Ruhr-Universität Bochum (RUB): Open Journal Systems
Not a member yet
4280 research outputs found
Sort by
dCTIDH: Fast & Deterministic CTIDH
This paper presents dCTIDH, a CSIDH implementation that combines two recent developments into a novel state-of-the-art deterministic implementation. We combine the approach of deterministic variants of CSIDH with the batching strategy of CTIDH, which shows that the full potential of this key space has not yet been explored. This high-level adjustment in itself leads to a significant speed-up. To achieve an effective deterministic evaluation in constant time, we introduce WOMBats, a new approach to performing isogenies in batches, specifically tailored to the behavior required for deterministic CSIDH using CTIDH batching. Furthermore, we explore the two-dimensional space of optimal primes for dCTIDH, with regard to both the performance of dCTIDH in terms of finite-field operations per prime and the efficiency of finite-field operations, determined by the prime shape, in terms of cycles. This allows us to optimize both for choice of prime and scheme parameters simultaneously. Lastly, we implement and benchmark constant-time, deterministic dCTIDH. Our results show that dCTIDH not only outperforms state-of-the-art deterministic CSIDH, but even non-deterministic CTIDH: dCTIDH-2048 is faster than CTIDH-2048 by 17%, and is almost five times faster than dCSIDH-2048
Primitive-Level vs. Implementation-Level DPA Security: a Certified Case Study: (Pleading for Standardized Leakage-Resilient Cryptography)
Implementation-level countermeasures like masking can be applied to any cryptographic algorithm in order to mitigate Differential Power Analysis (DPA). Leveraging re-keying with a Leakage-Resilient PRF (LR-PRF) is an alternative countermeasure that requires a change of primitive. Both options rely on different security mechanisms: signal-to-noise ratio amplification for masking, signal reduction for LRPRFs. This makes their general comparison difficult and suggests the investigation of relevant case studies to identify when to use one or the other as an interesting research direction. In this paper, we provide such a case study and compare the security that can be obtained by using an unprotected hardware coprocessor, to be integrated into a leakage-resilient PRF, and a certified one, protected with implementation-level countermeasures. Both are available on “commercial off-the-shelf” devices and could be used for lightweight IoT applications. We first perform an in-depth analysis of these targets. It allows us to put forward the different evaluation challenges that they raise, and the similar to slightly better cost vs. security tradeoff that the leakage-resilient PRF offers in our experiments. We then discuss the advantages and limitations of both types of countermeasures. While there are contexts where the higher flexibility of masking is needed, we conclude that there are also applications that would strongly benefit from the simplicity of the LR-PRF’s design and evaluation. Positing that the lack of standards is the main impediment to their more widespread deployment, we therefore hope that our results can motivate such standardization efforts
Deep brain stimulation for psychiatric versus neurological disorders: A call for nuance
In Neuroethics: Agency in the Age of Brain Science (2023), Joshua May arrives at a cautiously optimistic appraisal of deep brain stimulation (DBS) for brain-based disorders. May does not, however, distinguish between disorders that are properly considered neurological and those that are properly considered psychiatric (or psychopathological). After motivating this distinction, I argue that May’s discussion of DBS fails to account for the added complexities and potential ethical harms of DBS for psychiatric conditions
Nuanced clinical neuroethics: A commentary on Joshua May’s Neuroethics: Agency in the age of brain science
In this commentary on Joshua May\u27s Neuroethics: Agency in the Age of Brain Science, I consider some of the implications of May\u27s analysis for clinical neuroethics. In particular, in view of May\u27s appeal to the power of valid consent to deal with some of the issues raised by neuro-interventions, I begin by highlighting that clinical neuroethicists often have to navigate a number of complexities in seeking to facilitate the valid consent of individuals who are potentially subject to various forms of vulnerability. I go on to consider whether May\u27s claim that neuro-interventions can elicit transformative experiences raises any problems for his appeal to consent in this context. In the latter half of the commentary, I consider May\u27s analysis of mental disorder and raise some potential areas of contrast between the concepts of responsibility in criminal justice and autonomy in the medical context. I conclude by suggesting that \u27nuanced neuroethics\u27 should not only be vigilant about the sources of empirical evidence it relies upon, it should also attend to the nuances of the particular contexts in which neuroethical arguments are made, and neuroethical concepts deployed
Review: Cantone, Katja F. / Olfert, Helena / Di Venanzio, Laura / Wolf-Farré, Patrick / Schroedler, Tobias / Gürsoy, Erkan (2024): Spracherhalt und Mehrsprachigkeit. Eine Einführung.
Rezension: Cantone, Katja F. / Olfert, Helena / Di Venanzio, Laura / Wolf-Farré, Patrick / Schroedler, Tobias / Gürsoy, Erkan (2024): Spracherhalt und Mehrsprachigkeit. Eine Einführung.Review: Cantone, Katja F. / Olfert, Helena / Di Venanzio, Laura / Wolf-Farré, Patrick / Schroedler, Tobias / Gürsoy, Erkan (2024): Spracherhalt und Mehrsprachigkeit. Eine Einführung
An Analysis of HMB-based SSD Rowhammer
Rowhammer has been shown to be an extensive attack vector. In the years since its discovery, numerous exploits have been shown, attacking a wide range of targets from kernels, through web browsers to machine learning models. These attacks were not always mounted from code running on the CPU of a system. Various devices peripheral to the CPU, like GPUs or networks cards can cause Rowhammer bit flips through DMA accesses to the main memory.
In this work, we take a look at solid state drives (SSDs) and if they can be exploited as confused deputies to perform Rowhammer attacks. With the introduction of NVMe, a standardized protocol that allows SSDs to communicate directly over PCIe with the CPU, SSDs have reached performance numbers of a million input/output operations per second. PCIe also enables SSDs to use DMA for direct accesses to the main memory. This lead to the introduction of the host memory buffer (HMB) feature, that allows SSDs to use a small fraction of the host DRAM. We are the first that reverse engineer how different SSDs utilize this host memory buffer and answer the question if the accesses from the SSD to the HMB are a potential attack vector to cause Rowhammer bit flips.
Our analysis of three SSDs shows, that bit flips in the HMB cause the SSDs to lock up, which results in a denial of service or, even worse, data loss. We also show how we can cause frequent accesses from the SSD to the HMB on all three SSDs. On one SSD, we reach 5000 DRAM accesses per refresh interval. We measure the Rowhammer impact of these accesses and show that they are effectively hammering the DRAM. However, 5000 DRAM accesses are not enough to cause Rowhammer bit flips, even on modern, highly vulnerable DRAM
Dialga: A Family of Low-Latency Tweakable Block Ciphers Using Multiple Linear Layers
In this paper, we propose Dialga, a family of low-latency tweakable block ciphers designed to support 128/256-bit tweaks and 256-bit keys. Dialga achieves significantly small latency by leveraging multiple novel strategies. These include the use of multiple linear layers with efficient cell permutations, which enhance security against differential and linear attacks with negligible hardware overhead. We also identify the optimal choice of S-boxes for these permutations using state-ofthe- art evaluation methods by SAT, enabling us to further reduce the delay of the round function. Besides, we design a reflection tweakey schedule that ensures strong security in the related-tweak setting and allows for encryption and decryption without delay overhead, reducing the circuit area. We conducted comprehensive hardware benchmarks involving Dialga and other primitives. As a result, Dialga achieves nearly half the delay of QARMAv2, while achieving approximately a 40% reduction in area, with the same claimed security
On the Plaintext Awareness of AEAD Schemes
Plaintext-awareness of AEAD schemes is one of the more obscure and easily misunderstood notions. Originally proposed by Andreeva et al., Mennink and Talnikar showed in 2025 that the original definitions are vague and leave too much room for interpretation. They presented new definitions and analyzed the three main AEAD compositions relative to the new definitions. In particular, they showed that MAC-then-Encrypt (MtE) is not plaintext-aware. However, they showed that an SIV-style variant is indeed plaintext-aware. In this work, we first show that their analysis contains a gap, voiding their proof. We show this by showing several attacks; against their choice of extractor, with trivial complexity, and against any extractor, with birthday-bound complexity. Next, we re-establish their results by designing a new extractor that captures their intended goal and prove a tight PA1 security bound. We also show that the result is not dependent on the encryption scheme used, by showing that an extractor can also be designed for sMtE[ΘCB3], a variant where the encryption step is done by an ΘCB3-like scheme. Afterwards, we strengthen their results, by revisiting other compositions. In particular, we show that Encrypt-then-MAC (EtM) is in fact PA2-secure. Furthermore, we show that SIV-style MtE cannot be PA2-secure. Additionally, we show that Encode-then-Encipher is also PA2-secure, but not beyond the first successful forgery. More importantly, we show that up to some necessary assumptions, PA2 and RAE are equivalent. This result, while positive, holds only up to the first successful forgery. This indicates that the PA2 formalization maybe too strong for practical schemes, since we believe RAE sufficient for intuitive security.Last but not least, we investigate the value of the notion of plaintext awareness. We look deeper into the relation between plaintext awareness and confidentiality. We show that the problem of confidentiality in the presence of release of unverified plaintext can be seen as a confidentiality-with-leakage problem in the simulatable leakage framework. In this regard, we start, by showing that PA1 security cannot imply confidentiality with leakage. Similarly, we compare our results to the AERUP notion of TOSC 2019. We show that a scheme can be AERUP secure but not secure against a somewhat straightforward left-or-right attack in the same model. This puts into question the meaning and relevance of the PA1 and AERUP security notions. Results based on these notions can be seen as providing security in a two-phase game, where the adversary does not observe any leakage after the first challenge query, as we argue in the paper. On the positive side, we show that if a scheme achieves IND-CPA, INT-RUP and PA2, then it achieves confidentiality with leakage for the appropriate leakage function. This closes a gap in the literature on the relation between confidentiality with leakage and RUP notions
Generic Attacks on Double Block Length Sponge Hashing
The sponge construction is one of the main modes of operation for hash functions. Using a permutation of width b = r + c, the sponge construction with rate r and capacity c is indifferentiable up to Ω(2c/2) permutation calls. In this paper we study variants of the sponge construction that use two permutations in parallel in order to increase the state size: the XOR combiner, and the double sponge construction of Lefevre and Mennink. We focus on the indifferentiability security, and we obtain new distinguishers on these constructions based on a variant of the 4-sum problem that we denote the multiple 4-sum problem.First, we show that the XOR combiner does not increase the indifferentiability bound when applied to sponge hash functions, with a tight generic attack with complexity ˜Õ(2c/2). This improves over folklore results that require ˜Õ(2b/2) operations to find internal state collisions, and justifies the more involved double sponge construction. Indeed, by mixing the two internal states after every permutation call, the double sponge achieves security beyond the birthday bound, with a security proof up to Ω(22c/3) permutation calls. However, the proof is not tight: the best generic attack has complexity O(2c+r/2), and Lefevre and Mennink show a simulator-specific attack with complexity O(22c/3+r/3). We reduce this gap by showing a dedicated attack against the double sponge, with complexity O(2c) in general, and O(max(23c/4, 2c−r/3)) with the specific mixing matrix used by Lefevre and Mennink. In particular, we observe that the complexity of our attack decreases with r (for a fixed c), while previous attacks have a complexity that increases with r
Designing diverse Grammar Education: Considerations on the Alignment of Learning Content and Heterogeneous Learning Requirements from Psycholinguistic, Cognitive Psychological, and (Special) Educational Perspective
Die Frage danach, wie heterogene Lernvoraussetzungen im Unterricht adäquat berücksichtigt und aufgegriffen werden können, ist ein zentrales Thema der deutschdidaktischen Forschung – und stellt sich auch für die Gestaltung von Grammatikunterricht. Unser Beitrag untersucht, wie eine stärkere interdisziplinäre Betrachtung des Grammatikunterrichts zu seiner heterogenitätssensiblen Ausrichtung beitragen kann. Dazu nehmen wir gezielt unterschiedliche Perspektiven ein: Auf Grundlage psycholinguistischer, kognitionspsychologischer und (sonder)pädagogischer Erkenntnisse wird eruiert, welchen Beitrag diese Disziplinen für einen heterogenitätssensiblen Grammatikunterricht leisten können. Darauf aufbauend werden grammatikdidaktische Implikationen und Potenziale skizziert. Diese ergänzen sich und zeigen die Notwendigkeit, curriculare Vorgaben kritisch zu hinterfragen und Unterrichtsziele stärker an die Bedürfnisse heterogener Lerngruppen anzupassen.The question of how to adequately address and respond to heterogeneous learning prerequisites in the classroom is a central issue in language education research, and particularly relevant for the teaching of grammar as well. This paper explores the potential of an interdisciplinary perspective on grammar education to support a heterogeneity-sensitive planning and implementation of instruction. To this end, we deliberately adopt an interdisciplinary lens: Drawing on insights from psycholinguistics, cognitive psychology, and (special) education, we examine how these disciplines can contribute to a heterogeneity-sensitive grammar education. Based on this, we outline implications and potentials for grammar didactics. The implications derived from these three different perspectives complement one another and highlight the need to critically reflect on curricular requirements and to adapt instructional goals more closely to the needs of diverse learner groups