
    Related Randomness Attacks for Public Key Encryption

    Abstract. Several recent and high-profile incidents give cause to believe that randomness failures of various kinds are endemic in deployed cryptographic systems. In the face of this, it behoves cryptographic researchers to develop methods to immunise – to the extent that it is possible – cryptographic schemes against such failures. This paper considers the practically-motivated situation where an adversary is able to force a public key encryption scheme to reuse random values, and functions of those values, in encryption computations involving adversarially chosen public keys and messages. It presents a security model appropriate to this situation, along with variants of this model. It also provides necessary conditions on the set of functions used in order to attain this security notion, and demonstrates that these conditions are also sufficient in the Random Oracle Model. Further standard model constructions achieving weaker security notions are also given, with these constructions having interesting connections to other primitives including: pseudo-random functions that are secure in the related key attack setting; Correlated Input Secure hash functions; and public key encryption schemes that are secure in the auxiliary input setting (this being a special type of leakage resilience).

    Silicon on ceramic process. Silicon sheet growth development for the large-area silicon sheet task of the low-cost silicon solar array project

    The technical and economic feasibility of producing solar-cell-quality sheet silicon was investigated. The sheets were made by coating one surface of carbonized ceramic substrates with a thin layer of large-grain polycrystalline silicon from the melt. Significant progress was made in all areas of the program.

    Dip-coating process: Silicon sheet growth development for the large-area silicon sheet task of the low-cost silicon solar array project

    The objective of this research program is to investigate the technical and economic feasibility of producing solar-cell-quality sheet silicon by coating one surface of carbonized ceramic substrates with a thin layer of large-grain polycrystalline silicon from the melt. The past quarter demonstrated significant progress in several areas. Seeded growth of silicon-on-ceramic (SOC) with an EFG ribbon seed was demonstrated. Different types of mullite were successfully coated with silicon. A new method of deriving the minority carrier diffusion length, L_n, from spectral response measurements was evaluated. ECOMOD cost projections were found to be in good agreement with the interim SAMIS method proposed by JPL. On the less positive side, there was a decrease in cell performance which we believe to be due to an unidentified source of impurities.

    Silicon on Ceramic Process: Silicon Sheet Growth and Device Development for the Large-area Silicon Sheet and Cell Development Tasks of the Low-cost Solar Array Project

    The technical and economic feasibility of producing solar cell quality sheet silicon was investigated. It was hoped this could be done by coating one surface of carbonized ceramic substrates with a thin layer of large-grain polycrystalline silicon from the melt. Work was directed towards the solution of unique cell processing/design problems encountered with the silicon-on-ceramic (SOC) material due to its intimate contact with the ceramic substrate. Significant progress was demonstrated in the following areas: (1) the continuous coater succeeded in producing small-area coatings exhibiting unidirectional solidification and substantial grain size; (2) the dip coater succeeded in producing thick (more than 500 micron) dendritic layers at coating speeds of 0.2-0.3 cm/sec; and (3) a standard for producing total area SOC solar cells using slotted ceramic substrates was developed.

    Related Randomness Security for Public Key Encryption, Revisited

    Motivated by the history of randomness failures in practical systems, Paterson, Schuldt, and Sibborn (PKC 2014) introduced the notion of related randomness security for public key encryption. In this paper, we firstly show an inherent limitation of this notion: if the family of related randomness functions is sufficiently rich to express the encryption function of the considered scheme, then security cannot be achieved. This suggests that achieving security for function families capable of expressing more complex operations, such as those used in random number generation, might be difficult. The current constructions of related randomness secure encryption in the standard model furthermore reflect this; full security is only achieved for function families with a convenient algebraic structure. We additionally revisit the seemingly optimal random oracle model construction by Paterson et al. and highlight its limitations. To overcome this difficulty, we propose a new notion which we denote related refreshable randomness security. This notion captures a scenario in which an adversary has limited time to attack a system before new entropy is added. More specifically, the number of encryption queries with related randomness the adversary can make before the randomness is refreshed is bounded, but the adversary is allowed to make an unbounded total number of queries. Furthermore, the adversary is allowed to influence how entropy is added to the system. In this setting, we construct an encryption scheme which remains secure in the standard model for arbitrary function families of size 2^p (where p is polynomial in the security parameter) that satisfy certain collision-resistant and output-unpredictability properties. This captures a rich class of functions, which includes, as a special case, circuits of polynomial size. Our scheme makes use of a new construction of a (bounded) related-key attack secure pseudorandom function, which in turn is based on a new flavor of the leftover hash lemma. These technical results might be of independent interest.

    An Efficient Convertible Undeniable Signature Scheme with Delegatable Verification

    Undeniable signatures, introduced by Chaum and van Antwerpen, require a verifier to interact with the signer to verify a signature, and hence allow the signer to control the verifiability of his signatures. Convertible undeniable signatures, introduced by Boyar, Chaum, Damgård, and Pedersen, furthermore allow the signer to convert signatures to publicly verifiable ones by publicizing a verification token, either for individual signatures or for all signatures universally. In addition, the signer is able to delegate the ability to prove validity and convert signatures to a semi-trusted third party by providing a verification key. While the latter functionality is implemented by the early convertible undeniable signature schemes, most recent schemes do not consider this despite its practical appeal. In this paper we present an updated definition and security model for schemes allowing delegation, and highlight a new essential security property, token soundness, which is not formally treated in the previous security models for convertible undeniable signatures. We then propose a new convertible undeniable signature scheme. The scheme allows delegation of verification and is provably secure in the standard model assuming the computational co-Diffie-Hellman problem, a closely related problem, and the decisional linear problem are hard. Our scheme is, to the best of our knowledge, the currently most efficient convertible undeniable signature scheme which provably fulfills all security requirements in the standard model.

    Nanopore SimulatION – a raw data simulator for Nanopore Sequencing

    Nanopore DNA sequencing enables the sequence determination of single DNA molecules up to 10,000 times longer than currently permitted by second-generation sequencing platforms. Nanopore sequencing gives real-time access to sequencing data and enables the detection of epigenetic modifications. This unique feature set is poised to foster the development of novel biomedical applications previously deemed unfeasible. Nanopore sequencing is based on picoampere scale measurement of current modulated by DNA or RNA polymers traveling through a nanometer opening between two compartments. Each of the five canonical nucleobases (A, T, G, C, U) has a characteristic electrical resistance, which ultimately enables the determination of the precise base sequence. However, a substantial computational effort is required to resolve the underlying sequence from a time-warped and noisy stream of digitized current measurements. Recently, a wide range of digital signal analysis and machine learning methods have been developed for Nanopore sequencing applications. Clinically relevant questions, such as the quantification of short repetitive DNA sequences, remain an unresolved challenge to current generic, state-of-the-art nanopore data analysis methods. We believe realistic simulation of the signal stream can be instrumental in the development of tailored algorithms for such novel biomedical applications. Based on our work with the Oxford Nanopore Technologies MinION and PromethION platform, we have developed Nanopore SimulatION, a software package for the in silico generation of realistic, raw-signal-level data. Nanopore SimulatION starts from a reference genome in conjunction with a configuration and model file derived from real-world nanopore sequencing experiments as input. To validate our algorithm, we have sequenced custom synthetic DNA, and in so doing have generated a "ground-truth" data set potentially useful for downstream algorithm development. Additionally, we demonstrate Nanopore SimulatION's utility for method development in typical clinical use cases.

    Statistical Attacks on Cookie Masking for RC4

    Levillain et al. (AsiaCCS 2015) proposed two cookie masking methods, TLS Scramble and MCookies, to counter a class of attacks on SSL/TLS in which the attacker is able to exploit its ability to obtain many encryptions of a target HTTP cookie. In particular, the masking methods potentially make it viable to continue to use the RC4 algorithm in SSL/TLS. In this paper, we provide a detailed analysis of TLS Scramble and MCookies when used in conjunction with RC4 in SSL/TLS. We show that, in fact, both are vulnerable to variants of the known attacks against RC4 in SSL/TLS exploiting the Mantin biases (Mantin, EUROCRYPT 2005):
    * For the TLS Scramble mechanism, we provide a detailed statistical analysis coupled with extensive simulations that show that about 2^{37} encryptions of the cookie are sufficient to enable its recovery.
    * For the MCookies mechanism, our analysis is made more complex by the presence of a Base64 encoding step in the mechanism, which (unintentionally) acts like a classical block cipher S-box in the masking process. Despite this, we are able to develop a maximum likelihood analysis which provides a rigorous statistical procedure for estimating the unknown cookie. Based on simulations, we estimate that 2^{45} encryptions of the cookie are sufficient to enable its recovery.
    Taken together, our analyses show that the cookie masking mechanisms as proposed by Levillain et al. only moderately increase the security of RC4 in SSL/TLS.

    Spritz---a spongy RC4-like stream cipher and hash function.

    This paper reconsiders the design of the stream cipher RC4, and proposes an improved variant, which we call "Spritz" (since the output comes in fine drops rather than big blocks). Our work leverages the considerable cryptanalytic work done on the original RC4 and its proposed variants. It also uses simulations extensively to search for biases and to guide the selection of intermediate expressions. We estimate that Spritz can produce output with about 24 cycles/byte of computation. Furthermore, our statistical tests suggest that about 2^{81} bytes of output are needed before one can reasonably distinguish Spritz output from random output; this is a marked improvement over RC4. [Footnote: However, see Appendix F for references to more recent work that suggest that our estimates of the work required to break Spritz may be optimistic.] In addition, we formulate Spritz as a "sponge (or sponge-like) function" (see Bertoni et al.), which can "Absorb" new data at any time, and from which one can "Squeeze" pseudorandom output sequences of arbitrary length. Spritz can thus be easily adapted for use as a cryptographic hash function, an encryption algorithm, or a message-authentication code generator. (However, in hash-function mode, Spritz is rather slow.)