National Institute of Standards and Technology における超伝導研究及び生活

Some readers know to play the game of nim well, fewer play a perfect annihilation game, and nobody knows whether there exists an opening move in chess that will guarantee a win for white. These games and many more, belong to the family of combinatorial games, by which we mean the set of all two-player perfect-information games without chance moves and with outcomes lose or win (and sometimes: dynamic tie). The motivation for ONAG may have been, and perhaps was-and I would like to think that it was-the attempt to bridge the theory gap between nim-like and chess-like games. Why is there a gap? Every combinatorial game can be described as a directed graph called game-graph, whose vertices are the game positions, and (u, v) is a directed edge if and only if there is a move from position u to position v. Denote by N the set of all positions from which the Next (first) player can force a win; by P the set of all positions from which the Previous (second) player can force a win; and by T the set of all (dynamic) Tie positions, which are positions from which no player can force a win and therefore both can avoid losing. In an acyclic game-graph there cannot be any tie positions. The N, P, T classification of any game graph R = (V, E) can be determined in 0(\V\ + \E\) steps [8]. For both nim and chess, a finite game-graph can be constructed and the N, P, T classification can be determined. So both games are solvable in principle. If we play nim with n piles, each pile containing at most k tokens, then the game-graph contains (k + \) vertices. Suppose that in (generalized) chess played on an « X « board there are k different pieces. If k is about n/2, then the game-graph of chess contains O (2") vertices. So both game-graphs have exponentially many vertices, and thus both games appear intractable in the usual sense of computational complexity [1, Chapter 10], [14, Chapter 9], namely a computation appears to be required which is asymptotically exponential. From a computational efficiency standpoint, the essential difference between nim and chess is that nim can be viewed as a disjunctive compound (sum) of independent games, namely the individual piles. A disjunctive

http://ieeexplore.ieee.org/iel5/5/31266/01455274.pdf

On numbers and games

Congestion control (CC) is the key to achieving ultra-low latency, high bandwidth and network stability in high-speed networks. From years of experience operating large-scale and high-speed RDMA networks, we find the existing high-speed CC schemes have inherent limitations for reaching these goals. In this paper, we present HPCC (High Precision Congestion Control), a new high-speed CC mechanism which achieves the three goals simultaneously. HPCC leverages in-network telemetry (INT) to obtain precise link load information and controls traffic precisely. By addressing challenges such as delayed INT information during congestion and overreac-tion to INT information, HPCC can quickly converge to utilize free bandwidth while avoiding congestion, and can maintain near-zero in-network queues for ultra-low latency. HPCC is also fair and easy to deploy in hardware. We implement HPCC with commodity programmable NICs and switches. In our evaluation, compared to DCQCN and TIMELY, HPCC shortens flow completion times by up to 95%, causing little congestion even under large-scale incasts.

https://dl.acm.org/doi/pdf/10.1145/3341302.3342085

HPCC: high precision congestion control

We propose two systematic methods to describe the differential property of an S-box with linear inequalities based on logical condition modelling and computational geometry respectively. In one method, inequalities are generated according to some conditional differential properties of the S-box; in the other method, inequalities are extracted from the H-representation of the convex hull of all possible differential patterns of the S-box. For the second method, we develop a greedy algorithm for selecting a given number of inequalities from the convex hull. Using these inequalities combined with Mixed-integer Linear Programming (MILP) technique, we propose an automatic method for evaluating the security of bit-oriented block ciphers against the (related-key) differential attack with several techniques for obtaining tighter security bounds, and a new tool for finding (related-key) differential characteristics automatically for bit-oriented block ciphers.

/pdf/automatic-security-evaluation-and-related-key-differential-5erle8kbwv.pdf

Automatic Security Evaluation and (Related-key) Differential Characteristic Search: Application to SIMON, PRESENT, LBlock, DES(L) and Other Bit-Oriented Block Ciphers

Evoked by the increasing need to integrate side-channel countermeasures into security-enabled commercial devices, evaluation labs are seeking a standard approach that enables a fast, reliable and robust evaluation of the side-channel vulnerability of the given products. To this end, standardization bodies such as NIST intend to establish a leakage assessment methodology fulfilling these demands. One of such proposals is the Welch’s t-test, which is being put forward by Cryptography Research Inc., and is able to relax the dependency between the evaluations and the device’s underlying architecture. In this work, we deeply study the theoretical background of the test’s different flavors, and present a roadmap which can be followed by the evaluation labs to efficiently and correctly conduct the tests. More precisely, we express a stable, robust and efficient way to perform the tests at higher orders. Further, we extend the test to multivariate settings, and provide details on how to efficiently and rapidly carry out such a multivariate higher-order test. Including a suggested methodology to collect the traces for these tests, we point out practical case studies where different types of t-tests can exhibit the leakage of supposedly secure designs.

/pdf/leakage-assessment-methodology-f0yjbgp6i4.pdf

Leakage Assessment Methodology

Modern datacenter networks provide very high capacity via redundant Clos topologies and low switch latency, but transport protocols rarely deliver matching performance. We present NDP, a novel data-center transport architecture that achieves near-optimal completion times for short transfers and high flow throughput in a wide range of scenarios, including incast. NDP switch buffers are very shallow and when they fill the switches trim packets to headers and priority forward the headers. This gives receivers a full view of instantaneous demand from all senders, and is the basis for our novel, high-performance, multipath-aware transport protocol that can deal gracefully with massive incast events and prioritize traffic from different senders on RTT timescales. We implemented NDP in Linux hosts with DPDK, in a software switch, in a NetFPGA-based hardware switch, and in P4. We evaluate NDP's performance in our implementations and in large-scale simulations, simultaneously demonstrating support for very low-latency and high throughput.

/pdf/re-architecting-datacenter-networks-and-stacks-for-low-52b8xzwdgd.pdf

Re-architecting datacenter networks and stacks for low latency and high performance

The development of a leakage detection testing methodology for the side-channel resistance of cryptographic devices is an issue that has received recent focus from standardisation bodies such as NIST. Statistical techniques such as hypothesis and significance testing appear to be ideally suited for this purpose. In this work we evaluate the candidacy of three such detection tests: a t-test proposed by Cryptography Research Inc., and two mutual information-based tests, one in which data is treated as continuous and one as discrete. Our evaluation investigates three particular areas: statistical power, the effectiveness of multiplicity corrections, and computational complexity. To facilitate a fair comparison we conduct a novel a priori statistical power analysis of the three tests in the context of side-channel analysis, finding surprisingly that the continuous mutual information and t-tests exhibit similar levels of power. We also show how the inherently parallel nature of the continuous mutual information test can be leveraged to reduce a large computational cost to insignificant levels. To complement the a priori statistical power analysis we include two real-world case studies of the tests applied to software and hardware implementations of the AES.

/pdf/does-my-device-leak-information-an-a-priori-statistical-402jck8lu1.pdf

Does My Device Leak Information? An a priori Statistical Power Analysis of Leakage Detection Tests

Time matters. In a networked world, we would like mobile devices to provide a crisp user experience and applications to instantaneously return results. Unfortunately, application performance does not depend solely on processing time, but also on a number of different components that are commonly counted in the overall system latency. Latency is more than just a nuisance to the user, poorly accounted-for, it degrades application performance. In fields such as high frequency trading, as well as in many data centers, latency translates easily to financial losses. Research to date has focused on specific contributions to latency: from improving latency within the network to latency control on the application level. This paper takes an holistic approach to latency, and aims to provide a break-down of end-to-end latency from the application level to the wire. Using a set of crafted experiments, we explore the many contributors to latency. We assert that more attention should be paid to the latency within the host, and show that there is no silver bullet to solve the end-to-end latency challenge in data centers. We believe that a better understanding of the key elements influencing data center latency can trigger a more focused research, improving the user’s quality of experience.

Where Has My Time Gone

Due to their performance and flexibility, FPGAs are an attractive platform for the execution of network functions. It has been a challenge for a long time though to make FPGA programming accessible to a large audience of developers. An appealing solution is to compile code from a general-purpose language to hardware using high-level synthesis. Unfortunately, current approaches to implement rich network functionality are insufficient because they lack: (i) libraries with abstractions for common network operations and data structures, (ii) bindings to the underlying "substrate" on the FPGA, and (iii) debugging and profiling support.

This paper describes Emu, a new standard library for an FPGA hardware compiler that enables developers to rapidly create and deploy network functionality. Emu allows for high-performance designs without being bound to particular packet processing paradigms. Furthermore, it supports running the same programs on CPUs, in Mininet, and on FPGAs, providing a better development environment that includes advanced debugging capabilities. We demonstrate that network functions implemented using Emu have only negligible resource and performance overheads compared with natively-written hardware versions.

/pdf/emu-rapid-prototyping-of-networking-services-48jbxquxd5.pdf

Emu: rapid prototyping of networking services

An increasing number of embedded security applications—which traditionally have been heavily reliant on secret and/or proprietary solutions—apply the principle of open evaluation. A recent example is the specification of an open security protocol stack for car immobilizer applications by Atmel, which has been presented at ESCAR 2010. This stack is primarily intended to be used in conjunction with automotive transponder chips of this manufacturer, but could in principle be deployed on any suitable type of transponder chip. In this paper we re-evaluate the security of this protocol stack. We were able to uncover a number of security vulnerabilities. We show that an attacker with a cheap standard reader close to such a car key can track it, lock sections of its EEPROM, and even render its immobilizer functionality completely useless. After eavesdropping on a genuine run of the authentication protocol between the car key and the car, an attacker is enabled to read and write the memory of the car key. Furthermore, we point out the threats of relay attacks and session hijacking, which require slightly more elaborate attack setups. For each of the indicated attacks we propose possible fixes and discuss their overhead.

/pdf/security-analysis-of-an-open-car-immobilizer-protocol-stack-4yg4hr1k8o.pdf

Marcin Wójcik

Papers

Re-architecting datacenter networks and stacks for low latency and high performance

Does My Device Leak Information? An a priori Statistical Power Analysis of Leakage Detection Tests

Where Has My Time Gone

Emu: rapid prototyping of networking services

Security Analysis of an Open Car Immobilizer Protocol Stack