Design and Reliability Performance Evaluation of Network Coding Schemes for Lossy Wireless Networks

This thesis investigates lossy wireless networks, which are wireless communication networks consisting of lossy wireless links, where the packet transmission via a lossy wireless link is successful with a certain value of probability. In particular, this thesis analyses all-to-all broadcast in lossy wireless networks, where every node has a native packet to transmit to all other nodes in the network. A challenge of all-to-all broadcast in lossy wireless networks is the reliability, which is defined as the probability that every node in the network successfully obtains a copy of the native packets of all other nodes. In this thesis, two novel network coding schemes are proposed, which are the neighbour network coding scheme and the random neighbour network coding scheme. In the two proposed network coding schemes, a node may perform a bit-wise exclusive or (XOR) operation to combine the native packet of itself and the native packet of its neighbour, called the coding neighbour, into an XOR coded packet. The reliability of all-to-all broadcast under both the proposed network coding schemes is investigated analytically using Markov chains. It is shown that the reliability of all-to-all broadcast can be improved considerably by employing the proposed network coding schemes, compared with non-coded networks with the same link conditions, i.e. same probabilities of successful packet transmission via wireless channels. Further, the proposed schemes take the link conditions of each node into account to maximise the reliability of a given network. To be more precise, the first scheme proposes the optimal coding neighbour selection method while the second scheme introduces a tuning parameter to control the probability that a node performs network coding at each transmission. The observation that channel condition can have a significant impact on the performance of network coding schemes is expected to be applicable to other network coding schemes for lossy wireless networks

CSIDH on the surface

For primes p≡3mod4, we show that setting up CSIDH on the surface, i.e., using supersingular elliptic curves with endomorphism ring Z[(1+−p−−−√)/2], amounts to just a few sign switches in the underlying arithmetic. If p≡7mod8 then horizontal 2-isogenies can be used to help compute the class group action. The formulas we derive for these 2-isogenies are very efficient (they basically amount to a single exponentiation in Fp) and allow for a noticeable speed-up, e.g., our resulting CSURF-512 protocol runs about 5.68% faster than CSIDH-512. This improvement is completely orthogonal to all previous speed-ups, constant-time measures and construction of cryptographic primitives that have appeared in the literature so far. At the same time, moving to the surface gets rid of the redundant factor Z3 of the acting ideal-class group, which is present in the case of CSIDH and offers no extra security

Detecting brute-force attacks on cryptocurrency wallets

Blockchain is a distributed ledger, which is protected against malicious modifications by means of cryptographic tools, e.g. digital signatures and hash functions. One of the most prominent applications of blockchains is cryptocurrencies, such as Bitcoin. In this work, we consider a particular attack on wallets for collecting assets in a cryptocurrency network based on brute-force search attacks. Using Bitcoin as an example, we demonstrate that if the attack is implemented successfully, a legitimate user is able to prove that fact of this attack with a high probability. We also consider two options for modification of existing cryptocurrency protocols for dealing with this type of attacks. First, we discuss a modification that requires introducing changes in the Bitcoin protocol and allows diminishing the motivation to attack wallets. Second, an alternative option is the construction of special smart-contracts, which reward the users for providing evidence of the brute-force attack. The execution of this smart-contract can work as an automatic alarm that the employed cryptographic mechanisms, and (particularly) hash functions, have an evident vulnerability.Comment: 10 pages, 2 figures; published versio

Capabilities to support responsible research & innovation in European biotechnology

Emerging biotechnologies from fields such as synthetic biology and industrial biotechnology raise challenges for governance. In response, public funders have developed new approaches to govern these technologies before decisions are locked in and products emerge onto the market. Over a decade of experience with these nascent forms of governance, such as Responsible Re- search and Innovation (RRI), shows their value but also the limitations, particularly when im- plemented without consideration of day-to-day working conditions, sector specific distinctions and institutional structures shaping research in the biological sciences. Drawing on three workshops with members of the ERA CoBioTech funding programme, we show how a new approach, grounded in the idea of human capabilities, can help to integrate the skills, knowledge and institutional conditions needed to enact upstream governance in the design of future funding programmes. We identify the goals researchers associated with RRI in the life sciences, outline five sets of capabilities that enable researchers, managers and adminis- trators to practise responsible research and innovation, and unearth a corresponding set of re- sources that these capabilities depend upon. Funders that learn to design programmes to max- imise and expand the five capability sets are likely to enable more substantive forms of upstream governance than before

A Family of Lightweight Twisted Edwards Curves for the Internet of Things

We introduce a set of four twisted Edwards curves that satisfy common security requirements and allow for fast implementations of scalar multiplication on 8, 16, and 32-bit processors. Our curves are defined by an equation of the form -x^2 + y^2 = 1 + dx^2y^2 over a prime field Fp, where d is a small non-square modulo p. The underlying prime fields are based on "pseudo-Mersenne" primes given by p = 2^k - c and have in common that p is congruent to 5 modulo 8, k is a multiple of 32 minus 1, and c is at most eight bits long. Due to these common features, our primes facilitate a parameterized implementation of the low-level arithmetic so that one and the same arithmetic function is able to process operands of different length. Each of the twisted Edwards curves we introduce in this paper is birationally equivalent to a Montgomery curve of the form -(A+2)y^2 = x^3 + Ax^2 + x where 4/(A+2) is small. Even though this contrasts with the usual practice of choosing A such that (A+2)/4 is small, we show that the Montgomery form of our curves allows for an equally efficient implementation of point doubling as Curve25519. The four curves we put forward roughly match the common security levels of 80, 96, 112 and 128 bits. In addition, their Weierstraß representations are isomorphic to curves of the form y^2 = x^3 - 3x + b so as to facilitate inter-operability with TinyECC and other legacy software

A Constant Time Full Hardware Implementation of Streamlined NTRU Prime

This paper presents a constant time hardware implementation of the NIST round 2 post-quantum cryptographic algorithm Streamlined NTRU Prime. We implement the entire KEM algorithm, including all steps for key generation, encapsulation and decapsulation, and all en- and decoding. We focus on optimizing the resources used, as well as applying optimization and parallelism available due to the hardware design. We show the core en- and decapsulation requires only a fraction of the total FPGA fabric resource cost, which is dominated by that of the hash function, and the en- and decoding algorithm. For the NIST Security Level 3, our implementation uses a total of 1841 slices on a Xilinx Zynq Ultrascale+ FPGA, together with 14 BRAMs and 19 DSPs. The maximum achieved frequency is 271 MHz, at which the key generation, encapsulation and decapsulation take 4808 μs, 524 μs and 958 μs respectively. To our knowledge, this work is the first full hardware implementation where the entire algorithm is implemented

Efficient noninteractive certification of RSA moduli and beyond

In many applications, it is important to verify that an RSA public key (N; e) speci es a permutation over the entire space ZN, in order to prevent attacks due to adversarially-generated public keys. We design and implement a simple and e cient noninteractive zero-knowledge protocol (in the random oracle model) for this task. Applications concerned about adversarial key generation can just append our proof to the RSA public key without any other modi cations to existing code or cryptographic libraries. Users need only perform a one-time veri cation of the proof to ensure that raising to the power e is a permutation of the integers modulo N. For typical parameter settings, the proof consists of nine integers modulo N; generating the proof and verifying it both require about nine modular exponentiations. We extend our results beyond RSA keys and also provide e cient noninteractive zero- knowledge proofs for other properties of N, which can be used to certify that N is suitable for the Paillier cryptosystem, is a product of two primes, or is a Blum integer. As compared to the recent work of Auerbach and Poettering (PKC 2018), who provide two-message protocols for similar languages, our protocols are more e cient and do not require interaction, which enables a broader class of applications.https://eprint.iacr.org/2018/057First author draf

HardIDX: Practical and Secure Index with SGX

Software-based approaches for search over encrypted data are still either challenged by lack of proper, low-leakage encryption or slow performance. Existing hardware-based approaches do not scale well due to hardware limitations and software designs that are not specifically tailored to the hardware architecture, and are rarely well analyzed for their security (e.g., the impact of side channels). Additionally, existing hardware-based solutions often have a large code footprint in the trusted environment susceptible to software compromises. In this paper we present HardIDX: a hardware-based approach, leveraging Intel's SGX, for search over encrypted data. It implements only the security critical core, i.e., the search functionality, in the trusted environment and resorts to untrusted software for the remainder. HardIDX is deployable as a highly performant encrypted database index: it is logarithmic in the size of the index and searches are performed within a few milliseconds rather than seconds. We formally model and prove the security of our scheme showing that its leakage is equivalent to the best known searchable encryption schemes. Our implementation has a very small code and memory footprint yet still scales to virtually unlimited search index sizes, i.e., size is limited only by the general - non-secure - hardware resources

Assessing and countering reaction attacks against post-quantum public-key cryptosystems based on QC-LDPC codes

Code-based public-key cryptosystems based on QC-LDPC and QC-MDPC codes are promising post-quantum candidates to replace quantum vulnerable classical alternatives. However, a new type of attacks based on Bob's reactions have recently been introduced and appear to significantly reduce the length of the life of any keypair used in these systems. In this paper we estimate the complexity of all known reaction attacks against QC-LDPC and QC-MDPC code-based variants of the McEliece cryptosystem. We also show how the structure of the secret key and, in particular, the secret code rate affect the complexity of these attacks. It follows from our results that QC-LDPC code-based systems can indeed withstand reaction attacks, on condition that some specific decoding algorithms are used and the secret code has a sufficiently high rate.Comment: 21 pages, 2 figures, to be presented at CANS 201

CacheZoom: How SGX Amplifies The Power of Cache Attacks

In modern computing environments, hardware resources are commonly shared, and parallel computation is widely used. Parallel tasks can cause privacy and security problems if proper isolation is not enforced. Intel proposed SGX to create a trusted execution environment within the processor. SGX relies on the hardware, and claims runtime protection even if the OS and other software components are malicious. However, SGX disregards side-channel attacks. We introduce a powerful cache side-channel attack that provides system adversaries a high resolution channel. Our attack tool named CacheZoom is able to virtually track all memory accesses of SGX enclaves with high spatial and temporal precision. As proof of concept, we demonstrate AES key recovery attacks on commonly used implementations including those that were believed to be resistant in previous scenarios. Our results show that SGX cannot protect critical data sensitive computations, and efficient AES key recovery is possible in a practical environment. In contrast to previous works which require hundreds of measurements, this is the first cache side-channel attack on a real system that can recover AES keys with a minimal number of measurements. We can successfully recover AES keys from T-Table based implementations with as few as ten measurements.Comment: Accepted at Conference on Cryptographic Hardware and Embedded Systems (CHES '17