74 research outputs found

    Grafting Trees: a Fault Attack against the SPHINCS framework

    Because they require no assumption besides the preimage or collision resistance of hash functions, hash-based signatures are a unique and very attractive class of post-quantum primitives. Among them, the schemes of the SPHINCS family are arguably the most practical stateless schemes, and can be implemented on embedded devices such as FPGAs or smart cards. This naturally raises the question of their resistance to implementation attacks. In this paper, we propose the first fault attack against the framework underlying SPHINCS, Gravity-SPHINCS and SPHINCS+. Our attack allows forging a signature on any message at the cost of a single faulted message. Furthermore, the fault model is very reasonable and the faulted signatures remain valid, which renders our attack both stealthy and practical. As the attack involves a non-negligible computational cost, we propose a fine-grained trade-off that lowers this cost by slightly increasing the number of faulted messages. Our attack is generic in the sense that it does not depend on the underlying hash function(s) used

    Supersingular isogeny graphs and endomorphism rings: reductions and solutions

    In this paper, we study several related computational problems for supersingular elliptic curves, their isogeny graphs, and their endomorphism rings. We prove reductions between the problem of path finding in the -isogeny graph, computing maximal orders isomorphic to the endomorphism ring of a supersingular elliptic curve, and computing the endomorphism ring itself. We also give constructive versions of Deuring's correspondence, which associates to a maximal order in a certain quaternion algebra an isomorphism class of supersingular elliptic curves. The reductions are based on heuristics regarding the distribution of norms of elements in quaternion algebras. We show that conjugacy classes of maximal orders have a representative of polynomial size, and we define a way to represent endomorphism ring generators that allows for efficient evaluation at points on the curve. We relate these problems to the security of the Charles-Goren-Lauter hash function. We provide a collision attack for special but natural parameters of the hash function and prove that for general parameters its preimage and collision resistance are also equivalent to the endomorphism ring computation problem.
    Published in: 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2018; Tel Aviv, Israel; 29 April 2018 through 3 May 2018. ISBN: 978-331978371-0. Volume editors: Nielsen J.B., Rijmen V. Publisher: Springer Verla

    High genetic differentiation and low connectivity in the coral Pocillopora damicornis type beta at different spatial scales in the Southwestern Indian Ocean and the Tropical Southwestern Pacific

    Studying genetic connectivity in marine populations aims to understand the dispersal of an organism through the seascape and thus its gene flow. Here, we focused on one lineage of the recently revised coral Pocillopora damicornis complex, P. damicornis type beta, corresponding to Primary Species Hypothesis PSH05 in Gelin et al. (Mol Ecol 19:430-446, 2017b): it had been hypothesized that P. damicornis type beta encompasses four distinct lineages, representing Secondary Species Hypotheses (SSH05a, SSH05b, SSH05c and SSH05d). The aim of the present study was to confirm this partition and to infer the genetic structuring and connectivity among 27 populations for this widespread and common scleractinian. For this, a total of 1418 colonies were hierarchically sampled from two marine provinces of the southern parts of its distribution range, which remain largely understudied: the Western Indian Ocean and the Tropical Southwestern Pacific. Using 13 microsatellite loci and assignment tests, our findings confirmed the partition into four SSHs, each SSH splitting into clusters, suggesting that P. damicornis type beta may represent a complex of cryptic species. Moreover, within each SSH, clonal propagation was evidenced in almost every population, but clonal dispersal was mostly restricted to the sampling site (except in Reunion Island and northern Madagascar, where clones were found in several populations approximately 50 km apart). Nevertheless, wherever the cursor of species level is placed (one or several species), populations were highly differentiated both within the Western Indian Ocean and the Tropical Southwestern Pacific, suggesting restricted gene flow at different spatial scales (marine province, ecoregions, islands/regions), leading to diverging lineages

    Shell evolution and the N=34 "magic number"

    Measurements of de-excitation gamma-rays in coincidence with target-like residues produced in deep inelastic transfer reactions of ^{238}U on a ^{48}Ca target at an energy near the Coulomb barrier are presented. A systematic analysis of the measured low-lying states in the odd and even neutron-rich Ca isotopes shows the absence of a predicted shell closure at N = 34 in neutron-rich calcium isotopes

    Reactions induced beyond the dripline at low energy by secondary beams

    Reactions induced on protons at low incident energy (3.5 MeV/n) were measured with an ^{8}He beam accelerated by Spiral at Ganil. The particles were detected in the active target Maya, filled with C_4H_{10} gas. The beam was stopped in the detector, so energies from the incident beam energy down to the detector threshold were covered. Proton elastic scattering, one-neutron pick-up (p, d) and (p, t) reactions were observed. In the (p, d) reaction very high cross-sections of the order of 1 barn were observed, which could be reproduced using a direct reaction formalism. This is the first time that this strong increase of transfer reaction cross-sections at very low energy, predicted for loosely bound systems, was observed. Spectroscopic factors are in agreement with a simple shell model configuration. No evidence for a low-lying excited state in ^{7}He was found

    Measurement of the GMR in the Unstable ^{56}Ni Nucleus using the Active Target Maya

    The measurement of the Isoscalar Giant Monopole Resonance (GMR) in unstable nuclei remains a major experimental challenge due to low radioactive beam intensities and unfavourable conditions in reverse kinematics. At GANIL, we have tested a new experimental method based on the unique capabilities of the active target Maya to probe the GMR by the inelastic scattering reaction ^{56}Ni(d,d') at 50 AMeV. The preliminary excitation energy spectrum of ^{56}Ni presents a bump between 12 and 25 MeV where isoscalar resonances are expecte

    Stronger and Faster Side-Channel Protections for CSIDH

    This work has been accepted at LATINCRYPT 2019.
    CSIDH is a recent quantum-resistant primitive based on the difficulty of finding isogeny paths between supersingular curves. Recently, two constant-time versions of CSIDH have been proposed: first by Meyer, Campos and Reith, and then by Onuki, Aikawa, Yamazaki and Takagi. While both offer protection against timing attacks and simple power consumption analysis, they are vulnerable to more powerful attacks such as fault injections. In this work, we identify and repair two oversights in these algorithms that compromised their constant-time character. By exploiting Edwards arithmetic and optimal addition chains, we produce the fastest constant-time version of CSIDH to date. We then consider the stronger attack scenario of fault injection, which is relevant for the security of CSIDH static keys in embedded hardware. We propose and evaluate a dummy-free CSIDH algorithm. While these CSIDH variants are slower, their performance is still within a small constant factor of less-protected variants. Finally, we discuss derandomized CSIDH algorithms