
    Verified Correctness and Security of mbedTLS HMAC-DRBG

    We have formalized the functional specification of HMAC-DRBG (NIST 800-90A), and we have proved its cryptographic security--that its output is pseudorandom--using a hybrid game-based proof. We have also proved that the mbedTLS implementation (C program) correctly implements this functional specification. That proof composes with an existing C compiler correctness proof to guarantee, end-to-end, that the machine language program gives strong pseudorandomness. All proofs (hybrid games, C program verification, compiler, and their composition) are machine-checked in the Coq proof assistant. Our proofs are modular: the hybrid game proof holds on any implementation of HMAC-DRBG that satisfies our functional specification. Therefore, our functional specification can serve as a high-assurance reference. Comment: Appearing in CCS '1

    The Flow of Family Transitions of Australian Families

    Family structure disruption has been linked to negative child educational and health outcomes (Perales et al. 2016). Australia has relatively stable families, but income disparities between Australians are widening, and single-parent families make up a large proportion of families living in poverty. Cohabitation is also common in Australia with approximately three-quarters of marriages preceded by cohabitation. If substantial family structure churning affects Australian children this may expose a need for special policy interventions aimed at family creation and dissolution to ameliorate the negative effects of such stressful experiences. To highlight family structures and transitions Australian children experience, we use Sankey flow diagrams charting data from ‘Growing Up in Australia: The Longitudinal Study of Australian Children (LSAC)’ (Gilding 2001). We track children from birth to 11 years old using waves 1-6 and population weights to represent 183,521 children born into Australian families

    Reassessing the cardiac box: A comprehensive evaluation of the relationship between thoracic gunshot wounds and cardiac injury

    Background: High energy missiles can cause cardiac injury regardless of entrance site. This study assesses the adequacy of the anatomic borders of the current “cardiac box” to predict cardiac injury. Methods: Retrospective autopsy review was performed to identify patients with penetrating torso gunshot wounds 2011-2013. Using a circumferential grid system around the thorax, logistic regression analysis was performed to detect differences in rates of cardiac injury from entrance/exit wounds in the “cardiac box” vs. the same for entrance/exit wounds outside the box. Analysis was repeated to identify regions to compare risk of cardiac injury between the current cardiac box and other regions of the thorax. Results: Over the study period, 263 patients (89% male, mean age = 34 years, median injuries/person = 2) sustained 735 wounds [80% gunshot wounds (GSWs)], and 239 patients with 620 GSWs were identified for study. Of these, 95 (34%) injured the heart. Of the 257 GSWs entering the cardiac box, 31% caused cardiac injury while 21% of GSWs outside the cardiac box (n = 67) penetrated the heart, suggesting that the current “cardiac box” is a poor predictor of cardiac injury relative to the thoracic non-“cardiac box” regions [Relative Risk (RR) 0.96; p=0.82]. The regions from the anterior to posterior midline of the left thorax provided the highest positive predictive value (41%) with high sensitivity (90%) while minimizing false positives, making this region the most statistically significant discriminator of cardiac injury (RR 2.9; p=0.01). Conclusion: For GSWs, the current cardiac box is inadequate to discriminate whether a gunshot wound will cause a cardiac injury. As expected, entrance wounds nearest to the heart are the most likely to result in cardiac injury, but, from a clinical standpoint, it is best to think outside the “box” for GSWs to the thorax

    Elliptic Curve Cryptography in Practice

    In this paper, we perform a review of elliptic curve cryptography (ECC), as it is used in practice today, in order to reveal unique mistakes and vulnerabilities that arise in implementations of ECC. We study four popular protocols that make use of this type of public-key cryptography: Bitcoin, secure shell (SSH), transport layer security (TLS), and the Austrian e-ID card. We are pleased to observe that about 1 in 10 systems support ECC across the TLS and SSH protocols. However, we find that despite the high stakes of money, access and resources protected by ECC, implementations suffer from vulnerabilities similar to those that plague previous cryptographic systems

    Uncertainty quantification for phase-space boundary integral models of ray propagation

    Vibrational and acoustic energy distributions of wave fields in the high-frequency regime are often modeled using flow transport equations. This study concerns the case when the flow of rays or non-interacting particles is driven by an uncertain force or velocity field and the dynamics are determined only up to a degree of uncertainty. A boundary integral equation description of wave energy flow along uncertain trajectories in finite two-dimensional domains is presented, which is based on the truncated normal distribution, and interpolates between a deterministic and a completely random description of the trajectory propagation. The properties of the Gaussian probability density function appearing in the model are applied to derive expressions for the variance of a propagated initial Gaussian density in the weak noise case. Numerical experiments are performed to illustrate these findings and to study the properties of the stationary density, which is obtained in the limit of infinitely many reflections at the boundary

    Nonlinear Differential Equations Satisfied by Certain Classical Modular Forms

    A unified treatment is given of low-weight modular forms on \Gamma_0(N), N=2,3,4, that have Eisenstein series representations. For each N, certain weight-1 forms are shown to satisfy a coupled system of nonlinear differential equations, which yields a single nonlinear third-order equation, called a generalized Chazy equation. As byproducts, a table of divisor function and theta identities is generated by means of q-expansions, and a transformation law under \Gamma_0(4) for the second complete elliptic integral is derived. More generally, it is shown how Picard-Fuchs equations of triangle subgroups of PSL(2,R), which are hypergeometric equations, yield systems of nonlinear equations for weight-1 forms, and generalized Chazy equations. Each triangle group commensurable with \Gamma(1) is treated. Comment: 40 pages, final version, accepted by Manuscripta Mathematic

    Sugar maple (Acer saccharum Marsh.) growth is influenced by close conspecifics and skid trail proximity following selection harvest

    In this study, we quantified the effects of local neighbourhood competition, light availability, and proximity to skid trails on the growth of sugar maple (Acer saccharum Marsh.) trees following selection harvest. We hypothesized that growth would increase with decreasing competition and increasing light availability, but that proximity to skid trails would negatively affect growth. A total of 300 sugar maples were sampled 10 years after selection harvesting in 18 stands in Témiscamingue (Québec, Canada). Detailed tree and skid trail maps were obtained in one 0.4 ha plot per stand. Square-root transformed radial growth data were fitted to a linear mixed model that included tree diameter, crown position, a neighbourhood competition index, light availability (estimated using the SORTIE light model), and distance to the nearest skid trail as explanatory variables. We considered various distance-dependent or -independent indices based on neighbourhood radii ranging from 6 to 12 m. The competition index that provided the best fit to the data was a distance-dependent index computed in a 6 m search radius, but a distance-independent version of the competition index provided an almost equivalent fit to data. Models corresponding to all combinations of main effects were fit to data using maximum likelihood, and weighted averages of parameter estimates were obtained using multimodel inference. All predictors had an influence on growth, with the exception of light. Radial growth decreased with increasing tree diameter, level of competition and proximity to skid trails, and varied among crown positions with trees in suppressed and intermediate positions having lower growth rates than codominants and dominants. Our results indicate that in selection managed stands, the radial growth of sugar maple trees depends on competition from close (6 m) conspecific neighbours, and is still affected by proximity to skid trails 10 years after harvesting. Such results underscore the importance of minimizing the extent of skid trail networks by careful pre-harvest planning of trail layout. We also conclude that the impact of heterogeneity among individual-tree neighbourhoods, such as those resulting from alternative spatial patterns of harvest, can usefully be integrated into models of post-harvest tree growth

    Measuring small subgroup attacks against Diffie-Hellman

    Several recent standards, including NIST SP 800-56A and RFC 5114, advocate the use of “DSA” parameters for Diffie-Hellman key exchange. While it is possible to use such parameters securely, additional validation checks are necessary to prevent well-known and potentially devastating attacks. In this paper, we observe that many Diffie-Hellman implementations do not properly validate key exchange inputs. Combined with other protocol properties and implementation choices, this can radically decrease security. We measure the prevalence of these parameter choices in the wild for HTTPS, POP3S, SMTP with STARTTLS, SSH, IKEv1, and IKEv2, finding millions of hosts using DSA and other non-“safe” primes for Diffie-Hellman key exchange, many of them in combination with potentially vulnerable behaviors. We examine over 20 open-source cryptographic libraries and applications and observe that until January 2016, not a single one validated subgroup orders by default. We found feasible full or partial key recovery vulnerabilities in OpenSSL, the Exim mail server, the Unbound DNS client, and Amazon’s load balancer, as well as susceptibility to weaker attacks in many other applications