
    Entanglement Induced Fluctuations of Cold Bosons

    We show that due to entanglement, quantum fluctuations may differ significantly from statistical fluctuations. We calculate quantum fluctuations of the particle number and of the energy in a sub-volume of a system of bosons in a pure state, and briefly discuss the possibility of measuring them. We find that energy fluctuations have a non-extensive nature.
    Comment: Replaced with published version. Added calculations, explanations and clarifications, results unchange

    A software approach to defeating side channels in last-level caches

    We present a software approach to mitigate access-driven side-channel attacks that leverage last-level caches (LLCs) shared across cores to leak information between security domains (e.g., tenants in a cloud). Our approach dynamically manages physical memory pages shared between security domains to disable sharing of LLC lines, thus preventing "Flush-Reload" side channels via LLCs. It also manages cacheability of memory pages to thwart cross-tenant "Prime-Probe" attacks in LLCs. We have implemented our approach as a memory management subsystem called CacheBar within the Linux kernel to intervene on such side channels across container boundaries, as containers are a common method for enforcing tenant isolation in Platform-as-a-Service (PaaS) clouds. Through formal verification, principled analysis, and empirical evaluation, we show that CacheBar achieves strong security with small performance overheads for PaaS workloads

    Bitcoin Crypto - bounties for quantum capable adversaries

    With the advances in quantum computing taking place over the last few years, researchers have started considering the implications on cryptocurrencies. As most digital signature schemes would be impacted, it is somewhat reassuring that transition schemes to quantum resistant signatures are already being considered for Bitcoin. In this work, we stress the danger of public key reuse, as it prevents users from recovering their funds in the presence of a quantum enabled adversary despite any transition scheme the developers decide to implement. We emphasize this threat by quantifying the damage a functional quantum computer could inflict on Bitcoin (and Bitcoin Cash) by breaking exposed public keys

    Using subthreshold events to characterize the functional architecture of the electrically coupled inferior olive network

    The electrical connectivity in the inferior olive (IO) nucleus plays an important role in generating well-timed spiking activity. Here we combined electrophysiological and computational approaches to assess the functional organization of the IO nucleus in mice. Spontaneous fast and slow subthreshold events were commonly encountered during in vitro recordings. We show that whereas the fast events represent intrinsic regenerative activity, the slow events reflect the electrical connectivity between neurons ('spikelets'). Recordings from cell pairs revealed the synchronized occurrence of distinct groups of spikelets; their rate and distribution enabled an accurate estimation of the number of connected cells and is suggestive of a clustered organization. This study thus provides a new perspective on the functional and structural organization of the olivary nucleus and a novel experimental and theoretical approach to study electrically coupled networks

    SoK: Design Tools for Side-Channel-Aware Implementations

    Side-channel attacks that leak sensitive information through a computing device's interaction with its physical environment have proven to be a severe threat to devices' security, particularly when adversaries have unfettered physical access to the device. Traditional approaches for leakage detection measure the physical properties of the device. Hence, they cannot be used during the design process and fail to provide root cause analysis. An alternative approach that is gaining traction is to automate leakage detection by modeling the device. The demand to understand the scope, benefits, and limitations of the proposed tools intensifies with the increase in the number of proposals. In this SoK, we classify approaches to automated leakage detection based on the model's source of truth. We classify the existing tools on two main parameters: whether the model includes measurements from a concrete device and the abstraction level of the device specification used for constructing the model. We survey the proposed tools to determine the current knowledge level across the domain and identify open problems. In particular, we highlight the absence of evaluation methodologies and metrics that would compare proposals' effectiveness from across the domain. We believe that our results help practitioners who want to use automated leakage detection and researchers interested in advancing the knowledge and improving automated leakage detection

    TrustShadow: Secure Execution of Unmodified Applications with ARM TrustZone

    The rapid evolution of Internet-of-Things (IoT) technologies has led to an emerging need to make it smarter. A variety of applications now run simultaneously on an ARM-based processor. For example, devices on the edge of the Internet are provided with higher horsepower to be entrusted with storing, processing and analyzing data collected from IoT devices. This significantly improves efficiency and reduces the amount of data that needs to be transported to the cloud for data processing, analysis and storage. However, commodity OSes are prone to compromise. Once they are exploited, attackers can access the data on these devices. Since the data stored and processed on the devices can be sensitive, left untackled, this is particularly disconcerting. In this paper, we propose a new system, TrustShadow that shields legacy applications from untrusted OSes. TrustShadow takes advantage of ARM TrustZone technology and partitions resources into the secure and normal worlds. In the secure world, TrustShadow constructs a trusted execution environment for security-critical applications. This trusted environment is maintained by a lightweight runtime system that coordinates the communication between applications and the ordinary OS running in the normal world. The runtime system does not provide system services itself. Rather, it forwards requests for system services to the ordinary OS, and verifies the correctness of the responses. To demonstrate the efficiency of this design, we prototyped TrustShadow on a real chip board with ARM TrustZone support, and evaluated its performance using both microbenchmarks and real-world applications. We showed TrustShadow introduces only negligible overhead to real-world applications.
    Comment: MobiSys 201

    May the fourth be with you: a microarchitectural side channel attack on several real-world applications of Curve25519

    Session D3: Logical Side Channels
    In recent years, applications increasingly adopt security primitives designed with better countermeasures against side channel attacks. A concrete example is Libgcrypt’s implementation of ECDH encryption with Curve25519. The implementation employs the Montgomery ladder scalar-by-point multiplication, uses the unified, branchless Montgomery double-and-add formula and implements a constant-time argument swap within the ladder. However, Libgcrypt’s field arithmetic operations are not implemented in a constant-time side-channel-resistant fashion. Based on the secure design of Curve25519, users of the curve are advised that there is no need to perform validation of input points. In this work we demonstrate that when this recommendation is followed, the mathematical structure of Curve25519 facilitates the exploitation of side-channel weaknesses. We demonstrate the effect of this vulnerability on three software applications—encrypted git, email and messaging—that use Libgcrypt. In each case, we show how to craft malicious OpenPGP files that use the Curve25519 point of order 4 as a chosen ciphertext to the ECDH encryption scheme. We find that the resulting interactions of the point at infinity, order-2, and order-4 elements in the Montgomery ladder scalar-by-point multiplication routine create side channel leakage that allows us to recover the private key in as few as 11 attempts to access such malicious files.
    Daniel Genkin, Luke Valenta, Yuval Yaro

    Prediction of Maximal Heart Rate in Children and Adolescents.

    OBJECTIVE: To identify a method to predict the maximal heart rate (MHR) in children and adolescents, as available prediction equations developed for adults have a low accuracy in children. We hypothesized that MHR may be influenced by resting heart rate, anthropometric factors, or fitness level. DESIGN: Cross-sectional study. SETTING: Sports medicine center in primary care. PARTICIPANTS: Data from 627 treadmill maximal exercise tests performed by 433 pediatric athletes (age 13.7 ± 2.1 years, 70% males) were analyzed. INDEPENDENT VARIABLES: Age, sex, sport type, stature, body mass, BMI, body fat, fitness level, resting, and MHR were recorded. MAIN OUTCOME MEASURES: To develop a prediction equation for MHR in youth, using stepwise multivariate linear regression and linear mixed model. To determine correlations between existing prediction equations and pediatric MHR. RESULTS: Observed MHR was 197 ± 8.6 b·min. Regression analysis revealed that resting heart rate, fitness, body mass, and fat percent were predictors of MHR (R = 0.25, P < 0.001), whereas age was not. Resting heart rate explained 15.6% of MHR variance, body mass added 5.7%, fat percent added 2.4%, and fitness added 1.2%. Existing adult equations had low correlations with observed MHR in children and adolescents (r = -0.03-0.34). CONCLUSIONS: A new equation to predict MHR in children and adolescents was developed, but was found to have low predictive ability, a finding similar to adult equations applied to children. CLINICAL RELEVANCE: Considering the narrow range of MHR in youth, we propose using 197 b·min as the mean MHR in children and adolescents, with 180 b·min the minimal threshold value (-2 standard deviations)

    To BLISS-B or not to be - Attacking strongSwan’s implementation of post-quantum signatures

    Session I1: Post-Quantum
    In the search for post-quantum secure alternatives to RSA and ECC, lattice-based cryptography appears to be an attractive and efficient option. A particularly interesting lattice-based signature scheme is BLISS, offering key and signature sizes in the range of RSA moduli. A range of works on efficient implementations of BLISS is available, and the scheme has seen a first real-world adoption in strongSwan, an IPsec-based VPN suite. In contrast, the implementation-security aspects of BLISS, and lattice-based cryptography in general, are still largely unexplored. At CHES 2016, Groot Bruinderink et al. presented the first side-channel attack on BLISS, thus proving that this topic cannot be neglected. Nevertheless, their attack has some limitations. First, the technique is demonstrated via a proof-of-concept experiment that was not performed under realistic attack settings. Furthermore, the attack does not apply to BLISS-B, an improved variant of BLISS and also the default option in strongSwan. This problem also applies to later works on implementation security of BLISS. In this work, we solve both of the above problems. We present a new side-channel key-recovery algorithm against both the original BLISS and the BLISS-B variant. Our key-recovery algorithm draws on a wide array of techniques, including learning-parity with noise, integer programs, maximum likelihood tests, and a lattice-basis reduction. With each application of a technique, we reveal additional information on the secret key culminating in a complete key recovery. Finally, we show that cache attacks on post-quantum cryptography are not only possible, but also practical. We mount an asynchronous cache attack on the production-grade BLISS-B implementation of strongSwan. The attack recovers the secret signing key after observing roughly 6000 signature generations.
    Peter Pessl, Leon Groot Bruinderink, Yuval Yaro

    Row, Row, Row Your Boat: How to Not Find Weak Keys in Pilsung

    The Pilsung cipher is part of the North Korean Red Star operating system, which was leaked to the West in 2014. Initial analysis by Kryptos Logic reported a possibility of a class of weak keys due to the use of pseudo-random diffusion. Following this lead, we analyzed the cipher and identified a small class of such weak keys. We developed techniques for searching for a key that belongs to the class. After spending thousands of CPU hours, we found a supposedly weak key for a slightly weaker version of Pilsung, but the key did not behave as we expected. On further investigation we found out a crucial misunderstanding in a critical part of the cipher and that no such class of weak keys exists in Pilsung. Thus, this paper makes two main contributions to the art of cryptanalysis. First, it identifies and shows how to investigate a potential weakness in randomizing diffusion, which although does not exist in Pilsung, may affect future designs. Second, it highlights the need for early verification of results in order to identify errors before expending significant resources.
    Chitchanok Chuengsatiansup, Eyal Ronen, Gregory G. Rose, and Yuval Yaro