On the Complexity of Computing Two Nonlinearity Measures

We study the computational complexity of two Boolean nonlinearity measures: the nonlinearity and the multiplicative complexity. We show that if one-way functions exist, no algorithm can compute the multiplicative complexity in time $2^{O(n)}$ given the truth table of length $2^n$, in fact under the same assumption it is impossible to approximate the multiplicative complexity within a factor of $(2-\epsilon)^{n/2}$. When given a circuit, the problem of determining the multiplicative complexity is in the second level of the polynomial hierarchy. For nonlinearity, we show that it is #P hard to compute given a function represented by a circuit

Online Multi-Coloring with Advice

We consider the problem of online graph multi-coloring with advice. Multi-coloring is often used to model frequency allocation in cellular networks. We give several nearly tight upper and lower bounds for the most standard topologies of cellular networks, paths and hexagonal graphs. For the path, negative results trivially carry over to bipartite graphs, and our positive results are also valid for bipartite graphs. The advice given represents information that is likely to be available, studying for instance the data from earlier similar periods of time.Comment: IMADA-preprint-c

Implementing Grover Oracles for Quantum Key Search on AES and LowMC

Grover's search algorithm gives a quantum attack against block ciphers by searching for a key that matches a small number of plaintext-ciphertext pairs. This attack uses $O(\sqrt{N})$ calls to the cipher to search a key space of size $N$. Previous work in the specific case of AES derived the full gate cost by analyzing quantum circuits for the cipher, but focused on minimizing the number of qubits. In contrast, we study the cost of quantum key search attacks under a depth restriction and introduce techniques that reduce the oracle depth, even if it requires more qubits. As cases in point, we design quantum circuits for the block ciphers AES and LowMC. Our circuits give a lower overall attack cost in both the gate count and depth-times-width cost models. In NIST's post-quantum cryptography standardization process, security categories are defined based on the concrete cost of quantum key search against AES. We present new, lower cost estimates for each category, so our work has immediate implications for the security assessment of post-quantum cryptography. As part of this work, we release Q# implementations of the full Grover oracle for AES-128, -192, -256 and for the three LowMC instantiations used in Picnic, including unit tests and code to reproduce our quantum resource estimates. To the best of our knowledge, these are the first two such full implementations and automatic resource estimations.Comment: 36 pages, 8 figures, 14 table

Spectral Karyotyping for identification of constitutional chromosomal abnormalities at a national reference laboratory

Spectral karyotyping is a diagnostic tool that allows visualization of chromosomes in different colors using the FISH technology and a spectral imaging system. To assess the value of spectral karyotyping analysis for identifying constitutional supernumerary marker chromosomes or derivative chromosomes at a national reference laboratory, we reviewed the results of 179 consecutive clinical samples (31 prenatal and 148 postnatal) submitted for spectral karyotyping. Over 90% of the cases were requested to identify either small supernumerary marker chromosomes (sSMCs) or chromosomal exchange material detected by G-banded chromosome analysis. We also reviewed clinical indications of those cases with marker chromosomes in which chromosomal origin was identified by spectral karyotyping. Our results showed that spectral karyotyping identified the chromosomal origin of marker chromosomes or the source of derivative chromosomal material in 158 (88%) of the 179 clinical cases; the identification rate was slightly higher for postnatal (89%) compared to prenatal (84%) cases. Cases in which the origin could not be identified had either a small marker chromosome present at a very low level of mosaicism (< 10%), or contained very little euchromatic material. Supplemental FISH analysis confirmed the spectral karyotyping results in all 158 cases. Clinical indications for prenatal cases were mainly for marker identification after amniocentesis. For postnatal cases, the primary indications were developmental delay and multiple congenital anomalies (MCA). The most frequently encountered markers were of chromosome 15 origin for satellited chromosomes, and chromosomes 2 and 16 for non-satellited chromosomes. We were able to obtain pertinent clinical information for 47% (41/88) of cases with an identified abnormal chromosome. We conclude that spectral karyotyping is sufficiently reliable for use and provides a valuable diagnostic tool for establishing the origin of supernumerary marker chromosomes or derivative chromosomal material that cannot be identified with standard cytogenetic techniques

Reducing the Multiplicative Complexity in Logic Networks for Cryptography and Security Applications

Reducing the number of AND gates plays a central role in many cryptography and security applications. We propose a logic synthesis algorithm and tool to minimize the number of AND gates in a logic network composed of AND, XOR, and inverter gates. Our approach is fully automatic and exploits cut enumeration algorithms to explore optimization potentials in local subcircuits. The experimental results show that our approach can reduce the number of AND gates by 34% on average compared to generic size optimization algorithms. Further, we are able to reduce the number of AND gates up to 76% in best-known benchmarks from the cryptography community

LNCS

We extend a commitment scheme based on the learning with errors over rings (RLWE) problem, and present efficient companion zeroknowledge proofs of knowledge. Our scheme maps elements from the ring (or equivalently, n elements fro

The Security of the FDH Variant of Chaum’s Undeniable Signature Scheme

In this paper, a new kind of adversarial goal called forge-and-impersonate in undeniable signature schemes is introduced. Note that forgeability does not necessarily imply impersonation ability. The security of the full-domain hash (FDH) variant of Chaum's undeniable signature scheme is then classified according to three dimensions, the goal of adversaries, the attacks, and the zero-knowledg (ZK) level of confirmation and disavowal protocols. Each security is then related to some well-known computational problem. In particular, the security of the FDH variant of Chaum's scheme with noninteractive zero-knowledge (NIZK) protocol confirmation and disavowal protocols is proven to be equivalent to the computational Diffie-Hellman (CDH) problem, as opposed to the gap Diffie-Hellman (GDH) problem as claimed by Okamoto and Pointcheval

Tight Private Circuits: Achieving Probing Security with the Least Refreshing

Masking is a common countermeasure to secure implementations against side-channel attacks. In 2003, Ishai, Sahai, and Wagner introduced a formal security model, named t-probing model, which is now widely used to theoretically reason on the security of masked implementations. While many works have provided security proofs for small masked components, called gadgets, within this model, no formal method allowed to securely compose gadgets with a tight number of shares (namely, t + 1) until recently. In 2016, Barthe et al. filled this gap with maskComp, a tool checking the security of masking schemes composed of several gadgets. This tool can achieve provable security with tight number of shares by inserting mask-refreshing gadgets at carefully selected locations. However the method is not tight in the sense that there exists some compositions of gadgets for which it cannot exhibit a flaw nor prove the security. As a result, it is overconservative and might insert more refresh gadgets than actually needed to ensure t-probing security. In this paper, we exhibit the first tool, referred to as tightPROVE, able to clearly state whether a shared circuit composed of standard gadgets (addition, multiplication, and refresh) is t-probing secure or not. Given such a composition, our tool either produces a probing-security proof (valid at any order) or exhibits a security flaw that directly implies a probing attack at a given order. Compared to maskComp, tightPROVE can drastically reduce the number of required refresh gadgets to get a probing security proof, and thus the randomness requirement for some secure shared circuits. We apply our method to a recent AES implementation secured with higher-order masking in bitslice and we show that we can save all the refresh gadgets involved in the s-box layer, which results in an significant performance gain

Quality of life assessment as a predictor of survival in non-small cell lung cancer

<p>Abstract</p> <p>Background</p> <p>There are conflicting and inconsistent results in the literature on the prognostic role of quality of life (QoL) in cancer. We investigated whether QoL at admission could predict survival in lung cancer patients.</p> <p>Methods</p> <p>The study population consisted of 1194 non-small cell lung cancer patients treated at our institution between Jan 2001 and Dec 2008. QoL was evaluated using EORTC-QLQ-C30 prior to initiation of treatment. Patient survival was defined as the time interval between the date of first patient visit and the date of death from any cause/date of last contact. Univariate and multivariate Cox regression evaluated the prognostic significance of QoL.</p> <p>Results</p> <p>Mean age at presentation was 58.3 years. There were 605 newly diagnosed and 589 previously treated patients; 601 males and 593 females. Stage of disease at diagnosis was I, 100; II, 63; III, 348; IV, 656; and 27 indeterminate. Upon multivariate analyses, global QoL as well as physical function predicted patient survival in the entire study population. Every 10-point increase in physical function was associated with a 10% increase in survival (95% CI = 6% to 14%, p < 0.001). Similarly, every 10-point increase in global QoL was associated with a 9% increase in survival (95% CI = 6% to 11%, p < 0.001). Furthermore, physical function, nausea/vomiting, insomnia, and diarrhea (p < 0.05 for all) in newly diagnosed patients, but only physical function (p < 0.001) in previously treated patients were predictive of survival.</p> <p>Conclusions</p> <p>Baseline global QoL and physical function provide useful prognostic information in non-small cell lung cancer patients.</p

More results on Shortest Linear Programs

At the FSE conference of ToSC 2018, Kranz et al. presented their results on shortest linear programs for the linear layers of several well known block ciphers in literature. Shortest linear programs are essentially the minimum number of 2-input xor gates required to completely describe a linear system of equations. In the above paper the authors showed that the commonly used metrics like d-xor/s-xor count that are used to judge the ``lightweightedness\u27\u27 do not represent the minimum number of xor gates required to describe a given MDS matrix. In fact they used heuristic based algorithms of Boyar/Peralta and Paar to find implementations of MDS matrices with even fewer xor gates than was previously known. They proved that the AES mixcolumn matrix can be implemented with as little as 97 xor gates. In this paper we show that the values reported in the above paper are not optimal. By suitably including random bits in the instances of the above algorithms we can achieve implementations of almost all matrices with lesser number of gates than were reported in the above paper. As a result we report an implementation of the AES mixcolumn matrix that uses only 95 xor gates. In the second part of the paper, we observe that most standard cell libraries contain both 2 and 3-input xor gates, with the silicon area of the 3-input xor gate being smaller than the sum of the areas of two 2-input xor gates. Hence when linear circuits are synthesized by logic compilers (with specific instructions to optimize for area), most of them would return a solution circuit containing both 2 and 3-input xor gates. Thus from a practical point of view, reducing circuit size in presence of these gates is no longer equivalent to solving the shortest linear program. In this paper we show that by adopting a graph based heuristic it is possible to convert a circuit constructed with 2-input xor gates to another functionally equivalent circuit that utilizes both 2 and 3-input xor gates and occupies less hardware area. As a result we obtain more lightweight implementations of all the matrices listed in the ToSC paper