513 research outputs found

    An Efficient State Recovery Attack on X-FCSR-256

    We describe a state recovery attack on the X-FCSR-256 stream cipher of total complexity at most 2^{57.6}. This complexity is achievable by requiring 2^{49.3} output blocks with an amortized calculation effort of at most 2^{8.3} table lookups per output block using no more than 2^{33} table entries of precomputational storage.

    Numerical and experimental study of the redistribution of energetic and impurity ions by sawteeth in ASDEX Upgrade

    In the non-linear phase of a sawtooth, the complete reconnection of field lines around the q = 1 flux surface often occurs, resulting in a radial displacement of the plasma core. A complete time-dependent electromagnetic model of this type of reconnection has been developed and implemented in the EBdyna_go code. This contribution aims at studying the behaviour of ions, both impurity and fast particles, in the pattern of reconnecting field lines during sawtoothing plasma experiments in the ASDEX Upgrade tokamak by using the newly developed numerical framework. Simulations of full reconnection with tungsten impurity that include the centrifugal force are achieved and recover the soft x-ray measurements. Based on this full-reconnection description of the sawtooth, a simple tool dedicated to estimating the duration of the reconnection is introduced. This work then studies the redistribution of fast ions during several experimentally observed sawteeth. In some cases of sawteeth at ASDEX Upgrade, full reconnection is not observed or expected, so the code gives an upper estimate of the actual experimental redistribution. The results of detailed simulations of the crashes are compared with measurements from various diagnostics such as collective Thomson scattering and fast-ion D-alpha (FIDA) spectroscopy, including FIDA tomography. A convincing qualitative agreement is found in different parts of velocity space.

    Collective Thomson scattering measurements of fast-ion transport due to sawtooth crashes in ASDEX Upgrade

    Sawtooth instabilities can modify heating and current-drive profiles and potentially increase fast-ion losses. Understanding how sawteeth redistribute fast ions as a function of sawtooth parameters and of fast-ion energy and pitch is hence a subject of particular interest for future fusion devices. Here we present the first collective Thomson scattering (CTS) measurements of sawtooth-induced redistribution of fast ions at ASDEX Upgrade. These also represent the first localized fast-ion measurements on the high-field side of this device. The results indicate fast-ion losses in the phase-space measurement volume of about 50% across sawtooth crashes, in good agreement with values predicted with the Kadomtsev sawtooth model implemented in TRANSP and with the sawtooth model in the EBdyna_go code. In contrast to the case of sawteeth, we observe no fast-ion redistribution in the presence of fishbone modes. We highlight how CTS measurements can discriminate between different sawtooth models, in particular when aided by multi-diagnostic velocity-space tomography, and briefly discuss our results in light of existing measurements from other fast-ion diagnostics.

    Provably secure NTRU instances over prime cyclotomic rings

    Due to its remarkable performance and potential resistance to quantum attacks, NTRUEncrypt has drawn much attention recently; it has also been standardized by IEEE. However, classical NTRUEncrypt lacks a strong security guarantee and its security still relies on heuristic arguments. At Eurocrypt 2011, Stehlé and Steinfeld first proposed a variant of NTRUEncrypt with a security reduction from standard problems on ideal lattices. This variant is restricted to the family of rings ℤ[X]/(X^n + 1) with n a power of 2, and its private keys are sampled by rejection from a certain discrete Gaussian so that the public key is shown to be almost uniform. Despite the fact that partial operations, especially for RLWE, over ℤ[X]/(X^n + 1) are simple and efficient, these rings are quite scarce and different from the classical NTRU setting. In this work, we consider a variant of NTRUEncrypt over prime cyclotomic rings, i.e. ℤ[X]/(X^{n-1} + ⋯ + X + 1) with n an odd prime, and obtain IND-CPA secure results in the standard model assuming the hardness of worst-case problems on ideal lattices. In our setting, the choice of the rings is much more flexible and the scheme is closer to the original NTRU, as ℤ[X]/(X^{n-1} + ⋯ + X + 1) is a large subring of the NTRU ring ℤ[X]/(X^n − 1). Some tools for prime cyclotomic rings are also developed.

    On Finding Quantum Multi-collisions

    A k-collision for a compressing hash function H is a set of k distinct inputs that all map to the same output. In this work, we show that for any constant k, $\Theta\left(N^{\frac{1}{2}(1-\frac{1}{2^k-1})}\right)$ quantum queries are both necessary and sufficient to achieve a k-collision with constant probability. This improves on the best prior upper bound (Hosoyamada et al., ASIACRYPT 2017) and provides the first non-trivial lower bound, completely resolving the problem.

    (One) Failure Is Not an Option: Bootstrapping the Search for Failures in Lattice-Based Encryption Schemes

    Lattice-based encryption schemes are often subject to the possibility of decryption failures, in which valid encryptions are decrypted incorrectly. Such failures, in large numbers, leak information about the secret key, enabling an attack strategy alternative to pure lattice reduction. Extending the "failure boosting" technique of D'Anvers et al. in PKC 2019, we propose an approach that we call "directional failure boosting" that uses previously found "failing ciphertexts" to accelerate the search for new ones. We analyse in detail the case where the lattice is defined over polynomial ring modules quotiented by and demonstrate it on a simple Mod-LWE-based scheme parametrized à la Kyber768/Saber. We show that, using our technique, for a given secret key (single-target setting), the cost of searching for additional failing ciphertexts after one or more have already been found can be sped up dramatically. We thus demonstrate that, in this single-target model, these schemes should be designed so that it is hard to even obtain one decryption failure. Besides, in a wider security model where there are many target secret keys (multi-target setting), our attack greatly improves over the state of the art.