
    Tornado: Automatic Generation of Probing-Secure Masked Bitsliced Implementations

    Cryptographic implementations deployed in real-world devices often aim at (provable) security against the powerful class of side-channel attacks while keeping reasonable performance. Last year at Asiacrypt, a new formal verification tool named tightPROVE was put forward to determine exactly whether a masked implementation is secure in the well-deployed probing security model for any given security order t. Also recently, a compiler named Usuba was proposed to automatically generate bitsliced implementations of cryptographic primitives. This paper goes one step further in security and performance achievements with a new automatic tool named Tornado. In a nutshell, from the high-level description of a cryptographic primitive, Tornado produces a functionally equivalent bitsliced masked implementation at any desired order, proven secure in the probing model and additionally in the so-called register probing model, which much better fits the reality of software implementations. This framework is obtained by the integration of Usuba with tightPROVE+, which extends tightPROVE with the ability to verify the security of implementations in the register probing model and to fix them by inserting refresh gadgets at carefully chosen locations. We demonstrate Tornado on the lightweight cryptographic primitives selected for the second round of the NIST competition which somehow claimed to be masking friendly. It advantageously displays the performance of the resulting masked implementations for several masking orders and proves their security in the register probing model.

    ESA's wind Lidar mission ADM-AEOLUS; on-going scientific activities related to calibration, retrieval and instrument operation

    The Earth Explorer Atmospheric Dynamics Mission (ADM-Aeolus) of ESA will be the first-ever satellite to provide global observations of wind profiles from space. Its single payload, namely the Atmospheric Laser Doppler Instrument (ALADIN), is a direct-detection high spectral resolution Doppler Wind Lidar (DWL), operating at 355 nm, with a fringe-imaging receiver (analysing aerosol and cloud backscatter) and a double-edge receiver (analysing molecular backscatter). In order to meet the stringent mission requirements on wind retrieval, ESA is conducting various science support activities for the consolidation of the on-ground data processing, calibration and sampling strategies. Results from a recent laboratory experiment to study Rayleigh-Brillouin scattering and improve the characterisation of the molecular lidar backscatter signal detected by the ALADIN double-edge Fabry-Perot receiver will be presented in this paper. The experiment produced the most accurate ever-measured Rayleigh-Brillouin scattering profiles for a range of temperatures, pressures and gases representative of Earth's atmosphere. The measurements were used to validate the Tenti S6 model, which is implemented in the ADM-Aeolus ground processor. First results from the on-going Vertical Aeolus Measurement Positioning (VAMP) study will also be reported. This second study aims at the optimisation of the ADM-Aeolus vertical sampling in order to maximise the information content of the retrieved winds, taking into account the atmospheric dynamical and optical heterogeneity. The impact of the Aeolus wind profiles on Numerical Weather Prediction (NWP) and stratospheric circulation modelling for the different vertical sampling strategies is also being estimated.

    Expression and trans-specific polymorphism of self-incompatibility RNases in Coffea (Rubiaceae)

    Self-incompatibility (SI) is widespread in the angiosperms, but identifying the biochemical components of SI mechanisms has proven to be difficult in most lineages. Coffea (coffee; Rubiaceae) is a genus of old-world tropical understory trees in which the vast majority of diploid species utilize a mechanism of gametophytic self-incompatibility (GSI). The S-RNase GSI system was one of the first SI mechanisms to be biochemically characterized, and likely represents the ancestral Eudicot condition as evidenced by its functional characterization in both asterid (Solanaceae, Plantaginaceae) and rosid (Rosaceae) lineages. The S-RNase GSI mechanism employs the activity of class III RNase T2 proteins to terminate the growth of "self" pollen tubes. Here, we investigate the mechanism of Coffea GSI and specifically examine the potential for homology to S-RNase GSI by sequencing class III RNase T2 genes in populations of 14 African and Madagascan Coffea species and the closely related self-compatible species Psilanthus ebracteolatus. Phylogenetic analyses of these sequences aligned to a diverse sample of plant RNase T2 genes show that the Coffea genome contains at least three class III RNase T2 genes. Patterns of tissue-specific gene expression identify one of these RNase T2 genes as the putative Coffea S-RNase gene. We show that populations of SI Coffea are remarkably polymorphic for putative S-RNase alleles, and exhibit a persistent pattern of trans-specific polymorphism characteristic of all S-RNase genes previously isolated from GSI Eudicot lineages. We thus conclude that Coffea GSI is most likely homologous to the classic Eudicot S-RNase system, which was retained since the divergence of the Rubiaceae lineage from an ancient SI Eudicot ancestor, nearly 90 million years ago.
    Funding: United States National Science Foundation [0849186]; Society of Systematic Biologists; American Society of Plant Taxonomists; Duke University Graduate School.

    Two philosophies for solving non-linear equations in algebraic cryptanalysis

    Algebraic Cryptanalysis [45] is concerned with solving particular systems of multivariate non-linear equations which occur in cryptanalysis. Many different methods for solving such problems have been proposed in the cryptanalytic literature: the XL and XSL methods, Gröbner bases, SAT solvers, as well as many others. In this paper we survey these methods and point out that the main working principle in all of them is essentially the same: one quantity grows faster than another quantity, which leads to a "phase transition" and the problem becomes efficiently solvable. We illustrate this with examples from both symmetric and asymmetric cryptanalysis. In this paper we also point out that there exists a second, more general way of formulating algebraic attacks through dedicated coding techniques which involve redundancy with the addition of new variables. This opens numerous new possibilities for the attackers and leads to interesting optimization problems where the existence of interesting equations may be somewhat deliberately engineered by the attacker.

    Distal radius fractures in children: substantial difference in stability between buckle and greenstick fractures

    Background and purpose: Numerous follow-up visits for wrist fractures in children are performed without therapeutic consequences. We investigated the degree to which the follow-up visits reveal complications and lead to a change in management. The stability of greenstick and buckle fractures of the distal radius was assessed by comparing the lateral angulation radiographically.

    Changing of the Guards: a simple and efficient method for achieving uniformity in threshold sharing

    Since they were first proposed as a countermeasure against differential power analysis (DPA) in 2006, threshold schemes have attracted a lot of attention from the community concentrating on cryptographic implementations. What makes threshold schemes so attractive from an academic point of view is that they come with an information-theoretic proof of resistance against a specific subset of side-channel attacks: first-order DPA. From an industrial point of view they are attractive because a careful threshold implementation forces adversaries to higher-order DPA, with all its problems such as noise amplification. A threshold scheme that offers the mentioned provable security must exhibit three properties: correctness, incompleteness and uniformity. A threshold scheme becomes more expensive with the number of shares that must be implemented, and the required number of shares is lower-bounded by the algebraic degree of the function being shared plus 1. Defining a correct and incomplete sharing of a function of degree d in d+1 shares is straightforward. However, up to now there is no generic method to achieve uniformity, and finding uniform sharings of degree-d functions with d+1 shares is an active research area. In this paper we present a simple and relatively cheap method to find a correct, incomplete and uniform (d+1)-share threshold scheme for any S-box layer consisting of degree-d invertible S-boxes. The uniformity is not implemented in the sharings of the individual S-boxes but rather at the S-box layer level, by the use of feed-forward and some expansion of shares. When applied to the Keccak-p nonlinear step Chi, its cost is very small.