49 research outputs found

    Speeding up lattice sieve with Xeon Phi coprocessor

    A major substep in a lattice sieve algorithm, which solves the Euclidean shortest vector problem (SVP), is the computation of sums and Euclidean norms of many vector pairs. Finding a solution to the SVP is the foundation of attacks against many lattice-based cryptosystems. We optimize the main subfunction of a sieve for the regular main processor and for the coprocessor to speed up the algorithm in total. Furthermore, we show that the coprocessor can provide a significant performance improvement for highly parallel tasks in the lattice sieve. The four-fold speed-up achieved, compared to the CPU, indicates that coprocessors are a viable choice for implementing lattice sieve algorithms.

    Binding BIKE errors to a key pair

    The KEM BIKE is a Round-3 alternative finalist in the NIST Post-Quantum Cryptography project. It uses the $\mathrm{FO}^{\not\bot}$ transformation so that an instantiation with a decoder that has a DFR of $2^{-128}$ will make it IND-CCA secure. The current BIKE design does not bind the randomness of the ciphertexts (i.e., the error vectors) to a specific public key. We propose to change this design, although currently there is no attack that leverages this property. This modification can be considered if BIKE is eventually standardized.

    Improved key recovery on the Legendre PRF

    We give an algorithm for key recovery of the Legendre pseudorandom function that supersedes the best known algorithms so far. The expected number of operations is $O(\sqrt{p \log\log p})$ on a $\Theta(\log p)$-bit word machine, under reasonable heuristic assumptions, and requires only $\sqrt[4]{p \log^2 p \log\log p}$ oracle queries. If the number of queries $M$ is smaller, the expected number of operations is $\frac{p \log p \log\log p}{M^2}$. We further show that the algorithm works in many different generalisations: using a different character instead of the Legendre symbol, using the Jacobi symbol, or using a degree-$r$ polynomial in the Legendre symbol numerator. In the latter case we show how to use Möbius transforms to lower the complexity to $O(p^{\max\{r-3,\,r/2\}} r^2 \log p)$ Legendre symbol computations, and $O(p^{\max\{r-4,\,r/2\}} r^2 \log p)$ in the case of a reducible polynomial. We also give an $O(\sqrt[3]{p})$ quantum algorithm that does not require a quantum oracle, and comment on the action of the Möbius group in the linear PRF case. On the practical side we give implementation details of our algorithm. We give the solutions of the 64-, 74- and 84-bit prime challenges for key recovery with $M = 2^{20}$ queries posed by Ethereum, of which only the 64- and 74-bit challenges were solved earlier.

    On constant-time QC-MDPC decoding with negligible failure rate

    The QC-MDPC code-based KEM Bit Flipping Key Encapsulation (BIKE) is one of the Round-2 candidates of the NIST PQC standardization project. It has a variant that is proved to be IND-CCA secure. The proof models the KEM with some black-box (ideal) primitives. Specifically, the decapsulation invokes an ideal primitive called the decoder, required to deliver its output with a negligible Decoding Failure Rate (DFR). The concrete instantiation of BIKE substitutes this ideal primitive with a new decoding algorithm called Backflip, which is shown to have the required negligible DFR. However, it runs in a variable number of steps, and this number depends on the input and on the key. This paper proposes a decoder that has a negligible DFR and also runs in a fixed (and small) number of steps. We propose that the instantiation of BIKE uses this decoder with our recommended parameters. We study the decoder's DFR as a function of the scheme's parameters to obtain a favorable balance between the communication bandwidth and the number of steps that the decoder runs. In addition, we build a constant-time software implementation of the proposed instantiation, and show that its performance characteristics are quite close to the IND-CPA variant. Finally, we discuss a subtle gap that needs to be resolved for every IND-CCA secure KEM (BIKE included) where the decapsulation has nonzero failure probability: the difference between the average DFR and the worst-case failure probability per key and ciphertext.

    Modern approaches to water quality monitoring in aquaculture

    Measuring physical, chemical and biological parameters is important for monitoring the state of water quality, and is therefore also very important in aquaculture. In recent years, high-frequency water quality measurements have also been carried out successfully in Serbia using a multiparameter probe, which is simple to operate yet complex in terms of the parameters it can measure at the same moment. The need for water quality control grows with increasing fish-farm production. From extensive, through semi-intensive, to intensive and super-intensive fish farming, the water quality control process becomes more complex: from occasional quality checks (monthly, in extensive production), through daily and hourly checks, and finally to continuous monitoring of water quality (super-intensive). Monitoring quality with sensors and a probe is possible in all the listed types of fish farms, but the application of such a method is certainly most needed in super-intensive fish-farm production.

    On the Applicability of the Fujisaki-Okamoto Transformation to the BIKE KEM

    The QC-MDPC code-based KEM BIKE is one of the Round-2 candidates of the NIST PQC standardization project. Its specification document describes a version that is claimed to have IND-CCA security. The security proof uses the Fujisaki-Okamoto transformation and a decoder that targeted a Decoding Failure Rate (DFR) of $2^{-128}$ (for Level-1 security). However, there are several aspects that need to be amended in order for the IND-CCA proof to hold. The main issue is that using a decoder with a DFR of $2^{-128}$ does not necessarily imply that the underlying PKE is $\delta$-correct with $\delta = 2^{-128}$, as required. In this paper, we handle the necessary aspects in the definitions of the KEM to ensure the security claim is correct. In particular, we close the gap in the proof by defining the notion of a message-agnostic PKE, for which decryption failures are independent of the encrypted message. We show that all the PKEs underlying the BIKE versions are message-agnostic. This implies that BIKE with a decoder that has a sufficiently low DFR is also an IND-CCA KEM.

    Design of Proportional-Resonant Control for Current Harmonic Compliance in Electric Railway Power Systems

    This paper presents the process of designing a proportional-resonant controller for a four-quadrant rectifier in an electric railway traction system. In the context of ever-stricter power quality and electromagnetic compatibility standards in electric railway power systems, developers of electric locomotives need to adopt new ways to comply. This paper develops the process of designing a four-quadrant rectifier proportional-resonant control for the mitigation of low-frequency current harmonic distortion, a novel method in the field of railway EMC. The control parameters are determined through analytical modeling of the rectifier using transfer functions. For the purpose of studying the harmonic distortion mitigation effects, only the current control loop was modeled and designed. The modeling starts with simplification of the model via large-signal modeling of the power converter. The parameters of the circuit were then used to develop the transfer functions and to select the appropriate parameter values of the current loop plant. The control loop and parameters were evaluated on a test locomotive to validate the control, with results confirming the improved impact on electromagnetic compatibility and conformity to regulation.

    Role of recombinant factor VIIa in the treatment of intractable bleeding in vascular surgery

    Background: Recent publications have shown that the recombinant form of activated factor VII (rFVIIa; NovoSeven, Novo Nordisk A/S, Bagsværd, Denmark) induces excellent hemostasis in patients with severe intractable bleeding caused by trauma and major surgery. The purpose of this study was to determine the influence of rFVIIa on the treatment of intractable perioperative bleeding in vascular surgery when conventional hemostatic measures are inadequate. Materials and Methods: There were two groups of patients: the NovoSeven group (group N), 10 patients with ruptured abdominal aortic aneurysms (RAAAs) and 14 patients operated on due to thoracoabdominal aortic aneurysms (TAAAs); and the control group (group C), 14 patients with RAAAs and 17 patients with TAAAs. All patients suffered intractable hemorrhage refractory to conventional hemostatic measures, while patients from group N were additionally treated with rFVIIa. Results: Postoperative blood loss was significantly lower in group N treated with rFVIIa (P < .0001). Postoperative administration of packed red blood cells, fresh frozen plasma, and platelets was lower in patients from group N (P < .0001). Successful hemorrhage arrest was reported in 21 patients (87.5%) treated with rFVIIa, and in 9 patients (29.03%) in group C (P < .001). Thirty-day mortality in these two groups differed significantly. The mortality rate was 12.5% (3 patients) in group N and 80.65% (25 patients) in group C (P < .0001). Conclusion: Our findings suggest that rFVIIa may play a role in controlling intractable perioperative and postoperative bleeding in surgical patients undergoing repair of RAAAs and TAAAs. Certainly, prospective randomized trials are necessary to further confirm the efficacy and cost-effectiveness of rFVIIa in these patients.