30 research outputs found

    Rulemaking in Super-RTAs: Implications for China and India. Bruegel Working Paper 2014/03, March 2014

    The faltering Doha round has led to a renewed focus on large regional trade agreements. There are two super-RTAs in the making in the Asia-Pacific and one in the Atlantic, all with rather ambitious negotiation targets, and presented as alternative means to reset global trade rules and take the multilateral trade liberalisation agenda forward. So what does this development mean for large emerging markets such as China and India that are on the fringes of these regional trade negotiations? Can these agreements become alternative means of pressuring these Asian economies to follow new trade rules set by industrialised countries, especially given the progressive erosion of the policy dominance of industrialised countries and the strong dissenting voice of developing countries in the Doha Round? This paper examines how super-RTAs may emerge as game changers in the multilateral trading system as promulgated by the WTO, and the implications for China and India. The paper analyses the new economic governance system that is likely to emerge given the renewed interest in regionalism, and argues that while the super-RTAs will not be entirely benign in their impact on China and India, rather than forcing these economies to accept the higher new regulatory standards enshrined in the super-RTAs, a distinct possibility in the medium term is the emergence and entrenchment of a dual regulatory regime in these economies.

    Automation, AI and the Future of Work in India

    This research contributes to current debates on automation and the future of work, a much-hyped but under-researched area, in emerging economies through a particular focus on India. It assesses the national strategy on Artificial Intelligence and explores the impact of automation on the Indian labour market, work and employment to inform policy. The study shows that technology is not free from the wider dynamics that surround the world of work. The adoption of new technologies is likely to occur in niches in the manufacturing and services sectors, while its impact on employment and the labour market more broadly, and in addressing societal inequalities, will be limited. The national strategy, however, does not take into account the nature of capital accumulation and the structural inequalities that stem from a large informal economy and a surplus-labour context with limited upskilling opportunities. This raises doubts about the effectiveness of the current policy. This study is the first to examine the impact of automation on work and employment in India. It provides a critical intervention in current debates on the future of work from the point of view of an important emerging economy defined by labour surplus and a large informal economy.

    A practical key-recovery attack on LWE-based key-encapsulation mechanism schemes using Rowhammer

    Physical attacks are serious threats to cryptosystems deployed in the real world. In this work, we propose a microarchitectural end-to-end attack methodology on generic lattice-based post-quantum key encapsulation mechanisms to recover the long-term secret key. Our attack targets a critical component of the Fujisaki-Okamoto transform that is used in the construction of almost all lattice-based key encapsulation mechanisms. We demonstrate our attack model on practical schemes such as Kyber and Saber by using Rowhammer. We show that our attack is highly practical and imposes few preconditions on the attacker to succeed. As an additional contribution, we propose an improved version of the plaintext-checking oracle, which is used by almost all physical attack strategies on lattice-based key-encapsulation mechanisms. Our improvement reduces the number of queries to the plaintext-checking oracle by as much as 39% for Saber and approximately 23% for Kyber768. This can be of independent interest and can also be used to reduce the complexity of other attacks.

    On the Masking-Friendly Designs for Post-Quantum Cryptography

    Masking is a well-known and provably secure countermeasure against side-channel attacks. However, due to the additional redundant computations, integrating masking schemes is expensive in terms of performance. The performance overhead of integrating masking countermeasures is heavily influenced by the design choices of a cryptographic algorithm and is often not considered during the design phase. In this work, we deliberate on the effect of design choices on integrating masking techniques into lattice-based cryptography. We select Scabbard, a suite of three lattice-based post-quantum key-encapsulation mechanisms (KEMs), namely Florete, Espada, and Sable. We provide arbitrary-order masked implementations of all the constituent KEMs of the Scabbard suite by exploiting their specific design elements. We show that the masked implementations of Florete, Espada, and Sable outperform the masked implementations of Kyber in terms of speed for any masking order. Masked Florete exhibits a 73%, 71%, and 70% performance improvement over masked Kyber for first-, second-, and third-order masking respectively. Similarly, Espada exhibits 56%, 59%, and 60% and Sable exhibits 75%, 74%, and 73% enhanced performance for first-, second-, and third-order masking compared to Kyber respectively. Our results show that the design decisions have a significant impact on the efficiency of integrating masking countermeasures into lattice-based cryptography.

    Higher-order masked Saber

    Side-channel attacks are formidable threats to the cryptosystems deployed in the real world. An effective and provably secure countermeasure against side-channel attacks is masking. In this work, we present a detailed study of higher-order masking techniques for the key-encapsulation mechanism Saber. Saber is one of the lattice-based finalist candidates in the National Institute of Standards and Technology's post-quantum standardization procedure. We provide a detailed analysis of different masking algorithms proposed for Saber in the recent past and propose an optimized implementation of higher-order masked Saber. Our proposed techniques for first-, second-, and third-order masked Saber have performance overheads of 2.7x, 5x, and 7.7x respectively compared to unmasked Saber. We show that compared to Kyber, which is another lattice-based finalist scheme, Saber's performance degrades less with an increase in the order of masking. We also show that higher-order masked Saber needs fewer random bytes than higher-order masked Kyber. Additionally, we adapt our masked implementation to uSaber, a variant of Saber that was specifically designed to allow an efficient masked implementation. We present the first masked implementation of uSaber, showing that it indeed outperforms masked Saber by at least 12% for any order. We provide optimized implementations of all our proposed masking schemes on ARM Cortex-M4 microcontrollers.

    Carry Your Fault: A Fault Propagation Attack on Side-Channel Protected LWE-based KEM

    Post-quantum cryptographic (PQC) algorithms, especially those based on the learning with errors (LWE) problem, have been subjected to several physical attacks in the recent past. Although the attacks broadly belong to two classes, passive side-channel attacks and active fault attacks, the attack strategies vary significantly due to the inherent complexities of such algorithms. Exploring further attack surfaces is, therefore, an important step towards eventually securing the deployment of these algorithms. It is also important to test the robustness of the countermeasures already proposed in this regard. In this work, we propose a new fault attack on side-channel secure masked implementations of LWE-based key-encapsulation mechanisms (KEMs) that exploits fault propagation. The attack originates from an algorithmic modification widely used to enable masking, namely the Arithmetic-to-Boolean (A2B) conversion. We exploit the data dependency of the adder carry chain in A2B and extract sensitive information even when masking (of arbitrary order) is present. As a practical demonstration of the exploitability of this information leakage, we show key recovery attacks on Kyber, although the leakage also exists for other schemes such as Saber. The attack on Kyber targets the decapsulation module and utilizes Belief Propagation (BP) for key recovery. To the best of our knowledge, it is the first attack exploiting an algorithmic component introduced to ease masking, rather than only exploiting the randomness introduced by masking to obtain the desired faults (as done by Delvaux). Finally, we performed both simulated and electromagnetic (EM) fault-based practical validation of the attack on an open-source first-order secure Kyber implementation running on an STM32 platform.

    Prospects for regulatory convergence under TTIP. Bruegel Policy Contribution 2013/15, October 2013

    An ambitious, comprehensive and high-standard trade and investment agreement between the European Union and the United States is feasible, but a key concern is whether the transatlantic trade partners will succeed in creating a meaningful agreement within the tight timeline of the Transatlantic Trade and Investment Partnership (TTIP) negotiations. The target of a ratified pact before a new European Commission takes office in November 2014 is an objective that is likely to conflict with the level of ambition on the substance. Regulatory congruence would require the unilateral and unconditional recognition by the TTIP partners of each other's standards, procedures and conformity assessment tests. The way forward is to create a 'living' (or progressive commitment) agreement on regulatory cooperation with a horizontal template for coherence and conformity assessment and a detailed monitoring mechanism, with implementation starting immediately for a few selected sectors. Regulatory harmonisation under TTIP may not lead to emerging markets automatically upgrading to the higher TTIP standards. Domestic priorities and the high demand from a rising price-sensitive group of consumers will likely result in a dual regulatory regime in emerging markets in the medium term.