Ruhr-Universität Bochum (RUB): Open Journal Systems
Revisiting Vector-Input MACs
At Eurocrypt 2006, Rogaway and Shrimpton (RS06) presented the idea of a vector-input MAC that accepts a vector consisting of variable-length bit strings. A vector-input MAC could be built on a conventional (bit) string-input MAC, e.g., CMAC, with an injective encoding. RS06 pointed out an efficiency loss in this method and presented a general construction, S2V, that is more efficient than the encoding-based method. RS06 made significant scientific and practical impacts on the field of mode constructions, in particular through the invention of deterministic authenticated encryption. However, despite its potential, their work on vector-input MAC has been largely overlooked for more than 18 years. We revisit RS06’s treatment of vector-input MAC and show that the topic is more subtle than initially considered. We first formally define the problem of vector-input MAC and propose a natural efficiency goal for vector-input MACs as a counterpart of what has been considered for string-input MACs. Since S2V with any string-input MAC mode never achieves this efficiency goal, we propose a family of new MAC modes, VecMAC, that achieves this goal. VecMAC has a similarity to the popular PMAC, in particular its idea of a tweak. However, the purpose of introducing the tweak is different from PMAC, and the tweak is tailored to handle vectors without redundant block cipher calls. We also provide implementation results that show an advantage over the conventional method.
Efficient and Compact Full-Domain Functional Bootstrapping via Subring Folding
Functional bootstrapping has emerged as a powerful tool in fully homomorphic encryption (FHE), integrating noise reduction and function evaluation. FHEW/TFHE-based functional bootstrapping has demonstrated high efficiency in evaluating arbitrary non-linear functions, such as typical activation functions in neural networks. Due to the algebraic properties of coefficient embedding over power-of-two cyclotomics, early constructions were limited to evaluating either a negacyclic function under full-domain encoding or an arbitrary function under half-domain encoding. To combine the advantages of arbitrary function evaluation and full-domain encoding, recent works have introduced various techniques to address the challenges posed by negacyclicity. Among these efforts, Xia et al. (TCC 2024) recently showed that this limitation can be entirely circumvented by evaluating the so-called equality test function. However, the substantial noise overhead in their theoretical framework presents a significant challenge toward concretely efficient implementations. In this work, we propose a new full-domain functional bootstrapping algorithm by refining the framework of Xia et al. Our approach introduces a new homomorphic equality test and incorporates several key insights into the Blind Rotation procedure (Chillotti et al., J. Cryptol. 2020), leveraging algebraic properties of power-of-two cyclotomics and their subrings. The resulting algorithm offers the following notable improvements over previous works: (1) one of the most compact bootstrapping key sizes due to significantly reduced noise growth, (2) the most efficient execution, with parallelism enabled by the independence of all involved Blind Rotations, and (3) the ability to evaluate an unbounded number of functions over the same input ciphertext with minimal additional computational cost.
Notably, our proof-of-concept implementation under IND-CPAD-secure parameters with multi-threaded CPU execution demonstrates that our new algorithm achieves a 1.4−1.6x speedup compared to the state of the art, alongside a 1.5−2.1x reduction in key size for plaintext precision of 4−6 bits. Our method provides a promising pathway toward parallel-friendly full-domain functional bootstrapping, with considerable potential for further acceleration on hardware platforms such as GPUs, FPGAs, and ASICs.
Rejected Signatures’ Challenges Pose New Challenges: Key Recovery of CRYSTALS-Dilithium via Side-Channel Attacks
Rejection sampling is a crucial security mechanism in lattice-based signature schemes that follow the Fiat-Shamir with aborts paradigm, such as ML-DSA/CRYSTALS-Dilithium. This technique transforms secret-dependent signature samples into ones that are statistically close to a secret-independent distribution (in the random oracle model). While many side-channel attacks have directly targeted sensitive data such as nonces, secret keys, and decomposed commitments, fewer studies have explored the potential leakage associated with rejection sampling. Notably, at HOST 2021, Karabulut et al. showed that leakage from rejected signatures’ challenges can undermine, but not entirely break, the security of the Dilithium scheme. Motivated by the above, we convert the problem of key recovery (from the leakage of rejection sampling) into an integer linear programming (ILP) problem, where rejected responses of unique Hamming weights set upper/lower constraints on the product between the challenge and the private key. We formally study the worst-case complexity of the problem and empirically confirm the practicality of the rejected signature’s challenge attack. For all three security levels of Dilithium-2/3/5, our attack recovers the private key in seconds or minutes with a 100% Success Rate (SR). Our attack leverages knowledge of the rejected signature’s challenge and response, and thus we propose methods to extract this information by exploiting single-trace side-channel leakage from Number Theoretic Transform (NTT) operations and functions associated with the response generation procedure. We demonstrate the practicality of this rejected signature’s challenge attack using real power consumption on an ARM Cortex-M4 microcontroller. To the best of our knowledge, it is the first practical and efficient side-channel key recovery attack on ML-DSA/Dilithium that targets the rejection sampling procedure. Furthermore, we discuss some countermeasures to mitigate this security issue.
Efficient Homomorphic Integer Computer from CKKS
As Fully Homomorphic Encryption (FHE) enables computation over encrypted data, it is a natural question how efficiently it handles standard integer computations like 64-bit arithmetic. It has long been believed that the CGGI/DM family or the BGV/BFV family are the best options, depending on the degree of parallelism. The discrete variant of CKKS, suggested by Drucker et al. [J.Cryptol.’24], provides an interesting alternative for integer computations. Notably, the modular reduction framework proposed by Kim and Noh [CiC’25], built on top of the CKKS-style functional bootstrapping by Bae et al. [Asiacrypt’24], gives efficient arithmetic modulo small integers. In this work, we propose a novel homomorphic computer for unsigned integer computations. We represent a large integer (e.g. 64-bit) as a vector of smaller chunks (e.g. 4-bit) and construct arithmetic operations relying on discrete CKKS. The proposed scheme supports many of the operations supported in TFHE-rs while outperforming it in terms of amortized running time. Notably, our homomorphic 64-bit multiplication takes 8.85ms per slot, which is more than three orders of magnitude faster than TFHE-rs.
TESLA: Trusted Execution Support for Legacy Embedded Applications
Legacy applications continue to be widely used in embedded systems, despite high maintenance costs, primarily due to the challenges involved in modifying them. Traditional Trusted Execution Environments (TEEs), though valuable for securing sensitive computations, fall short in supporting these legacy workloads. Most existing TEEs require significant application modifications or incur high system call overheads. Additionally, TEEs often enforce fixed enclave sizes, failing to accommodate the dynamic memory needs of applications. Many do not consider the security of I/O operations, and those that do expand the Trusted Computing Base (TCB) significantly, weakening the TEE. We present TESLA, a novel TEE architecture designed to natively support the execution of unmodified legacy applications on embedded systems. TESLA introduces Fluid Enclaves, which dynamically adjust enclave sizes based on the application’s runtime memory requirements. To minimize system call overheads, TESLA introduces Enclave Windows, which permit an untrusted Operating System temporary access to system call parameters within the enclave. TESLA also ensures confidentiality and integrity of I/O data exchanged between enclaves and peripherals. We have implemented a prototype of TESLA on a RISC-V processor running the Linux kernel, synthesizing it on an FPGA to demonstrate its feasibility. The evaluation quantifies the hardware and runtime performance overheads, demonstrating TESLA’s practicality and effectiveness in overcoming key limitations of existing TEEs.
Fault Attacks on ECC Signature Verification
Signature verification operations used in secure boot or firmware updates are the foundation of trusted devices. ECC-based signature schemes are preferred for these applications due to their smaller key and signature sizes. Despite their widespread use, we would like to highlight that there is no research available that analyzes the resilience of ECC-based signature verification operations against fault attacks. Therefore, we thoroughly investigate the feasibility of fault attacks on ECC-based signature verification. We cover both theoretical and implementation-specific attacks. We demonstrate that faults in elliptic curve points and parameters allow an adversary to forge signatures in ECGDSA and ECSDSA, while ECDSA and EdDSA remain resilient. The weakness lies in the Weierstraß curves used in the affected schemes. This allows an adversary to perform cryptographic operations on much weaker curves by corrupting at least a single bit. To assess the severity in practice, we evaluate two open-source secure boot implementations—MCUboot and wolfBoot—that use fault injection hardening. Interestingly, these examples do not employ any hardening within the underlying cryptographic libraries. We discovered several attacks on the implementation of the ECDSA and EdDSA verification algorithms. Here, a single instruction skip is sufficient to accept trivially forged signatures. To improve these and future implementations, we propose effective and efficient countermeasures. Our work fills a critical gap to motivate further research on more resilient cryptographic implementations.
Estratègies de traducció d'esdeveniments de moviment adlatius amb encreuament de límits
This article analyzes the translation strategies for adlative motion events with boundary crossing, focusing on the manner and path in satellite-framed (S) and verb-framed (V) languages. Building on Leonard Talmy’s lexicalization theory and Slobin’s ‘thinking-for-translating’ framework, the study examines the translations of the novel The Hunger Games from English (S-language) into German (S-language), Spanish, and Catalan (V-languages). The analysis highlights how the typological differences of each language affect the representation of these events, revealing significant variations in the strategies employed by translators. The findings offer deeper insights into the relationship between linguistic typology and the translation of motion events, emphasizing the cognitive-linguistic implications for translators.
Ucraïna, mon amour de Carles Torner o la (auto)traducció com un acte d'amor
This article aims to analyze Ucraïna, mon amour (Torner, 2023), a novel featuring the Catalan translator of I. B. Singer as a paradigmatic example of the so-called «transfiction». Singer’s presence, also portrayed as a character within the fiction, allows for a profound reflection on the intimate link between writing and translation, concurrently connecting the various 20th-century exiles with the current war in Ukraine. The analysis focuses on the multiple meanings and metaphors associated with translation, such as cultural bridge, journey, exile, survival, resistance, and, above all, love. Through the literary motif of translation, the intertextual dialogues with the works of the writer in Yiddish and other authors, including Carles Torner, will be explored. The article also examines different translation scenes that unfold throughout the novel.
A Preliminary Look into the Profiles of Adult Learners of Chinese as a Foreign Language in German-Speaking Countries
The European Government and many governments of its (former) member states demand more China expertise, including Chinese language skills. Fostering Chinese language education requires a thorough understanding of the target group of learners. The purpose of this article is to lay the foundation for a systematic and comprehensive analysis of the profile of at least one subgroup of learners of Chinese, namely adult learners at tertiary educational institutions in German-speaking countries.
It presents the results of a preliminary meta-study, including the data of 217 learners of Chinese. The information that can be extracted from the different studies includes personal data (age, sex, field of study, type of institution, native language(s)) and data on the individual learning biography (the number of previously learned languages, which languages were previously learned, the use of learning strategies, and the level of language awareness). Results show that these learners have, on average, a comparable number of previously studied foreign languages but include more multilingual speakers, compared to learners of Spanish. As experienced learners, they have certain preconditions and needs according to current L3 acquisition theories, which should be paid special attention to in teaching Chinese as a foreign language. Some suggestions are put forward on how to integrate transfer into the teaching of Chinese.
Sartre on imaginative presence
The question as to whether imaginative experience involves phenomenal presence is increasingly a subject of philosophical debate. In contrast to many contemporary thinkers who hold that waking imaginative experience and dreaming involve a feeling of presence, Jean-Paul Sartre (1940/2004, 1936/2012) argues that the phenomenology of presence accompanies perception only. Sartre thus rejects both that there is such a thing as “imaginative presence” and that dreaming involves the phenomenology of presence or a sense of immersion in a spatiotemporal dreamscape. This position puts him at odds with Amy Kind (2018), who holds that the imagination furnishes a sense of “presence in absence,” and with Jennifer Windt (2018) and Michael Barkasi (2021), among others, who hold that dreaming involves a feeling of immersion in an imagined spatiotemporal dreamscape. I argue that Sartre’s position on presence emerges from his theory of perception, which shares key objectives with contemporary naïve realism, and that his rejection of imaginative presence is consistent with the reasons why a contemporary naïve realist or relationalist would also reject the concept. This paper explains Sartre’s theory of phenomenal presence in the context of his theory of perception and contrasts his position on why a dreamer lacks a true sense of immersion in a dreamscape with the views of Windt and Barkasi.