126 research outputs found

    XTR and Tori

    At the turn of the century, 80-bit security was the standard. When considering discrete-log based cryptosystems, it could be achieved using either subgroups of 1024-bit finite fields or using (hyper)elliptic curves. The latter would allow more compact and efficient arithmetic, until Lenstra and Verheul invented XTR. Here XTR stands for 'ECSTR', itself an abbreviation for Efficient and Compact Subgroup Trace Representation. XTR exploits algebraic properties of the cyclotomic subgroup of sixth degree extension fields, allowing a representation only a third of their regular size, making finite field DLP-based systems competitive with elliptic curve ones. Subsequent developments, such as the move to 128-bit security and improvements in finite field DLP, rendered the original XTR and closely related torus-based cryptosystems no longer competitive with elliptic curves. Yet, some of the techniques related to XTR are still relevant for certain pairing-based cryptosystems. This chapter describes the past and the present of XTR and other methods for efficient and compact subgroup arithmetic.

    Tightness Subtleties for Multi-user PKE Notions

    Public key encryption schemes are increasingly being studied concretely, with an emphasis on tight bounds even in a multi-user setting. Here, two types of formalization have emerged, one with a single challenge bit and one with multiple challenge bits. Another modelling choice is whether to allow key corruptions or not. How tightly the various notions relate to each other has hitherto not been studied in detail. We show that in the absence of corruptions, single-bit left-or-right indistinguishability is the preferred notion, as it tightly implies the other (corruption-less) notions. However, in the presence of corruptions, this implication no longer holds; we suggest the use of a more general notion that tightly implies both existing options. Furthermore, for completeness we study how the relationship between left-or-right versus real-or-random evolves in the multi-user PKE setting.

    Eutetrarhynchid trypanorhynchs (Cestoda) from elasmobranchs off Argentina, including the description of Dollfusiella taminii sp. n. and Parachristianella damiani sp. n., and amended description of Dollfusiella vooremi (São Clemente et Gomes, 1989)

    During a parasitological survey of teleosts and elasmobranchs in the Argentine Sea, 3 species of eutetrarhynchids were collected from the batoids Myliobatis goodei Garman and Psammobatis bergi Marini, and the shark Mustelus schmitti Springer. The specimens collected from Mu. schmitti were identified as Dollfusiella vooremi (São Clemente et Gomes, 1989), whereas the specimens from My. goodei and Ps. bergi resulted in new species of Dollfusiella Campbell et Beveridge, 1994 and Parachristianella Dollfus, 1946, respectively. Dollfusiella taminii sp. n. from Ps. bergi is characterised by a distinct basal armature with basal swelling and a heteroacanthous homeomorphous metabasal armature with 7–9 falcate hooks per principal row. Parachristianella damiani sp. n. from My. goodei lacks a distinct basal armature, having 2–3 initial rows of uncinate hooks, a heteroacanthous heteromorphous metabasal armature with the first principal row of small hooks, followed by rows with 10–14 large hooks. This is the first record of Parachristianella in the southwestern Atlantic. The amended description of D. vooremi includes the detailed description of the tentacular armature, including SEM micrographs of all tentacular surfaces. This species is characterised by a basal armature consisting of rows of uncinate and falcate hooks, a basal swelling and a metabasal armature with billhooks on the antibothrial surface and uncinate hooks on the bothrial surface. The scolex peduncle of D. vooremi is covered with enlarged spinitriches. This species is restricted to carcharhiniform sharks, since the report of D. vooremi in Sympterygia bonapartii Müller et Henle off Bahía Blanca (Argentina) is dubious.
    Fil: Menoret, Adriana. Consejo Nacional de Investigaciones Científicas y Técnicas. Oficina de Coordinación Administrativa Ciudad Universitaria. Instituto de Biodiversidad y Biología Experimental y Aplicada. Universidad de Buenos Aires. Facultad de Ciencias Exactas y Naturales. Instituto de Biodiversidad y Biología Experimental y Aplicada; Argentina
    Fil: Ivanov, Veronica Adriana. Consejo Nacional de Investigaciones Científicas y Técnicas. Oficina de Coordinación Administrativa Ciudad Universitaria. Instituto de Biodiversidad y Biología Experimental y Aplicada. Universidad de Buenos Aires. Facultad de Ciencias Exactas y Naturales. Instituto de Biodiversidad y Biología Experimental y Aplicada; Argentina

    Dynamic Security Aspects of Onion Routing

    An anonymous communication network (ACN) is designed to protect the identities of two parties communicating through it, even if an adversary controls or observes parts of the network. Among the ACNs, Tor represents a practical trade-off between offering a reasonable level of anonymity and, simultaneously, an acceptable transmission delay. Due to its practical impact, there is abundant literature on the performance of Tor concerning both communication and security aspects. Recently, a static framework was suggested for evaluating and comparing, in a quantifiable way, the effect of different scenarios (attacks, defence mechanisms, and other protocol changes). Although a static model is useful, many scenarios involve parameters and stochastic variables that change or evolve over time, or that may be influenced by active and malicious adversaries. In this paper, we propose a dynamic framework for evaluating such scenarios. We identify several scenarios where this framework is applicable, and illustrate our framework by considering the guard node mechanism in Tor. We evaluate and compare variations on the guard node concept suggested in the literature with respect to relevant performance metrics and, using the framework, support our evaluation with a theoretical analysis.

    The preimage security of double-block-length compression functions

    We give improved bounds on the preimage security of the three "classical" double-block-length, double-call, blockcipher-based compression functions, these being Abreast-DM, Tandem-DM and Hirose's scheme. For Hirose's scheme, we show that an adversary must make at least $2^{2n-5}$ blockcipher queries to achieve chance $0.5$ of inverting a randomly chosen point in the range. For Abreast-DM and Tandem-DM we show that at least $2^{2n-10}$ queries are necessary. These bounds improve upon the previous best bounds of $\Omega(2^n)$ queries, and are optimal up to a constant factor since the compression functions in question have range of size $2^{2n}$.

    Efficient Hashing Using the AES Instruction Set

    In this work, we provide a software benchmark for a large range of 256-bit blockcipher-based hash functions. We instantiate the underlying blockcipher with AES, which allows us to exploit the recent AES instruction set (AES-NI). Since AES itself only outputs 128 bits, we consider double-block-length constructions, as well as (single-block-length) constructions based on RIJNDAEL-256. Although we primarily target architectures supporting AES-NI, our framework has much broader applications by estimating the performance of these hash functions on any (micro-)architecture given AES-benchmark results. As far as we are aware, this is the first comprehensive performance comparison of multi-block-length hash functions in software.

    Obfuscation for Cryptographic Purposes

    Loosely speaking, an obfuscation O of a function f should satisfy two requirements: firstly, using O, it should be possible to evaluate f; secondly, O should not reveal anything about f that cannot be learnt from oracle access to f alone. Several definitions for obfuscation exist. However, most of them are very hard to satisfy, even when focusing on specific applications such as obfuscating a point function (e.g., for authentication purposes).

    An Analysis of the Blockcipher-Based Hash Functions from PGV

    Preneel, Govaerts, and Vandewalle (1993) considered the 64 most basic ways to construct a hash function $H: \{0,1\}^* \to \{0,1\}^n$ from a blockcipher $E: \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$. They regarded 12 of these 64 schemes as secure, though no proofs or formal claims were given. Here we provide a proof-based treatment of the PGV schemes. We show that, in the ideal-cipher model, the 12 schemes considered secure by PGV really are secure: we give tight upper and lower bounds on their collision resistance. Furthermore, by stepping outside of the Merkle-Damgård approach to analysis, we show that an additional 8 of the PGV schemes are just as collision resistant (up to a constant). Nonetheless, we are able to differentiate among the 20 collision-resistant schemes by considering their preimage resistance: only the 12 initial schemes enjoy optimal preimage resistance. Our work demonstrates that proving ideal-cipher-model bounds is a feasible and useful step for understanding the security of blockcipher-based hash-function constructions.

    Fly, you fool! Faster Frodo for the ARM Cortex-M4

    We present an efficient implementation of FrodoKEM-640 on an ARM Cortex-M4 core. We leverage the single instruction, multiple data paradigm, available in the instruction set of the ARM Cortex-M4, together with a careful analysis of the memory layout of matrices to considerably speed up matrix multiplications. Our implementations take up to 79.4% fewer cycles than the reference. Moreover, we challenge the usage of a cryptographically secure pseudorandom number generator for the generation of the large public matrix involved. We argue that statistically good pseudorandomness is enough to achieve the same security goal. Therefore, we propose to use xoshiro128** as a PRNG instead: its structure can be easily integrated in FrodoKEM-640, it passes all known statistical tests and greatly outperforms previous choices. By using xoshiro128** we improve the generation of the large public matrix, which is a considerable bottleneck for embedded devices, by up to 96%.

    How low can you go? Using side-channel data to enhance brute-force key recovery

    Side-channel analysis techniques can be used to construct key recovery attacks by observing a side-channel medium such as the power consumption or electromagnetic radiation of a device while it is performing cryptographic operations. These attack results can be used as auxiliary information in an enhanced brute-force key recovery attack, enabling the adversary to enumerate the most likely keys first. We use algorithmic and implementation techniques to implement a time- and memory-efficient key enumeration algorithm, and in tandem identify how to optimise throughput when bulk-verifying quantities of candidate AES-128 keys. We then explore how to best distribute the workload so that it can be deployed across a significant number of CPU cores and executed in parallel, giving an adversary the capability to enumerate a very large number of candidate keys. We introduce the tool labynkyr, developed in C++11, that can be deployed across any number of CPUs and workstations to enumerate keys in parallel. We conclude by demonstrating the effectiveness of our tool by successfully enumerating $2^{48}$ AES-128 keys in approximately 30 hours using a modest number of CPU cores, at an expected cost of only 700 USD using a popular cloud provider.