Prime Numbers and Computer Methods for Factorization, Progress in Mathematics, vol.
57. Birkhäuser, Basel (1985)\r\n\r\nCrossRef\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n
\r\n\r\nRivest, R., Silverman, R.: Are ’strong’ primes needed for RSA. Cryptology
ePrint Archive, Report 2001/007 (2001). https://eprint.iacr.org/2001/007\r\n\r\nRivest,
R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key
cryptosystems (reprint). Commun. ACM 26(1), 96–99 (1983)\r\n\r\nCrossRef\r\n \r\nMATH\r\n
\r\nGoogle Scholar\r\n \r\n\r\nRivest, R.L., Shamir, A., Wagner, D.A.: Time-lock
puzzles and timed-release crypto. Technical report, Massachusetts Institute of Technology
(1996)\r\n\r\nGoogle Scholar\r\n \r\n\r\nRotem, L., Segev, G.: Generically speeding-up
repeated squaring is equivalent to factoring: sharp thresholds for all generic-ring
delay functions. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol.
12172, pp. 481–509. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_17\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nRotem, L., Segev, G., Shahaf, I.: Generic-group delay
functions require hidden-order groups. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT
2020. LNCS, vol. 12107, pp. 155–180. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_6\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nSchindler, P., Judmayer, A., Hittmeir, M., Stifter,
N., Weippl, E.R.: RandRunner: distributed randomness from trapdoor VDFs with strong
uniqueness. In: 28th Annual Network and Distributed System Security Symposium, NDSS
2021, virtually, 21–25 February 2021. The Internet Society (2021)\r\n\r\nGoogle
Scholar\r\n \r\n\r\nShani, B.: A note on isogeny-based hybrid verifiable delay functions.
IACR Cryptol. ePrint Arch. 2019, 205 (2019)\r\n\r\nGoogle Scholar\r\n \r\n\r\nValiant,
P.: Incrementally verifiable computation or proofs of knowledge imply time/space
efficiency. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 1–18. Springer,
Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_1\r\n\r\nCrossRef\r\n
\r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nWesolowski, B.: Efficient verifiable
delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478,
pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_13\r\n\r\nCrossRef\r\n
\r\nGoogle Scholar\r\n \r\n\r\nWesolowski, B.: Efficient verifiable delay functions.
J. Cryptol. 33(4), 2113–2147 (2020). https://doi.org/10.1007/s00145-020-09364-x\r\n\r\nCrossRef\r\n
\r\nMathSciNet\r\n \r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nWilliams, H.C.: A
\r\n method of factoring. Math. Comput. 39(159), 225–234 (1982)\r\n\r\nMathSciNet\r\n
\r\nMATH\r\n \r\nGoogle Scholar\r\n \r\n\r\nWilliams, H.C.: Édouard lucas and primality
testing. Math. Gaz. 83, 173 (1999)\r\n\r\nCrossRef\r\n \r\nGoogle Scholar\r\n \r\n\r\nDownload
references\r\n\r\nAcknowledgements\r\nWe thank Krzysztof Pietrzak and Alon Rosen
for several fruitful discussions about this work and the anonymous reviewers of
SCN 2022 and TCC 2023 for valuable suggestions.\r\n\r\nPavel Hubáček is supported
by the Czech Academy of Sciences (RVO 67985840), by the Grant Agency of the Czech
Republic under the grant agreement no. 19-27871X, and by the Charles University
project UNCE/SCI/004. Chethan Kamath is supported by Azrieli International Postdoctoral
Fellowship, by the European Research Council (ERC) under the European Union’s Horizon
Europe research and innovation programme (grant agreement No. 101042417, acronym
SPP), and by ISF grant 1789/19."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Charlotte
full_name: Hoffmann, Charlotte
id: 0f78d746-dc7d-11ea-9b2f-83f92091afe7
last_name: Hoffmann
orcid: 0000-0003-2027-5549
- first_name: Pavel
full_name: Hubáček, Pavel
last_name: Hubáček
- first_name: Chethan
full_name: Kamath, Chethan
last_name: Kamath
- first_name: Tomáš
full_name: Krňák, Tomáš
last_name: Krňák
citation:
ama: 'Hoffmann C, Hubáček P, Kamath C, Krňák T. (Verifiable) delay functions from
Lucas sequences. In: 21st International Conference on Theory of Cryptography.
Vol 14372. Springer Nature; 2023:336-362. doi:10.1007/978-3-031-48624-1_13'
apa: 'Hoffmann, C., Hubáček, P., Kamath, C., & Krňák, T. (2023). (Verifiable)
delay functions from Lucas sequences. In 21st International Conference on Theory
of Cryptography (Vol. 14372, pp. 336–362). Taipei, Taiwan: Springer Nature.
https://doi.org/10.1007/978-3-031-48624-1_13'
chicago: Hoffmann, Charlotte, Pavel Hubáček, Chethan Kamath, and Tomáš Krňák. “(Verifiable)
Delay Functions from Lucas Sequences.” In 21st International Conference on
Theory of Cryptography, 14372:336–62. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-48624-1_13.
ieee: C. Hoffmann, P. Hubáček, C. Kamath, and T. Krňák, “(Verifiable) delay functions
from Lucas sequences,” in 21st International Conference on Theory of Cryptography,
Taipei, Taiwan, 2023, vol. 14372, pp. 336–362.
ista: 'Hoffmann C, Hubáček P, Kamath C, Krňák T. 2023. (Verifiable) delay functions
from Lucas sequences. 21st International Conference on Theory of Cryptography.
TCC: Theory of Cryptography, LNCS, vol. 14372, 336–362.'
mla: Hoffmann, Charlotte, et al. “(Verifiable) Delay Functions from Lucas Sequences.”
21st International Conference on Theory of Cryptography, vol. 14372, Springer
Nature, 2023, pp. 336–62, doi:10.1007/978-3-031-48624-1_13.
short: C. Hoffmann, P. Hubáček, C. Kamath, T. Krňák, in:, 21st International Conference
on Theory of Cryptography, Springer Nature, 2023, pp. 336–362.
conference:
end_date: 2023-12-02
location: Taipei, Taiwan
name: 'TCC: Theory of Cryptography'
start_date: 2023-11-29
corr_author: '1'
date_created: 2023-12-17T23:00:54Z
date_published: 2023-11-27T00:00:00Z
date_updated: 2025-09-09T14:01:23Z
day: '27'
department:
- _id: KrPi
doi: 10.1007/978-3-031-48624-1_13
external_id:
isi:
- '001160733700013'
intvolume: ' 14372'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://eprint.iacr.org/2023/1404
month: '11'
oa: 1
oa_version: Preprint
page: 336-362
publication: 21st International Conference on Theory of Cryptography
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031486234'
issn:
- 0302-9743
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: (Verifiable) delay functions from Lucas sequences
type: conference
user_id: 317138e5-6ab7-11ef-aa6d-ffef3953e345
volume: 14372
year: '2023'
...
---
OA_place: repository
OA_type: green
_id: '14736'
abstract:
- lang: eng
text: Payment channel networks (PCNs) are a promising technology to improve the
scalability of cryptocurrencies. PCNs, however, face the challenge that the frequent
usage of certain routes may deplete channels in one direction, and hence prevent
further transactions. In order to reap the full potential of PCNs, recharging
and rebalancing mechanisms are required to provision channels, as well as an admission
control logic to decide which transactions to reject in case capacity is insufficient.
This paper presents a formal model of this optimisation problem. In particular,
we consider an online algorithms perspective, where transactions arrive over time
in an unpredictable manner. Our main contributions are competitive online algorithms
which come with provable guarantees over time. We empirically evaluate our algorithms
on randomly generated transactions to compare the average performance of our algorithms
to our theoretical bounds. We also show how this model and approach differs from
related problems in classic communication networks.
acknowledgement: Supported by the German Federal Ministry of Education and Research
(BMBF), grant 16KISK020K (6G-RIC), 2021–2025, and ERC CoG 863818 (ForM-SMArt).
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Mahsa
full_name: Bastankhah, Mahsa
last_name: Bastankhah
- first_name: Krishnendu
full_name: Chatterjee, Krishnendu
id: 2E5DCA20-F248-11E8-B48F-1D18A9856A87
last_name: Chatterjee
orcid: 0000-0002-4561-241X
- first_name: Mohammad Ali
full_name: Maddah-Ali, Mohammad Ali
last_name: Maddah-Ali
- first_name: Stefan
full_name: Schmid, Stefan
last_name: Schmid
- first_name: Jakub
full_name: Svoboda, Jakub
id: 130759D2-D7DD-11E9-87D2-DE0DE6697425
last_name: Svoboda
orcid: 0000-0002-1419-3267
- first_name: Michelle X
full_name: Yeo, Michelle X
id: 2D82B818-F248-11E8-B48F-1D18A9856A87
last_name: Yeo
orcid: 0009-0001-3676-4809
citation:
ama: 'Bastankhah M, Chatterjee K, Maddah-Ali MA, Schmid S, Svoboda J, Yeo MX. R2:
Boosting liquidity in payment channel networks with online admission control.
In: 27th International Conference on Financial Cryptography and Data Security.
Vol 13950. Springer Nature; 2023:309-325. doi:10.1007/978-3-031-47754-6_18'
apa: 'Bastankhah, M., Chatterjee, K., Maddah-Ali, M. A., Schmid, S., Svoboda, J.,
& Yeo, M. X. (2023). R2: Boosting liquidity in payment channel networks with online
admission control. In 27th International Conference on Financial Cryptography
and Data Security (Vol. 13950, pp. 309–325). Bol, Brac, Croatia: Springer
Nature. https://doi.org/10.1007/978-3-031-47754-6_18'
chicago: 'Bastankhah, Mahsa, Krishnendu Chatterjee, Mohammad Ali Maddah-Ali, Stefan
Schmid, Jakub Svoboda, and Michelle X Yeo. “R2: Boosting Liquidity in Payment
Channel Networks with Online Admission Control.” In 27th International Conference
on Financial Cryptography and Data Security, 13950:309–25. Springer Nature,
2023. https://doi.org/10.1007/978-3-031-47754-6_18.'
ieee: 'M. Bastankhah, K. Chatterjee, M. A. Maddah-Ali, S. Schmid, J. Svoboda, and
M. X. Yeo, “R2: Boosting liquidity in payment channel networks with online admission
control,” in 27th International Conference on Financial Cryptography and Data
Security, Bol, Brac, Croatia, 2023, vol. 13950, pp. 309–325.'
ista: 'Bastankhah M, Chatterjee K, Maddah-Ali MA, Schmid S, Svoboda J, Yeo MX. 2023.
R2: Boosting liquidity in payment channel networks with online admission control.
27th International Conference on Financial Cryptography and Data Security. FC:
Financial Cryptography and Data Security, LNCS, vol. 13950, 309–325.'
mla: 'Bastankhah, Mahsa, et al. “R2: Boosting Liquidity in Payment Channel Networks
with Online Admission Control.” 27th International Conference on Financial
Cryptography and Data Security, vol. 13950, Springer Nature, 2023, pp. 309–25,
doi:10.1007/978-3-031-47754-6_18.'
short: M. Bastankhah, K. Chatterjee, M.A. Maddah-Ali, S. Schmid, J. Svoboda, M.X.
Yeo, in:, 27th International Conference on Financial Cryptography and Data Security,
Springer Nature, 2023, pp. 309–325.
conference:
end_date: 2023-05-05
location: Bol, Brac, Croatia
name: 'FC: Financial Cryptography and Data Security'
start_date: 2023-05-01
date_created: 2024-01-08T09:30:22Z
date_published: 2023-12-01T00:00:00Z
date_updated: 2025-11-05T07:37:31Z
day: '01'
department:
- _id: KrCh
- _id: KrPi
doi: 10.1007/978-3-031-47754-6_18
ec_funded: 1
external_id:
isi:
- '001150222600018'
intvolume: ' 13950'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://openreview.net/forum?id=Dg0qdd9uha
month: '12'
oa: 1
oa_version: Submitted Version
page: 309-325
project:
- _id: 0599E47C-7A3F-11EA-A408-12923DDC885E
call_identifier: H2020
grant_number: '863818'
name: 'Formal Methods for Stochastic Models: Algorithms and Applications'
publication: 27th International Conference on Financial Cryptography and Data Security
publication_identifier:
eisbn:
- '9783031477546'
eissn:
- 1611-3349
isbn:
- '9783031477539'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'R2: Boosting liquidity in payment channel networks with online admission control'
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 13950
year: '2023'
...
---
_id: '18218'
abstract:
- lang: eng
text: Deep neural networks are known to be susceptible to adversarial perturbations
– small perturbations that alter the output of the network and exist under strict
norm limitations. While such perturbations are usually discussed as tailored to
a specific input, a universal perturbation can be constructed to alter the model’s
output on a set of inputs. Universal perturbations present a more realistic case
of adversarial attacks, as awareness of the model’s exact input is not required.
In addition, the universal attack setting raises the subject of generalization
to unseen data, where given a set of inputs, the universal perturbations aim to
alter the model’s output on out-of-sample data. In this work, we study physical
passive patch adversarial attacks on visual odometry-based autonomous navigation
systems. A visual odometry system aims to infer the relative camera motion between
two corresponding viewpoints, and is frequently used by vision-based autonomous
navigation systems to estimate their state. For such navigation systems, a patch
adversarial perturbation poses a severe security issue, as it can be used to mislead
a system onto some collision course. To the best of our knowledge, we show for
the first time that the error margin of a visual odometry model can be significantly
increased by deploying patch adversarial attacks in the scene. We provide evaluation
on synthetic closed-loop drone navigation data and demonstrate that a comparable
vulnerability exists in real data. A reference implementation of the proposed
method and the reported experiments is provided at https://github.com/patchadversarialattacks/patchadversarialattacks.
alternative_title:
- LNCS
article_processing_charge: No
arxiv: 1
author:
- first_name: Yaniv
full_name: Nemcovsky, Yaniv
last_name: Nemcovsky
- first_name: Matan
full_name: Jacoby, Matan
last_name: Jacoby
- first_name: Alexander
full_name: Bronstein, Alexander
id: 58f3726e-7cba-11ef-ad8b-e6e8cb3904e6
last_name: Bronstein
orcid: 0000-0001-9699-8730
- first_name: Chaim
full_name: Baskin, Chaim
last_name: Baskin
citation:
ama: 'Nemcovsky Y, Jacoby M, Bronstein AM, Baskin C. Physical passive patch adversarial
attacks on visual odometry systems. In: 16th Asian Conference on Computer Vision.
Vol 13847. Springer Nature; 2023:518-534. doi:10.1007/978-3-031-26293-7_31'
apa: 'Nemcovsky, Y., Jacoby, M., Bronstein, A. M., & Baskin, C. (2023). Physical
passive patch adversarial attacks on visual odometry systems. In 16th Asian
Conference on Computer Vision (Vol. 13847, pp. 518–534). Macao, China: Springer
Nature. https://doi.org/10.1007/978-3-031-26293-7_31'
chicago: Nemcovsky, Yaniv, Matan Jacoby, Alex M. Bronstein, and Chaim Baskin. “Physical
Passive Patch Adversarial Attacks on Visual Odometry Systems.” In 16th Asian
Conference on Computer Vision, 13847:518–34. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-26293-7_31.
ieee: Y. Nemcovsky, M. Jacoby, A. M. Bronstein, and C. Baskin, “Physical passive
patch adversarial attacks on visual odometry systems,” in 16th Asian Conference
on Computer Vision, Macao, China, 2023, vol. 13847, pp. 518–534.
ista: 'Nemcovsky Y, Jacoby M, Bronstein AM, Baskin C. 2023. Physical passive patch
adversarial attacks on visual odometry systems. 16th Asian Conference on Computer
Vision. ACCV: Asian Conference on Computer Vision, LNCS, vol. 13847, 518–534.'
mla: Nemcovsky, Yaniv, et al. “Physical Passive Patch Adversarial Attacks on Visual
Odometry Systems.” 16th Asian Conference on Computer Vision, vol. 13847,
Springer Nature, 2023, pp. 518–34, doi:10.1007/978-3-031-26293-7_31.
short: Y. Nemcovsky, M. Jacoby, A.M. Bronstein, C. Baskin, in:, 16th Asian Conference
on Computer Vision, Springer Nature, 2023, pp. 518–534.
conference:
end_date: 2022-12-08
location: Macao, China
name: 'ACCV: Asian Conference on Computer Vision'
start_date: 2022-12-04
date_created: 2024-10-08T12:51:14Z
date_published: 2023-03-11T00:00:00Z
date_updated: 2024-10-09T12:13:36Z
day: '11'
doi: 10.1007/978-3-031-26293-7_31
extern: '1'
external_id:
arxiv:
- '2207.05729'
intvolume: ' 13847'
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://doi.org/10.48550/arXiv.2207.05729
month: '03'
oa: 1
oa_version: Preprint
page: 518-534
publication: 16th Asian Conference on Computer Vision
publication_identifier:
eisbn:
- '9783031262937'
eissn:
- 1611-3349
isbn:
- '9783031262920'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
related_material:
link:
- relation: software
url: https://github.com/patchadversarialattacks/patchadversarialattacks
scopus_import: '1'
status: public
title: Physical passive patch adversarial attacks on visual odometry systems
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 13847
year: '2023'
...
---
_id: '12467'
abstract:
- lang: eng
text: Safety and liveness are elementary concepts of computation, and the foundation
of many verification paradigms. The safety-liveness classification of boolean
properties characterizes whether a given property can be falsified by observing
a finite prefix of an infinite computation trace (always for safety, never for
liveness). In quantitative specification and verification, properties assign not
truth values, but quantitative values to infinite traces (e.g., a cost, or the
distance to a boolean property). We introduce quantitative safety and liveness,
and we prove that our definitions induce conservative quantitative generalizations
of both (1)~the safety-progress hierarchy of boolean properties and (2)~the safety-liveness
decomposition of boolean properties. In particular, we show that every quantitative
property can be written as the pointwise minimum of a quantitative safety property
and a quantitative liveness property. Consequently, like boolean properties, also
quantitative properties can be min-decomposed into safety and liveness parts,
or alternatively, max-decomposed into co-safety and co-liveness parts. Moreover,
quantitative properties can be approximated naturally. We prove that every quantitative
property that has both safe and co-safe approximations can be monitored arbitrarily
precisely by a monitor that uses only a finite number of states.
acknowledgement: We thank the anonymous reviewers for their helpful comments. This
work was supported in part by the ERC-2020-AdG 101020093.
alternative_title:
- LNCS
article_processing_charge: No
arxiv: 1
author:
- first_name: Thomas A
full_name: Henzinger, Thomas A
id: 40876CD8-F248-11E8-B48F-1D18A9856A87
last_name: Henzinger
orcid: 0000-0002-2985-7724
- first_name: Nicolas Adrien
full_name: Mazzocchi, Nicolas Adrien
id: b26baa86-3308-11ec-87b0-8990f34baa85
last_name: Mazzocchi
- first_name: Naci E
full_name: Sarac, Naci E
id: 8C6B42F8-C8E6-11E9-A03A-F2DCE5697425
last_name: Sarac
citation:
ama: 'Henzinger TA, Mazzocchi NA, Sarac NE. Quantitative safety and liveness. In:
26th International Conference Foundations of Software Science and Computation
Structures. Vol 13992. Springer Nature; 2023:349-370. doi:10.1007/978-3-031-30829-1_17'
apa: 'Henzinger, T. A., Mazzocchi, N. A., & Sarac, N. E. (2023). Quantitative
safety and liveness. In 26th International Conference Foundations of Software
Science and Computation Structures (Vol. 13992, pp. 349–370). Paris, France:
Springer Nature. https://doi.org/10.1007/978-3-031-30829-1_17'
chicago: Henzinger, Thomas A, Nicolas Adrien Mazzocchi, and Naci E Sarac. “Quantitative
Safety and Liveness.” In 26th International Conference Foundations of Software
Science and Computation Structures, 13992:349–70. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-30829-1_17.
ieee: T. A. Henzinger, N. A. Mazzocchi, and N. E. Sarac, “Quantitative safety and
liveness,” in 26th International Conference Foundations of Software Science
and Computation Structures, Paris, France, 2023, vol. 13992, pp. 349–370.
ista: 'Henzinger TA, Mazzocchi NA, Sarac NE. 2023. Quantitative safety and liveness.
26th International Conference Foundations of Software Science and Computation
Structures. FOSSACS: Foundations of Software Science and Computation Structures,
LNCS, vol. 13992, 349–370.'
mla: Henzinger, Thomas A., et al. “Quantitative Safety and Liveness.” 26th International
Conference Foundations of Software Science and Computation Structures, vol.
13992, Springer Nature, 2023, pp. 349–70, doi:10.1007/978-3-031-30829-1_17.
short: T.A. Henzinger, N.A. Mazzocchi, N.E. Sarac, in:, 26th International Conference
Foundations of Software Science and Computation Structures, Springer Nature, 2023,
pp. 349–370.
conference:
end_date: 2023-04-27
location: Paris, France
name: 'FOSSACS: Foundations of Software Science and Computation Structures'
start_date: 2023-04-22
corr_author: '1'
date_created: 2023-01-31T07:23:56Z
date_published: 2023-04-21T00:00:00Z
date_updated: 2025-09-09T12:21:08Z
day: '21'
ddc:
- '000'
department:
- _id: GradSch
- _id: ToHe
doi: 10.1007/978-3-031-30829-1_17
ec_funded: 1
external_id:
arxiv:
- '2301.11175'
isi:
- '001288609300017'
file:
- access_level: open_access
checksum: 981025aed580b6b27c426cb8856cf63e
content_type: application/pdf
creator: esarac
date_created: 2023-01-31T07:22:21Z
date_updated: 2023-01-31T07:22:21Z
file_id: '12468'
file_name: qsl.pdf
file_size: 449027
relation: main_file
success: 1
- access_level: open_access
checksum: f16e2af1e0eb243158ab0f0fe74e7d5a
content_type: application/pdf
creator: dernst
date_created: 2023-06-19T10:28:09Z
date_updated: 2023-06-19T10:28:09Z
file_id: '13153'
file_name: 2023_LNCS_HenzingerT.pdf
file_size: 1048171
relation: main_file
success: 1
file_date_updated: 2023-06-19T10:28:09Z
has_accepted_license: '1'
intvolume: ' 13992'
isi: 1
language:
- iso: eng
month: '04'
oa: 1
oa_version: Published Version
page: 349-370
project:
- _id: 62781420-2b32-11ec-9570-8d9b63373d4d
call_identifier: H2020
grant_number: '101020093'
name: Vigilant Algorithmic Monitoring of Software
publication: 26th International Conference Foundations of Software Science and Computation
Structures
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031308284'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Quantitative safety and liveness
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 317138e5-6ab7-11ef-aa6d-ffef3953e345
volume: 13992
year: '2023'
...
---
_id: '12854'
abstract:
- lang: eng
text: "The main idea behind BUBAAK is to run multiple program analyses in parallel
and use runtime monitoring and enforcement to observe and control their progress
in real time. The analyses send information about (un)explored states of the program
and discovered invariants to a monitor. The monitor processes the received data
and can force an analysis to stop the search of certain program parts (which have
already been analyzed by other analyses), or to make it utilize a program invariant
found by another analysis.\r\nAt SV-COMP 2023, the implementation of data exchange
between the monitor and the analyses was not yet completed, which is why BUBAAK
only ran several analyses in parallel, without any coordination. Still, BUBAAK
won the meta-category FalsificationOverall and placed very well in several other
(sub)-categories of the competition."
acknowledgement: This work was supported by the ERC-2020-AdG 10102009 grant.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Marek
full_name: Chalupa, Marek
id: 87e34708-d6c6-11ec-9f5b-9391e7be2463
last_name: Chalupa
- first_name: Thomas A
full_name: Henzinger, Thomas A
id: 40876CD8-F248-11E8-B48F-1D18A9856A87
last_name: Henzinger
orcid: 0000-0002-2985-7724
citation:
ama: 'Chalupa M, Henzinger TA. Bubaak: Runtime monitoring of program verifiers.
In: Tools and Algorithms for the Construction and Analysis of Systems.
Vol 13994. Springer Nature; 2023:535-540. doi:10.1007/978-3-031-30820-8_32'
apa: 'Chalupa, M., & Henzinger, T. A. (2023). Bubaak: Runtime monitoring of
program verifiers. In Tools and Algorithms for the Construction and Analysis
of Systems (Vol. 13994, pp. 535–540). Paris, France: Springer Nature. https://doi.org/10.1007/978-3-031-30820-8_32'
chicago: 'Chalupa, Marek, and Thomas A Henzinger. “Bubaak: Runtime Monitoring of
Program Verifiers.” In Tools and Algorithms for the Construction and Analysis
of Systems, 13994:535–40. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-30820-8_32.'
ieee: 'M. Chalupa and T. A. Henzinger, “Bubaak: Runtime monitoring of program verifiers,”
in Tools and Algorithms for the Construction and Analysis of Systems, Paris,
France, 2023, vol. 13994, pp. 535–540.'
ista: 'Chalupa M, Henzinger TA. 2023. Bubaak: Runtime monitoring of program verifiers.
Tools and Algorithms for the Construction and Analysis of Systems. TACAS: Tools
and Algorithms for the Construction and Analysis of Systems, LNCS, vol. 13994,
535–540.'
mla: 'Chalupa, Marek, and Thomas A. Henzinger. “Bubaak: Runtime Monitoring of Program
Verifiers.” Tools and Algorithms for the Construction and Analysis of Systems,
vol. 13994, Springer Nature, 2023, pp. 535–40, doi:10.1007/978-3-031-30820-8_32.'
short: M. Chalupa, T.A. Henzinger, in:, Tools and Algorithms for the Construction
and Analysis of Systems, Springer Nature, 2023, pp. 535–540.
conference:
end_date: 2023-04-27
location: Paris, France
name: 'TACAS: Tools and Algorithms for the Construction and Analysis of Systems'
start_date: 2023-04-22
corr_author: '1'
date_created: 2023-04-20T08:22:53Z
date_published: 2023-04-20T00:00:00Z
date_updated: 2025-09-09T12:24:56Z
day: '20'
ddc:
- '000'
department:
- _id: ToHe
doi: 10.1007/978-3-031-30820-8_32
ec_funded: 1
external_id:
isi:
- '001288698100041'
file:
- access_level: open_access
checksum: 120d2c2a38384058ad0630fdf8288312
content_type: application/pdf
creator: dernst
date_created: 2023-04-25T06:58:36Z
date_updated: 2023-04-25T06:58:36Z
file_id: '12864'
file_name: 2023_LNCS_Chalupa.pdf
file_size: 16096413
relation: main_file
success: 1
file_date_updated: 2023-04-25T06:58:36Z
has_accepted_license: '1'
intvolume: ' 13994'
isi: 1
language:
- iso: eng
month: '04'
oa: 1
oa_version: Published Version
page: 535-540
project:
- _id: 62781420-2b32-11ec-9570-8d9b63373d4d
call_identifier: H2020
grant_number: '101020093'
name: Vigilant Algorithmic Monitoring of Software
publication: Tools and Algorithms for the Construction and Analysis of Systems
publication_identifier:
eisbn:
- '9783031308208'
eissn:
- 1611-3349
isbn:
- '9783031308192'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'Bubaak: Runtime monitoring of program verifiers'
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 317138e5-6ab7-11ef-aa6d-ffef3953e345
volume: 13994
year: '2023'
...
---
_id: '12856'
abstract:
- lang: eng
text: "As the complexity and criticality of software increase every year, so does
the importance of run-time monitoring. Third-party monitoring, with limited knowledge
of the monitored software, and best-effort monitoring, which keeps pace with the
monitored software, are especially valuable, yet underexplored areas of run-time
monitoring. Most existing monitoring frameworks do not support their combination
because they either require access to the monitored code for instrumentation purposes
or the processing of all observed events, or both.\r\n\r\nWe present a middleware
framework, VAMOS, for the run-time monitoring of software which is explicitly
designed to support third-party and best-effort scenarios. The design goals of
VAMOS are (i) efficiency (keeping pace at low overhead), (ii) flexibility (the
ability to monitor black-box code through a variety of different event channels,
and the connectability to monitors written in different specification languages),
and (iii) ease-of-use. To achieve its goals, VAMOS combines aspects of event broker
and event recognition systems with aspects of stream processing systems.\r\nWe
implemented a prototype toolchain for VAMOS and conducted experiments including
a case study of monitoring for data races. The results indicate that VAMOS enables
writing useful yet efficient monitors, is compatible with a variety of event sources
and monitor specifications, and simplifies key aspects of setting up a monitoring
system from scratch."
acknowledgement: This work was supported in part by the ERC-2020-AdG 101020093. The
authors would like to thank the anonymous FASE reviewers for their valuable feedback
and suggestions.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Marek
full_name: Chalupa, Marek
id: 87e34708-d6c6-11ec-9f5b-9391e7be2463
last_name: Chalupa
- first_name: Fabian
full_name: Mühlböck, Fabian
id: 6395C5F6-89DF-11E9-9C97-6BDFE5697425
last_name: Mühlböck
orcid: 0000-0003-1548-0177
- first_name: Stefanie
full_name: Muroya Lei, Stefanie
id: a376de31-8972-11ed-ae7b-d0251c13c8ff
last_name: Muroya Lei
- first_name: Thomas A
full_name: Henzinger, Thomas A
id: 40876CD8-F248-11E8-B48F-1D18A9856A87
last_name: Henzinger
orcid: 0000-0002-2985-7724
citation:
ama: 'Chalupa M, Mühlböck F, Muroya Lei S, Henzinger TA. Vamos: Middleware for best-effort
third-party monitoring. In: Fundamental Approaches to Software Engineering.
Vol 13991. Springer Nature; 2023:260-281. doi:10.1007/978-3-031-30826-0_15'
apa: 'Chalupa, M., Mühlböck, F., Muroya Lei, S., & Henzinger, T. A. (2023).
Vamos: Middleware for best-effort third-party monitoring. In Fundamental Approaches
to Software Engineering (Vol. 13991, pp. 260–281). Paris, France: Springer
Nature. https://doi.org/10.1007/978-3-031-30826-0_15'
chicago: 'Chalupa, Marek, Fabian Mühlböck, Stefanie Muroya Lei, and Thomas A Henzinger.
“Vamos: Middleware for Best-Effort Third-Party Monitoring.” In Fundamental
Approaches to Software Engineering, 13991:260–81. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-30826-0_15.'
ieee: 'M. Chalupa, F. Mühlböck, S. Muroya Lei, and T. A. Henzinger, “Vamos: Middleware
for best-effort third-party monitoring,” in Fundamental Approaches to Software
Engineering, Paris, France, 2023, vol. 13991, pp. 260–281.'
ista: 'Chalupa M, Mühlböck F, Muroya Lei S, Henzinger TA. 2023. Vamos: Middleware
for best-effort third-party monitoring. Fundamental Approaches to Software Engineering.
FASE: Fundamental Approaches to Software Engineering, LNCS, vol. 13991, 260–281.'
mla: 'Chalupa, Marek, et al. “Vamos: Middleware for Best-Effort Third-Party Monitoring.”
Fundamental Approaches to Software Engineering, vol. 13991, Springer Nature,
2023, pp. 260–81, doi:10.1007/978-3-031-30826-0_15.'
short: M. Chalupa, F. Mühlböck, S. Muroya Lei, T.A. Henzinger, in:, Fundamental
Approaches to Software Engineering, Springer Nature, 2023, pp. 260–281.
conference:
end_date: 2023-04-27
location: Paris, France
name: 'FASE: Fundamental Approaches to Software Engineering'
start_date: 2023-04-22
corr_author: '1'
date_created: 2023-04-20T08:29:42Z
date_published: 2023-04-20T00:00:00Z
date_updated: 2025-09-09T12:25:29Z
day: '20'
ddc:
- '000'
department:
- _id: ToHe
doi: 10.1007/978-3-031-30826-0_15
ec_funded: 1
external_id:
isi:
- '001284136600015'
file:
- access_level: open_access
checksum: 17a7c8e08be609cf2408d37ea55e322c
content_type: application/pdf
creator: dernst
date_created: 2023-04-25T07:16:36Z
date_updated: 2023-04-25T07:16:36Z
file_id: '12865'
file_name: 2023_LNCS_ChalupaM.pdf
file_size: 580828
relation: main_file
success: 1
file_date_updated: 2023-04-25T07:16:36Z
has_accepted_license: '1'
intvolume: ' 13991'
isi: 1
language:
- iso: eng
month: '04'
oa: 1
oa_version: Published Version
page: 260-281
project:
- _id: 62781420-2b32-11ec-9570-8d9b63373d4d
call_identifier: H2020
grant_number: '101020093'
name: Vigilant Algorithmic Monitoring of Software
publication: Fundamental Approaches to Software Engineering
publication_identifier:
eisbn:
- '9783031308260'
eissn:
- 1611-3349
isbn:
- '9783031308253'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
related_material:
record:
- id: '18169'
relation: later_version
status: public
- id: '12407'
relation: earlier_version
status: public
scopus_import: '1'
status: public
title: 'Vamos: Middleware for best-effort third-party monitoring'
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 317138e5-6ab7-11ef-aa6d-ffef3953e345
volume: 13991
year: '2023'
...
---
_id: '13139'
abstract:
- lang: eng
text: A classical problem for Markov chains is determining their stationary (or
steady-state) distribution. This problem has an equally classical solution based
on eigenvectors and linear equation systems. However, this approach does not scale
to large instances, and iterative solutions are desirable. It turns out that a
naive approach, as used by current model checkers, may yield completely wrong
results. We present a new approach, which utilizes recent advances in partial
exploration and mean payoff computation to obtain a correct, converging approximation.
alternative_title:
- LNCS
article_processing_charge: No
arxiv: 1
author:
- first_name: Tobias
full_name: Meggendorfer, Tobias
id: b21b0c15-30a2-11eb-80dc-f13ca25802e1
last_name: Meggendorfer
orcid: 0000-0002-1712-2165
citation:
ama: 'Meggendorfer T. Correct approximation of stationary distributions. In: TACAS
2023: Tools and Algorithms for the Construction and Analysis of Systems. Vol
13993. Springer Nature; 2023:489-507. doi:10.1007/978-3-031-30823-9_25'
apa: 'Meggendorfer, T. (2023). Correct approximation of stationary distributions.
In TACAS 2023: Tools and Algorithms for the Construction and Analysis of Systems
(Vol. 13993, pp. 489–507). Paris, France: Springer Nature. https://doi.org/10.1007/978-3-031-30823-9_25'
chicago: 'Meggendorfer, Tobias. “Correct Approximation of Stationary Distributions.”
In TACAS 2023: Tools and Algorithms for the Construction and Analysis of Systems,
13993:489–507. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-30823-9_25.'
ieee: 'T. Meggendorfer, “Correct approximation of stationary distributions,” in
TACAS 2023: Tools and Algorithms for the Construction and Analysis of Systems,
Paris, France, 2023, vol. 13993, pp. 489–507.'
ista: 'Meggendorfer T. 2023. Correct approximation of stationary distributions.
TACAS 2023: Tools and Algorithms for the Construction and Analysis of Systems.
TACAS: Tools and Algorithms for the Construction and Analysis of Systems, LNCS,
vol. 13993, 489–507.'
mla: 'Meggendorfer, Tobias. “Correct Approximation of Stationary Distributions.”
TACAS 2023: Tools and Algorithms for the Construction and Analysis of Systems,
vol. 13993, Springer Nature, 2023, pp. 489–507, doi:10.1007/978-3-031-30823-9_25.'
short: 'T. Meggendorfer, in:, TACAS 2023: Tools and Algorithms for the Construction
and Analysis of Systems, Springer Nature, 2023, pp. 489–507.'
conference:
end_date: 2023-04-27
location: Paris, France
name: 'TACAS: Tools and Algorithms for the Construction and Analysis of Systems'
start_date: 2023-04-22
corr_author: '1'
date_created: 2023-06-18T22:00:46Z
date_published: 2023-04-22T00:00:00Z
date_updated: 2025-09-09T12:28:12Z
day: '22'
ddc:
- '000'
department:
- _id: KrCh
doi: 10.1007/978-3-031-30823-9_25
external_id:
arxiv:
- '2301.08137'
isi:
- '001288688000025'
file:
- access_level: open_access
checksum: 59f707a3949c03793251b0d04c62542a
content_type: application/pdf
creator: dernst
date_created: 2023-06-19T07:18:40Z
date_updated: 2023-06-19T07:18:40Z
file_id: '13148'
file_name: 2023_LNCS_Meggendorfer.pdf
file_size: 521951
relation: main_file
success: 1
file_date_updated: 2023-06-19T07:18:40Z
has_accepted_license: '1'
intvolume: ' 13993'
isi: 1
language:
- iso: eng
month: '04'
oa: 1
oa_version: Published Version
page: 489-507
publication: 'TACAS 2023: Tools and Algorithms for the Construction and Analysis of
Systems'
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031308222'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
related_material:
record:
- id: '14990'
relation: research_data
status: public
scopus_import: '1'
status: public
title: Correct approximation of stationary distributions
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 317138e5-6ab7-11ef-aa6d-ffef3953e345
volume: 13993
year: '2023'
...
---
_id: '13141'
abstract:
- lang: eng
text: "We automatically compute a new class of environment assumptions in two-player
turn-based finite graph games which characterize an “adequate cooperation” needed
from the environment to allow the system player to win. Given an ω-regular winning
condition Φ for the system player, we compute an ω-regular assumption Ψ for the
environment player, such that (i) every environment strategy compliant with Ψ
allows the system to fulfill Φ (sufficiency), (ii) Ψ\r\n can be fulfilled by the
environment for every strategy of the system (implementability), and (iii) Ψ does
not prevent any cooperative strategy choice (permissiveness).\r\nFor parity games,
which are canonical representations of ω-regular games, we present a polynomial-time
algorithm for the symbolic computation of adequately permissive assumptions and
show that our algorithm runs faster and produces better assumptions than existing
approaches—both theoretically and empirically. To the best of our knowledge, for
ω\r\n-regular games, we provide the first algorithm to compute sufficient and
implementable environment assumptions that are also permissive."
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Ashwani
full_name: Anand, Ashwani
last_name: Anand
- first_name: Kaushik
full_name: Mallik, Kaushik
id: 0834ff3c-6d72-11ec-94e0-b5b0a4fb8598
last_name: Mallik
orcid: 0000-0001-9864-7475
- first_name: Satya Prakash
full_name: Nayak, Satya Prakash
last_name: Nayak
- first_name: Anne Kathrin
full_name: Schmuck, Anne Kathrin
last_name: Schmuck
citation:
ama: 'Anand A, Mallik K, Nayak SP, Schmuck AK. Computing adequately permissive assumptions
for synthesis. In: TACAS 2023: Tools and Algorithms for the Construction and
Analysis of Systems. Vol 13994. Springer Nature; 2023:211-228. doi:10.1007/978-3-031-30820-8_15'
apa: 'Anand, A., Mallik, K., Nayak, S. P., & Schmuck, A. K. (2023). Computing
adequately permissive assumptions for synthesis. In TACAS 2023: Tools and Algorithms
for the Construction and Analysis of Systems (Vol. 13994, pp. 211–228). Paris,
France: Springer Nature. https://doi.org/10.1007/978-3-031-30820-8_15'
chicago: 'Anand, Ashwani, Kaushik Mallik, Satya Prakash Nayak, and Anne Kathrin
Schmuck. “Computing Adequately Permissive Assumptions for Synthesis.” In TACAS
2023: Tools and Algorithms for the Construction and Analysis of Systems, 13994:211–28.
Springer Nature, 2023. https://doi.org/10.1007/978-3-031-30820-8_15.'
ieee: 'A. Anand, K. Mallik, S. P. Nayak, and A. K. Schmuck, “Computing adequately
permissive assumptions for synthesis,” in TACAS 2023: Tools and Algorithms
for the Construction and Analysis of Systems, Paris, France, 2023, vol. 13994,
pp. 211–228.'
ista: 'Anand A, Mallik K, Nayak SP, Schmuck AK. 2023. Computing adequately permissive
assumptions for synthesis. TACAS 2023: Tools and Algorithms for the Construction
and Analysis of Systems. TACAS: Tools and Algorithms for the Construction and
Analysis of Systems, LNCS, vol. 13994, 211–228.'
mla: 'Anand, Ashwani, et al. “Computing Adequately Permissive Assumptions for Synthesis.”
TACAS 2023: Tools and Algorithms for the Construction and Analysis of Systems,
vol. 13994, Springer Nature, 2023, pp. 211–28, doi:10.1007/978-3-031-30820-8_15.'
short: 'A. Anand, K. Mallik, S.P. Nayak, A.K. Schmuck, in:, TACAS 2023: Tools and
Algorithms for the Construction and Analysis of Systems, Springer Nature, 2023,
pp. 211–228.'
conference:
end_date: 2023-04-27
location: Paris, France
name: 'TACAS: Tools and Algorithms for the Construction and Analysis of Systems'
start_date: 2023-04-22
date_created: 2023-06-18T22:00:47Z
date_published: 2023-04-20T00:00:00Z
date_updated: 2025-09-09T12:30:00Z
day: '20'
ddc:
- '000'
department:
- _id: ToHe
doi: 10.1007/978-3-031-30820-8_15
external_id:
isi:
- '001288698100015'
file:
- access_level: open_access
checksum: 60dcafc1b4f6f070be43bad3fe877974
content_type: application/pdf
creator: dernst
date_created: 2023-06-19T08:43:21Z
date_updated: 2023-06-19T08:43:21Z
file_id: '13151'
file_name: 2023_LNCS_Anand.pdf
file_size: 521425
relation: main_file
success: 1
file_date_updated: 2023-06-19T08:43:21Z
has_accepted_license: '1'
intvolume: ' 13994'
isi: 1
language:
- iso: eng
month: '04'
oa: 1
oa_version: Published Version
page: 211-228
publication: 'TACAS 2023: Tools and Algorithms for the Construction and Analysis of
Systems'
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031308192'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Computing adequately permissive assumptions for synthesis
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 317138e5-6ab7-11ef-aa6d-ffef3953e345
volume: 13994
year: '2023'
...
---
_id: '13142'
abstract:
- lang: eng
text: Reinforcement learning has received much attention for learning controllers
of deterministic systems. We consider a learner-verifier framework for stochastic
control systems and survey recent methods that formally guarantee a conjunction
of reachability and safety properties. Given a property and a lower bound on the
probability of the property being satisfied, our framework jointly learns a control
policy and a formal certificate to ensure the satisfaction of the property with
a desired probability threshold. Both the control policy and the formal certificate
are continuous functions from states to reals, which are learned as parameterized
neural networks. While in the deterministic case, the certificates are invariant
and barrier functions for safety, or Lyapunov and ranking functions for liveness,
in the stochastic case the certificates are supermartingales. For certificate
verification, we use interval arithmetic abstract interpretation to bound the
expected values of neural network functions.
acknowledgement: This work was supported in part by the ERC-2020-AdG 101020093, ERC
CoG 863818 (FoRM-SMArt) and the European Union’s Horizon 2020 research and innovation
programme under the Marie Skłodowska-Curie Grant Agreement No. 665385.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Krishnendu
full_name: Chatterjee, Krishnendu
id: 2E5DCA20-F248-11E8-B48F-1D18A9856A87
last_name: Chatterjee
orcid: 0000-0002-4561-241X
- first_name: Thomas A
full_name: Henzinger, Thomas A
id: 40876CD8-F248-11E8-B48F-1D18A9856A87
last_name: Henzinger
orcid: 0000-0002-2985-7724
- first_name: Mathias
full_name: Lechner, Mathias
id: 3DC22916-F248-11E8-B48F-1D18A9856A87
last_name: Lechner
- first_name: Dorde
full_name: Zikelic, Dorde
id: 294AA7A6-F248-11E8-B48F-1D18A9856A87
last_name: Zikelic
orcid: 0000-0002-4681-1699
citation:
ama: 'Chatterjee K, Henzinger TA, Lechner M, Zikelic D. A learner-verifier framework
for neural network controllers and certificates of stochastic systems. In: Tools
and Algorithms for the Construction and Analysis of Systems . Vol 13993. Springer
Nature; 2023:3-25. doi:10.1007/978-3-031-30823-9_1'
apa: 'Chatterjee, K., Henzinger, T. A., Lechner, M., & Zikelic, D. (2023). A
learner-verifier framework for neural network controllers and certificates of
stochastic systems. In Tools and Algorithms for the Construction and Analysis
of Systems (Vol. 13993, pp. 3–25). Paris, France: Springer Nature. https://doi.org/10.1007/978-3-031-30823-9_1'
chicago: Chatterjee, Krishnendu, Thomas A Henzinger, Mathias Lechner, and Dorde
Zikelic. “A Learner-Verifier Framework for Neural Network Controllers and Certificates
of Stochastic Systems.” In Tools and Algorithms for the Construction and Analysis
of Systems , 13993:3–25. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-30823-9_1.
ieee: K. Chatterjee, T. A. Henzinger, M. Lechner, and D. Zikelic, “A learner-verifier
framework for neural network controllers and certificates of stochastic systems,”
in Tools and Algorithms for the Construction and Analysis of Systems ,
Paris, France, 2023, vol. 13993, pp. 3–25.
ista: 'Chatterjee K, Henzinger TA, Lechner M, Zikelic D. 2023. A learner-verifier
framework for neural network controllers and certificates of stochastic systems.
Tools and Algorithms for the Construction and Analysis of Systems . TACAS: Tools
and Algorithms for the Construction and Analysis of Systems, LNCS, vol. 13993,
3–25.'
mla: Chatterjee, Krishnendu, et al. “A Learner-Verifier Framework for Neural Network
Controllers and Certificates of Stochastic Systems.” Tools and Algorithms for
the Construction and Analysis of Systems , vol. 13993, Springer Nature, 2023,
pp. 3–25, doi:10.1007/978-3-031-30823-9_1.
short: K. Chatterjee, T.A. Henzinger, M. Lechner, D. Zikelic, in:, Tools and Algorithms
for the Construction and Analysis of Systems , Springer Nature, 2023, pp. 3–25.
conference:
end_date: 2023-04-27
location: Paris, France
name: 'TACAS: Tools and Algorithms for the Construction and Analysis of Systems'
start_date: 2023-04-22
corr_author: '1'
date_created: 2023-06-18T22:00:47Z
date_published: 2023-04-22T00:00:00Z
date_updated: 2025-09-09T12:29:26Z
day: '22'
ddc:
- '000'
department:
- _id: KrCh
- _id: ToHe
doi: 10.1007/978-3-031-30823-9_1
ec_funded: 1
external_id:
isi:
- '001288688000001'
file:
- access_level: open_access
checksum: 3d8a8bb24d211bc83360dfc2fd744307
content_type: application/pdf
creator: dernst
date_created: 2023-06-19T08:29:30Z
date_updated: 2023-06-19T08:29:30Z
file_id: '13150'
file_name: 2023_LNCS_Chatterjee.pdf
file_size: 528455
relation: main_file
success: 1
file_date_updated: 2023-06-19T08:29:30Z
has_accepted_license: '1'
intvolume: ' 13993'
isi: 1
language:
- iso: eng
month: '04'
oa: 1
oa_version: Published Version
page: 3-25
project:
- _id: 0599E47C-7A3F-11EA-A408-12923DDC885E
call_identifier: H2020
grant_number: '863818'
name: 'Formal Methods for Stochastic Models: Algorithms and Applications'
- _id: 2564DBCA-B435-11E9-9278-68D0E5697425
call_identifier: H2020
grant_number: '665385'
name: International IST Doctoral Program
publication: 'Tools and Algorithms for the Construction and Analysis of Systems '
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031308222'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: A learner-verifier framework for neural network controllers and certificates
of stochastic systems
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 317138e5-6ab7-11ef-aa6d-ffef3953e345
volume: 13993
year: '2023'
...
---
_id: '13236'
abstract:
- lang: eng
text: We present an auction algorithm using multiplicative instead of constant weight
updates to compute a (1−ε)-approximate maximum weight matching (MWM) in a bipartite
graph with n vertices and m edges in time O(mε−1log(ε−1)), matching the running
time of the linear-time approximation algorithm of Duan and Pettie [JACM ’14].
Our algorithm is very simple and it can be extended to give a dynamic data structure
that maintains a (1−ε)-approximate maximum weight matching under (1) one-sided
vertex deletions (with incident edges) and (2) one-sided vertex insertions (with
incident edges sorted by weight) to the other side. The total time time used is
O(mε−1log(ε−1)), where m is the sum of the number of initially existing and inserted
edges.
acknowledgement: The first author thanks to Chandra Chekuri for useful discussions
about this paper. This project has received funding from the European Research Council
(ERC) under the European Union’s Horizon 2020 research and innovation programme
(Grant agreement No. 101019564 “The Design of Modern Fully Dynamic Data Structures
(MoDynStruct)” and from the Austrian Science Fund (FWF) project “Fast Algorithms
for a Reactive Network Layer (ReactNet)”, P 33775-N, with additional funding from
the netidee SCIENCE Stiftung, 2020–2024.
alternative_title:
- LNCS
article_processing_charge: No
arxiv: 1
author:
- first_name: Da Wei
full_name: Zheng, Da Wei
last_name: Zheng
- first_name: Monika H
full_name: Henzinger, Monika H
id: 540c9bbd-f2de-11ec-812d-d04a5be85630
last_name: Henzinger
orcid: 0000-0002-5008-6530
citation:
ama: 'Zheng DW, Henzinger M. Multiplicative auction algorithm for approximate maximum
weight bipartite matching. In: International Conference on Integer Programming
and Combinatorial Optimization. Vol 13904. Springer Nature; 2023:453-465.
doi:10.1007/978-3-031-32726-1_32'
apa: 'Zheng, D. W., & Henzinger, M. (2023). Multiplicative auction algorithm
for approximate maximum weight bipartite matching. In International Conference
on Integer Programming and Combinatorial Optimization (Vol. 13904, pp. 453–465).
Madison, WI, United States: Springer Nature. https://doi.org/10.1007/978-3-031-32726-1_32'
chicago: Zheng, Da Wei, and Monika Henzinger. “Multiplicative Auction Algorithm
for Approximate Maximum Weight Bipartite Matching.” In International Conference
on Integer Programming and Combinatorial Optimization, 13904:453–65. Springer
Nature, 2023. https://doi.org/10.1007/978-3-031-32726-1_32.
ieee: D. W. Zheng and M. Henzinger, “Multiplicative auction algorithm for approximate
maximum weight bipartite matching,” in International Conference on Integer
Programming and Combinatorial Optimization, Madison, WI, United States, 2023,
vol. 13904, pp. 453–465.
ista: 'Zheng DW, Henzinger M. 2023. Multiplicative auction algorithm for approximate
maximum weight bipartite matching. International Conference on Integer Programming
and Combinatorial Optimization. IPCO: Integer Programming and Combinatorial Optimization,
LNCS, vol. 13904, 453–465.'
mla: Zheng, Da Wei, and Monika Henzinger. “Multiplicative Auction Algorithm for Approximate
Maximum Weight Bipartite Matching.” International Conference on Integer Programming
and Combinatorial Optimization, vol. 13904, Springer Nature, 2023, pp. 453–65,
doi:10.1007/978-3-031-32726-1_32.
short: D.W. Zheng, M. Henzinger, in:, International Conference on Integer Programming
and Combinatorial Optimization, Springer Nature, 2023, pp. 453–465.
conference:
end_date: 2023-06-23
location: Madison, WI, United States
name: 'IPCO: Integer Programming and Combinatorial Optimization'
start_date: 2023-06-21
date_created: 2023-07-16T22:01:11Z
date_published: 2023-05-22T00:00:00Z
date_updated: 2025-09-09T12:39:59Z
day: '22'
department:
- _id: MoHe
doi: 10.1007/978-3-031-32726-1_32
ec_funded: 1
external_id:
arxiv:
- '2301.09217'
isi:
- '001281059600032'
intvolume: ' 13904'
isi: 1
language:
- iso: eng
main_file_link:
- open_access: '1'
url: https://doi.org/10.48550/arXiv.2301.09217
month: '05'
oa: 1
oa_version: Preprint
page: 453-465
project:
- _id: bd9ca328-d553-11ed-ba76-dc4f890cfe62
call_identifier: H2020
grant_number: '101019564'
name: The design and evaluation of modern fully dynamic data structures
- _id: bd9e3a2e-d553-11ed-ba76-8aa684ce17fe
grant_number: P33775
name: Fast Algorithms for a Reactive Network Layer
publication: International Conference on Integer Programming and Combinatorial Optimization
publication_identifier:
eissn:
- 1611-3349
isbn:
- '9783031327254'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
related_material:
record:
- id: '15121'
relation: later_version
status: public
scopus_import: '1'
status: public
title: Multiplicative auction algorithm for approximate maximum weight bipartite matching
type: conference
user_id: 317138e5-6ab7-11ef-aa6d-ffef3953e345
volume: 13904
year: '2023'
...
---
_id: '13310'
abstract:
- lang: eng
text: Machine-learned systems are in widespread use for making decisions about humans,
and it is important that they are fair, i.e., not biased against individuals based
on sensitive attributes. We present runtime verification of algorithmic fairness
for systems whose models are unknown, but are assumed to have a Markov chain structure.
We introduce a specification language that can model many common algorithmic fairness
properties, such as demographic parity, equal opportunity, and social burden.
We build monitors that observe a long sequence of events as generated by a given
system, and output, after each observation, a quantitative estimate of how fair
or biased the system was on that run until that point in time. The estimate is
proven to be correct modulo a variable error bound and a given confidence level,
where the error bound gets tighter as the observed sequence gets longer. Our monitors
are of two types, and use, respectively, frequentist and Bayesian statistical
inference techniques. While the frequentist monitors compute estimates that are
objectively correct with respect to the ground truth, the Bayesian monitors compute
estimates that are correct subject to a given prior belief about the system’s
model. Using a prototype implementation, we show how we can monitor if a bank
is fair in giving loans to applicants from different social backgrounds, and if
a college is fair in admitting students while maintaining a reasonable financial
burden on the society. Although they exhibit different theoretical complexities
in certain cases, in our experiments, both frequentist and Bayesian monitors took
less than a millisecond to update their verdicts after each observation.
acknowledgement: 'This work is supported by the European Research Council under Grant
No.: ERC-2020-AdG101020093.'
alternative_title:
- LNCS
article_processing_charge: Yes (in subscription journal)
arxiv: 1
author:
- first_name: Thomas A
full_name: Henzinger, Thomas A
id: 40876CD8-F248-11E8-B48F-1D18A9856A87
last_name: Henzinger
orcid: 0000-0002-2985-7724
- first_name: Mahyar
full_name: Karimi, Mahyar
id: 6e5417ba-5355-11ee-ae5a-94c2e510b26b
last_name: Karimi
orcid: 0009-0005-0820-1696
- first_name: Konstantin
full_name: Kueffner, Konstantin
id: 8121a2d0-dc85-11ea-9058-af578f3b4515
last_name: Kueffner
orcid: 0000-0001-8974-2542
- first_name: Kaushik
full_name: Mallik, Kaushik
id: 0834ff3c-6d72-11ec-94e0-b5b0a4fb8598
last_name: Mallik
orcid: 0000-0001-9864-7475
citation:
ama: 'Henzinger TA, Karimi M, Kueffner K, Mallik K. Monitoring algorithmic fairness.
In: Computer Aided Verification. Vol 13965. Springer Nature; 2023:358–382.
doi:10.1007/978-3-031-37703-7_17'
apa: 'Henzinger, T. A., Karimi, M., Kueffner, K., & Mallik, K. (2023). Monitoring
algorithmic fairness. In Computer Aided Verification (Vol. 13965, pp. 358–382).
Paris, France: Springer Nature. https://doi.org/10.1007/978-3-031-37703-7_17'
chicago: Henzinger, Thomas A, Mahyar Karimi, Konstantin Kueffner, and Kaushik Mallik.
“Monitoring Algorithmic Fairness.” In Computer Aided Verification, 13965:358–382.
Springer Nature, 2023. https://doi.org/10.1007/978-3-031-37703-7_17.
ieee: T. A. Henzinger, M. Karimi, K. Kueffner, and K. Mallik, “Monitoring algorithmic
fairness,” in Computer Aided Verification, Paris, France, 2023, vol. 13965,
pp. 358–382.
ista: 'Henzinger TA, Karimi M, Kueffner K, Mallik K. 2023. Monitoring algorithmic
fairness. Computer Aided Verification. CAV: Computer Aided Verification, LNCS,
vol. 13965, 358–382.'
mla: Henzinger, Thomas A., et al. “Monitoring Algorithmic Fairness.” Computer
Aided Verification, vol. 13965, Springer Nature, 2023, pp. 358–382, doi:10.1007/978-3-031-37703-7_17.
short: T.A. Henzinger, M. Karimi, K. Kueffner, K. Mallik, in:, Computer Aided Verification,
Springer Nature, 2023, pp. 358–382.
conference:
end_date: 2023-07-22
location: Paris, France
name: 'CAV: Computer Aided Verification'
start_date: 2023-07-17
corr_author: '1'
date_created: 2023-07-25T18:32:40Z
date_published: 2023-07-18T00:00:00Z
date_updated: 2026-01-21T07:24:31Z
day: '18'
ddc:
- '000'
department:
- _id: GradSch
- _id: ToHe
doi: 10.1007/978-3-031-37703-7_17
ec_funded: 1
external_id:
arxiv:
- '2305.15979'
isi:
- '001310804800017'
file:
- access_level: open_access
checksum: ccaf94bf7d658ba012c016e11869b54c
content_type: application/pdf
creator: dernst
date_created: 2023-07-31T08:11:20Z
date_updated: 2023-07-31T08:11:20Z
file_id: '13327'
file_name: 2023_LNCS_CAV_HenzingerT.pdf
file_size: 647760
relation: main_file
success: 1
file_date_updated: 2023-07-31T08:11:20Z
has_accepted_license: '1'
intvolume: ' 13965'
isi: 1
language:
- iso: eng
month: '07'
oa: 1
oa_version: Published Version
page: 358–382
project:
- _id: 62781420-2b32-11ec-9570-8d9b63373d4d
call_identifier: H2020
grant_number: '101020093'
name: Vigilant Algorithmic Monitoring of Software
publication: Computer Aided Verification
publication_identifier:
eisbn:
- '9783031377037'
eissn:
- 1611-3349
isbn:
- '9783031377020'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: Monitoring algorithmic fairness
tmp:
image: /images/cc_by.png
legal_code_url: https://creativecommons.org/licenses/by/4.0/legalcode
name: Creative Commons Attribution 4.0 International Public License (CC-BY 4.0)
short: CC BY (4.0)
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 13965
year: '2023'
...
---
OA_type: closed access
_id: '19985'
abstract:
- lang: eng
text: We consider a natural problem dealing with weighted packet selection across
a rechargeable link, which e.g., finds applications in cryptocurrency networks.
The capacity of a link (u, v) is determined by how much nodes u and v allocate
for this link. Specifically, the input is a finite ordered sequence of packets
that arrive in both directions along a link. Given (u, v) and a packet of weight
x going from u to v, node u can either accept or reject the packet. If u accepts
the packet, the capacity on link (u, v) decreases by x. Correspondingly, v’s capacity
on (u, v) increases by x. If a node rejects the packet, this will entail a cost
affinely linear in the weight of the packet. A link is “rechargeable” in the sense
that the total capacity of the link has to remain constant, but the allocation
of capacity at the ends of the link can depend arbitrarily on the nodes’ decisions.
The goal is to minimise the sum of the capacity injected into the link and the
cost of rejecting packets. We show that the problem is NP-hard, but can be approximated
efficiently with a ratio of (1 + E) . (1 + square3) for some arbitrary E>0.
acknowledgement: We thank Mahsa Bastankhah and Mohammad Ali Maddah-Ali for fruitful
discussions about different variants of the problem. This work is supported by the
European Research Council (ERC) Consolidator Project 864228 (AdjustNet), 2020-2025,
the ERC CoG 863818 (ForM-SMArt), and the German Research Foundation (DFG) grant
470029389 (FlexNets), 2021–2024.
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Stefan
full_name: Schmid, Stefan
last_name: Schmid
- first_name: Jakub
full_name: Svoboda, Jakub
id: 130759D2-D7DD-11E9-87D2-DE0DE6697425
last_name: Svoboda
orcid: 0000-0002-1419-3267
- first_name: Michelle X
full_name: Yeo, Michelle X
id: 2D82B818-F248-11E8-B48F-1D18A9856A87
last_name: Yeo
orcid: 0009-0001-3676-4809
citation:
ama: 'Schmid S, Svoboda J, Yeo MX. Weighted acket selection for rechargeable links
in cryptocurrency networks: Complexity and approximation. In: 30th International
Colloquium on Structural Information and Communication Complexity. Vol 13892.
Springer Nature; 2023:576-594. doi:10.1007/978-3-031-32733-9_26'
apa: 'Schmid, S., Svoboda, J., & Yeo, M. X. (2023). Weighted acket selection
for rechargeable links in cryptocurrency networks: Complexity and approximation.
In 30th International Colloquium on Structural Information and Communication
Complexity (Vol. 13892, pp. 576–594). Alcalá de Henares, Spain: Springer Nature.
https://doi.org/10.1007/978-3-031-32733-9_26'
chicago: 'Schmid, Stefan, Jakub Svoboda, and Michelle X Yeo. “Weighted Acket Selection
for Rechargeable Links in Cryptocurrency Networks: Complexity and Approximation.”
In 30th International Colloquium on Structural Information and Communication
Complexity, 13892:576–94. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-32733-9_26.'
ieee: 'S. Schmid, J. Svoboda, and M. X. Yeo, “Weighted acket selection for rechargeable
links in cryptocurrency networks: Complexity and approximation,” in 30th International
Colloquium on Structural Information and Communication Complexity, Alcalá
de Henares, Spain, 2023, vol. 13892, pp. 576–594.'
ista: 'Schmid S, Svoboda J, Yeo MX. 2023. Weighted acket selection for rechargeable
links in cryptocurrency networks: Complexity and approximation. 30th International
Colloquium on Structural Information and Communication Complexity. SIROCCO: International
Colloquium on Structural Information and Communication Complexity, LNCS, vol.
13892, 576–594.'
mla: 'Schmid, Stefan, et al. “Weighted Acket Selection for Rechargeable Links in Cryptocurrency
Networks: Complexity and Approximation.” 30th International Colloquium on Structural
Information and Communication Complexity, vol. 13892, Springer Nature, 2023,
pp. 576–94, doi:10.1007/978-3-031-32733-9_26.'
short: S. Schmid, J. Svoboda, M.X. Yeo, in:, 30th International Colloquium on Structural
Information and Communication Complexity, Springer Nature, 2023, pp. 576–594.
conference:
end_date: 2023-06-09
location: Alcalá de Henares, Spain
name: 'SIROCCO: International Colloquium on Structural Information and Communication
Complexity'
start_date: 2023-06-06
corr_author: '1'
date_created: 2025-07-10T13:15:43Z
date_published: 2023-05-25T00:00:00Z
date_updated: 2025-12-02T14:02:38Z
day: '25'
department:
- _id: KrCh
- _id: KrPi
doi: 10.1007/978-3-031-32733-9_26
ec_funded: 1
external_id:
isi:
- '001292782600026'
intvolume: ' 13892'
isi: 1
language:
- iso: eng
month: '05'
oa_version: None
page: 576-594
project:
- _id: 0599E47C-7A3F-11EA-A408-12923DDC885E
call_identifier: H2020
grant_number: '863818'
name: 'Formal Methods for Stochastic Models: Algorithms and Applications'
publication: 30th International Colloquium on Structural Information and Communication
Complexity
publication_identifier:
eisbn:
- '9783031327339'
eissn:
- 1611-3349
isbn:
- '9783031327322'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
related_material:
record:
- id: '14820'
relation: later_version
status: public
scopus_import: '1'
status: public
title: 'Weighted acket selection for rechargeable links in cryptocurrency networks:
Complexity and approximation'
type: conference
user_id: 2DF688A6-F248-11E8-B48F-1D18A9856A87
volume: 13892
year: '2023'
...
---
_id: '14744'
abstract:
- lang: eng
text: "Sharding distributed ledgers is a promising on-chain solution for scaling
blockchains but lacks formal grounds, nurturing skepticism on whether such complex
systems can scale blockchains securely. We fill this gap by introducing the first
formal framework as well as a roadmap to robust sharding. In particular, we first
define the properties sharded distributed ledgers should fulfill. We build upon
and extend the Bitcoin backbone protocol by defining consistency and scalability.
Consistency encompasses the need for atomic execution of cross-shard transactions
to preserve safety, whereas scalability encapsulates the speedup a sharded system
can gain in comparison to a non-sharded system.\r\nUsing our model, we explore
the limitations of sharding. We show that a sharded ledger with n participants
cannot scale under a fully adaptive adversary, but it can scale up to m shards
where n=c'm log m, under an epoch-adaptive adversary; the constant c' encompasses
the trade-off between security and scalability. This is possible only if the sharded
ledgers create succinct proofs of the valid state updates at every epoch. We leverage
our results to identify the sufficient components for robust sharding, which we
incorporate in a protocol abstraction termed Divide & Scale. To demonstrate the
power of our framework, we analyze the most prominent sharded blockchains (Elastico,
Monoxide, OmniLedger, RapidChain) and pinpoint where they fail to meet the desired
properties."
acknowledgement: The work was partially supported by the Austrian Science Fund (FWF)
through the project CoRaF (grant agreement 2020388).
alternative_title:
- LNCS
article_processing_charge: No
author:
- first_name: Zeta
full_name: Avarikioti, Zeta
last_name: Avarikioti
- first_name: Antoine
full_name: Desjardins, Antoine
id: 06d0c166-aec1-11ee-a7c0-b96e840a602b
last_name: Desjardins
- first_name: Eleftherios
full_name: Kokoris Kogias, Eleftherios
id: f5983044-d7ef-11ea-ac6d-fd1430a26d30
last_name: Kokoris Kogias
- first_name: Roger
full_name: Wattenhofer, Roger
last_name: Wattenhofer
citation:
ama: 'Avarikioti Z, Desjardins A, Kokoris Kogias E, Wattenhofer R. Divide &
Scale: Formalization and roadmap to robust sharding. In: 30th International
Colloquium on Structural Information and Communication Complexity. Vol 13892.
Springer Nature; 2023:199-245. doi:10.1007/978-3-031-32733-9_10'
apa: 'Avarikioti, Z., Desjardins, A., Kokoris Kogias, E., & Wattenhofer, R.
(2023). Divide & Scale: Formalization and roadmap to robust sharding. In 30th
International Colloquium on Structural Information and Communication Complexity
(Vol. 13892, pp. 199–245). Alcalá de Henares, Spain: Springer Nature. https://doi.org/10.1007/978-3-031-32733-9_10'
chicago: 'Avarikioti, Zeta, Antoine Desjardins, Eleftherios Kokoris Kogias, and
Roger Wattenhofer. “Divide & Scale: Formalization and Roadmap to Robust Sharding.”
In 30th International Colloquium on Structural Information and Communication
Complexity, 13892:199–245. Springer Nature, 2023. https://doi.org/10.1007/978-3-031-32733-9_10.'
ieee: 'Z. Avarikioti, A. Desjardins, E. Kokoris Kogias, and R. Wattenhofer, “Divide
& Scale: Formalization and roadmap to robust sharding,” in 30th International
Colloquium on Structural Information and Communication Complexity, Alcalá
de Henares, Spain, 2023, vol. 13892, pp. 199–245.'
ista: 'Avarikioti Z, Desjardins A, Kokoris Kogias E, Wattenhofer R. 2023. Divide
& Scale: Formalization and roadmap to robust sharding. 30th International
Colloquium on Structural Information and Communication Complexity. SIROCCO: Structural
Information and Communication Complexity, LNCS, vol. 13892, 199–245.'
mla: 'Avarikioti, Zeta, et al. “Divide & Scale: Formalization and Roadmap to Robust
Sharding.” 30th International Colloquium on Structural Information and Communication
Complexity, vol. 13892, Springer Nature, 2023, pp. 199–245, doi:10.1007/978-3-031-32733-9_10.'
short: Z. Avarikioti, A. Desjardins, E. Kokoris Kogias, R. Wattenhofer, in:, 30th
International Colloquium on Structural Information and Communication Complexity,
Springer Nature, 2023, pp. 199–245.
conference:
end_date: 2023-06-09
location: Alcalá de Henares, Spain
name: 'SIROCCO: Structural Information and Communication Complexity'
start_date: 2023-06-06
date_created: 2024-01-08T12:56:46Z
date_published: 2023-06-01T00:00:00Z
date_updated: 2025-09-09T14:10:46Z
day: '01'
department:
- _id: ElKo
doi: 10.1007/978-3-031-32733-9_10
external_id:
isi:
- '001292782600010'
intvolume: ' 13892'
isi: 1
language:
- iso: eng
month: '06'
oa_version: None
page: 199-245
publication: 30th International Colloquium on Structural Information and Communication
Complexity
publication_identifier:
eisbn:
- '9783031327339'
eissn:
- 1611-3349
isbn:
- '9783031327322'
issn:
- 0302-9743
publication_status: published
publisher: Springer Nature
quality_controlled: '1'
scopus_import: '1'
status: public
title: 'Divide & Scale: Formalization and roadmap to robust sharding'
type: conference
user_id: 317138e5-6ab7-11ef-aa6d-ffef3953e345
volume: 13892
year: '2023'
...