
    Information Bounds and Convergence Rates for Side-Channel Security Evaluators

    Current side-channel evaluation methodologies exhibit a gap between inefficient tools offering strong theoretical guarantees and efficient tools offering only heuristic (sometimes case-specific) guarantees. Profiled attacks based on the empirical leakage distribution belong to the first category: Bronchain et al. showed at Crypto 2019 that they allow bounding the worst-case security level of an implementation, but the bounds become loose as the leakage dimensionality increases. Template attacks and machine learning models are examples of the second category. In view of the increasing popularity of such parametric tools in the literature, a natural question is whether the information they can extract can be bounded. In this paper, we first show that a metric conjectured to be useful for this purpose, the hypothetical information, does not offer such a general bound: it only does when the assumptions exploited by a parametric model match the true leakage distribution. We therefore introduce a new metric, the training information, that provides the guarantees that were conjectured for the hypothetical information for practically relevant models. We next initiate a study of the convergence rates of profiled side-channel distinguishers, which clarifies, to the best of our knowledge for the first time, the parameters that influence the complexity of profiling. On the one hand, this has practical consequences for evaluators, as it can guide them in choosing the appropriate modeling tool depending on the implementation (e.g., protected or not) and the context (e.g., whether they are granted access to the countermeasures' randomness or not). It also allows anticipating the number of measurements needed to guarantee a sufficient model quality. On the other hand, our results connect and exhibit differences between side-channel analysis and statistical learning theory.
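The abstract's central claim, that the hypothetical information bounds the extractable information only when the model matches the true leakage distribution, can be checked on a small discrete leakage. The following is an added example, not code from the paper: it computes mutual, perceived and hypothetical information exactly from probability tables using the standard definitions from the side-channel evaluation literature. The leakage (a 1-bit key observed through a 1-bit channel that is wrong with probability eps) and the three candidate models are constructed for the example; the paper's training information is not defined on this page and is not reproduced.

```python
"""Added example, not code from the paper: mutual (MI), perceived (PI) and
hypothetical (HI) information for a discrete leakage, computed exactly from
probability tables.  Definitions are the standard ones from the side-channel
evaluation literature, with a prior on the key:
  MI = H[K] + sum_k Pr[k] sum_l Pr_true[l|k]  * log2 Pr_true[k|l]
  PI = H[K] + sum_k Pr[k] sum_l Pr_true[l|k]  * log2 Pr_model[k|l]
  HI = H[K] + sum_k Pr[k] sum_l Pr_model[l|k] * log2 Pr_model[k|l]
The paper's training information is not defined on this page and is not reproduced."""
from math import log2


def posterior(cond, prior):
    """Bayes: post[k][l] = Pr[k|l] from cond[k][l] = Pr[l|k] and a prior on k."""
    nk, nl = len(cond), len(cond[0])
    post = [[0.0] * nl for _ in range(nk)]
    for l in range(nl):
        z = sum(prior[k] * cond[k][l] for k in range(nk))
        for k in range(nk):
            post[k][l] = prior[k] * cond[k][l] / z if z else 0.0
    return post


def information(sampling, model, prior):
    """H[K] + sum_k Pr[k] sum_l sampling[k][l] * log2 Pr_model[k|l]:
    leakage is drawn from `sampling` and scored with the posterior of `model`."""
    post = posterior(model, prior)
    h_k = -sum(p * log2(p) for p in prior if p)
    acc = 0.0
    for k, p_k in enumerate(prior):
        for l, p_l in enumerate(sampling[k]):
            if p_l:  # a model giving zero posterior to a reachable (k, l) is infinitely bad
                acc += p_k * p_l * (log2(post[k][l]) if post[k][l] else float("-inf"))
    return h_k + acc


def mi(true, prior):
    """Mutual information: leakage drawn from and scored with the true distribution."""
    return information(true, true, prior)


def pi(true, model, prior):
    """Perceived information: leakage drawn from the device, scored with the model."""
    return information(true, model, prior)


def hi(model, prior):
    """Hypothetical information: leakage drawn from and scored with the model itself."""
    return information(model, model, prior)


def binary_channel(eps):
    """Constructed leakage: 1-bit key, 1-bit observation, wrong with probability eps."""
    return [[1 - eps, eps], [eps, 1 - eps]]


if __name__ == "__main__":
    prior = [0.5, 0.5]
    true = binary_channel(0.10)  # what the device really leaks (constructed)
    print(f"MI = {mi(true, prior):.3f} bit")
    for name, model in (("matched model", binary_channel(0.10)),
                        ("too pessimistic model", binary_channel(0.40)),
                        ("too confident model", binary_channel(0.01))):
        print(f"{name:22} PI = {pi(true, model, prior):.3f}  HI = {hi(model, prior):.3f}")
```

For the device leaking with eps = 0.10, MI is about 0.531 bit. PI never exceeds MI, whichever model scores the traces (scoring with a wrong posterior cannot gain information). HI, by contrast, lands below MI for the pessimistic model (eps = 0.40) and above it for the over-confident one (eps = 0.01), and coincides with MI only when the model matches: it bounds the extractable information only under the matching assumption, which is the point the abstract makes.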

    Evolution of and additional functionalities to the city energy planning platform MEU

    The MEU GIS-enabled web platform has been developed in close collaboration with four Swiss cities: it enables detailed monitoring and planning of both energy demand and supply at the individual building and neighbourhood level (http://meu.epfl.ch). Whereas the first version of the MEU platform could only run calculations for up to several hundred buildings at a time, the refactored version now gives access to entire cities comprising several thousand buildings at the same level of detail. On the one hand, the code architecture has been thoroughly revised and consolidated; on the other hand, the databases for the four partner cities are being completed, checked and corrected, and will eventually be made fully available for several years. A large test campaign is thus under way on the refactored version of the MEU platform. In the coming months, it will offer all the functionalities of the prototype version, including the construction and evaluation of complex energy scenarios. New functionalities are concurrently being added to the MEU platform, in particular for the energy networks. In the prototype version, these were only displayed: no network attributes (except geo-referencing) were introduced or used in calculations. The envisioned new functionalities will start to fill this important usability gap by adding detailed network attributes to the database structure and by allowing pre-dimensioning calculations based on selected energy scenarios that include the networks' characteristics (available power, temperatures/pressures, limiting dimensions, etc.). Energy supply-side aspects will thus be taken into account quantitatively, and the implications in terms of network extension/densification precisely determined.
    The natural gas network, which is – and shall continue to be – broadly present in all four partner cities, representing up to 30 % of the overall final territorial energy consumption, will be used as the first test case, in close collaboration with local multi-energy utilities.

    Discovery of a Celtic statue in the round at the sanctuary of Couan/Cobannus (Saint-Aubin-des-Chaumes, Nièvre)

    The sanctuary and the small ancient settlement of Couan are located about 7 km south-west of the town of Vézelay (Yonne), in the commune of Saint-Aubin-des-Chaumes (Nièvre). They developed at the western foot of a residual hill, at a fairly important crossing point, where the road known as the "Oxfordian cuesta road" passes; since the La Tène period this road has linked the middle Loire basin and the Meuse valley (VENAULT, NOUVEL dir., 2015). This comp..

    Randomness Generation for Secure Hardware Masking - Unrolled Trivium to the Rescue

    Masking is a prominent strategy to protect cryptographic implementations against side-channel analysis. Its popularity arises from the exponential security gains that can be achieved for (approximately) quadratic resource utilization. Many variants of the countermeasure tailored for different optimization goals have been proposed over the past decades. The common denominator among all of them is the implicit demand for robust and high entropy randomness. Simply assuming that uniformly distributed random bits are available, without taking the cost of their generation into account, leads to a poor understanding of the efficiency and performance of secure implementations. This is especially relevant in case of hardware masking schemes which are known to consume large amounts of random bits per cycle due to parallelism. Currently, there seems to be no consensus on how to most efficiently derive many pseudo-random bits per clock cycle from an initial seed and with properties suitable for masked hardware implementations. In this work, we evaluate a number of building blocks for this purpose and find that hardware-oriented stream ciphers like Trivium and its reduced-security variant Bivium B outperform all competitors when implemented in an unrolled fashion. Unrolled implementations of these primitives enable the flexible generation of many bits per cycle while maintaining high performance, which is crucial for satisfying the large randomness demands of state-of-the-art masking schemes. According to our analysis, only Linear Feedback Shift Registers (LFSRs), when also unrolled, are capable of producing long non-repetitive sequences of random-looking bits at a high rate per cycle even more efficiently than Trivium and Bivium B. Yet, these instances do not provide black-box security as they generate only linear outputs. 
    We experimentally demonstrate that using multiple output bits from an LFSR in the same masked implementation can violate probing security and even lead to harmful randomness cancellations. Circumventing these problems, and enabling an independent analysis of randomness generation and masking scheme, requires the use of cryptographically stronger primitives like stream ciphers. As a result of our studies, we provide an evidence-based estimate for the cost of securely generating n fresh random bits per cycle. Depending on the desired level of black-box security and operating frequency, this cost can be as low as 20n to 30n ASIC gate equivalents (GE) or 3n to 4n FPGA look-up tables (LUTs), where n is the number of random bits required. Our results demonstrate that the cost per bit is (sometimes significantly) lower than estimated in previous works, incentivizing parallelism whenever exploitable and potentially moving low randomness usage in hardware masking research from a primary to a secondary design goal.
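The two LFSR weaknesses the abstract names, no black-box security because the outputs are linear, and randomness cancellations when several output bits feed the same masked circuit, both follow from one fact: every output bit is a GF(2)-linear function of the initial state. The following is an added example, not code from the paper, that makes both visible on an assumed toy 8-bit Fibonacci LFSR (recurrence s[t+8] = s[t+6] ^ s[t+5] ^ s[t+4] ^ s[t]); the seed, the observed positions and the "12 bits per cycle" unrolling are constructed for the example, and the refresh helper is a toy stand-in for a gadget that XORs the bits into a share.

```python
"""Added example, not code from the paper: why LFSR output is not a black-box
randomness source for masking.  Every output bit is a GF(2)-linear function of
the initial state, so (1) any 8 linearly independent output bits give away the
whole stream and (2) drawing more bits per cycle than the state holds means
some of them XOR to zero for every seed: a randomness cancellation.
Assumed toy parameters: 8-bit Fibonacci LFSR, s[t+8] = s[t+6]^s[t+5]^s[t+4]^s[t]
(feedback polynomial x^8 + x^6 + x^5 + x^4 + 1)."""
from itertools import combinations

N = 8                     # state length in bits
FEEDBACK = (6, 5, 4, 0)   # s[t+N] = XOR of s[t+k] for k in FEEDBACK


def _run(initial, count):
    """Apply the recurrence to a list of initial values (ints combined by XOR)."""
    s = list(initial)
    while len(s) < count:
        t = len(s) - N
        nxt = 0
        for k in FEEDBACK:
            nxt ^= s[t + k]
        s.append(nxt)
    return s[:count]


def lfsr_bits(seed, count):
    """Concrete output bits s[0..count-1]; bit i of seed is s[i]."""
    return _run([(seed >> i) & 1 for i in range(N)], count)


def lfsr_masks(count):
    """Symbolic output bits: bit j of m[t] is set iff s[t] depends on seed bit j."""
    return _run([1 << j for j in range(N)], count)


def rank_gf2(vectors):
    """Rank of bitmask row vectors over GF(2) (xor basis keyed by leading bit)."""
    basis = {}
    for v in vectors:
        for lead in sorted(basis, reverse=True):
            if v >> lead & 1:
                v ^= basis[lead]
        if v:
            basis[v.bit_length() - 1] = v
    return len(basis)


def solve_seed(observations):
    """Recover the seed from observed bits {position: value} by Gaussian
    elimination over GF(2).  Returns None if the positions are linearly
    dependent (underdetermined) or the values are inconsistent."""
    masks = lfsr_masks(max(observations) + 1)
    basis = {}                                   # lead bit -> (row, rhs)
    for pos, rhs in observations.items():
        row = masks[pos]
        for lead in sorted(basis, reverse=True):
            if row >> lead & 1:
                row ^= basis[lead][0]
                rhs ^= basis[lead][1]
        if row == 0:
            if rhs:
                return None                      # contradictory observations
            continue                             # redundant observation
        basis[row.bit_length() - 1] = (row, rhs)
    if len(basis) < N:
        return None
    seed = 0
    for lead in sorted(basis):                   # back-substitute, low bits first
        row, rhs = basis[lead]
        parity = bin(row & ((1 << lead) - 1) & seed).count("1") & 1
        seed |= (rhs ^ parity) << lead
    return seed


def find_cancellation(positions, max_size=6):
    """Smallest subset of output positions whose bits XOR to zero for every
    seed, or None if no such subset of size <= max_size exists."""
    positions = sorted(positions)
    masks = lfsr_masks(positions[-1] + 1)
    for size in range(2, min(max_size, len(positions)) + 1):
        for subset in combinations(positions, size):
            acc = 0
            for p in subset:
                acc ^= masks[p]
            if acc == 0:
                return subset
    return None


def refresh_with(share, positions, seed):
    """Toy refresh: XOR the chosen LFSR bits into a share (stand-in for a gadget)."""
    bits = lfsr_bits(seed, max(positions) + 1)
    for p in positions:
        share ^= bits[p]
    return share


if __name__ == "__main__":
    seed = 0b10110001                                   # constructed seed
    stream = lfsr_bits(seed, 64)
    # Any 8 consecutive outputs form a state; from them the seed and the whole stream follow.
    print("seed recovered from s[40..47]:", solve_seed({i: stream[i] for i in range(40, 48)}) == seed)
    # s[8] = s[6]^s[5]^s[4]^s[0], so these 8 positions do not determine the seed.
    print("dependent positions give:", solve_seed({i: stream[i] for i in (0, 1, 2, 3, 4, 5, 6, 8)}))
    # Unrolled to 12 bits per cycle, the per-cycle bits have rank 8 and some of them cancel.
    cancel = find_cancellation(range(12))
    print("rank of 12 per-cycle bits:", rank_gf2(lfsr_masks(12)), "cancelling subset:", cancel)
    print("share 'refreshed' with those bits is unchanged:", refresh_with(1, cancel, seed) == 1)
```

Eight consecutive output bits are the register contents, so the seed and every future bit follow from them; that is the absence of black-box security. Unrolled to 12 bits per cycle, the per-cycle outputs span only 8 dimensions, and the first dependent subset found (five bits that XOR to zero for every seed) would leave a share that is "refreshed" with them exactly as it was. A stream cipher such as Trivium has no such linear relations among its outputs, which is what lets randomness generation and the masking scheme be analysed independently, as the abstract argues.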

    Leaf metabolic traits reveal hidden dimensions of plant form and function

    The metabolome is the biochemical basis of plant form and function, but we know little about its macroecological variation across the plant kingdom. Here, we used the plant functional trait concept to interpret leaf metabolome variation among 457 tropical and 339 temperate plant species. Distilling metabolite chemistry into five metabolic functional traits reveals that plants vary on two major axes of leaf metabolic specialization—a leaf chemical defense spectrum and an expression of leaf longevity. Axes are similar for tropical and temperate species, with many trait combinations being viable. However, metabolic traits vary orthogonally to life-history strategies described by widely used functional traits. The metabolome thus expands the functional trait concept by providing additional axes of metabolic specialization for examining plant form and function.

    Association of the PHACTR1/EDN1 genetic locus with spontaneous coronary artery dissection

    Background: Spontaneous coronary artery dissection (SCAD) is an increasingly recognized cause of acute coronary syndromes (ACS), afflicting predominantly younger to middle-aged women. Observational studies have reported a high prevalence of extracoronary vascular anomalies, especially fibromuscular dysplasia (FMD), and a low prevalence of coincidental cases of atherosclerosis. PHACTR1/EDN1 is a genetic risk locus for several vascular diseases, including FMD and coronary artery disease, with the putative causal noncoding variant at the rs9349379 locus acting as a potential enhancer for the endothelin-1 (EDN1) gene. Objectives: This study sought to test the association between the rs9349379 genotype and SCAD. Methods: Results from case-control studies from France, the United Kingdom, the United States, and Australia were analyzed to test the association with SCAD risk, including age at first event, pregnancy-associated SCAD (P-SCAD), and recurrent SCAD. Results: The previously reported risk allele for FMD (rs9349379-A) was associated with a higher risk of SCAD in all studies. In a meta-analysis of 1,055 SCAD patients and 7,190 controls, the odds ratio (OR) was 1.67 (95% confidence interval [CI]: 1.50 to 1.86) per copy of rs9349379-A. In a subset of 491 SCAD patients, the OR estimate was found to be higher for the association with SCAD in patients without FMD (OR: 1.89; 95% CI: 1.53 to 2.33) than in SCAD cases with FMD (OR: 1.60; 95% CI: 1.28 to 1.99). There was no effect of genotype on age at first event, P-SCAD, or recurrence. Conclusions: The first genetic risk factor for SCAD was identified in the largest study conducted to date for this condition. This genetic link may contribute to the clinical overlap between SCAD and FMD.