54 research outputs found

    Analysis of Bernstein's factorization circuit

    D.J. Bernstein has proposed a circuit-based implementation of the matrix step of the number field sieve factorization algorithm (see "Circuits for integer factorization: a proposal", http://cr.yp.to/papers.html#nfscircuit, 2001). These circuits offer an asymptotic cost reduction under the measure "construction cost × run time". We evaluate the cost of these circuits, in agreement with Bernstein, but argue that, compared to previously known methods, these circuits can factor integers that are 1.17 times larger, rather than 3.01 as claimed (and even this is only under the non-standard cost measure). We also propose an improved circuit design based on a new mesh routing algorithm, and show that, for factorization of 1024-bit integers, the matrix step can, under an optimistic assumption about the matrix size, be completed within a day by a device that costs a few thousand dollars. We conclude that from a practical standpoint, the security of RSA relies exclusively on the hardness of the relation collection step of the number field siev

    Cache-Attacks on the ARM TrustZone implementations of AES-256 and AES-256-GCM via GPU-based analysis

    The ARM TrustZone is a security extension which is used in recent Samsung flagship smartphones to create a Trusted Execution Environment (TEE) called a Secure World, which runs secure processes (Trustlets). The Samsung TEE includes cryptographic key storage and functions inside the Keymaster trustlet. The secret key used by the Keymaster trustlet is derived by a hardware device and is inaccessible to the Android OS. However, the ARM32 AES implementation used by the Keymaster is vulnerable to side channel cache-attacks. The Keymaster trustlet uses AES-256 in GCM mode, which makes mounting a cache attack against this target much harder. In this paper we show that it is possible to perform a successful cache attack against this AES implementation, in AES-256/GCM mode, using widely available hardware. Using a laptop's GPU to parallelize the analysis, we are able to extract a raw AES-256 key with 7 minutes of measurements and under a minute of analysis time and an AES-256/GCM key with 40 minutes of measurements and 30 minutes of analysis

    Plumo: An Ultralight Blockchain Client

    Syncing the latest state of a blockchain can be a resource-intensive task, driving (especially mobile) end users towards centralized services offering instant access. To expand full decentralized access to anyone with a mobile phone, we introduce a consensus-agnostic compiler for constructing ultralight clients, providing secure and highly efficient blockchain syncing via a sequence of SNARK-based state transition proofs, and prove its security formally. Instantiating this, we present Plumo, an ultralight client for the Celo blockchain capable of syncing the latest network state summary in just a few seconds even on a low-end mobile phone. In Plumo, each transition proof covers four months of blockchain history and can be produced for just $25 USD of compute. Plumo achieves this level of efficiency thanks to two new SNARK-friendly constructions, which may also be of independent interest: a new BLS-based offline aggregate multisignature scheme in which signers do not have to know the members of their multisignature group in advance, and a new composite algebraic-symmetric cryptographic hash function

    Factoring estimates for a 1024-bit RSA modulus

    We estimate the yield of the number field sieve factoring algorithm when applied to the 1024-bit composite integer RSA-1024 and the parameters as proposed in the draft version [17] of the TWIRL hardware factoring device [18]. We present the details behind the resulting improved parameter choices from [18]

    Chromosomal instability by mutations in the novel minor spliceosome component CENATAC

    Aneuploidy is the leading cause of miscarriage and congenital birth defects, and a hallmark of cancer. Despite this strong association with human disease, the genetic causes of aneuploidy remain largely unknown. Through exome sequencing of patients with constitutional mosaic aneuploidy, we identified biallelic truncating mutations in CENATAC (CCDC84). We show that CENATAC is a novel component of the minor (U12-dependent) spliceosome that promotes splicing of a specific, rare minor intron subtype. This subtype is characterized by AT-AN splice sites and relatively high basal levels of intron retention. CENATAC depletion or expression of disease mutants resulted in excessive retention of AT-AN minor introns in ~100 genes enriched for nucleocytoplasmic transport and cell cycle regulators, and caused chromosome segregation errors. Our findings reveal selectivity in minor intron splicing and suggest a link between minor spliceosome defects and constitutional aneuploidy in humans.

    Molecular characterization of the conoid complex in Toxoplasma reveals its conservation in all apicomplexans, including Plasmodium species

    The apical complex is the instrument of invasion used by apicomplexan parasites, and the conoid is a conspicuous feature of this apparatus found throughout this phylum. The conoid, however, is believed to be heavily reduced or missing from Plasmodium species and other members of the class Aconoidasida. Relatively few conoid proteins have previously been identified, making it difficult to address how conserved this feature is throughout the phylum, and whether it is genuinely missing from some major groups. Moreover, parasites such as Plasmodium species cycle through 3 invasive forms, and there is the possibility of differential presence of the conoid between these stages. We have applied spatial proteomics and high-resolution microscopy to develop a more complete molecular inventory and understanding of the organisation of conoid-associated proteins in the model apicomplexan Toxoplasma gondii. These data revealed molecular conservation of all conoid substructures throughout Apicomplexa, including Plasmodium, and even in allied Myzozoa such as Chromera and dinoflagellates. We reporter-tagged and observed the expression and location of several conoid complex proteins in the malaria model P. berghei and revealed equivalent structures in all of its zoite forms, as well as evidence of molecular differentiation between blood-stage merozoites and the ookinetes and sporozoites of the mosquito vector. Collectively, we show that the conoid is a conserved apicomplexan element at the heart of the invasion mechanisms of these highly successful and often devastating parasites

    Signatures of a globally optimal searching strategy in the three-dimensional foraging flights of bumblebees

    Simulated annealing is a powerful stochastic search algorithm for locating a global maximum that is hidden among many poorer local maxima in a search space. It is frequently implemented in computers working on complex optimization problems but until now has not been directly observed in nature as a searching strategy adopted by foraging animals. We analysed high-speed video recordings of the three-dimensional searching flights of bumblebees (Bombus terrestris) made in the presence of large or small artificial flowers within a 0.5 m³ enclosed arena. Analyses of the three-dimensional flight patterns in both conditions reveal signatures of simulated annealing searches. After leaving a flower, bees tend to scan back and forth past that flower before making prospecting flights (loops), whose length increases over time. The search pattern becomes gradually more expansive and culminates when another rewarding flower is found. Bees then scan back and forth in the vicinity of the newly discovered flower and the process repeats. This looping search pattern, in which flight step lengths are typically power-law distributed, provides a relatively simple yet highly efficient strategy for pollinators such as bees to find best quality resources in complex environments made of multiple ephemeral feeding sites with nutritionally variable rewards

    Drive-by Key-Extraction Cache Attacks from Portable Code

    We show how malicious web content can extract cryptographic secret keys from the user's computer. The attack uses portable scripting languages supported by modern browsers to induce contention for CPU cache resources, and thereby gleans information about the memory accesses of other programs running on the user's computer. We show how this side-channel attack can be realized in both WebAssembly and PNaCl; how to attain very fine-grained measurements; and how to use these to extract ElGamal, ECDH and RSA decryption keys from various cryptographic libraries. The attack does not rely on bugs in the browser's nominal sandboxing mechanisms, or on fooling users. It applies even to locked-down platforms with strong confinement mechanisms and browser-only functionality, such as Chromebook devices. Moreover, on browser-based platforms the attacked software too may be written in portable JavaScript; and we show that in this case even implementations of supposedly-secure constant-time algorithms, such as Curve25519's, are vulnerable to our attack