Equivalence-Checking on Infinite-State Systems: Techniques and Results
The paper presents a selection of recently developed and/or used techniques
for equivalence-checking on infinite-state systems, and an up-to-date overview
of existing results (as of September 2004).
Deciding Semantic Finiteness of Pushdown Processes and First-Order Grammars w.r.t. Bisimulation Equivalence
The problem whether a given configuration of a pushdown automaton (PDA) is
bisimilar with some (unspecified) finite-state process is shown to be
decidable. The decidability is proven in the framework of first-order grammars, which are given by finite sets of labelled rules that rewrite roots of first-order terms. The framework is equivalent to PDA where also deterministic popping epsilon-steps are allowed, i.e. to the model for which Senizergues showed an involved procedure deciding bisimilarity (FOCS 1998). Such a procedure is here used as a black-box part of the algorithm. For deterministic PDA the regularity problem was shown decidable by Valiant (JACM 1975), but the decidability question for nondeterministic PDA, answered positively here, had been open (as indicated, e.g., by Broadbent and Goeller, FSTTCS 2012).
Structural Liveness of Immediate Observation Petri Nets
We look in detail at the structural liveness problem (SLP) for subclasses of
Petri nets, namely immediate observation nets (IO nets) and their generalized
variant called branching immediate multi-observation nets (BIMO nets), that
were recently introduced by Esparza, Raskin, and Weil-Kennedy. We show that SLP
is PSPACE-hard for IO nets and in PSPACE for BIMO nets. In particular, we
discuss the (small) bounds on the token numbers in net places that are decisive
for a marking to be (non)live. Comment: Significantly extended w.r.t. the previous versio
Countdown games, and simulation on (succinct) one-counter nets
We answer an open complexity question by Hofman, Lasota, Mayr, Totzke (LMCS
2016) [HLMT16] for simulation preorder of succinct one-counter nets (i.e.,
one-counter automata with no zero tests where counter increments and decrements
are integers written in binary), by showing that all relations between
bisimulation equivalence and simulation preorder are EXPSPACE-hard for these
nets. We describe a reduction from reachability games whose
EXPSPACE-completeness in the case of succinct one-counter nets was shown by
Hunter [RP 2015], by using other results. We also provide a direct
self-contained EXPSPACE-completeness proof for a special case of such
reachability games, namely for a modification of countdown games that were
shown EXPTIME-complete by Jurdzinski, Sproston, Laroussinie [LMCS 2008]; in our
modification the initial counter value is not given but is freely chosen by the
first player. We also present a new simplified proof of the belt theorem that
gives a simple graphic presentation of simulation preorder on one-counter nets
and leads to a polynomial-space algorithm; it is an alternative to the proof
from [HLMT16]. Comment: A part of this paper elaborates arxiv-paper 1801.01073 and the
related paper presented at Reachability Problems 201
Minerva: The curse of ECDSA nonces
We present our discovery of a group of side-channel vulnerabilities in implementations of the ECDSA signature algorithm in a widely used Atmel AT90SC FIPS 140-2 certified smartcard chip and five cryptographic libraries (libgcrypt, wolfSSL, MatrixSSL, SunEC/OpenJDK/Oracle JDK, Crypto++). Vulnerable implementations leak the bit-length of the scalar used in scalar multiplication via timing. Using leaked bit-length, we mount a lattice attack on a 256-bit curve, after observing enough signing operations. We propose two new methods to recover the full private key requiring just 500 signatures for simulated leakage data, 1200 for real cryptographic library data, and 2100 for smartcard data.
The number of signatures needed for a successful attack depends on the chosen method and its parameters as well as on the noise profile, influenced by the type of leakage and the computation platform used. We use the set of vulnerabilities reported in this paper, together with the recently published TPM-FAIL vulnerability, as a basis for real-world benchmark datasets to systematically compare our newly proposed methods and all previously published applicable lattice-based key recovery methods. The resulting exhaustive comparison highlights the methods' sensitivity to their proper parametrization and demonstrates that our methods are more efficient in most cases. For the TPM-FAIL dataset, we decreased the number of required signatures from approximately 40 000 to a mere 900.