Towards joint decoding of binary Tardos fingerprinting codes

The class of joint decoder of probabilistic fingerprinting codes is of utmost importance in theoretical papers to establish the concept of fingerprint capacity. However, no implementation supporting a large user base is known to date. This article presents an iterative decoder which is, as far as we are aware of, the first practical attempt towards joint decoding. The discriminative feature of the scores benefits on one hand from the side-information of previously accused users, and on the other hand, from recently introduced universal linear decoders for compound channels. Neither the code construction nor the decoder make precise assumptions about the collusion (size or strategy). The extension to incorporate soft outputs from the watermarking layer is straightforward. An extensive experimental work benchmarks the very good performance and offers a clear comparison with previous state-of-the-art decoders.Comment: submitted to IEEE Trans. on Information Forensics and Security. - typos corrected, one new plot, references added about ECC based fingerprinting code

Contribution to the construction of fingerprinting and watermarking schemes to protect mobile agents and multimedia content

The main characteristic of fingerprinting codes is the need of high error-correction capacity due to the fact that they are designed to avoid collusion attacks which will damage many symbols from the codewords. Moreover, the use of fingerprinting schemes depends on the watermarking system that is used to embed the codeword into the content and how it honors the marking assumption. In this sense, even though fingerprinting codes were mainly used to protect multimedia content, using them on software protection systems seems an option to be considered. This thesis, studies how to use codes which have iterative-decoding algorithms, mainly turbo-codes, to solve the fingerprinting problem. Initially, it studies the effectiveness of current approaches based on concatenating tradicioanal fingerprinting schemes with convolutional codes and turbo-codes. It is shown that these kind of constructions ends up generating a high number of false positives. Even though this thesis contains some proposals to improve these schemes, the direct use of turbo-codes without using any concatenation with a fingerprinting code as inner code has also been considered. It is shown that the performance of turbo-codes using the appropiate constituent codes is a valid alternative for environments with hundreds of users and 2 or 3 traitors. As constituent codes, we have chosen low-rate convolutional codes with maximum free distance. As for how to use fingerprinting codes with watermarking schemes, we have studied the option of using watermarking systems based on informed coding and informed embedding. It has been discovered that, due to different encodings available for the same symbol, its applicability to embed fingerprints is very limited. On this sense, some modifications to these systems have been proposed in order to properly adapt them to fingerprinting applications. Moreover the behavior and impact over a video produced as a collusion of 2 users by the YouTube’s s ervice has been s tudied. We have also studied the optimal parameters for viable tracking of users who have used YouTube and conspired to redistribute copies generated by a collusion attack. Finally, we have studied how to implement fingerprinting schemes and software watermarking to fix the problem of malicious hosts on mobile agents platforms. In this regard, four different alternatives have been proposed to protect the agent depending on whether you want only detect the attack or avoid it in real time. Two of these proposals are focused on the protection of intrusion detection systems based on mobile agents. Moreover, each of these solutions has several implications in terms of infrastructure and complexity.Els codis fingerprinting es caracteritzen per proveir una alta capacitat correctora ja que han de fer front a atacs de confabulació que malmetran una part important dels símbols de la paraula codi. D'atra banda, la utilització de codis de fingerprinting en entorns reals està subjecta a que l'esquema de watermarking que gestiona la incrustació sigui respectuosa amb la marking assumption. De la mateixa manera, tot i que el fingerprinting neix de la protecció de contingut multimèdia, utilitzar-lo en la protecció de software comença a ser una aplicació a avaluar. En aquesta tesi s'ha estudiat com aplicar codis amb des codificació iterativa, concretament turbo-codis, al problema del rastreig de traïdors en el context del fingerprinting digital. Inicialment s'ha qüestionat l'eficàcia dels enfocaments actuals en la utilització de codis convolucionals i turbo-codis que plantegen concatenacions amb esquemes habituals de fingerprinting. S'ha demostrat que aquest tipus de concatenacions portaven, de forma implícita, a una elevada probabilitat d'inculpar un usuari innocent. Tot i que s'han proposat algunes millores sobre aquests esquemes , finalment s'ha plantejat l'ús de turbocodis directament, evitant així la concatenació amb altres esquemes de fingerprinting. S'ha demostrat que, si s'utilitzen els codis constituents apropiats, el rendiment del turbo-descodificador és suficient per a ser una alternativa aplicable en entorns amb varis centenars d'usuaris i 2 o 3 confabuladors . Com a codis constituents s'ha optat pels codis convolucionals de baix ràtio amb distància lliure màxima. Pel que fa a com utilitzar els codis de fingerprinting amb esquemes de watermarking, s'ha estudiat l'opció d'utilitzar sistemes de watermarking basats en la codificació i la incrustació informada. S'ha comprovat que, degut a la múltiple codificació del mateix símbol, la seva aplicabilitat per incrustar fingerprints és molt limitada. En aquest sentit s'ha plantejat algunes modificacions d'aquests sistemes per tal d'adaptar-los correctament a aplicacions de fingerprinting. D'altra banda s'ha avaluat el comportament i l'impacte que el servei de YouTube produeix sobre un vídeo amb un fingerprint incrustat. A més , s'ha estudiat els paràmetres òptims per a fer viable el rastreig d'usuaris que han confabulat i han utilitzat YouTube per a redistribuir la copia fruït de la seva confabulació. Finalment, s'ha estudiat com aplicar els esquemes de fingerprinting i watermarking de software per solucionar el problema de l'amfitrió maliciós en agents mòbils . En aquest sentit s'han proposat quatre alternatives diferents per a protegir l'agent en funció de si és vol només detectar l'atac o evitar-lo en temps real. Dues d'aquestes propostes es centren en la protecció de sistemes de detecció d'intrusions basats en agents mòbils. Cadascuna de les solucions té diverses implicacions a nivell d'infrastructura i de complexitat.Postprint (published version

Cryptographic error correction

Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2006.Includes bibliographical references (leaves 67-71).It has been said that "cryptography is about concealing information, and coding theory is about revealing it." Despite these apparently conflicting goals, the two fields have common origins and many interesting relationships. In this thesis, we establish new connections between cryptography and coding theory in two ways: first, by applying cryptographic tools to solve classical problems from the theory of error correction; and second, by studying special kinds of codes that are motivated by cryptographic applications. In the first part of this thesis, we consider a model of error correction in which the source of errors is adversarial, but limited to feasible computation. In this model, we construct appealingly simple, general, and efficient cryptographic coding schemes which can recover from much larger error rates than schemes for classical models of adversarial noise. In the second part, we study collusion-secure fingerprinting codes, which are of fundamental importance in cryptographic applications like data watermarking and traitor tracing. We demonstrate tight lower bounds on the lengths of such codes by devising and analyzing a general collusive attack that works for any code.by Christopher Jason Peikert.Ph.D

Almost separating and almost secure frameproof codes over q-ary alphabets

The final publication is available at Springer via http://dx.doi.org/10.1007/s10623-015-0060-zIn this paper we discuss some variations of the notion of separating code for alphabets of arbitrary size. We show how the original definition can be relaxed in two different ways, namely almost separating and almost secure frameproof codes, yielding two different concepts. The new definitions enable us to obtain codes of higher rate, at the expense of satisfying the separating property partially. These new definitions become useful when complete separation is only required with high probability, rather than unconditionally. We also show how the codes proposed can be used to improve the rate of existing constructions of families of fingerprinting codes.Peer ReviewedPostprint (author's final draft

Gossip Codes for Fingerprinting: Construction, Erasure Analysis and Pirate Tracing

This work presents two new construction techniques for q-ary Gossip codes from tdesigns and Traceability schemes. These Gossip codes achieve the shortest code length specified in terms of code parameters and can withstand erasures in digital fingerprinting applications. This work presents the construction of embedded Gossip codes for extending an existing Gossip code into a bigger code. It discusses the construction of concatenated codes and realisation of erasure model through concatenated codes.Comment: 28 page

Perfect hash families, identifiable parent property codes and covering arrays

In letzter Zeit haben einige kombinatorische Strukturen und Codes eine Vielzahl verschiedener Anwendungen in der Kommunikationstechnik, Kryptographie, Netzwerktechnik und der Informatik gefunden. Der Zweck dieser Dissertation ist, offene Probleme im Zusammenhang mit verschiedenen kombinatorischen Objekten zu lösen, welche durch praktische Anwendungen im Bereich der Informatik und Kryptographie motiviert sind. Genauer gesagt, untersuchen wir perfect hash families, identifiable parent property codes und covering arrays. Perfect hash families sind kombinatorische Strukturen, die verschiedene praktische Anwendungen haben, so wie Compilerbau, Probleme der Komplexität von Schaltkreisen, Datenbank-Verwaltung, Betriebssysteme, derandomization probabilistischer Algorithmen und broadcast encryption. Wir konzentrieren uns auf explizite Konstruktionsverfahren für perfect hash families. Erstens liefern wir eine explizite rekursive Konstruktion einer unendlichen Klasse von perfect hash families mit dem besten bekannten asymptotischen Verhalten unter allen ähnlichen, bekannten Klassen. Zum zweiten stellen wir ein neues rekursives Konstruktionsverfahren vor, mit dessen Hilfe man gute perfect hash families für kleine Parameter erzeugen kann. Durch diese Methode erhalten wir eine unendliche Klasse von perfect hash families, die eine sehr große Menge von Parameter-Werten abdeckt. Weiterhin leiten wir eine neue untere Schranke für die minimale Anzahl von Hash-Funktionen her. Ein Vergleich der existierenden Schranken zeigt, dass unsere Schranke für einige Parameter-Bereiche schärfer ist als andere bekannte Schranken. Identifiable parent property codes (IPP) wurden entwickelt für die Anwendung in Verfahren, die urheberrechtlich geschützte digitale Daten gegen unerlaubte Kopien schützen, die gemeinsam von mehreren berechtigten Nutzern hergestellt werden. TA codes sind eine gut erforschte Teilmenge der IPP-Codes. Wir stellen zwei neue Konstruktionen für IPP-Codes vor. Unsere erste Konstruktion bietet eine unendlichen Klasse von IPP-Codes mit dem besten bekannten asymptotischen Verhalten unter allen ähnlichen Klassen in der Literatur. Weiterhin beweisen wir, dass diese Codes ein Verfahren zum Finden von Verrätern mit im Allgemeinen Laufzeit O(M) erlauben, wobei M die Code-Größe ist. Man beachte, dass vorher außer den TA-Codes keine IPP-Codes mit dieser Eigenschaft bekannt waren. Für einige unendliche Unterklassen dieser Codes kann man sogar noch schnellere Verfahren zum Aufspüren von Verrätern finden, mit Laufzeit poly(logM). Außerdem wird eine neue unendliche Klasse von IPP-Codes konstruiert, die gute IPP-Codes für nicht zu große Werte von n liefert, wobei n die Code-Länge bezeichnet. Diese Klasse von IPP-Codes deckt einen großen Bereich von Parameter-Werten ab. Weiterhin konstruieren wir eine große Klasse von w-TA-Codes, die eine positive Antwort auf ein offenes Existenzproblem geben. Covering arrays sind von vielen Wissenschaftlern intensiv untersucht worden, aufgrund ihrer zahlreichen Anwendungen in der Informatik, so wie Software- oder Schaltkreis-Testen, switching networks, Datenkompressions-Probleme, und etliche mathematische Anwendungen, so wie Differenz-Matrizen, Such-Theorie und Wahrheits-Funktionen. Wir untersuchen explizite Konstruktions-Methoden für t-covering arrays. Zuerst benutzen wir den Zusammenhang zwischen perfect hash families und covering arrays, um unendliche Familien von t-covering arrays zu finden, für die wir beweisen, dass sie besser sind als die augenblicklich bekannten probabilistischen Schranken für covering arrays. Diese Familien haben ein sehr gutes asymptotisches Verhalten. Zum zweiten liefern wir, angeregt durch ein Ergebnis von Roux und auch von einem kürzlich erzielten Ergebnis von Chateauneuf und Kreher für 3-covering arrays, verschiedene neue Konstruktionen für t-covering arrays, t >_ 4, die als eine Verallgemeinerung dieser Ergebnisse gesehen werden können

On codes for traceability schemes: constructions and bounds

A traceability or fingerprinting scheme is a cryptographic scheme that facilitates the identification of the source of leaked information. In a fingerprinting setting, a distributor delivers copies of a given content to a set of authorized users. If there are dishonest members (traitors) among them, the distributor can deter plain redistribution of the content by delivering a personalized, i.e., marked, copy to each user. The set of all user marks is known as a fingerprinting code. There is, however, another threat. If several traitors collude to create a copy that is a combination of theirs, then the pirated copy generated will contain a corrupted mark, which may obstruct the identification of traitors. This dissertation is about the study and analysis of codes for their use in traceability and fingerprinting schemes, under the presence of collusion attacks. Moreover, another of the main concerns in the present work will be the design of identification algorithms that run efficiently, i.e., in polynomial time in the code length. In Chapters 1 and 2, we introduce the topic and the notation used. We also discuss some properties that characterize fingerprinting codes known under the names of separating, traceability (TA), and identifiable parent property (IPP), which will be subject of research in the present work. Chapter 3 is devoted to the study of the Kötter-Vardy algorithm to solve a variety of problems that appear in fingerprinting schemes. The concern of the chapter is restricted to schemes based on Reed-Solomon codes. By using the Kötter-Vardy algorithm as the core part of the identification processes, three different settings are approached: identification in TA codes, identification in IPP codes and identification in binary concatenated fingerprinting codes. It is also discussed how by a careful setting of a reliability matrix, i.e., the channel information, all possibly identifiable traitors can be found. In Chapter 4, we introduce a relaxed version of separating codes. Relaxing the separating property lead us to two different notions, namely, almost separating and almost secure frameproof codes. From one of the main results it is seen that the lower bounds on the asymptotical rate for almost separating and almost secure frameproof codes are greater than the currently known lower bounds for ordinary separating codes. Moreover, we also discuss how these new relaxed versions of separating codes can be used to show the existence of families of fingerprinting codes of small error, equipped with polynomial-time identification algorithms. In Chapter 5, we present explicit constructions of almost secure frameproof codes based on weakly biased arrays. We show how such arrays provide us with a natural framework to construct these codes. Putting the results obtained in this chapter together with the results from Chapter 4, shows that there exist explicit constructions of fingerprinting codes based on almost secure frameproof codes with positive rate, small error and polynomial-time identification complexity. We remark that showing the existence of such explicit constructions was one of the main objectives of the present work. Finally, in Chapter 6, we study the relationship between the separating and traceability properties of Reed-Solomon codes. It is a well-known result that a TA code is an IPP code, and that an IPP code is a separating code. The converse of these implications is in general false. However, it has been conjectured for some time that for Reed-Solomon codes all three properties are equivalent. Giving an answer to this conjecture has importance in the field of fingerprinting, because a proper characterization of these properties is directly related to an upper bound on the code rate i.e., the maximum users that a fingerprinting scheme can allocate. In this chapter we investigate the equivalence between these properties, and provide a positive answer for a large number of families of Reed-Solomon codes.Un sistema de trazabilidad o de fingerprinting es un mecanismo criptogr afi co que permite identi car el origen de informaci on que ha sido fi ltrada. En el modelo de aplicación de estos sistemas, un distribuidor entrega copias de un determinado contenido a un conjunto de usuarios autorizados. Si existen miembros deshonestos (traidores) entre ellos, el distribuidor puede disuadir que realicen una redistribuci on ingenua del contenido entregando copias personalizadas, es decir, marcadas, a cada uno de los usuarios. El conjunto de todas las marcas de usuario se conoce como c ódigo de fingerprinting. No obstante, existe otra amenaza m as grave. Si diversos traidores confabulan para crear una copia que es una combinación de sus copias del contenido, entonces la copia pirata generada contendr a una marca corrompida que di ficultar a el proceso de identificaci on de traidores. Esta tesis versa sobre el estudio y an alisis de c odigos para su uso en sistemas de trazabilidad o de fi ngerprinting bajo la presencia de ataques de confabulaci on. Otra de las cuestiones importantes que se tratan es el diseño de algoritmos de identi caci on e ficientes, es decir, algoritmos que se ejecuten en tiempo polin omico en la longitud del c odigo. En los Cap tulos 1 y 2 presentamos el tema e introducimos la notaci on que utilizaremos. Tambi en presentaremos algunas propiedades que caracterizan los c odigos de fi ngerprinting, conocidas bajo los nombres de propiedad de separaci on, propiedad identi cadora de padres (IPP) y propiedad de trazabilidad (TA), que est an sujetas a estudio en este trabajo. El Cap tulo 3 est a dedicado al estudio del algoritmo de decodi caci on de lista con informaci on de canal de Kötter-Vardy en la resoluci on de determinados problemas que aparecen en sistemas de fingerprinting. El ambito de estudio del cap ítulo son sistemas basados en c odigos de Reed-Solomon. Empleando el algoritmo de Kötter-Vardy como parte central de los algoritmos de identifi caci on, se analizan tres propuestas en el cap ítulo: identi caci on en c odigos TA, identifi caci on en c odigos IPP e identifi caci on en c odigos de fingerprinting binarios concatenados. Tambi en se analiza c omo mediante un cuidadoso ajuste de una matriz de abilidad, es decir, de la informaci on del canal, se pueden encontrar a todos los traidores que es posible identi car e ficientemente. En el Capí tulo 4 presentamos una versi on relajada de los c odigos separables. Relajando la propiedad de separaci on nos llevar a a obtener dos nociones diferentes: c odigos cuasi separables y c odigos cuasi seguros contra incriminaciones. De los resultados principales se puede observar que las cotas inferiores de las tasas asint oticas para c odigos cuasi separables y cuasi seguros contra incriminaciones son mayores que las cotas inferiores actualmente conocidas para c odigos separables ordinarios. Adem as, tambi en estudiamos como estas nuevas familias de c odigos pueden utilizarse para demostrar la existencia de familias de c odigos de ngerprinting de baja probabilidad de error y dotados de un algoritmo de identi caci on en tiempo polin omico. En el Capí tulo 5 presentamos construcciones expl citas de c odigos cuasi seguros contra incriminaciones, basadas en matrices de bajo sesgo. Mostramos como tales matrices nos proporcionan una herramienta para construir dichos c odigos. Poniendo en com un los resultados de este cap tulo con los del Capí tulo 4, podemos ver que, bas andonos en c odigos cuasi seguros contra incriminaciones, existen construcciones expl ícitas de c odigos de fi ngerprinting de tasa positiva, baja probabilidad de error y con un proceso de identi caci on en tiempo polin omico. Demostrar que existen dichas construcciones expl citas era uno de los principales objetivos de este trabajo. Finalmente, en el Capí tulo 6, estudiamos la relaci on existente entre las propiedades de separaci on y trazabilidad de los c odigos de Reed-Solomon. Es un resultado bien conocido el hecho que un c odigo TA es un c odigo IPP, y que un c odigo IPP es un c odigo separable. Las implicaciones en el sentido opuesto son falsas en general. No obstante, existe una conjetura acerca de la equivalencia de estas tres propiedades en el caso de cóodigos de Reed-Solomon. Obtener una respuesta a esta conjetura es de una importancia relevante en el campo del fi ngerprinting, puesto que la caracterización de estas propiedades est a directamente relacionada con una cota superior en la tasa del c odigo, es decir, con el n umero de usuarios que puede gestionar un sistema de fi ngerprinting. En este cap ítulo investigamos esta equivalencia y proporcionamos una respuesta afirmativa para un gran n umero de familias de c odigos de Reed-Solomon. Los resultados obtenidos parecen sugerir que la conjetura es cierta

Framework for privacy-aware content distribution in peer-to- peer networks with copyright protection

The use of peer-to-peer (P2P) networks for multimedia distribution has spread out globally in recent years. This mass popularity is primarily driven by the efficient distribution of content, also giving rise to piracy and copyright infringement as well as privacy concerns. An end user (buyer) of a P2P content distribution system does not want to reveal his/her identity during a transaction with a content owner (merchant), whereas the merchant does not want the buyer to further redistribute the content illegally. Therefore, there is a strong need for content distribution mechanisms over P2P networks that do not pose security and privacy threats to copyright holders and end users, respectively. However, the current systems being developed to provide copyright and privacy protection to merchants and end users employ cryptographic mechanisms, which incur high computational and communication costs, making these systems impractical for the distribution of big files, such as music albums or movies.El uso de soluciones de igual a igual (peer-to-peer, P2P) para la distribución multimedia se ha extendido mundialmente en los últimos años. La amplia popularidad de este paradigma se debe, principalmente, a la distribución eficiente de los contenidos, pero también da lugar a la piratería, a la violación del copyright y a problemas de privacidad. Un usuario final (comprador) de un sistema de distribución de contenidos P2P no quiere revelar su identidad durante una transacción con un propietario de contenidos (comerciante), mientras que el comerciante no quiere que el comprador pueda redistribuir ilegalmente el contenido más adelante. Por lo tanto, existe una fuerte necesidad de mecanismos de distribución de contenidos por medio de redes P2P que no supongan un riesgo de seguridad y privacidad a los titulares de derechos y los usuarios finales, respectivamente. Sin embargo, los sistemas actuales que se desarrollan con el propósito de proteger el copyright y la privacidad de los comerciantes y los usuarios finales emplean mecanismos de cifrado que implican unas cargas computacionales y de comunicaciones muy elevadas que convierten a estos sistemas en poco prácticos para distribuir archivos de gran tamaño, tales como álbumes de música o películas.L'ús de solucions d'igual a igual (peer-to-peer, P2P) per a la distribució multimèdia s'ha estès mundialment els darrers anys. L'àmplia popularitat d'aquest paradigma es deu, principalment, a la distribució eficient dels continguts, però també dóna lloc a la pirateria, a la violació del copyright i a problemes de privadesa. Un usuari final (comprador) d'un sistema de distribució de continguts P2P no vol revelar la seva identitat durant una transacció amb un propietari de continguts (comerciant), mentre que el comerciant no vol que el comprador pugui redistribuir il·legalment el contingut més endavant. Per tant, hi ha una gran necessitat de mecanismes de distribució de continguts per mitjà de xarxes P2P que no comportin un risc de seguretat i privadesa als titulars de drets i els usuaris finals, respectivament. Tanmateix, els sistemes actuals que es desenvolupen amb el propòsit de protegir el copyright i la privadesa dels comerciants i els usuaris finals fan servir mecanismes d'encriptació que impliquen unes càrregues computacionals i de comunicacions molt elevades que fan aquests sistemes poc pràctics per a distribuir arxius de grans dimensions, com ara àlbums de música o pel·lícules

Risky Traitor Tracing and New Differential Privacy Negative Results

In this work we seek to construct collusion-resistant traitor tracing systems with small ciphertexts from standard assumptions that also move toward practical efficiency. In our approach we will hold steadfast to the principle of collusion resistance, but relax the requirement on catching a traitor from a successful decoding algorithm. We define a $f$-risky traitor tracing system as one where the probability of identifying a traitor is $f(\lambda,n)$ times the probability a successful box is produced. We then go on to show how to build such systems from prime order bilinear groups with assumptions close to those used in prior works. Our core system achieves, for any $k > 0$, $f(\lambda,n) \approx \frac{k}{n + k - 1}$ where ciphertexts consists of $(k + 4)$ group elements and decryption requires $(k + 3)$ pairing operations. At first glance the utility of such a system might seem questionable since the $f$ we achieve for short ciphertexts is relatively small. Indeed an attacker in such a system can more likely than not get away with producing a decoding box. However, we believe this approach to be viable for four reasons: 1. A risky traitor tracing system will provide deterrence against risk averse attackers. In some settings the consequences of being caught might bear a high cost and an attacker will have to weigh his utility of producing a decryption $D$ box against the expected cost of being caught. 2. Consider a broadcast system where we want to support low overhead broadcast encrypted communications, but will periodically allow for a more expensive key refresh operation. We refer to an adversary produced algorithm that maintains the ability to decrypt across key refreshes as a persistent decoder. We show how if we employ a risky traitor tracing systems in this setting, even for a small $f$, we can amplify the chances of catching such a ``persistent decoder\u27\u27 to be negligibly close to 1. 3. In certain resource constrained settings risky traitor tracing provides a best tracing effort where there are no other collusion-resistant alternatives. For instance, suppose we had to support 100K users over a radio link that had just 10KB of additional resources for extra ciphertext overhead. None of the existing $\sqrt N$ bilinear map systems can fit in these constraints. On the other hand a risky traitor tracing system provides a spectrum of tracing probability versus overhead tradeoffs and can be configured to at least give some deterrence in this setting. 4. Finally, we can capture impossibility results for differential privacy from $\frac{1}{n}$-risky traitor tracing. Since our ciphertexts are short ($O(\lambda)$), we get the negative result which matches what one would get plugging in the obfuscation based tracing system Boneh-Zhandry (CRYPTO 2014) solution into the prior impossibility result of Dwork et al. (STOC 2009)