27 research outputs found

    YASIR: A Low-Latency, High-Integrity Security Retrofit for Legacy SCADA Systems (Extended Version)

    We construct a bump-in-the-wire (BITW) solution that retrofits security into time-critical communications over bandwidth-limited serial links between devices in legacy Supervisory Control And Data Acquisition (SCADA) systems, on which the proper operations of critical infrastructures such as the electric power grid rely. Previous BITW solutions do not provide the necessary security within timing constraints; the previous solution that does is not BITW. At a hardware cost comparable to existing solutions, our BITW solution provides sufficient security, and yet incurs minimal end-to-end communication latency.

    A Long Tweak Goes a Long Way: High Multi-user Security Authenticated Encryption from Tweakable Block Ciphers

    We analyze the multi-user (mu) security of a family of nonce-based authenticated encryption (nAE) schemes based on a tweakable block cipher (TBC). The starting point of our work is an analysis of the mu security of the SCT-II mode which underlies the nAE scheme Deoxys-II, winner of the CAESAR competition for the defense-in-depth category. We extend this analysis in two directions, as we detail now. First, we investigate the mu security of several TBC-based variants of the counter encryption mode (including CTRT, the encryption mode used within SCT-II) that differ by the way a nonce, a random value, and a counter are combined as tweak and plaintext inputs to the TBC to produce the keystream blocks that will mask the plaintext blocks. Then, we consider the authentication part of SCT-II and study the mu security of the nonce-based MAC Nonce-as-Tweak (NaT) built from a TBC and an almost universal (AU) hash function. We also observe that the standard construction of an AU hash function from a (T)BC can be proven secure under the assumption that the underlying TBC is unpredictable rather than pseudorandom, allowing much better conjectures on the concrete AU advantage. This allows us to derive the mu security of the family of nAE modes obtained by combining these encryption/MAC building blocks through the NSIV composition method. Some of these modes require an underlying TBC with a larger tweak length than what is usually available for existing ones. We then show the practicality of our modes by instantiating them with two new TBC constructions, Deoxys-TBC-512 and Deoxys-TBC-640, which can be seen as natural extensions of the Deoxys-TBC family to larger tweak input sizes. Designing such TBCs with unusually large tweaks is prone to pitfalls: indeed, we show that a large-tweak proposal for SKINNY published at EUROCRYPT 2020 presents an inherent construction flaw. We therefore provide a sound design strategy to construct large-tweak TBCs within the Superposition Tweakey (STK) framework, leading to new Deoxys-TBC and SKINNY variants. We provide software benchmarks indicating that while ensuring a very high security level, the performances of our proposals remain very competitive.

    All-or-Nothing Transforms as a Countermeasure to Differential Side-Channel Analysis

    All-or-Nothing Encryption was introduced by Rivest as a countermeasure to brute force key search attacks. This work identifies a new application for All-or-Nothing Transforms, as a protocol-level countermeasure to Differential Side-Channel Analysis (DSCA). We describe an extension to the All-or-Nothing protocol that strengthens the DSCA resistance of the cryptosystem. The resultant scheme is a practical alternative to Boolean and arithmetic masking, used to protect implementations of encryption and decryption operations on electronic devices.

    Multi-dimensional Packing for HEAAN for Approximate Matrix Arithmetics

    HEAAN is a homomorphic encryption (HE) scheme for approximate arithmetics. Its vector packing technique proved its potential in cryptographic applications requiring approximate computations, including data analysis and machine learning. In this paper, we propose MHEAAN - a generalization of HEAAN to the case of a tensor structure of plaintext slots. Our design takes advantage of the HEAAN scheme, in which the precision losses during the evaluation are limited by the depth of the circuit and exceed no more than one bit compared to unencrypted approximate arithmetics, such as floating point operations. Due to the multi-dimensional structure of plaintext slots along with rotations in various dimensions, MHEAAN is a more natural choice for applications involving matrices and tensors. We provide a concrete two-dimensional construction and show the efficiency of our scheme on several matrix operations, such as matrix multiplication, matrix transposition, and inverse. As an application, we implement the non-interactive Deep Neural Network (DNN) classification algorithm on encrypted data and encrypted model. Due to our efficient bootstrapping, the implementation can be easily extended to DNN structures with an arbitrary number of hidden layers.

    ZMAC+ – An Efficient Variable-output-length Variant of ZMAC

    There is an ongoing trend in the symmetric-key cryptographic community to construct highly secure modes and message authentication codes based on tweakable block ciphers (TBCs). Recent constructions, such as Cogliati et al.'s HaT or Iwata et al.'s ZMAC, employ both the n-bit plaintext and the t-bit tweak simultaneously for higher performance. This work revisits ZMAC, and proposes a simpler alternative finalization based on HaT. As a result, we propose HtTBC, and call its instantiation with ZHash as a hash function ZMAC+. Compared to HaT, ZMAC+ (1) requires only a single key and a single primitive. Compared to ZMAC, our construction (2) allows variable, per-query parametrizable output lengths. Moreover, ZMAC+ (3) avoids the complex finalization of ZMAC and (4) improves the security bound from O(σ^2 / 2^(n+min(n,t))) to O(q / 2^n + q(q + σ) / 2^(n+min(n,t))) while retaining a practical tweak space.

    Hardware-Supported Cryptographic Protection of Random Access Memory

    Confidential Computing is the protection of data in use from access or modification by any unauthorized agent, including privileged software. For example, in Intel SGX (Client and Scalable versions) and TDX, AMD SEV, Arm CCA, and IBM Ultravisor this protection is implemented via access control policies. Some of these architectures also include memory protection schemes relying on cryptography, to protect against physical attacks. We review and classify such schemes, from academia and industry, according to protection levels corresponding to adversaries with varying capabilities, budget, and strategy. The building blocks of all memory protection schemes are encryption and integrity primitives and modes of operation, as well as anti-replay structures. We review these building blocks, consider their possible combinations, and evaluate the performance impact of the resulting schemes. We present a framework for performance evaluation in a simulated system. To understand the best and worst case overhead, systems with varying load levels are considered. We propose new solutions to further reduce the performance and memory overheads of such technologies. Advanced counter compression techniques make it viable to store counters used for replay protection in a physically protected memory. By additionally repurposing some ECC bits to store integrity tags, we can provide the highest levels of confidentiality, integrity, and replay protection at a hitherto unattained performance penalty, namely 3.32%, even under extreme load and at costs that make them reasonable in data centers. Combinations of technologies that are suitable for client devices are also discussed.

    Forking Sums of Permutations for Optimally Secure and Highly Efficient PRFs

    The desirable encryption scheme possesses high PRF security, high efficiency, and the ability to produce variable-length outputs. Since designing dedicated secure PRFs is difficult, a series of works was devoted to building optimally secure PRFs from the sum of independent permutations (SoP), Encrypted Davies-Meyer (EDM), its Dual (EDMD), and the Summation-Truncation Hybrid (STH) for variable output lengths, which can be easily instantiated from existing permutations. For increased efficiency, reducing the number of operations in established primitives has been gaining traction: Mennink and Neves pruned EDMD to FastPRF, and Andreeva et al. introduced ForkCiphers, which take an n-bit input, process it through a reduced-round permutation, fork it into two states, and feed each of them into another reduced-round permutation to produce a 2n-bit output. The constructions above can be used in secure variable-length modes or generalizations such as MultiForkCiphers. In this paper, we suggest a framework of those constructions in terms of the three desiderata: we span the spectrum of (1) output length vs. PRF security, (2) full vs. round-reduced primitives, and (3) fixed- vs. variable-length outputs. From this point of view, we identify remaining gaps in the spectrum and fill them with the proposal of several highly secure and efficient fixed- and variable-output-length PRFs. We fork SoP and STH to ForkPRF and ForkSTH, extend STH to the variable-output-length construction STHCENC, which bridges the gap between CTR mode and CENC, and propose ForkCENC, ForkSTHCENC, ForkEDMD, as well as ForkEDM-CTR as the variable-output-length and round-reduced versions of CENC, STH, FastPRF, and FastPRF's dual, respectively. Using recent results on Patarin's general Mirror Theory, we have proven that almost all our proposed PRFs are optimally secure under the assumption that the permutations are pairwise independent and random, and that STH achieves the optimal security depending on the output length. Our constructions can be highly efficient in practice. We propose efficient instantiations from round-reduced AES and back them with the cryptanalysis lessons learned from existing earlier analysis of AES-based primitives.

    Prospectus, May 6, 1992


    FIRST LINE AVELUMAB IN PD-L1+VE METASTATIC OR LOCALLY ADVANCED UROTHELIAL CANCER (AUC) PATIENTS UNFIT FOR CISPLATIN (CIS): THE ARIES TRIAL

    Background: Avelumab (ave) was approved as maintenance therapy after platinum-based first line (1L) therapy for patients (pts) with aUC based on the ph. 3 Javelin Bladder 100 study (NCT02603432), showing significant overall survival (OS) improvement. Here we tested the activity of ave as 1L therapy in pts with aUC and PD-L1+ve expression. Methods: ARIES is a single-arm, multi-site, open-label phase II trial. Enrolled pts had aUC, were cis-unfit (at least one of: ECOG-PS=2, CrCl <60 mL/min, grade ⩾2 peripheral neuropathy/hearing loss, progression within 6 mos before the end of neo/adj chemo), had not previously received chemo for aUC, and had PD-L1 ⩾5% (SP263) centrally assessed. Pts received ave 10 mg/kg IV Q2W until progression, unacceptable toxicity or withdrawal, whichever occurred first. The primary endpoint was the 1-year OS. Key secondary endpoints were median OS, median PFS, ORR, DOR and safety. The outcome based on PD-L1 expression >10 has also been investigated. Results: A total of 198 eligible cis-unfit pts have been tested for PD-L1 and 71 (35.6%) have been found positive. Among enrolled patients (N=71), median age was 75 y, 35 (49.3%) had visceral disease, and 22 (31.0%) had ECOG-PS=2; 50 (70.4%) had CrCl <60 mL/min and 9 (12.7%) progressed within 6 mos from the end of neo/adj chemo. At the data cut-off (Feb 2, 2022), median follow up was 10.0 mos and 14 patients were still on treatment. The median OS was 10.0 mos (95% CI, 5.5-14.5), and 43.0% of patients were alive at 1 year. The ORR for all patients was 24.0%; complete response, 8.5% (n=6); partial response, 15.5% (n=11). Clinical benefit was 43.6% (n=31). Median PFS was 2.0 mos (95% CI, 1.7-2.3). Among the 17 pts who had tumour response, 13 had DOR > 1 y and 5 > 2 y. A total of 67 patients have been evaluated for CPS and among these 56 (83.6%) have been classified as high expression. The median OS was 11.0 mos (95% CI, 0.1-22.9) for those with high CPS and 7.0 mos (95% CI, 2.8-11.2) for low CPS (p=0.13). The median PFS was 2.0 mos for both high and low CPS (p=0.34). Five (7.0%) grade 3 ave-related adverse events, and no treatment-related deaths, were reported. Conclusions: Ave is active and safe in pts with cis-unfit, PD-L1+ve aUC and poor baseline characteristics.

    Synthesis of carbon nitride thin film by magnetron sputtering technique: its structural characterization and application

    The purpose of this investigation was to establish a technique to deposit crystalline carbon nitride material and study its structural properties with a view to its use as a hard coating. For the first time, carbon nitride thin films have been deposited, using a Penning-type opposed-target DC reactive sputtering source, that contain large continuous nanocrystalline areas (> 10 µm^2) of crystallography consistent with the β-C3N4 structure. In addition, the creation of these β-C3N4 regions has been achieved with low substrate temperatures (<270°C) and high deposition rates (2.5-3 µm hr^-1). The IR absorption due to carbon-nitrogen bonding was observed to be independent of actual nitrogen content above ~25 at.% N. It has been shown that over the range of 25-44% N/(N+C) there is no systematic variation of absorption coefficient. It was predicted and shown that in films with >25 at.% nitrogen content, the nitrogen is mostly bonded to carbon either as C=N or C≡N bonds, with a significant amount of nitrogen bonded with itself in IR-invisible structures. It was also seen that the C=N bond (absorbance at 2200 cm^-1) concentration, which controls the hardness of the film, can be eliminated at 600°C. The physical explanation of the weakness of the polymeric CN network is probably the formation of this C=N bonding, which terminates the carbon backbone leading to less tightly bound C atoms. This feature was indicated by AES in the C KLL Auger spectrum and defined as a defect-related π state in the structure. It was also seen that nitrogen incorporation in the film not only increases the nitrogen-nitrogen bonding but also stabilizes the C-C sp3 type bonding. The breaking of C-C sp3 bonds results from the input thermal energy as annealing progresses and leads to graphitisation of the film. It is also seen that between the Raman D and G peaks there exists a third peak at ~1455 cm^-1, designated the "N" peak, which has been assigned to the N=N stretching vibration. As nitrogen incorporation in the film increases, the N=N, C=N and C-C bonding intensities increase. The presence of different bonding structures in the CN network was also determined by XPS. The core level XPS peaks were assigned to different types of bond by correlating their behaviour as annealing takes place at different temperatures with changes in the bond structure as detected by vibrational spectroscopy. The valence band XPS spectra show the interlinked carbon backbone nature of the carbon nitride solid and thus identify the structural nature of this solid, which is significantly different from diamond-like and graphitic features. It was seen that the hardness decreases as the C≡N bond concentration increases in the film. The intrinsic film stress was found to be lower for the nitrogenated films than for the pure carbon films. Unlike the film hardness, it was found to be independent of the nitrogen content for films with >25 at.% N. It was also found to be independent of the film thickness, indicating that the stress was introduced at the film-substrate interface during the initial growth process rather than in the bulk of the film. This is the first time that structural modification of carbon nitride solid with negative bias was observed by valence band XPS spectra. Valence band XPS spectra show a significant change in structure, i.e., sp2 to sp3, in carbon nitride solid when the substrate negative bias was increased from -75 to -150 V. Carbon nitride in thin film form is a good candidate for hard coating, but it has poor adhesion on tool steel due to diffusion of nitrogen or carbon atoms into the substrate at the deposition temperature (typically ~325°C). Carbon nitride thin film has been deposited successfully for the first time directly on tool steel. Case-hardened surfaces act as a diffusion barrier for nitrogen or carbon atoms from the film. The adhesion properties of the film were considerably improved on the nitrided samples compared to untreated substrates, on which the films do not adhere. The technique discussed here opens a new era in the production of crystalline carbon nitride solids. Successful fabrication of this C-N solid opens a new possibility in the field of super hard materials.