Advances in Cryptology EUROCRYPT

2017 36th Annual International

Conference on the Theory and
Applications of Cryptographic
Techniques Paris France April 30 May 4
2017 Proceedings Part II 1st Edition
Jean-Sébastien Coron
Visit to download the full and correct content document:
https://textbookfull.com/product/advances-in-cryptology-eurocrypt-2017-36th-annual-i
nternational-conference-on-the-theory-and-applications-of-cryptographic-techniques-p
aris-france-april-30-may-4-2017-proceedings-part-ii-1st-edition-j/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Advances in Cryptology EUROCRYPT 2017 36th Annual

International Conference on the Theory and Applications
of Cryptographic Techniques Paris France April 30 May 4
2017 Proceedings Part I 1st Edition Jean-Sébastien
Coron
https://textbookfull.com/product/advances-in-cryptology-
eurocrypt-2017-36th-annual-international-conference-on-the-
theory-and-applications-of-cryptographic-techniques-paris-france-
april-30-may-4-2017-proceedings-part-i-1st-edition-je/

Advances in Cryptology EUROCRYPT 2018 37th Annual

International Conference on the Theory and Applications
of Cryptographic Techniques Tel Aviv Israel April 29
May 3 2018 Proceedings Part I Jesper Buus Nielsen
https://textbookfull.com/product/advances-in-cryptology-
eurocrypt-2018-37th-annual-international-conference-on-the-
theory-and-applications-of-cryptographic-techniques-tel-aviv-
israel-april-29-may-3-2018-proceedings-part-i-jesper-buus/

Advances in Cryptology – ASIACRYPT 2017: 23rd

International Conference on the Theory and Applications
of Cryptology and Information Security, Hong Kong,
China, December 3-7, 2017, Proceedings, Part II 1st
Edition Tsuyoshi Takagi
https://textbookfull.com/product/advances-in-cryptology-
asiacrypt-2017-23rd-international-conference-on-the-theory-and-
applications-of-cryptology-and-information-security-hong-kong-
china-december-3-7-2017-proceedings/

Advances in Cryptology CRYPTO 2018 38th Annual

International Cryptology Conference Proceedings Part II
Hovav Shacham

https://textbookfull.com/product/advances-in-cryptology-
crypto-2018-38th-annual-international-cryptology-conference-
proceedings-part-ii-hovav-shacham/
Advances in Cryptology CRYPTO 2020 40th Annual
International Cryptology Conference Proceedings Part II
Daniele Micciancio

https://textbookfull.com/product/advances-in-cryptology-
crypto-2020-40th-annual-international-cryptology-conference-
proceedings-part-ii-daniele-micciancio/

Advances in Cryptology CRYPTO 2020 40th Annual

International Cryptology Conference Proceedings Part I
Daniele Micciancio

https://textbookfull.com/product/advances-in-cryptology-
crypto-2020-40th-annual-international-cryptology-conference-
proceedings-part-i-daniele-micciancio/

MultiMedia Modeling 23rd International Conference MMM

2017 Reykjavik Iceland January 4 6 2017 Proceedings
Part II 1st Edition Laurent Amsaleg

https://textbookfull.com/product/multimedia-modeling-23rd-
international-conference-mmm-2017-reykjavik-iceland-
january-4-6-2017-proceedings-part-ii-1st-edition-laurent-amsaleg/

Bioinformatics and Biomedical Engineering 5th

International Work Conference IWBBIO 2017 Granada Spain
April 26 28 2017 Proceedings Part II 1st Edition
Ignacio Rojas
https://textbookfull.com/product/bioinformatics-and-biomedical-
engineering-5th-international-work-conference-
iwbbio-2017-granada-spain-april-26-28-2017-proceedings-part-
ii-1st-edition-ignacio-rojas/

Advances in Knowledge Discovery and Data Mining 21st

Pacific Asia Conference PAKDD 2017 Jeju South Korea May
23 26 2017 Proceedings Part II 1st Edition Jinho Kim

https://textbookfull.com/product/advances-in-knowledge-discovery-
and-data-mining-21st-pacific-asia-conference-pakdd-2017-jeju-
south-korea-may-23-26-2017-proceedings-part-ii-1st-edition-jinho-
 Jean-Sébastien Coron
Jesper Buus Nielsen (Eds.)
LNCS 10211

Advances in Cryptology –
EUROCRYPT 2017
36th Annual International Conference on the Theory
and Applications of Cryptographic Techniques
Paris, France, April 30 – May 4, 2017, Proceedings, Part II

123
Lecture Notes in Computer Science 10211
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zurich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7410
Jean-Sébastien Coron Jesper Buus Nielsen (Eds.)
•

Advances in Cryptology –
EUROCRYPT 2017
36th Annual International Conference on the Theory
and Applications of Cryptographic Techniques
Paris, France, April 30 – May 4, 2017
Proceedings, Part II

123
Editors
Jean-Sébastien Coron Jesper Buus Nielsen
University of Luxembourg Aarhus University
Luxembourg Aarhus
Luxembourg Denmark

ISSN 0302-9743 ISSN 1611-3349 (electronic)

Lecture Notes in Computer Science
ISBN 978-3-319-56613-9 ISBN 978-3-319-56614-6 (eBook)
DOI 10.1007/978-3-319-56614-6

Library of Congress Control Number: 2017936355

LNCS Sublibrary: SL4 – Security and Cryptology

© International Association for Cryptologic Research 2017

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

Printed on acid-free paper

This Springer imprint is published by Springer Nature

The registered company is Springer International Publishing AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
 Preface

Eurocrypt 2017, the 36th annual International Conference on the Theory and Appli-
cations of Cryptographic Techniques, was held in Paris, France, from April 30 to May
4, 2017. The conference was sponsored by the International Association for Crypto-
logic Research (IACR). Michel Abdalla (ENS, France) was responsible for the local
organization. He was supported by a local organizing team consisting of David
Pointcheval (ENS, France), Emmanuel Prouff (Morpho, France), Fabrice Benhamouda
(ENS, France), Pierre-Alain Dupoint (ENS, France), and Tancrède Lepoint (SRI
International). We are indebted to them for their support and smooth collaboration.
The conference program followed the now established parallel track system where
the works of the authors were presented in two concurrently running tracks. Only the
invited talks spanned over both tracks.
We received a total of 264 submissions. Each submission was anonymized for the
reviewing process and was assigned to at least three of the 56 Program Committee
members. Submissions co-authored by committee members were assigned to at least four
members. Committee members were allowed to submit at most one paper, or two if both
were co-authored. The reviewing process included a first-round notification followed by a
rebuttal for papers that made it to the second round. After extensive deliberations the
Program Committee accepted 67 papers. The revised versions of these papers are included
in these three-volume proceedings, organized topically within their respective track.
The committee decided to give the Best Paper Award to the paper “Scrypt Is Max-
imally Memory-Hard” by Joël Alwen, Binyi Chen, Krzysztof Pietrzak, Leonid Reyzin,
and Stefano Tessaro. The two runners-up to the award, “Computation of a 768-bit Prime
Field Discrete Logarithm,” by Thorsten Kleinjung, Claus Diem, Arjen K. Lenstra,
Christine Priplata, and Colin Stahlke, and “Short Stickelberger Class Relations and
Application to Ideal-SVP,” by Ronald Cramer, Léo Ducas, and Benjamin Wesolowski,
received honorable mentions. All three papers received invitations for the Journal of
Cryptology.
The program also included invited talks by Gilles Barthe, titled “Automated
Proof for Cryptography,” and by Nigel Smart, titled “Living Between the Ideal and
Real Worlds.”
We would like to thank all the authors who submitted papers. We know that the
Program Committee’s decisions, especially rejections of very good papers that did not
find a slot in the sparse number of accepted papers, can be very disappointing. We
sincerely hope that your works eventually get the attention they deserve.
We are also indebted to the Program Committee members and all external reviewers
for their voluntary work, especially since the newly established and unified page limits
and the increasing number of submissions induce quite a workload. It has been an
honor to work with everyone. The committee’s work was tremendously simplified by
Shai Halevi’s submission software and his support, including running the service on
IACR servers.
VI Preface

Finally, we thank everyone else —speakers, session chairs, and rump session chairs
— for their contribution to the program of Eurocrypt 2017. We would also like to thank
Thales, NXP, Huawei, Microsoft Research, Rambus, ANSSI, IBM, Orange, Safran,
Oberthur Technologies, CryptoExperts, and CEA Tech for their generous support.

May 2017 Jean-Sébastien Coron

Jesper Buus Nielsen
 Eurocrypt 2017

The 36th Annual International Conference

on the Theory and Applications of
Cryptographic Techniques

Sponsored by the International Association for Cryptologic Research

30 April – 4 May 2017

Paris, France

General Chair
Michel Abdalla ENS, France

Program Co-chairs
Jean-Sébastien Coron University of Luxembourg
Jesper Buus Nielsen Aarhus University, Denmark

Program Committee
Gilad Asharov Cornell Tech, USA
Nuttapong Attrapadung AIST, Japan
Fabrice Benhamouda ENS, France and IBM, USA
Nir Bitansky MIT, USA
Andrey Bogdanov Technical University of Denmark
Alexandra Boldyreva Georgia Institute of Technology, USA
Chris Brzuska Technische Universität Hamburg, Germany
Melissa Chase Microsoft, USA
Itai Dinur Ben-Gurion University, Israel
Léo Ducas CWI, Amsterdam, The Netherlands
Stefan Dziembowski University of Warsaw, Poland
Nicolas Gama Inpher, Switzerland and University of Versailles, France
Pierrick Gaudry CNRS, France
Peter Gaži IST Austria, Austria
Niv Gilboa Ben-Gurion University, Israel
Robert Granger EPFL, Switzerland
Nathan Keller Bar Ilan University, Israel
Aggelos Kiayias University of Edinburgh, UK
Eike Kiltz Ruhr-Universität Bochum, Germany
VIII Eurocrypt 2017

Vladimir Kolesnikov Bell Labs, USA

Ranjit Kumaresan MIT, USA
Eyal Kushilevitz Technion, Israel
Gregor Leander Ruhr-University Bochum, Germany
Tancrède Lepoint SRI International, USA
Benoît Libert ENS de Lyon, France
San Ling Nanyang Technological University, Singapore
Anna Lysyanskaya Brown University, USA
Tal Malkin Columbia University, USA
Willi Meier FHNW, Switzerland
Florian Mendel Graz University of Technology, Austria
Bart Mennink K.U. Leuven, Belgium
Ilya Mironov Google, USA
María Naya-Plasencia Inria, France
Ivica Nikolić Nanyang Technological University, Singapore
Miyako Ohkubo NICT, Japan
Rafail Ostrovsky UCLA, USA
Omkant Pandey Stony Brook University, USA
Omer Paneth Boston University, USA
Chris Peikert University of Michigan, USA
Thomas Peters UCL, Belgium
Krzysztof Pietrzak IST Austria, Austria
Emmanuel Prouff Morpho, France
Leonid Reyzin Boston University, USA
Louis Salvail University of Montreal, Canada
Yu Sasaki NTT Secure Platform Laboratories, Japan
Abhi Shelat University of Virginia, USA
Elaine Shi Cornell University, USA
Martijn Stam University of Bristol, UK
Damien Stehlé ENS de Lyon, France
John P. Steinberger Tsinghua University, China
Ingrid Verbauwhede K.U. Leuven, Belgium
Brent Waters University of Texas, USA
Daniel Wichs Northeastern University, USA
Mark Zhandry Princeton University, USA

Additional Reviewers

Michel Abdalla Martin Albrecht Daniel Apon

Masayuki Abe Ghada Almashaqbeh Benny Applebaum
Aysajan Abidin Jacob Alperin-Sheriff Christian Badertscher
Hamza Abusalah Joël Alwen Saikrishna
Divesh Aggarwal Abdelrahaman Aly Badrinarayanan
Shashank Agrawal Elena Andreeva Shi Bai
Navid Alamati Yoshinori Aono Josep Balasch
 Eurocrypt 2017 IX

Foteini Baldimtsi Ivan Damgård Shoichi Hirose

Marshall Ball Jean Paul Degabriele Viet Tung Hoang
Valentina Banciu Akshay Degwekar Justin Holmgren
Subhadeep Banik David Derler Fumitaka Hoshino
Razvan Barbulescu Apoorvaa Deshpande Pavel Hubácěk
Guy Barwell Julien Devigne Ilia Iliashenko
Carsten Baum Christoph Dobraunig Laurent Imbert
Anja Becker Frédéric Dupuis Takanori Isobe
Christof Beierle Nico Döttling Tetsu Iwata
Amos Beimel Maria Eichlseder Malika Izabachene
Sonia Belaïd Keita Emura Kimmo Jarvinen
Shalev Ben-David Xiong Fan Eliane Jaulmes
Iddo Bentov Pooya Farshim Dimitar Jetchev
Jean-François Biasse Sebastian Faust Daniel Jost
Begul Bilgin Omar Fawzi Marc Joye
Olivier Blazy Dario Fiore Herve Kalachi
Xavier Bonnetain Ben Fisch Seny Kamara
Joppe Bos Benjamin A. Fisch Chethan Kamath
Christina Boura Nils Fleischhacker Angshuman Karmakar
Florian Bourse Georg Fuchsbauer Pierre Karpman
Luis Brandao Eiichiro Fujisaki Nikolaos Karvelas
Dan Brownstein Steven Galbraith Marcel Keller
Chris Campbell Chaya Ganesh Elena Kirshanova
Ran Canetti Juan Garay Fuyuki Kitagawa
Anne Canteaut Sumegha Garg Susumu Kiyoshima
Angelo De Caro Romain Gay Thorsten Kleinjung
Ignacio Cascudo Ran Gelles Lars Knudsen
David Cash Mariya Georgieva Konrad Kohbrok
Wouter Castryck Benedikt Gierlichs Markulf Kohlweiss
Hubert Chan Oliver W. Gnilke Ilan Komargodski
Nishanth Chandran Faruk Göloğlu Venkata Koppula
Jie Chen Sergey Gorbunov Thomas Korak
Yilei Chen Dov Gordon Lucas Kowalczyk
Nathan Chenette Rishab Goyal Thorsten Kranz
Mahdi Cheraghchi Hannes Gross Fabien Laguillaumie
Alessandro Chiesa Vincent Grosso Kim Laine
Ilaria Chillotti Jens Groth Virginie Lallemand
Sherman S.M. Chow Daniel Gruss Adeline Langlois
Kai-Min Chung Jian Guo Hyung Tae Lee
Michele Ciampi Siyao Guo Jooyoung Lee
Ran Cohen Qian Guo Kwangsu Lee
Craig Costello Benoît Gérard Troy Lee
Alain Couvreur Felix Günther Kevin Lewi
Claude Crépeau Britta Hale Huijia (Rachel) Lin
Edouard Cuvelier Carmit Hazay Jiao Lin
Guillaume Dabosville Felix Heuer Wei-Kai Lin
X Eurocrypt 2017

Feng-Hao Liu Romain Poussier Mehdi Tibouchi

Atul Luykx Thomas Prest Elmar Tischhauser
Vadim Lyubashevsky Erick Purwanto Yosuke Todo
Xiongfeng Ma Carla Rafols Ni Trieu
Houssem Maghrebi Ananth Raghunathan Roberto Trifiletti
Mohammad Mahmoody Srinivasan Raghuraman Yiannis Tselekounis
Daniel Malinowski Sebastian Ramacher Furkan Turan
Alex Malozemoff Somindu Ramanna Thomas Unterluggauer
Antonio Marcedone Francesco Regazzoni Margarita Vald
Daniel P. Martin Ling Ren Prashant Vasudevan
Daniel Masny Oscar Reparaz Philip Vejre
Takahiro Matsuda Silas Richelson Srinivas Vivek Venkatesh
Christian Matt Thomas Ricosset Daniele Venturi
Alexander May Thomas Ristenpart Frederik Vercauteren
Sogol Mazaheri Florentin Rochet Ivan Visconti
Peihan Miao Mike Rosulek Vanessa Vitse
Kazuhiko Minematsu Yannis Rouselakis Damian Vizár
Ameer Mohammed Sujoy Sinha Roy Petros Wallden
Tal Moran Michal Rybár Michael Walter
Fabrice Mouhartem Carla Ràfols Lei Wang
Pratyay Mukherjee Robert Schilling Huaxiong Wang
Elke De Mulder Jacob Schuldt Mor Weiss
Pierrick Méaux Nicolas Sendrier Weiqiang Wen
Michael Naehrig Yannick Seurin Mario Werner
Yusuke Naito Ido Shahaf Benjamin Wesolowski
Kashif Nawaz Sina Shiehian Carolyn Whitnall
Kartik Nayak Siang Meng Sim Friedrich Wiemer
Khoa Nguyen Dave Singelee David Wu
Ryo Nishimaki Luisa Siniscalchi Keita Xagawa
Olya Ohrimenko Daniel Slamanig Sophia Yakoubov
Elisabeth Oswald Benjamin Smith Shota Yamada
Ayoub Otmani Akshayaram Srinivasan Takashi Yamakawa
Giorgos Panagiotakos François-Xavier Standaert Avishay Yanay
Alain Passelègue Ron Steinfeld Kan Yasuda
Kenneth G. Paterson Noah Eylon Yogev
Serdar Pehlivanoglou Stephens-Davidowitz Kazuki Yoneyama
Alice Pellet–Mary Katerina Stouka Henry Yuen
Pino Persiano Koutarou Suzuki Thomas Zacharias
Cécile Pierrot Alan Szepieniec Karol Zebrowski
Rafaël Del Pino Björn Tackmann Rina Zeitoun
Bertram Poettering Stefano Tessaro Bingsheng Zhang
David Pointcheval Adrian Thillard Ryan Zhou
Antigoni Polychroniadou Emmanuel Thomé Dionysis Zindros
 Contents – Part II

Functional Encryption II

On Removing Graded Encodings from Functional Encryption. . . . . . . . . . . . 3

Nir Bitansky, Huijia Lin, and Omer Paneth

Functional Encryption: Deterministic to Randomized Functions

from Simple Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Shashank Agrawal and David J. Wu

Lattice Attacks and Constructions IV

Random Sampling Revisited: Lattice Enumeration with Discrete Pruning . . . . 65

Yoshinori Aono and Phong Q. Nguyen

On Dual Lattice Attacks Against Small-Secret LWE and Parameter Choices

in HElib and SEAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Martin R. Albrecht

Small CRT-Exponent RSA Revisited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Atsushi Takayasu, Yao Lu, and Liqiang Peng

Multiparty Computation II

Group-Based Secure Computation: Optimizing Rounds, Communication,

and Computation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Elette Boyle, Niv Gilboa, and Yuval Ishai

On the Exact Round Complexity of Self-composable

Two-Party Computation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Sanjam Garg, Susumu Kiyoshima, and Omkant Pandey

High-Throughput Secure Three-Party Computation for Malicious

Adversaries and an Honest Majority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Jun Furukawa, Yehuda Lindell, Ariel Nof, and Or Weinstein

Symmetric Cryptanalysis I

Conditional Cube Attack on Reduced-Round Keccak Sponge Function . . . . . 259

Senyang Huang, Xiaoyun Wang, Guangwu Xu, Meiqin Wang,
and Jingyuan Zhao
XII Contents – Part II

A New Structural-Differential Property of 5-Round AES . . . . . . . . . . . . . . . 289

Lorenzo Grassi, Christian Rechberger, and Sondre Rønjom

Zero Knowledge II

Removing the Strong RSA Assumption from Arguments over the Integers . . . 321
Geoffroy Couteau, Thomas Peters, and David Pointcheval

Magic Adversaries Versus Individual Reduction:

Science Wins Either Way. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Yi Deng

Provable Security for Symmetric Cryptography I

The Multi-user Security of Double Encryption . . . . . . . . . . . . . . . . . . . . . . 381

Viet Tung Hoang and Stefano Tessaro

Public-Seed Pseudorandom Permutations . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Pratik Soni and Stefano Tessaro

Security Models I

Cryptography with Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445

Prabhanjan Ananth, Aloni Cohen, and Abhishek Jain

Fixing Cracks in the Concrete: Random Oracles with Auxiliary

Input, Revisited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Yevgeniy Dodis, Siyao Guo, and Jonathan Katz

Provable Security for Symmetric Cryptography II

Modifying an Enciphering Scheme After Deployment . . . . . . . . . . . . . . . . . 499

Paul Grubbs, Thomas Ristenpart, and Yuval Yarom

Separating Semantic and Circular Security for Symmetric-Key Bit

Encryption from the Learning with Errors Assumption. . . . . . . . . . . . . . . . . 528
Rishab Goyal, Venkata Koppula, and Brent Waters

Security Models II

Toward Fine-Grained Blackbox Separations Between Semantic

and Circular-Security Notions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Mohammad Hajiabadi and Bruce M. Kapron

A Note on Perfect Correctness by Derandomization. . . . . . . . . . . . . . . . . . . 592

Nir Bitansky and Vinod Vaikuntanathan
 Contents – Part II XIII

Blockchain

Decentralized Anonymous Micropayments . . . . . . . . . . . . . . . . . . . . . . . . . 609

Alessandro Chiesa, Matthew Green, Jingcheng Liu, Peihan Miao,
Ian Miers, and Pratyush Mishra

Analysis of the Blockchain Protocol in Asynchronous Networks . . . . . . . . . . 643

Rafael Pass, Lior Seeman, and Abhi Shelat

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675

 Contents – Part III

Memory Hard Functions

Depth-Robust Graphs and Their Cumulative Memory Complexity. . . . . . . . . 3

Joël Alwen, Jeremiah Blocki, and Krzysztof Pietrzak

Scrypt Is Maximally Memory-Hard . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Joël Alwen, Binyi Chen, Krzysztof Pietrzak, Leonid Reyzin,
and Stefano Tessaro

Symmetric-Key Constructions

Quantum-Secure Symmetric-Key Cryptography Based on Hidden Shifts . . . . 65

Gorjan Alagic and Alexander Russell

Boolean Searchable Symmetric Encryption with Worst-Case

Sub-linear Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Seny Kamara and Tarik Moataz

Obfuscation I

Patchable Indistinguishability Obfuscation: iO for Evolving Software . . . . . . 127

Prabhanjan Ananth, Abhishek Jain, and Amit Sahai

Breaking the Sub-Exponential Barrier in Obfustopia . . . . . . . . . . . . . . . . . . 156

Sanjam Garg, Omkant Pandey, Akshayaram Srinivasan,
and Mark Zhandry

Symmetric Cryptanalysis II

New Impossible Differential Search Tool from Design and Cryptanalysis

Aspects: Revealing Structural Properties of Several Ciphers . . . . . . . . . . . . . 185
Yu Sasaki and Yosuke Todo

New Collision Attacks on Round-Reduced Keccak . . . . . . . . . . . . . . . . . . . 216

Kexin Qiao, Ling Song, Meicheng Liu, and Jian Guo

Obfuscation II

Lattice-Based SNARGs and Their Application to More

Efficient Obfuscation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu
XVI Contents – Part III

Cryptanalyses of Candidate Branching Program Obfuscators. . . . . . . . . . . . . 278

Yilei Chen, Craig Gentry, and Shai Halevi

Quantum Cryptography

Quantum Authentication and Encryption with Key Recycling:

Or: How to Re-use a One-Time Pad Even if P ¼ NP —
Safely & Feasibly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Serge Fehr and Louis Salvail

Quantum Authentication with Key Recycling . . . . . . . . . . . . . . . . . . . . . . . 339

Christopher Portmann

Relativistic (or 2-Prover 1-Round) Zero-Knowledge Protocol

for NP Secure Against Quantum Adversaries . . . . . . . . . . . . . . . . . . . . . . . 369
André Chailloux and Anthony Leverrier

Multiparty Computation III

Faster Secure Two-Party Computation in the Single-Execution Setting. . . . . . 399

Xiao Wang, Alex J. Malozemoff, and Jonathan Katz

Non-interactive Secure 2PC in the Offline/Online and Batch Settings . . . . . . 425

Payman Mohassel and Mike Rosulek

Hashing Garbled Circuits for Free . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456

Xiong Fan, Chaya Ganesh, and Vladimir Kolesnikov

Public-Key Encryption and Key-Exchange

Adaptive Partitioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489

Dennis Hofheinz

0-RTT Key Exchange with Full Forward Secrecy . . . . . . . . . . . . . . . . . . . . 519

Felix Günther, Britta Hale, Tibor Jager, and Sebastian Lauer

Multiparty Computation IV

Computational Integrity with a Public Random String

from Quasi-Linear PCPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
Eli Ben-Sasson, Iddo Bentov, Alessandro Chiesa, Ariel Gabizon,
Daniel Genkin, Matan Hamilis, Evgenya Pergament, Michael Riabzev,
Mark Silberstein, Eran Tromer, and Madars Virza
 Contents – Part III XVII

Ad Hoc PSM Protocols: Secure Computation Without Coordination . . . . . . . 580

Amos Beimel, Yuval Ishai, and Eyal Kushilevitz

Topology-Hiding Computation Beyond Logarithmic Diameter . . . . . . . . . . . 609

Adi Akavia and Tal Moran

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639

 Contents – Part I

Lattice Attacks and Constructions I

Revisiting Lattice Attacks on Overstretched NTRU Parameters . . . . . . . . . . . 3

Paul Kirchner and Pierre-Alain Fouque

Short Generators Without Quantum Computers:

The Case of Multiquadratics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Jens Bauch, Daniel J. Bernstein, Henry de Valence, Tanja Lange,
and Christine van Vredendaal

Computing Generator in Cyclotomic Integer
Rings: A Subfield Algorithm

for the Principal Ideal Problem in LjDKj 12 and Application
to the Cryptanalysis of a FHE Scheme. . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Jean-François Biasse, Thomas Espitau, Pierre-Alain Fouque,
Alexandre Gélin, and Paul Kirchner

Obfuscation and Functional Encryption

Robust Transforming Combiners from Indistinguishability Obfuscation

to Functional Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Prabhanjan Ananth, Aayush Jain, and Amit Sahai

From Minicrypt to Obfustopia via Private-Key Functional Encryption . . . . . . 122

Ilan Komargodski and Gil Segev

Projective Arithmetic Functional Encryption and Indistinguishability

Obfuscation from Degree-5 Multilinear Maps . . . . . . . . . . . . . . . . . . . . . . . 152
Prabhanjan Ananth and Amit Sahai

Discrete Logarithm

Computation of a 768-Bit Prime Field Discrete Logarithm . . . . . . . . . . . . . . 185

Thorsten Kleinjung, Claus Diem, Arjen K. Lenstra, Christine Priplata,
and Colin Stahlke

A Kilobit Hidden SNFS Discrete Logarithm Computation . . . . . . . . . . . . . . 202

Joshua Fried, Pierrick Gaudry, Nadia Heninger, and Emmanuel Thomé

Multiparty Computation I

Improved Private Set Intersection Against Malicious Adversaries . . . . . . . . . 235

Peter Rindal and Mike Rosulek
XX Contents – Part I

Formal Abstractions for Attested Execution Secure Processors . . . . . . . . . . . 260

Rafael Pass, Elaine Shi, and Florian Tramèr

Lattice Attacks and Constructions II

One-Shot Verifiable Encryption from Lattices. . . . . . . . . . . . . . . . . . . . . . . 293

Vadim Lyubashevsky and Gregory Neven

Short Stickelberger Class Relations and Application to Ideal-SVP . . . . . . . . . 324

Ronald Cramer, Léo Ducas, and Benjamin Wesolowski

Universal Composability

Concurrently Composable Security with Shielded

Super-Polynomial Simulators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Brandon Broadnax, Nico Döttling, Gunnar Hartung,
Jörn Müller-Quade, and Matthias Nagel

Unconditional UC-Secure Computation with (Stronger-Malicious) PUFs . . . . 382

Saikrishna Badrinarayanan, Dakshita Khurana, Rafail Ostrovsky,
and Ivan Visconti

Lattice Attacks and Constructions III

Private Puncturable PRFs from Standard Lattice Assumptions. . . . . . . . . . . . 415

Dan Boneh, Sam Kim, and Hart Montgomery

Constraint-Hiding Constrained PRFs for NC1 from LWE . . . . . . . . . . . . . . . 446

Ran Canetti and Yilei Chen

Zero Knowledge I

Amortized Complexity of Zero-Knowledge Proofs Revisited: Achieving

Linear Soundness Slack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Ronald Cramer, Ivan Damgård, Chaoping Xing, and Chen Yuan

Sublinear Zero-Knowledge Arguments for RAM Programs. . . . . . . . . . . . . . 501

Payman Mohassel, Mike Rosulek, and Alessandra Scafuro

Side-Channel Attacks and Countermeasures

Parallel Implementations of Masking Schemes and the Bounded Moment

Leakage Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Gilles Barthe, François Dupressoir, Sebastian Faust,
Benjamin Grégoire, François-Xavier Standaert, and Pierre-Yves Strub
 Contents – Part I XXI

How Fast Can Higher-Order Masking Be in Software? . . . . . . . . . . . . . . . . 567

Dahmun Goudarzi and Matthieu Rivain

Functional Encryption I

Multi-input Inner-Product Functional Encryption from Pairings . . . . . . . . . . . 601

Michel Abdalla, Romain Gay, Mariana Raykova, and Hoeteck Wee

Simplifying Design and Analysis of Complex Predicate

Encryption Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Shashank Agrawal and Melissa Chase

Elliptic Curves

Twisted l4 -Normal Form for Elliptic Curves . . . . . . . . . . . . . . . . . . . . . . . 659

David Kohel

Efficient Compression of SIDH Public Keys. . . . . . . . . . . . . . . . . . . . . . . . 679

Craig Costello, David Jao, Patrick Longa, Michael Naehrig,
Joost Renes, and David Urbanik

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707

Functional Encryption II
 On Removing Graded Encodings
from Functional Encryption

Nir Bitansky1 , Huijia Lin2 , and Omer Paneth1

1
MIT, Cambridge, USA
omerpa@gmail.com
2
UCSB, Santa Barbara, USA
rachel.lin@cs.ucsb.edu

Abstract. Functional encryption (FE) has emerged as an outstanding

concept. By now, we know that beyond the immediate application to
computation over encrypted data, variants with succinct ciphertexts are
so powerful that they yield the full might of indistinguishability obfus-
cation (IO). Understanding how, and under which assumptions, such
succinct schemes can be constructed has become a grand challenge of
current research in cryptography. Whereas the first schemes were based
themselves on IO, recent progress has produced constructions based on
constant-degree graded encodings. Still, our comprehension of such graded
encodings remains limited, as the instantiations given so far have exhib-
ited different vulnerabilities.
Our main result is that, assuming LWE, black-box constructions of
sufficiently succinct FE schemes from constant-degree graded encodings
can be transformed to rely on a much better-understood object — bilin-
ear groups. In particular, under an über assumption on bilinear groups,
such constructions imply IO in the plain model. The result demonstrates
that the exact level of ciphertext succinctness of FE schemes is of major
importance. In particular, we draw a fine line between known FE con-
structions from constant-degree graded encodings, which just fall short
of the required succinctness, and the holy grail of basing IO on better-
understood assumptions.
In the heart of our result, are new techniques for removing ideal graded
encoding oracles from FE constructions. Complementing the result, for
weaker ideal models, namely the generic group model and the random
oracle model, we show a transformation from collusion-resistant FE in
either of the two models directly to FE (and IO) in the plain model,
without assuming bilinear groups.

N. Bitansky—Supported by NSF Grants CNS-1350619 and CNS-1414119, and the

Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research
Office under contracts W911NF-15-C-0226. Part of this research was done while
visiting Tel Aviv University and supported by the Leona M. & Harry B. Helmsley
Charitable Trust and Check Point Institute for Information Security.
H. Lin—Partially supported by NSF grants CNS-1528178 and CNS-1514526.
c International Association for Cryptologic Research 2017
J.-S. Coron and J.B. Nielsen (Eds.): EUROCRYPT 2017, Part II, LNCS 10211, pp. 3–29, 2017.
DOI: 10.1007/978-3-319-56614-6 1
4 N. Bitansky et al.

1 Introduction
Functional Encryption (FE) is a fascinating object. It enables fine-grained con-
trol of encrypted data, by allowing users to learn only specific functions of the
data. This ability is captured trough the notion of function keys. A function key
SKf , associated with a function f , allows to partially decrypt a ciphertext CTx
encrypting an input x in a way that reveals f (x) and nothing else.
A salient aspect of FE schemes is their ciphertext succinctness. Focusing on
the setting of (indistinguishability-based) single-key FE where only one func-
tion key SKf is supported, we say that an FE scheme is weakly succinct if the
ciphertext size scales sub-linearly in the size of the circuit f ; namely,1

|CTx | ≤ |f |γ · poly(|x|), for some constant compression f actor γ < 1.

While non-succinct single-key FE schemes (where we allow the size of ciphertexts

to grow polynomially with |f |) are equivalent to public-key encryption (or just
one-way functions, in the secret-key setting) [28,41], weakly succinct schemes
are already known to be extremely strong. In particular, subexponentially-secure
weakly-succinct FE for functions in NC1 implies indistinguishability obfuscation
(IO) [1,6,11], and has far reaching implications in cryptography and beyond (e.g.,
[7,10,18,23,24,42]).2
Thus, understanding how, and under which assumptions, weakly-succinct
FE can be constructed has become a central question in cryptographic research.
While schemes for Boolean functions in NC1 have been constructed from LWE
[27], the existence of such FE scheme for non-Boolean functions (which is
required for the above strong implications) is still not well-founded, and has
been the subject of a substantial body of work. The first construction of gen-
eral purpose FE that achieves the required succinctness relied itself on IO [24].
Subsequent constructions were based on the algebraic framework of multilinear
graded encodings [22]. Roughly speaking, this framework extends the traditional
concept of encoding in the exponent in groups. It allows encoding values in a field
(or ring), evaluating polynomials of a certain bounded degree d over the encoded
values, and testing whether the result is zero.
Based on graded encodings of polynomial degree Garg, Gentry, Halevi, and
Zhandry [25] constructed unbounded-collusion FE, which in turn is known to
lead to weakly succinct FE [2,11]. Starting from the work of Lin [31], several
works [3,32,35] have shown that assuming also pseudorandom generators with
constant locality, weakly-succinct FE can be constructed based on constant-
degree graded encodings under simple assumptions like asymmetric DDH. How-
ever, these constructions require constant degree d ≥ 5.

1
Here weak succinctness is in contrast to full succintness, where the ciphertext size
does not depend at all on the function size.
2
Formally, [1, 11] require that not only the ciphertext is succinct, but also the encryp-
tion circuit itself. This difference can be bridged assuming LWE [34], and for sim-
plicity is ignored in this introduction. Our results will anyhow rely on LWE.
 On Removing Graded Encodings from Functional Encryption 5

Despite extensive efforts, our understanding of graded encodings of any

degree larger than two is quite limited. Known instantiations are all based
on little-understood lattice problems, and have exhibited different vulnerabili-
ties [15,20–22,38]. In contrast, bilinear group encodings [14,29], akin to degree-2
graded encodings, have essentially different instantiations based on elliptic curve
groups, which are by now quite well understood and considered standard. Bridg-
ing the gap between degree 2 and degree d > 2 is a great challenge.
Our Main Result in a Nutshell: Size Matters. We show that the exact
level of succinctness in FE schemes has a major impact on the latter challenge.
Roughly speaking, we prove that black-box constructions [40] of weakly-succinct
FE from degree-d graded encodings, with compression factor γ < d1 , can be trans-
formed to rely only on bilinear groups. Specifically, assuming LWE 3 and for any
1
constant ε, starting from d+ε -succinct FE in the ideal degree-d graded encoding
model, we construct weakly-succinct FE in the ideal bilinear model.
The ideal graded encoding model generalizes the classical generic-group
model [43]. In this model, the construction as well as the adversary perform
all graded encoding operations through an ideal oracle, without access to an
explicit representation of encoded elements. Having this ideal model as a start-
ing point allows capturing a large class of constructions and assumptions, as it
models perfectly secure graded encodings. Indeed, the FE schemes in [3,31,32,35]
can be constructed and proven secure in this model.
The resulting construction from ideal bilinear encodings can further be
instantiated in the plain model using existing bilinear groups, and proven secure
under an über assumption on bilinear groups [13,16]. In particular, assuming
also subexponential-security, it implies IO in the plain model.
How Close are We to IO from Bilinear Maps? Existing weakly-succinct
FE schemes in the ideal constant-degree model [3,31,32,35] have a compression
factor γ = C/d, for some absolute constant C > 1. Thus, our result draws a fine
line that separates known FE constructions based on constant-degree graded
encodings and constructions that would already take us to the promised land of
IO based on much better-understood mathematical objects. Crossing this line
may very well require a new set of techniques. Indeed, one may also interpret
our result as a negative one, which puts a barrier on black-box constructions of
FE from graded encodings.
Discussion: Black-Box vs Non-Black-Box Constructions. For IO schemes
(rather than FE), a combination of recent works [12,39] demonstrates that black-
box constructions from constant-degree graded encodings are already very pow-
erful. They show that any IO construction relative to a constant-degree oracle
can be converted to a construction in the plain model (under standard assump-
tions, like DDH). Since weakly-succinct FE schemes imply IO, we may be lead to
think that weakly-succinct black-box constructions of FE from constant-degree
3
More precisely, we need to assume the hardness of LWE with subexponential
modulus-to-noise ratio. For simplicity, we ignore the parameters of LWE in this
introduction; see Sect. 4 for more details.
6 N. Bitansky et al.

graded encodings would already imply IO in the plain model from standard
assumptions. Interestingly, this is not the case.
The crucial point is that the known transformations from FE to IO [1,11]
are non-black-box, they use the code of the underlying FE scheme, and thus do
not relativize with respect to graded encoding oracle. That is, we do not know
how to move from an FE scheme based on graded encodings to an IO scheme
that uses graded encodings in a black-box way. Indeed, if there existed such a
black-box transformation between FE and IO, then combining [12,31,35,36,39],
IO in the plain model could be constructed from standard assumptions.
Instead, we show how to directly remove constant-degree oracles from FE.
Our transformation relies on new techniques that are rather different than those
used in the above works for removing such oracles from IO.

1.1 Our Results in More Detail

We now describe our results in further detail. We start by describing the ideal
graded encoding model and the ideal bilinear encoding model more precisely.
The Ideal Graded Encoding Model. A graded encoding [22] is an encoding
scheme for elements of some field.4 The encoding supports a restricted set of
homomorphic operations that allow one to evaluate certain polynomials over
the encoded field elements and test whether these polynomials evaluate to zero
or not. Every field element is encoded with respect to a label (sometimes called
the level of the encoding). For a given sequence of encodings, their labels control
which polynomials are valid and can be evaluated over the encodings. The degree
of the graded encoding is the maximal degree of a polynomial that is valid with
respect to any sequence of labels.
In the ideal graded encoding model, explicit encodings are replaced by access
to an oracle that records the encoded field elements and provides an interface
to perform operations over the elements. Different formalizations of such ideal
graded encoding oracles exist in the literature (e.g. [4,5,17,39]) and differ in
details. In this work, we follow the model of Pass and shelat in [39].
The ideal graded encoding oracle M is specified by a field F and a validity
predicate V operating on a polynomial and labels taken from a set L. The oracle
M = (F, V ) provides two functions — encoding and zero-testing.
Encoding: Given a field element ξ ∈ F and a label  ∈ L the oracle M samples
a sufficiently long random string r to create a handle h = (r, ). It records the
pair (h, ξ) associating the handle with the encoded field element.
Zero-testing: a query to M consists of a polynomial p and a sequence of han-
dles h1 , · · · , hm where hi encodes the field elements ξi relative to label i .
M tests if the polynomial and the labels satisfy the validity predicate and
whether the polynomial vanishes on the corresponding field elements. That
is, M returns true if and only if V (p, 1 , · · · m ) = true and p(ξ1 , · · · ξm ) = 0.
4
For ease of exposition, we consider graded encodings over fields. Our results can also
be obtained with any commutative ring in which it is computationally hard to find
non-unit elements.
 On Removing Graded Encodings from Functional Encryption 7

Like in [39], we restrict attention to well-formed validity predicates. For such

predicates, a polynomial p is valid with respect to labels 1 , · · · , m , if and only
if every monomial Φ in p is valid with respect to the labels of the handles that Φ
acts on. Indeed, existing graded encodings all consider validity predicates that
are well-formed.5
The Ideal Bilinear Encoding Model. The ideal bilinear encoding model
corresponds to the ideal graded encoding model where valid polynomials are of
degree at most two. We note that in the ideal graded encoding model described
above, encoding is a randomized operation. In particular, encoding the same
element and label (ξ, ) twice gives back two different handles. In contrast, tra-
ditional instantiations of the ideal bilinear encoding model are based on bilinear
pairing groups (such as elliptic curve groups) where the encoding is a deter-
ministic function. We can naturally capture such instantiations, by augmenting
the ideal bilinear encoding model to use a unique handle for every pair of field
element and label (as done for instance in [4,35,44]).
The Main Result. Our main result concerns FE schemes in the ideal graded
encoding model. In such FE schemes, all algorithms (setup, key derivation,
encryption, and decryption), as well as all adversaries against the scheme, have
access to a graded encoding oracle M. We show:
Theorem 1 (Informal). Assume the hardness of LWE. For any constants d ∈
N and γ ≤ d1 , any γ-succinct secret-key FE scheme for P/poly, in the ideal
degree-d graded encoding model, can be transformed into a weakly-succinct public-
key FE scheme for P/poly in the ideal bilinear encoding model.

IO in the Plain Model under an Über Assumption. Our main transfor-

mation results in a weakly-succinct public-key FE scheme in the ideal bilinear
encoding model. By instantiating the ideal bilinear encoding oracle with concrete
bilinear pairing groups, we get a corresponding FE scheme in the plain model.
For security to hold, we make an über assumption [13] on the bilinear groups.
An über assumption essentially says that two encoded sequences of elements
in the plain model can be distinguished only if they are also distinguishable in
the ideal model. There are no known attacks on the über security of existing
instantiations of bilinear pairing groups.
Since weakly-succinct public-key FE with subexponential security in the plain
model implies IO we deduce the following corollary
Corollary 1 (Informal). Assume subexponential hardness of LWE and bilinear
groups with subexponential über security. For any constants d ∈ N, γ < d1 , any
subexponentially-secure, γ-succinct, secret-key FE for P/poly in the ideal degree-
d graded encoding model, can be transformed into an IO scheme for P/poly in
the plain model.
5
In the body, we make another structural requirement on validity predicates called
decomposability. This requirement is somewhat more technical, but is also satisfied by
all known formulations of graded encodings. For the simplified technical exposition
in this introduction it can be ignored. See further details in Definition 4.
8 N. Bitansky et al.

FE in Weaker Ideal Models. We also consider FE schemes in ideal models

that are weaker than the ideal bilinear encoding model. Specifically, we consider
the generic-group model (that corresponds to the ideal degree-1 graded encoding
model) and the random-oracle model. We give transformations from FE in these
models directly to FE in the plain model without relying on bilinear encodings.
In the transformation given by Theorem 1, from the ideal constant-degree
graded encoding model to the ideal bilinear encoding model, we considered
the notion of single-key weakly succinct FE. In contrast, our transformations
from the generic-group model and the random-oracle model to the plain model
require that we start with a stronger notion of collusion-resistant FE. Collusion-
resistance requires security in the presence of an unbounded number of functional
keys. Crucially, ciphertexts are required not to grow with the number of keys
(but are allowed to grow polynomially in the size of the evaluated functions).
Collusion-resistant FE is known to imply weakly-succinct FE through a
black-box transformation [2,11]. In the converse direction, only a non-black-
box transformation is known [26,30], and therefore we cannot apply it to ideal
model constructions of FE.

Theorem 2 (Informal). Assume the hardness of LWE. Any collusion-resistant

secret-key FE scheme in the generic-group model, or in the random-oracle model,
can be transformed into a collusion-resistant public-key FE scheme in the plain
model.

1.2 Our Techniques

We next give an overview of the main ideas behind our degree-reduction trans-
formation given by Theorem 1.
Can We Adopt Techniques from IO? As already mentioned, we do not
know how to transform FE schemes into IO schemes in a black-box way. Thus,
we cannot rely directly on existing results that remove ideal oracles from IO [39].
Furthermore, trying to import ideas from these results in the IO setting to the
setting of FE encounters some inherent difficulties, which we now explain.
Roughly speaking, removing ideal oracles from IO is done as follows. Starting
with a scheme in an ideal oracle model, we let the obfuscator emulate the oracle
by itself and publish, together with the obfuscated circuit, some partial view of
the self-emulated oracle. This partial view is on one hand, sufficient to preserve
the functionality of the obfuscated circuit on most inputs, and on the other hand,
does not compromise security. The partial view is obtained by evaluating the
obfuscation on many random inputs (consistently with the self-emulated oracle),
observing how evaluation interacts with the oracle, and performing a certain
learning process. Arguing that the published partial view does not compromise
security crucially relies on the fact that evaluating the obfuscated program is a
public procedure that does not share any secret state with the obfuscator.
The setting of FE, however, is somewhat more complicated. Here rather than
an evaluator we have a decryptor that given a function key SKf and ciphertext
 On Removing Graded Encodings from Functional Encryption 9

CT encrypting x, should be able to compute f (x). In contrast to the evaluator in

obfuscation, the state of the decryptor is not publicly samplable. Indeed, gener-
ating function keys SKf for different functions requires knowing a master secret
key. Accordingly, it is not clear how to follow the same approach as before.
XIO instead of IO. Nevertheless, we observe that there is a way to reduce
the problem to a setting much more similar to IO. Specifically, there exists [9] a
black-box transformation from FE to a weaker version of IO called XIO. XIO [33],
which stands for exponentially-efficient IO, allows the obfuscation and evaluation
algorithms to run in exponential time 2O(n) in the input size n, and only requires
 of a circuit C is slightly subexponenetial in n:
that the size of an obfuscation C
 ≤ 2γn · poly(|C|)
|C| for some constant compression f actor γ < 1.

Despite this inherent inefficiency, [33] show that XIO for logarithmic-size inputs
implies IO assuming subexponential hardness of LWE. A natural direction is
thus to try and apply the techniques used to remove oracles from IO to remove
the same oracles also from XIO; indeed, if this can be done, such oracles can
also be removed from FE, due to the black-box transformation between the two.
This, again, does not work as is. The issue is that the transformations remov-
ing degree-d graded encoding oracle from IO may blow up the size of the original
obfuscation from |C| in the oracle model to roughly |C|  2d in the plain model.
However, the known black-box construction of XIO from FE [9] is not suffi-
ciently compressing to account for this blowup. Even starting from FE with
great compression, say γFE < d−10 , the resulting XIO has a much worst com-
pression factor γXIO > 1/2. In particular, composing the two would result in a
useless plain model obfuscation of exponential size 2n·d .
Motivating our Solution. To understand our solution, let us first describe
an over-simplified candidate transformation for reducing XIO with constant-
degree graded encoding oracles to XIO with degree-1 oracles (akin to the generic-
group model). This transformation will suffer from the same size blowup of the
transformations mentioned above.
For simplicity of exposition, we first restrict attention to XIO schemes with
the following simple structure:

– Any obfuscated circuit C  consists of a set of handles h1 , . . . , hm corresponding

to field elements ξ1 , . . . , ξm encoded during obfuscation, under certain labels
1 , . . . , m .
– Evaluation on any given input x consists of performing valid zero-tests over
the above handles, which are given by degree-d polynomials p1 , . . . , pk .

A simple idea to reduce the degree-d oracle to a linear oracle is to change the
obfuscation algorithm so that it computes ahead of time the field  elements ξΦ
corresponding to all valid degree-d monomials Φ(ξ1 , . . . , ξm ) = i∈[d] ξji . Then,
rather than using the degree-d oracle, it uses the linear oracle to encode the field
elements ξΦ , and publishes the corresponding handles {hΦ }Φ . Evaluation is done
10 N. Bitansky et al.

in a straight forward manner by writing any zero-test polynomial p of degree d

as a linear function in the corresponding monomials

p(ξ1 , · · · , ξm ) = αΦ Φ(ξ1 , . . . , ξm ),
Φ

and making the corresponding zero-test query Lp ({hΦ }) := Φ αΦ hΦ to the
linear oracle.
Indeed, the transformation blows up the size of the obfuscated circuit from
roughly m, the number of encodings in the original obfuscation, to md , the
number of all possible monomials. While such a polynomial blowup is acceptable
in the context of IO, for XIO with compression d−1 ≤ γ < 1, it is devastating.
Key Idea: XIO in Decomposable Form. To overcome the above difficulty,
we observe that the known black-box construction of XIO from FE [9] has cer-
tain structural properties that we can exploit. At a very high level, it can be
decomposed into smaller pieces, so that instead of computing all monomials over
all the encodings created during obfuscation, we only need to consider a much
smaller subset of monomials. In this subset, each monomial only depends on a
few small pieces, and thus only on few encodings.
To be more concrete, we next give a high-level account of this construction.
To convey the idea in a simple setting of parameters, let us assume that we have
at our disposal an FE scheme that support an unbounded number of keys, rather
than a single key scheme, with the guarantee that the size of ciphertexts does
not grow with the number of keys. In this case, the XIO scheme in [9] works as
follows:

– To obfuscate a circuit C with n input bits, the scheme publishes a collection

of function keys {SKDτ }τ for circuits Dτ , indexed by prefixes
 τ ∈ {0,
 1}
n/2

(will be specified shortly), and a collection of ciphertexts CTρC ρ , each

encrypting the circuit C and a suffix ρ ∈ {0, 1}n/2 .
– Decrypting a ciphertext CTρC with key SKDτ reveals Dτ (ρC) := C(τ, ρ).

The obfuscated circuit indeed has slightly subexponential size. It contains:

– 2n/2 function keys SKDτ , each of size poly(|C|),

– 2n/2 ciphertexts CTρC , each of size poly(|C|).

Going back to the ideal graded-encoding model, the FE key generation and
encryption algorithms use the ideal oracle to encode elements. Therefore, gen-
erating the obfuscation involves generating a set of k encodings hτ = {hτ,i }i∈[k]
for each secret key SKDτ and a set of k encodings hρ = {hρ,i }i∈[k] for each
ciphertext CTρC , for some k = poly(|C|). The crucial point is that now, evalu-
ating the obfuscation on a given input (τ, ρ) only involves the two small sets of
encodings hτ , hρ . In particular, any zero-test made by the decryption algorithm
is a polynomial defined only over the underlying field elements ξ τ = {ξτ,i }i∈[k]
and ξ ρ = {ξρ,i }i∈[k] .
Another random document with
no related content on Scribd:
 ingetrede.… Volgt hen en offert uw dubbeltje voor ’t
zien van een natuurgedrocht, het grootste monster der
wereld!

—Waa’n smoel, lolde Hazewind, wijzend met klownig

gebaar naar de kannibalen tronie van de beverfde
wilde-vrouw-reklame,—.. En waa’n skort hep se om d’r
heupies.. op dá terain binne de Wiereloànse
neutedopjes tug veul fesoenelaiker.. ikke konsteteer
van da main maid ’n heule rokkebeweging om d’r
meroakel hange hep.…

Woest flodderde ie ’n brandenden zoen op ’n wang

van blonde Cor, die ontsteld, met gaperigen mond en
waanzinnige oogen, naar ’t reklamebord, met ’t wilde
meisje er op, stond te kijken.

—Stik, bitste ze in schrik.

Achter Hazewind joelden Dirk en Willem, Henk Hassel

en Rink met hun meiden, omsloten in drom van
kijkers. Geert en Trijn luisterden angstig gespannen
naar den impresario, die voor de tent, met z’n rosgeel
beschemerde tronie en z’n moordstem, hun de keel
snoerden van angst. Dirk en Willem dansten eng
omkringd van armen en schouders. Piet en Annie
zoenden elkaar dat ’t klakkerde en woest trombonde
Rink, boven allen uitreuzigend:

—’t Maiske frait d’r puur laifendige kenaine.… bi-jai-’t-

Hain!.. Daa’s d’r nog us ’n skepsel.… dâ set d’r sooie
an de [328]daik! da mo’k sien.. en jai Hoasewind! daa’s
’n bestige kukkerint veur Kees de strooper hee?
 —Enne glas frait s’ook! enne brandende segoàre …
waa’n koorakker hee? waa’t maid hee, huilerig
extazieerde Trijn, de vurige Trijn.

—Over twee minute.. sal de voorstelling ’n aanvang

neme.. heere! dames! voorsiet u van een plaats,—
suggereerde de stem van de estrade. Stoet op stoet
nu, drong voor ’t loketje, schoof weg achter ’n
koelisseachtig schot.

—Doar saine wai van g’diend, juichte Dirk, dâ mo’k

sien.. sloàchte mit de tande.. daa’s puur main werk!

—Nee.… neenet! nainet! ik goàn nie, goàr nie,

griezelde Annie.

Waa’n maid, vuurde Trijn weer òp, daa’s prêchtig.—Ze

rilde vooruit al van bang-griezelig genot. Stille Guurt
Hassel, schuchter bewaakt door Jan Grint, die haar nà
den draaimolen-aanval nog maar geen zoen had
durven geven,—wou ook wel kijken.

—Da waa’s d’r puur aas ’n kemaidie mi bloed, vond

ze.

Ze hield zoo dol veel van vechtpartijen met messen,

en dat zou niet minder zijn. Ze zou gaan griezelen en
rillen zooveel ze wou.—

Met hun allen, de weerbarstige Annie meegesleept,

drongen ze de tenttrap òp.

Dirk nam plaatsen aan ’t loketje, en wèg hosten ze op

den trillenden plankengrond achter ’t beschot. Ze
waren warempel al wat te laat.—
 Vóór hen, op tooneelig hokje, in schuwgeel, zwavelig
licht, grijnsde en gilde ’n soort bezetene negerin, met
krakerige stem, rauwe fausset, elk woord als ’n
wreeden vloek uit ’r zwellenden keelkrop scheurend.
Op ’r kapsel wuifden woeste veeren, donkere haartooi
in schitterenden koperen ring saamgekranst.—Haar
kangoeroe-kop grijnsde met maskerige wreedheid van
’n hellemonster. Haar harde gele oogen waanzinden
wild rond. Woest verkoeterwaalde ze schorre klanken
met den impresario, die laag vóór d’r stond op den
plankengrond, bij ’t publiek. [329]Met ’n krom zwart
zwaard hakte ’t „meiske” in driftstuip op den kerel áán,
die haar ophitste met stootende tongverdraaide
woorden, en elken kletterslag op z’n blooten kop, met
z’n groot zwaard, in snelle zekerheid afweerde. Stank
broeide er uit de menschenprop op in ’t halfduister.
Allen staarden in ontzag naar den grijnzenden
duiveligen vrouwekop op tooneeltje, waarover ’n
zwavelige lichtschemer flakkerde, d’r gele oogen nog
geheimzinniger verwoestte.

—Dat is gain maid, f’rvloekt! schreeuwde plots ’n

matroos. Nou heb ik tog twintig joar gefàre moar nooit-
nie he’k soo’n loeder sien.. dàt wee’k tog ellendig-
best.… daa is.. god-alle jesis! ’n gefèrfde
Amstirdammur!

Ontzet publiekje liet grommen den kerel, staarde,

staàrde in bange suggestie. Bij ’t levend konijntje
verorberen werd ’t Annie te benauwd. Ze rilde en
griende toen ze ’t bloed over de zwart-bronze handen
zag stroomen; de tong hoorde raspen tegen de
haarhuid òp, den kinnebak zag lekken in ’t warme
 bloed, en de apig-lenige vingers de ingewandjes
ingraven.—

—Kaik! kaik.. da stuipt d’r in hemmes klaufe, gierde

Dirk woest, die ken d’r puur ’n bairtje slagte!

Meisjes en vrouwen vergilden kreten van afschuw.

Maar doorschokt van brandende passie,
bloeddronken, drongen Dirk en Rink nog meer naar
voren, de meiden heeter omknellend en meesleurend.

De furie Marie Pijler schaterde. Geschok en getier

raasde door ’t tentje.

De roode, bang-begloeide tooneeldoeken,

waartusschen ’t kangoeroesche grijnswijf sprong als ’n
hellemonster in Vitus-dans, schroeide telkens áán, in
den lichtflakker. Onder ’t vreten rimpelde ’r kop als ’n
oudwijvenmasker; groefde en grijnsde de
wellustmond.—Bloed lekte ze van d’r vuilgrauwe
lippen en brok voor brok van ’t uiteengescheurde
konijntje verdween in den stinkenden bloedmuil,
geweldig elastisch en rood-groot gesperd.—

Guurt griezelde, genoot in schokken van huiverenden

wellust. Ze zou zich zoo, in die bloederige beestigheid
best op Rink hebben [330]kunnen smakken, op den
gierenden reus, dien ze in ’t spokende flakkerlicht
verliefderig lokte met ’r prachtoogen.—Annie had de
kijkers gesloten, stond in donkeren nàstaar te
sidderen. De blonde furie kalde tegen de vurige Trijn
en Dirk hijgde van genot.
 Allemaal in ’t hok griezelden, staaroogden in heete
ontroering wat ’r nòg gruwelijkers volgen zou.

Alleen de matroos, Wierelander van geboorte, bleef

onwillig staren op bloederigen vraatmond.

—Da waa’s d’r ’n k’nain van spek! daa’t is gain waif..

dat is ’n kerel, ’n geverfde hassebas.. gaif d’r ’n lel da
se duiselt..

—Sou jai maine.. Nou.. doas glad-en-al mis, bazuinde

Rink’s stem uit ’n vaal-lichtenden hoek, ’t is d’r ’n ègt
ekserploàr.. ’n heul ègt swart meroakel..

—Kaik d’r gele smoel … juichte Dirk hoonend, en d’r

lampies.. ’t gal is d’r deur d’r bloed hainsloàge! daa’s
main weut!

—Waa’n kakkerlak! kom d’r hier.. sloan ik je tronie

deur viere! wou jai main segge van hoe ’t mot weuse?
ikke heb d’r twintig joar in Oostinje foàre.. enne nou..
in de foestain! Sou ikke nie van de toart had hebbe?

—Oostinje.. jai mi je dronke gleuf!.. en die maid is d’r

tug heuldegoar van Estroalie!

—Nou wat, sputterde verblufd dronken drenzerige

matroos.. dat is.. god-aldegoar-een-pot-nat! Estroalie
is d’r Ostinje.. enne Ostinje.. Estroalie..

—Hou tug je bek.. soa’k d’r mi je test.. saa’k d’r mi je

test.. wai sienne d’r nie..

—Sien.. sien.. gaif d’r ’n lel.. daa’s se.. daa’s se

duiselt!
 —Als de heere nu nog brandende sigare te misse
hebbe.. zal ’t vraatsuchtigste monster der wijreld se
alle opete!

Van alle kanten gloeiden uit ’t halfduister punten áán.

Dirk had eerst z’n sigaar vuurhel aangeblazen, stopte
’n einde, ’t monster zelf in d’r lenige bronzen klauwen.

—Hier swoart meroakel, doar hai je ’n happie, eet d’r

f’rsmoakelik..

Blaasbalgend laaide ’r muil in ’t vuur, dat de vonken in

haar [331]duivelende grinniktronie spatten, lippen en
kin telkens even gloedrood opvlamden.—Haar naakte
lijf in schaamlap omplooid, danste nerveus met
klapperende sprongen op de kreunende en trillende
tooneelplanken. Haar armen pagaaiden en doller ’r
keelkrop verkrijschte zang. En telkens, als vuurpunt
van nieuw brok sigaar, ’t hevigst opgloeide in ’r blaas,
sperde ze de kaken, d’r grauwe lippen er in botten
streel overheen aaiend, beet ze toe, kauwde en spoog
ze vuur, achtereen, verslindend sigaar op sigaar.

Hazewind braakte van pret. De meiden gilden van

schrik, maar Cor en Annie hadden er genoeg van. Ze
wouen niet langer blijven. Guurt was woedend dat ze
weg gingen. Geert Grint holde ook mee, de jongens
drongen op, Willem naast Geert, Dirk dadelijk er
hanig-haastig bij.

Jan Grint drong zacht mee, maar Guurt snauwde, beet

van ’r àf, volgde in wrevel. Ze was weer nùchter,
verwenschte de gloeierigheid van den zwartkrulligen
Jan, die z’n oogen uitschroeide.
 Vlak voor hen uit, stormde uit kijktent er naast, ’n
schater-drom, die daar ’n reuzin van zevenhonderd
pond had bekeken.—

—Alle jesis waa’n hurk! hep jullie sien? da binne d’r

fierkant tien van main maid, lalde ’n vent, slap-lachend
en in bochelige verwringing de tent uitzwaaiend.

Meiden, dierlijk verhit in smerige taalwellust van kerels

bij ’t reuzinnewijf, barstten eenmaal op straat, mee uit;
lebberden zich vast op de zuigmonden der hysterische
drinkebroers, verkrijschend na elken zoen, hun vuile
liedjes.

De meid-tailles omkneld, de monden op elkaar

gezogen, hosten ze in blinde razernij, de lijven in
branderige lusten op een geplakt, door de paukende
roffeling en dreuning van de gemartelde orgels.

Stoet bij stoet, in zwalkenden krijsch, holde achter de

Hassels en Grints áán, en telkens, dronken zwaaiende
paren, strompelden uit ’t duister in den brandschijn
van kramen en spellen. Van zangmond tot zangmond
ging de flesch rond, en heele rijen lam gezopen en
verflodderd, braakten langs de boomen,
verstrompelden [332]tusschen ’t schaduwduister van
tentruggen, smakten daar spuwend neer, in rauwen
ronk, in zucht en bral, wezenloos uitrochelend
ellendegeschrei van verrampte dronkaards.

Van allen kant op Baanwijk gruizelden en smakten

flesschen en kruiken, en ’t stortend geraas van glas
rinkelde tegen de keien.
 Op middenlaan van Baanwijk, achter de
oliekoektenten en speelgoedkramen brandde het
rosse luchtrood van kermisnacht ’t bangst, tusschen
de paarse duistering van schuttingen en wat eenzame
somnambule-krotjes. Langs de allée vlaagde
moordende klankstorm van dronken kelen, eindeloos
van misère, raasden de boertjes en wijven òp, met
kleurige narrige mutsen òver hun petten gekruifd.—

Bij verre uitvlamming van koperen bakovens bleven ze

trampelend staan, met de gloedweerkaatsing,
roodbevend op de geknauwde tronies, aangevreten
van passie. Hel-omlijnd in den lichtgloei, ging
spartelend beweeg weer van armpjes en beentjes;
kaprioolden ze waggel-zwaar tegen elkaar op, om en
om meiden, de korpulente nekken scheef, dat hun
vloeimutsen krampten slaapmutserig over hun tronies,
hun boeketten en linten wegsliertten her en der. Hun
breede broekjes en pijjekkers schaterden mee in
kanaljeus-lachende plooikronkels.

Drie vloeimutsen op elkaar had de reuzige slungel

zich op z’n pofpet geplakt, en in den dansenden
waggel van z’n schonkig lijf en botten zeehondenkop,
ging rond ’n flapper van serpentines, rood, geel, groen
en blauw, in den oranje-verdampenden hemelgloed.

Plots week in achterwaartschen kankan de heele

boertjesstoet en hinkende slungel-herkuul, naar
duisteren hoek, stond stil ’t geraas, verduisterden al
meer en meer achterkoppen van boerinnen met den
glanzenden schemer van hun zilveren en gouden
kappen tusschen de tentruggen.
 Van den polder àf lag havenwoel open, kraterend,
goudspuwend en roodsmokend overdampt als ’n
vuurregenende heksenbrand, waar stank
rondsmeulde van geschroeide menschenbouten. [333]

Daaràchter, de eindelooze poldernacht, ruisch-stil en

starend geheimzinnig. Telkens uit andere hoeken van
Haven schoten vlammen òp, doofden weer wèg in
nachtzwart, en soms, uit ’t stikkeduister joelden in
moordende geruchten stoeten áán in bengaalsche hel.

Als paarse nacht openbarstend, waaruit goud-roode

stoeten-brand fantasmagoorde, en kleurschaduwen
ijlden, zóó sidderde ’t bengaalsch licht áán over
huisrompen, boomen en wezens.

Menschentronies in bijtende helheid grijnsden naakt

onder dien vuurgloed. Telkens ànder licht laaide op, in
wond’ren groei; paarsrood dat sidderde en huiverde in
schrik van helheid; violet dat brandde en verschroeide
wandaligen kermishos; en groen-fosforizeerend vuur,
met infernalen beef-weerschijn, huiverend in woeste
glanzing ’t stedeke overlaaiend, of Satan verderf-
adem uitblies door heel ’t dolle kermisbachanaal.
Krijschjubel verklonk bij elken nieuwen kleurenbrand
van de mombakkesen, de lijk-groene, de paars-
helsche, de rood-huiverende.

En telkens verstierf de gloed in ’n trillende duistering.

Dan vèr, in oranje pracht, om zwart van nacht,

vlamden nà, lampions en flambouwen, walmend en
zigzaggend door ’t duister als ’n oproer van
hellebardiers. En wreed, over de wond’re avond-hel
van kleuren en tinten, over afgronden van duister diep
en gedempt gloeisel, stormden de orgelklanken,
raasden de mannestrotten, heeschten de
vrouwekreten, ontembaar, doorschroeid van passie.
Geslagen in razernij, renden de stoeten weer her en
der, in kruis en warrel, van den starenden angst-nacht
in ’t vlammenlicht, de Baanwijk af, Haven òp, Haven
àf, Baanwijk òp, in daverende hiha’s en hos,
verhijgend in barstende opwinding.

Waanzin-beweeg trampelde áán met de sputterende

boertjes, en als ’n verzinnelijkt Hosanna schreide hun
beestige krijsch door de brandende lucht, verzwaaiden
hun flesschen, en verrochelde ’t onweer van hun
ronkende falderahee’s. Bij den hoog-walmenden
oranjigen gloed van wat Jutskoppen bleven ze weer
staan. Bral en krijsch martelden los uit hun strotten en
[334]in heete zinnedrift smakten ze zich op de mooie
Jutsmeiden.

Pal boven hun koppen en kleurmutsen dampte nu

hèvig de brand-roode luchtnevel, van die plek uit, over
de heele Baanwijk rondschroeiend. De boomen in den
damp aangeverfd, leken reuzige monniken in barsche
pijen, stil gebogen boete doend, er door Satan
neergestold in krampig schuw afgrijs-gebaar.—

Voor schiettent lawaaide ’n spullebaas overschreeuwd

door eén van panorama-mechaniek, en die vent weèr
in stemmen-worstel met somnambulen-wijven en
kinematografen-eigenaars.
 De Hassels en Grintjes, nu weer achter het
trampelende boerenstoetje, vóór de Jutskoppen
uitdringend, wouen wel slaan, maar dat beviel Guurt
en Geert niet. Dirk en Rink slurpten limonade voor ’n
gebakkraampje, waar ’n bleekgeel mopssnuitig
juffertje, goud-bekapt en fleurig gesjaald bediende. In
vroolijken fonkel rijden daar de glaasjes limonade
wijnrood.—De meiden moesten toch ook wat likken,
en wankelig keek Dirk in z’n portemonnaie onder ’t
gele licht, of ie den bodem al zien kon.

—Dat is vijf te min meneer, sprak koel verkleed

juffertje.

—Vaif? vaif? wa helhoak vaif.… daa’s glad-en-al-mis

spotte ie ’r lachend uit.

—Daa’s net! Sai hep d’r drie lait.… enne.. de maide

tien.… enne ikke twee.… en Rink.… enne Merie.…
daa’s kaike!.… daa’s.…, rekende verward Willem
mee.—

—Drie.. drie, gierde in dronkig heeten bulder Rink..

noumins.. de sel d’r salderemosterd g’nog sai’n hee?
jai smoort … smoort gain wolf an je borst hee?

—Waa’t d’r nie is betoal jai sellefers moar medam,

lachte Dirk weer tegen de nijdige mopssnuitige juffer,
—of aêrs komp ’t vast bai ’t huurtje t’regt!

—Daa’s net … debies! roggemegochel! juichte

huillachend Rink, ’n vuist bonkhamerend op de
toonbank dat ’n rilling door de vonk-roode limonade
ging, en ’n rinkel door de glazen.—
 Met ’n woesten krijsch plots was Rink tusschen ’n
aanzwierenden hostroep ingesprongen, sleurde dwars
door haakarmen van meiden en vloekend-onthutste
kerels, zijn Grintjes en Hassels [335]heen, en met ’n
stem van ’n sprekende fagot, dreunde ie uit:

Nou gaste! aa’s één man bai de Jutskoppe! màide

stoàn d’r halt! Die de prais hoalt hep d’r uit jullie te
kiese!

In ’n dronken storm, opgezenuwd in furiënde

hevigheid, waggelstapten de kerels mee, naar ’n
alleenstaanden Jut, waar niet veel volk om heen
joelde. Twee stoere kanaljemeiden, madonnig kapsel
en bloothoofds, de slanke lijven omstrakt in zwart-
zijden glanzende boezelaartjes, schreeuwde de kerels
toe.—

—Alloo manne! prebeer je g’luk! laat sien je kracht!

laat d’r vlak-af kijke wa je ken! Slaan d’r op!
Semberleen! schop ’m op s’n pet!

Rink ’t eerst, was in woeste woeling van z’n reuzig lijf

op de schreeuwmeiden toegesprongen, gaf één wijf ’n
wreeden streel onder de mollige kin en rukte de moker
uit ’r hand. Meiden en kerels waren in kring achter ’m
opgeschemerd in den flakkerigen ros-oranje gloed.—

—Op sai heere en dames! beval de andere Jutsmeid

in ’t zwart,—meneer mot ruimte hebbe.. om te rake!
Sla d’r vrij op meneer.… dat ’m ’t gal uit s’n strot spat!
hij sel d’r tog nie van bloeie!
 —Ruimbaan! schreeuwde nog ’n Jutskerel, met
geelrossigen muizensnuit, pal onder den fakkelwalm
van z’n paal bij den klapperhaak.

Geert, Guurt en heel ’t meidenstelletje week achteruit.

—De kerels scharrelden naar de Jutsvrouwen. Piet
Hassel liet Cor los, wou zoetjes de zwart-
beboezelaarde mooie kanaljes besluipen, die in ’t
flambouwenrood tusschen den walm, wondergloedig
oplichtten, met de slanke lijven en aanhalige
gezichten, de goud-felle oogen, omwaasd in den
damp van hun paal.—

Muizentronie stond aan den knalhaak om den klapper

recht te schuiven na elken slag. En Rink reuzig, half
bevlamd z’n schriklijken landlooperskop, in
kangoeroesche rugkromming, z’n herkulische
schonken donkerig omschaduwd, hijgde voor ie
begon.— [336]

Cyklopisch, even waggelend, hief ie den moker, met

één zwaai hoog door de lucht, dat ’r suizel koelde
rondom.—

Donker en dreun-dof plofte z’n hamer uit ’t duister op ’t

Jutsblok. Knettering spatte boven de omstanders en in
den fakkelgloei hitsten de meiden ’m op.—

—Dat is raak meneer Simson.. dat is d’r ’n

mannetjesvint!

—Mooi, mooi! porde de andere mee, met kanaljeuzen

lach en zinnestreeling uit ’r goud-bevlamde oogen ’m
begenadigend.—
Rink hief weer den moker. Z’n half-duistere lijf groeide
in den oranjigen nevel. Z’n beschemerde armen,
geweldig, spanden, daalden en rezen als hefboomen,
en weer in doffen dreun mokerde ie néér z’n hamer op
’t Jutsblok.

De meiden rondom juichten. Opgehitst in satanische

drift bleef ie doormokeren slag op slag, dat z’n borst
blaasbalgde, z’n beenen beefden, en z’n groene
oogen sperden in bevlamde razernij.

—Veur Semberleen! Veur Kitsener! Veur Roodes!

gilden de Jutsmeiden mee, met elken slag in rauwe
opwinding. Ze hadden schik in den reus. Elke knetter
was raak! In cyklopische mokering dreunden de
schokken door z’n krampende klauwen, ging sidder
door z’n gekromd lijf, kittelde genot door z’n
knarsende kaken.—En boven z’n woesten kop spatte
kruidknetter tot den paaltop, verwuifden de
flambouwen hoog in de lucht walmige vlammen,
sidderden de vlaggetjes in kronkel om ’t ijzer.—

Heftiger joegen de zwart-beboezelaarde meiden ’m òp

en doller mokerde dolle reus neer, in heete razernij
van dreunen, dat ’t blok waggelde en van een dreigde
te barsten.—

De Grintjes gierden van lol en de blonde slanke furie,

Marie Pijler, wou ’m te lijf, schreeuwde schor dronken,
dat ze’m doodzoenen zou.

—Daa’t is ’n mannetjesputter! Jou Rink, jòu mo’k

hebbe.. wa mo’k mi die snotter van ’n Henk! joù! joù!
gilde ze door de dreunen heen, als ’n bezetene.—Ze
sprong naar voren, naar achter en sidderende wellust
trilde door haar wiegende heupen, waarop ze zich
bofte van genot.— [337]

Rink mokerde door, in ’n blinde woeste razernij, dat de

Jutsmeiden verbleekten van angst. Z’n hamer suiselde
lucht rond, uit duister in licht.—

Marie Pijler, in ’t toortsige goudrossige rood, duivelde

van hysterie. Haar lippen schuimden en ’r handen
jeukten langs d’r borsten. Ze gilde door, tusschen z’n
mokerdreun, en wilder, opgewondener gierden de
Grintjes.

Stoeten bleven kijken naar den half-donkeren reus,

die onvermoeibaar hijgde en trilde als zou ie iedere
minuut, daar dood ter aarde storten. Toen werd ’t de
andere verblufte kerels te benauwd.

—Hee Rink! jai hep d’r Joë ’tmet an brai sloage hee?
s’n harses meroakele d’r van malkoar! Nou motte wai
de kerel nog ’n arrempie uitdroaie hee?

—Nog veur vaif sint, hijgde Rink met waanzinblik, en

weer zwaaide in krampigen lijfschok en razenden
dreun, slag op slag neer.

Als ’n beul uit de hel neergestormd, in den oranjigen

lichtflakker en walm, met even begloeide knots moord
rond-rammeiend, zoo spier-spande z’n lijf in de laatste
stuipkramp van slagen. Z’n losse overhemd fladderde
uit z’n broek, en heel z’n zondagsche plunje
vermodderd bemorst, flodderde om z’n dronken
korpus.—
Eindelijk òp, hijgend, gebroken zwaaide ie den hamer
tegen den grond, zoende, in fellen hartstochtstuip de
beboezelaarde Jutsmeiden met heeten lippenslurp, en
strompelde bek-àf, zweet-dampend achter ’n
palingstalletje neer, snakkend naar adem.—

Dichter dromde ’t gestoet om de Jutskoppen. De

mooie kanaljes, hitsten òp, streken hun handen
lokkerig langs hun zijïg-gespannen glanzende dijen,
lachten en lonkten. Willem, Dirk, Hazewind, Piet en
Jan Grint, Henk en de heele stoet sloeg raak. Jutskop
lag half aan brei. De paal met z’n knal en knetter, leek
ontvleesd karkas van levend-gemartelde die dood
gemokerd werd door lynchende bende, en bij elken
dreun op ’t veerende blok, ’n stuipende rilling door z’n
beschilderd geraamte verschokte.— [338]

Heeter hitsten de Jutsmeiden òp en telkens zwaaide

de reuzige moker de lucht in, houweelde duisterend ’n
rossigen glimstreep door den flambouwenflakker, dat
banger de oranjige sfeer, kerels, mokeraars en
meiden ombeefde.—Al meer tronies, àchter elkaar
opgestoet, schemerden áán in den hamerkring, de
heete oogen gericht op de waggelende cyklopen, die
doordreunden en beulden onder de brandende lucht.

Elke ronde betaalden de meiden voor hun galants.

Maar Rink, Rink de neergesmakte reus, had de
mokering ’t langst uitgehouden, ’t meest en felst
verknetterd. In woesten sprong smakte de blonde
Marie Pijler, met de schittermedailje, jaloersch uit de
handen der kanaljemeiden gerukt, op Rink, die
brakend te vloeken lag in kraampjesduister. Als ’n
 bezetene zoog ze ’m den vloek-mond dicht met
brandende zoenen, smakte ’m den hals vol, gilde en
raasde dat zij en niemand anders dan zij hèm hebben
most.. veur de heule kermis.

—Slaat ’m dood! Semperleen! Kitsener! krijschten de

Jutsmeiden weer achter den wijkenden stoet Hassels
en Grints áán. De kerel bij den kruithaak onder de
fakkelende walming, liet loensen z’n muizentronie,
vertrilde z’n begloeide oogen gretig naar ’t bezopen
volkje, dat de kanaljeus-lokkende boezelaars-meiden
vingen met d’r zinnestreel en hitsenden roep.—

[Inhoud]

V.

Uit de kroegen en danszalen op Baanwijk en Haven

stormde in en uit, heete woelzee van hurrie, getier van
uitzinnige meiden en kerels.—’t Was zacht gaan
regenen en vóór de wilde-vrouwtent en de panorama’s
er naast, droefde treuzelige leegte. Kerel op estrade,
melodramatiekte wel met z’n stem, naast ’m
overschreeuwd door den eigenaar van ’t „gruufelekst
seemonster”, maar ’t bleef ’r vaal voor de tenttrap; de
stoeten hosten voorbij zonder te luisteren; de regen
spetterde door het droeve ros-gele lichtgeflakker van
wat magere flambouwtjes.
 Als broeibakken, omgloeid van kermiskoorts, rookten
de kroegen [339]en kanaljeuzige dansholletjes vol,
mistig-geel doorvlamd van hel petroleumlicht. Moffen
en blazers tierden. Piano’s roffelden er; pauktsjings en
krijsch raasden verdoovend rond in de walmende
krotten. En geschreeuw uit honderden kelen braakte
de straat op, dreef àf weer in de kronkelgangetjes.

Heete bakstanken en walgelijke vetlucht van

gesmolten reuzel doorzuurde de lucht en knetterende
vuren van verflakkerende bakovens vlamden achter
enge steegdieptetjes, tegen polderlucht, in ’t zacht-
regenende duister, als kraterende grotten van
bacchanten, waarin donker en begloeid, razende
wezens rond-kaprioolden.—

Kleurige worp van lichtgloei bleef kaatsen om

menschen en spullen, en wisselglansen
verallegorieden in trillende diepte de bange realiteit
van hossers en zuipers, in tooverig koloriet van
fantastische prachtgeheimenis.

Goud-gloeiing, rembrandtiek-diep in tooverwild

begloord amber en bronsgeel, trilde op roestige
muurbrokken als lichtende helsche zwammen.
Levende fosfor kroop op hekken, kleine klinkdeurtjes
van huiverend-stille krotjes, verzakt in halve duistering
van nacht-zwart.—

Pompen en slingers donkerden reuzig tusschen

boomen, en in al zwarter damprood bacchanaalden de
schreeuwstoeten met gewonde lampions en
knetterende pekfakkels gillend door de wijkjes, in
trampelenden warrel van beenen en rompen.
Willem en Dirk hadden de meiden meegesleurd naar
’n krottig danshuis waar ze ’n uur in vagevuur-hitte
verschroeiden. In storm waren ze ’r uitgevlucht,
natgezoend, verslobberd, begrabbeld; de rokken
afgetrapt door de beestkerels daar. Rink had ’n
Lempenaar halfdood geranseld omdat ie z’n blonde
Marie aan de rokken had gegrepen in woeste passie,
zonder ’r los te laten.

Met bebloeden kop had Rink ’m achter ’t buffetje

gesmakt. De vent lag ’r te krimpen van pijn, met
uitgescheurd oor en bloedneus. Met één bakelaai had
Rink ’m z’n mes, waarmee ie steken wou, uit de
moordklauwen geslagen, en nou lag ie daar,
rampzalig vertrapt en bespogen door de joelbende.—
[340]

Rink vooròp, de blonde Marie met ’r roodgezwollen

tronie, aan z’n lijf vastgezogen, mee. Op straat gierde
de kasteleinsmeid Pijler, dat ze ’t café-chantant
inmoesten. Dat werd in schallenden schater
beklonken.

Zangkrijschend kom-kerlinekens, zeilde door

regenende duisternis, ’t stoetje van twintig ’n
zijweggetje àf, dat stil donkerde buiten kermiswoel.

Plots, over Baanwijkbaan ging angstige vluchtjacht

van duistere menschenstoeten, naar één plek.

Brandklokken alarmden in angstigen bimbam,

klankgalmen van steigerenden nood sliertend, dwars
door den demonischen jubelnacht.
 Achter fakkelflikkering, hoog tegen paardenspul,
sloegen rookige vlammen òp uit ’t duister.

—Brand! brand! schreeuwden ontzet de stemmen,

rauw en moe, schor en angstig. Woeling van donkere
massa’s, van ’t duister telkens in lichtgloei, roezigde in
stille aarzelende oproerstappen en geschuifel naar ’t
eind van Baanwijk; zwol áán in trappelenden
hakkendreun en lijvenwoel tot angstig
revolutiegerucht; rumoer, dàn donker als onweergrom
of aardbeefschok, dan hèl en lichtend in toortsbrand
van kermisjoel.

D’avondklokken beierden door, in rood-angstigen

galm, en de brandende damp boven de kermis,
gloeide áán, oranje-rooder, banger, in rook en
vlammen.

Rink, Marie en ’t heele stoetje waren in opwinding

gekeerd, en ieder z’n meid vastgekneld onder den
arm, sloegen ze op hol in den schrik, juichend van
duivelige emotie, dat ’r eindelijk iets benauwends
gebeuren ging.—

Boven ’t paardenspul, stonden twee groote gebogen

grillige haken in gloedschijn als roode valken.

Klaas Koome holde voort, z’n buldoggenkop

gezwollen van pret en z’n bijt-bek nijdig naar voren
gewrongen. Annie en Cor sleurde ie mee aan z’n
armen.—

Hij gierde: