
    Post-Quantum Privacy Pass via Post-Quantum Anonymous Credentials

    It is known that one can generically construct a post-quantum anonymous credential scheme, supporting the showing of arbitrary predicates on its attributes using general-purpose zero-knowledge proofs secure against quantum adversaries [Fischlin, CRYPTO 2006]. Traditionally, such a generic instantiation is thought to come with impractical sizes and performance. We show that with careful choices and optimizations, such a scheme can perform surprisingly well. In fact, it performs competitively against state-of-the-art post-quantum blind signatures for the simpler problem of post-quantum unlinkable tokens, required for a post-quantum version of Privacy Pass. To wit, a post-quantum Privacy Pass constructed in this way using zkDilithium, our proposal for a STARK-friendly variation on Dilithium2, allows for a trade-off between token size (85–175KB) and generation time (0.3–5s) with a proof security level of 115 bits. Verification of these tokens can be done in 20–30ms. We argue that these tokens are reasonably practical, adding less than a second of upload time over traditional tokens, supported by a measurement study. Finally, we point out a clear advantage of our approach: the flexibility afforded by the general-purpose zero-knowledge proofs. We demonstrate this by showing how we can construct a rate-limited variant of Privacy Pass that doesn't rely on non-collusion for privacy.

    SIKE Round 2 Speed Record on ARM Cortex-M4

    We present the first practical software implementation of Supersingular Isogeny Key Encapsulation (SIKE) round 2, targeting NIST's security levels 1, 2, and 5 on 32-bit ARM Cortex-M4 microcontrollers. The proposed library sets a new speed record for the SIKE protocol on the target platform. We achieved this record by adopting several state-of-the-art engineering techniques as well as highly optimized hand-crafted assembly implementations of finite field arithmetic. In particular, we carefully redesign the previous optimized implementations of field arithmetic on the 32-bit ARM Cortex-M4 platform and propose a set of novel techniques that are explicitly suited to SIKE/SIDH primes. Moreover, the proposed arithmetic implementations are fully scalable to larger bit-length integers and can be adopted across different security levels. The benchmark result on an STM32F4 Discovery board equipped with a 32-bit ARM Cortex-M4 microcontroller shows that the entire key encapsulation over p434 takes about 326 million clock cycles (i.e. 1.94 seconds @168MHz). In contrast to the previous optimized implementation of isogeny-based key exchange on the low-power 32-bit ARM Cortex-M4, our performance evaluation shows the feasibility of using the SIKE mechanism on the target platform. In comparison to most of the post-quantum candidates, SIKE requires an excessive number of arithmetic operations, resulting in significantly slower timings. However, its small key size makes this scheme a promising candidate on low-end microcontrollers in the quantum era by ensuring lower energy consumption for key transmission than other schemes.

    On the cost of computing isogenies between supersingular elliptic curves

    The security of the Jao-De Feo Supersingular Isogeny Diffie-Hellman (SIDH) key agreement scheme is based on the intractability of the Computational Supersingular Isogeny (CSSI) problem --- computing $\mathbb{F}_{p^2}$-rational isogenies of degrees $2^e$ and $3^e$ between certain supersingular elliptic curves defined over $\mathbb{F}_{p^2}$. The classical meet-in-the-middle attack on CSSI has an expected running time of $O(p^{1/4})$, but also has $O(p^{1/4})$ storage requirements. In this paper, we demonstrate that the van Oorschot-Wiener collision finding algorithm has a lower cost (but higher running time) for solving CSSI, and thus should be used instead of the meet-in-the-middle attack to assess the security of SIDH against classical attacks. The smaller parameter $p$ brings significantly improved performance for SIDH.

    Computing supersingular isogenies on Kummer surfaces

    We apply Scholten's construction to give explicit isogenies between the Weil restriction of supersingular Montgomery curves with full rational 2-torsion over $GF(p^2)$ and corresponding abelian surfaces over $GF(p)$. Subsequently, we show that isogeny-based public key cryptography can exploit the fast Kummer surface arithmetic that arises from the theory of theta functions. In particular, we show that chains of 2-isogenies between elliptic curves can instead be computed as chains of Richelot (2,2)-isogenies between Kummer surfaces. This gives rise to new possibilities for efficient supersingular isogeny-based cryptography.

    FourQ on Embedded Devices with Strong Countermeasures Against Side-Channel Attacks

    This work deals with the energy-efficient, high-speed and high-security implementation of elliptic curve scalar multiplication, elliptic curve Diffie-Hellman (ECDH) key exchange and elliptic curve digital signatures on embedded devices using FourQ and incorporating strong countermeasures to thwart a wide variety of side-channel attacks. First, we set new speed records for constant-time curve-based scalar multiplication, DH key exchange and digital signatures at the 128-bit security level with implementations targeting 8, 16 and 32-bit microcontrollers. For example, our software computes a static ECDH shared secret in 6.9 million cycles (or 0.86 seconds @8MHz) on a low-power 8-bit AVR microcontroller which, compared to the fastest Curve25519 and genus-2 Kummer implementations on the same platform, offers 2x and 1.4x speedups, respectively. Similarly, it computes the same operation in 496 thousand cycles on a 32-bit ARM Cortex-M4 microcontroller, achieving a factor-2.9 speedup when compared to the fastest Curve25519 implementation targeting the same platform. A similar speed performance is observed in the case of digital signatures. Second, we engineer a set of side-channel countermeasures taking advantage of FourQ's rich arithmetic and propose a secure implementation that offers protection against a wide range of sophisticated side-channel attacks, including differential power analysis (DPA). Despite the use of strong countermeasures, the experimental results show that our FourQ software is still efficient enough to outperform implementations of Curve25519 that only protect against timing attacks. Finally, we perform a differential power analysis evaluation of our software running on an ARM Cortex-M4, and report that no leakage was detected with up to 10 million traces. These results demonstrate the potential of deploying FourQ on low-power applications such as protocols for the Internet of Things.

    Brain white matter damage in aging and cognitive ability in youth and older age

    Cerebral white matter hyperintensities (WMH) reflect accumulating white matter damage with aging and impair cognition. The role of childhood intelligence is rarely considered in associations between cognitive impairment and WMH. We studied community-dwelling older people all born in 1936, in whom IQ had been assessed at age 11 years. We assessed medical histories, current cognitive ability and quantified WMH on MR imaging. Among 634 participants, mean age 72.7 (SD 0.7), age 11 IQ was the strongest predictor of late life cognitive ability. After accounting for age 11 IQ, greater WMH load was significantly associated with lower late life general cognitive ability (β = −0.14, p < 0.01) and processing speed (β = −0.19, p < 0.001). WMH were also associated independently with lower age 11 IQ (β = −0.08, p < 0.05) and hypertension. In conclusion, having more WMH is significantly associated with lower cognitive ability, after accounting for prior ability (age 11 IQ). Early-life IQ also influenced WMH in later life. Determining how lower IQ in youth leads to increasing brain damage with aging is important for future successful cognitive aging.

    Vol. 8, No. 2 (2010)

    The study was carried out at the facilities of INIFAP-Valle de Juárez to evaluate 12 canola genotypes at five saline concentrations, with the aim of identifying those genetic materials that show greater tolerance. The research was conducted in one-litre plastic pots, and the inert material was dune sand that had been washed with deionized water. The study treatments were the electrical conductivity (EC) levels 1.40, 3.25, 5.10, 8.35 and 11.60 dS m⁻¹, generated from a highly saline pumped-water source (11.60 dS m⁻¹) and a potable water source (1.40 dS m⁻¹), which were diluted in different proportions and approximate the hydrogeochemical characteristics of the local aquifer. A Steiner solution was used as the nutrient source, and the evaluation period was 7 weeks. The experimental design was a completely randomized two-factor design with four replicates. The agronomic variables evaluated were fresh and dry matter of foliage, root dry matter and final plant height. Analyses of variance and regressions between agronomic response and salinity levels were obtained. The EC value (dS m⁻¹) at which each agronomic variable gives 0, 25, 50, 75 and 100% relative yield (RY) was established. The tolerant genotypes were IMC 108, CNH 517 and Hyola 60, while the susceptible ones were Scoop, IMC 2004 and Hyola 401.

    Montgomery Modular Multiplication on ARM-NEON Revisited

    Montgomery modular multiplication constitutes the arithmetic foundation of modern public-key cryptography with applications ranging from RSA, DSA and Diffie-Hellman over elliptic curve schemes to pairing-based cryptosystems. The increased prevalence of SIMD-type instructions in commodity processors (e.g. Intel SSE, ARM NEON) has initiated a massive body of research on vector-parallel implementations of Montgomery modular multiplication. In this paper, we introduce the Cascade Operand Scanning (COS) method to speed up multi-precision multiplication on SIMD architectures. We developed the COS technique with the goal of reducing Read-After-Write (RAW) dependencies in the propagation of carries, which also reduces the number of pipeline stalls (i.e. bubbles). The COS method operates on 32-bit words in a row-wise fashion (similar to the operand-scanning method) and does not require a non-canonical representation of operands with a reduced radix. We show that two COS computations can be coarsely integrated into an efficient vectorized variant of Montgomery multiplication, which we call the Coarsely Integrated Cascade Operand Scanning (CICOS) method. Due to our sophisticated instruction scheduling, the CICOS method reaches record-setting execution times for Montgomery modular multiplication on ARM-NEON platforms. Detailed benchmarking results obtained on ARM Cortex-A9 and Cortex-A15 processors show that the proposed CICOS method outperforms Bos et al.'s implementation from SAC 2013 by up to 57% (A9) and 40% (A15), respectively. Furthermore, our COS multiplication is faster than the latest GMP 6.0.0 by up to 55% (A9) and 52% (A15), respectively.

    Faster Software for Fast Endomorphisms

    GLV curves (Gallant et al.) have performance advantages over standard elliptic curves, using half the number of point doublings for scalar multiplication. Despite their introduction in 2001, implementations of the GLV method have yet to permeate widespread software libraries. Furthermore, side-channel vulnerabilities, specifically cache-timing attacks, have remained unpatched in the OpenSSL code base since the first attack in 2009 (Brumley and Hakala), even after the most recent attack in 2014 (Benger et al.). This work reports on the integration of the GLV method in OpenSSL for curves from 160 to 256 bits, as well as deploying and evaluating two side-channel defenses. Performance gains are up to 51%, and with these improvements GLV curves are now the fastest elliptic curves in OpenSSL for these bit sizes.

    Semi-commutative masking: A framework for isogeny-based protocols, with an application to fully secure two-round isogeny-based OT

    We define semi-commutative invertible masking structures which aim to capture the methodology of exponentiation-only protocol design (such as discrete logarithm and isogeny-based cryptography). We give an instantiation based on the semi-commutative action of isogenies of supersingular elliptic curves, in the style of the SIDH key-exchange protocol. We then construct an oblivious transfer protocol using this new structure and prove that it UC-securely realises the oblivious transfer functionality in the random-oracle-hybrid model against passive adversaries with static corruptions. Moreover, we show that it satisfies the security properties required by the compiler of Döttling et al. (Eurocrypt 2020), achieving the first fully UC-secure two-round OT protocol based on supersingular isogenies.
    Published in: 19th International Conference on Cryptology and Network Security, CANS 2020; Vienna, Austria; 14 December 2020 through 16 December 2020. ISBN: 978-303065410-8. Volume Editors: Krenn S., Shulman H., Vaudenay S. Publisher: Springer Science and Business Media Deutschland GmbH.