Similar literature
20 similar documents found (search time 31 ms)
1.
The \(\mathsf {ASASA}\) construction is a new design scheme introduced at Asiacrypt 2014 by Biryukov, Bouillaguet and Khovratovich. Its versatility was illustrated by building two public-key encryption schemes, a secret-key scheme, as well as super S-box subcomponents of a white-box scheme. However, one of the two public-key cryptosystems was recently broken at Crypto 2015 by Gilbert, Plût and Treger. As our main contribution, we propose a new algebraic key-recovery attack able to break at once the secret-key scheme as well as the remaining public-key scheme, in time complexity \(2^{63}\) and \(2^{39}\), respectively (the security parameter is 128 bits in both cases). Furthermore, we present a second attack of independent interest on the same public-key scheme, which heuristically reduces the problem of breaking the scheme to an \(\mathsf {LPN}\) instance with tractable parameters. This allows key recovery in time complexity \(2^{56}\). Finally, as a side result, we outline a very efficient heuristic attack on the white-box scheme, which breaks instances claiming 64 bits of security under one minute on a laptop computer.

2.
MISTY1 is a block cipher designed by Matsui in 1997. It was well evaluated and standardized by projects, such as CRYPTREC, ISO/IEC, and NESSIE. In this paper, we propose a key recovery attack on the full MISTY1, i.e., we show that 8-round MISTY1 with 5 FL layers does not have 128-bit security. Many attacks against MISTY1 have been proposed, but there is no attack against the full MISTY1. Therefore, our attack is the first cryptanalysis against the full MISTY1. We construct a new integral characteristic by using the propagation characteristic of the division property, which was proposed in EUROCRYPT 2015. We first improve the division property by optimizing the division property for a public S-box and then construct a 6-round integral characteristic on MISTY1. Finally, we recover the secret key of the full MISTY1 with \(2^{63.58}\) chosen plaintexts and \(2^{121}\) time complexity. Moreover, if we use \(2^{63.994}\) chosen plaintexts, the time complexity for our attack is reduced to \(2^{108.3}\). Note that our cryptanalysis is a theoretical attack. Therefore, the practical use of MISTY1 will not be affected by our attack.

3.
The slide attack, presented by Biryukov and Wagner, has already become a classical tool in cryptanalysis of block ciphers. While it was used to mount practical attacks on a few cryptosystems, its practical applicability is limited, as, typically, its time complexity is lower bounded by \(2^n\) (where n is the block size). There are only a few known scenarios in which the slide attack performs better than the \(2^n\) bound. In this paper, we concentrate on efficient slide attacks, whose time complexity is less than \(2^n\). We present a number of new attacks that apply in scenarios in which previously known slide attacks are either inapplicable, or require at least \(2^n\) operations. In particular, we present the first known slide attack on a Feistel construction with a 3-round self-similarity, and an attack with practical time complexity of \(2^{40}\) on a 128-bit key variant of the GOST block cipher with unknown S-boxes. The best previously known attack on the same variant, with known S-boxes (by Courtois), has time complexity of \(2^{91}\).

5.
Differential thermal analysis (DTA) has been conducted on directionally solidified near-eutectic Sn-3.0 wt.%Ag-0.5 wt.%Cu (SAC), SAC \(+\) 0.2 wt.%Sb, SAC \(+\) 0.2 wt.%Mn, and SAC \(+\) 0.2 wt.%Zn. Laser ablation inductively coupled plasma mass spectroscopy was used to study element partitioning behavior and estimate DTA sample compositions. Mn and Zn additives reduced the undercooling of SAC from \(20.4^\circ \hbox {C}\) to \(4.9^\circ \hbox {C}\) and \(2^\circ \hbox {C}\), respectively. Measurements were performed at a cooling rate of \(10^\circ \hbox {C}\) per minute. After introducing 200 ppm \(\hbox {O}_2\) into the DTA, this undercooling reduction ceased for SAC \(+\) Mn but persisted for SAC \(+\) Zn.

6.
In typical applications of homomorphic encryption, the first step consists for Alice of encrypting some plaintext m under Bob's public key \(\mathsf {pk}\) and of sending the ciphertext \(c = \mathsf {HE}_{\mathsf {pk}}(m)\) to some third-party evaluator Charlie. This paper specifically considers that first step, i.e., the problem of transmitting c as efficiently as possible from Alice to Charlie. As others suggested before, a form of compression is achieved using hybrid encryption. Given a symmetric encryption scheme \(\mathsf {E}\), Alice picks a random key k and sends a much smaller ciphertext \(c' = (\mathsf {HE}_{\mathsf {pk}}(k), \mathsf {E}_k(m))\) that Charlie decompresses homomorphically into the original c using a decryption circuit \(\mathcal {C}_{{\mathsf {E}^{-1}}}\). In this paper, we revisit that paradigm in light of its concrete implementation constraints, in particular \(\mathsf {E}\) is chosen to be an additive IV-based stream cipher. We investigate the performances offered in this context by Trivium, which belongs to the eSTREAM portfolio, and we also propose a variant with 128-bit security: Kreyvium. We show that Trivium, whose security has been firmly established for over a decade, and the new variant Kreyvium have excellent performance. We also describe a second construction, based on exponentiation in binary fields, which is impractical but sets the lowest depth record to \(8\) for \(128\)-bit security.

7.
We prove that Tandem-DM, one of the two "classical" schemes for turning an n-bit blockcipher of 2n-bit key into a double-block-length hash function, has birthday-type collision resistance in the ideal cipher model. For \(n=128\), an adversary must make at least \(2^{120.87}\) blockcipher queries to achieve chance 0.5 of finding a collision. A collision resistance analysis for Tandem-DM achieving a similar birthday-type bound was already proposed by Fleischmann, Gorski and Lucks at FSE 2009. As we detail, however, the latter analysis is wrong, thus leaving the collision resistance of Tandem-DM as an open problem until now. Our analysis exhibits a novel feature in that we introduce a trick never used before in ideal cipher proofs. We also give an improved bound on the preimage security of Tandem-DM. For \(n=128\), we show that an adversary must make at least \(2^{245.99}\) blockcipher queries to achieve chance 0.5 of inverting a randomly chosen point in the range. Asymptotically, Tandem-DM is proved to be preimage resistant up to \(2^{2n}/n\) blockcipher queries. This bound improves upon the previous best bound of \({{\varOmega }}(2^n)\) queries and is optimal (ignoring log factors) since Tandem-DM has a range of size \(2^{2n}\).

8.
In this paper, we demonstrate new dissimilar refractive index profiles for highly nonlinear ultra-flattened dispersion fibers with noteworthy effective area \((A_\mathrm{eff})\) for future optical signal processing. The newly proposed fibers, named Type 1 to Type 5, have a flattened dispersion over the S, C, L and U bands. Predominantly, the few-mode HNL-UFF fiber of Type 3 yields dispersion-flattened characteristics over a range of 250 nm of the optical communication spectrum with a mere 0.2 ps/nm km variation in dispersion and a dispersion slope of \(0.0057\hbox { ps}/\hbox {nm}^{2}\) km due to the contribution of higher-order modes to the dispersion characteristics of the fiber. Moreover, it has a moderate nonlinear coefficient of \(8.03\hbox { W}^{-1}\,\hbox {km}^{-1}\). By modifying the refractive index profile of the Type 3 fiber, Type 4 and Type 5 fibers are obtained in order to ensure single-mode operation, while the zero flattened dispersion characteristics of the fiber are compromised. Among the newly proposed fibers, the Type 4 fiber offers a very low ITU-T cutoff wavelength of \(1.33~\upmu \hbox {m}\), whereas in the case of the Type 5 fiber it is \(1.38~\upmu \hbox {m}\). Moreover, Type 4 and Type 5 fibers have good nonlinear coefficients of \(12.26\hbox { W}^{-1}\,\hbox {km}^{-1}\) and \(11.45\hbox { W}^{-1}\,\hbox {km}^{-1}\), respectively. By virtue of the proposed optimized index profile, an insensitive behavior toward bending is displayed by the Type 3, Type 4 and Type 5 fibers. In addition, the Type 4 fiber provides a better splice loss of 0.25 dB.

9.
We give a detailed account of the use of \(\mathbb {Q}\)-curve reductions to construct elliptic curves over \(\mathbb {F}_{p^2}\) with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant–Lambert–Vanstone (GLV) and Galbraith–Lin–Scott (GLS) endomorphisms. Like GLS (which is a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves and thus finding secure group orders when \(p\) is fixed for efficient implementation. Unlike GLS, we also offer the possibility of constructing twist-secure curves. We construct several one-parameter families of elliptic curves over \(\mathbb {F}_{p^2}\) equipped with efficient endomorphisms for every \(p > 3\), and exhibit examples of twist-secure curves over \(\mathbb {F}_{p^2}\) for the efficient Mersenne prime \(p = 2^{127}-1\).

10.
The electronic and optical properties of armchair MoS\(_{2}\) nanoribbons with multiple stacking faults are investigated using first-principles calculations. It is interesting that the band gaps approach zero for armchair MoS\(_{2}\) nanoribbons with two and four stacking faults. The gaps of armchair MoS\(_{2}\) nanoribbons with one stacking fault and three stacking faults converge to 0.46 eV and 0.36 eV, respectively, which are smaller than those of perfect MoS\(_{2}\) nanoribbons. The partial charge density of armchair MoS\(_{2}\) nanoribbons with two stacking faults shows that the defect levels originate from the stacking faults. The frequency-dependent optical response (dielectric function, absorption, reflectance and electron energy loss spectra) is also presented. The optical results for monolayer MoS\(_{2}\) are in agreement with a previous study. The peaks in the imaginary part for perfect armchair MoS\(_{2}\) nanoribbons are at about 2.8 eV, 4.0 eV and 5.4 eV, and the peaks in the imaginary part for armchair MoS\(_{2}\) nanoribbons with stacking faults are mainly at 2.8 eV and 5.4 eV. They are independent of ribbon width. The peaks in the electron energy loss spectra move toward larger wavelengths (redshift) due to the introduction of stacking faults.

11.
The problem of permanent fault diagnosis has been discussed widely, and the diagnosability of many well-known networks has been explored. Faults of a multiprocessor system generally include permanent and intermittent ones, with intermittent faults regarded as the most challenging to diagnose. In this paper, we investigate the intermittent fault diagnosability of hyper Petersen networks. First, we derive that an \(n\)-dimensional hyper Petersen network \(HP_{n}\) with fault-free edges is \((n - 1)_{i}\)-diagnosable under the PMC model. Then, we investigate the intermittent fault diagnosability of \(HP_{n}\) with faulty edges under the PMC model. Finally, we prove that an \(n\)-dimensional hyper Petersen network \(HP_{n}\) is \((n - 2)_{i}\)-diagnosable under the MM* model.

12.
This paper presents a capacitor-free low dropout (LDO) linear regulator based on a dual loop topology. The regulator utilizes two feedback loops to satisfy the challenges of hearing aid devices, which include fast transient performance and small voltage spikes under rapid load-current changes. The proposed design works without the need of a decoupling capacitor connected at the output and operates with a 0–100 pF capacitive load. The design has been taped out in a \(0.18\,\upmu \hbox {m}\) CMOS process. The proposed regulator has a low component count, an area of \(0.012\, \hbox {mm}^2\) and is suitable for system-on-chip integration. It regulates the output voltage at 0.9 V from a 1.0–1.4 V supply. The measured results for a current step load from 250 to 500 \(\upmu \hbox {A}\) with a rise and fall time of \(1.5\,\upmu \hbox {s}\) are an overshoot of 26 mV and an undershoot of 26 mV with a settling time of \(3.5\,\upmu \hbox {s}\) when \(C_L\) is between 0 and 100 pF. The proposed LDO regulator consumes a quiescent current of only \(10.5\,\upmu \hbox {A}\). The design is suitable for applications with a current step edge time of 1 ns while maintaining a \(\Delta V_{out}\) of 64 mV.

13.
A fractor is a simple fractional-order system. Its transfer function is \(1/Fs^{\alpha }\); the coefficient, F, is called the fractance, and \(\alpha \) is called the exponent of the fractor. This paper presents how a fractor can be realized, using an RC ladder circuit, meeting the predefined specifications on both F and \(\alpha \). Besides, commonly reported fractors have \(\alpha \) between 0 and 1. So, their constant phase angles (CPA) are always restricted between \(0^{\circ }\) and \(-90^{\circ }\). This work has employed GIC topology to realize fractors from any of the four quadrants, which means fractors with \(\alpha \) between \(-2\) and \(+2\). Hence, one can achieve any desired CPA between \(+180^{\circ }\) and \(-180^{\circ }\). The paper also exhibits how these GIC parameters can be used to tune the fractance of emulated fractors in real time, thus realizing dynamic fractors. In this work, a number of fractors are developed as per the proposed technique, their impedance characteristics are studied, and fractance values are tuned experimentally.

14.
In this paper, we investigate the impact of the transmitter finite extinction ratio and the receiver carrier recovery phase offset on the error performance of two optically preamplified hybrid M-ary pulse position modulation (PPM) systems with coherent detection. The first system, referred to as PB-mPPM, combines polarization division multiplexing (PDM) with binary phase-shift keying and M-ary PPM, and the other system, referred to as PQ-mPPM, combines PDM with quadrature phase-shift keying and M-ary PPM. We provide new expressions for the probability of bit error for PB-mPPM and PQ-mPPM under finite extinction ratios and phase offset. The extinction ratio study indicates that the coherent systems PB-mPPM and PQ-mPPM outperform the direct-detection ones. It also shows that at \(P_b=10^{-9}\) PB-mPPM has a slight advantage over PQ-mPPM. For example, for a symbol size \(M=16\) and extinction ratio \(r=30\) dB, PB-mPPM requires 0.6 dB less SNR per bit than PQ-mPPM to achieve \(P_b=10^{-9}\). This investigation demonstrates that PB-mPPM is less complex and less sensitive to variations of the offset angle \(\theta \) than PQ-mPPM. For instance, for \(M=16\), \(r=30\) dB, and \(\theta =10^{\circ }\), PB-mPPM requires 1.6 dB less than PQ-mPPM to achieve \(P_b=10^{-9}\). However, the enhanced robustness of PB-mPPM to phase offset comes at the expense of a reduced bandwidth efficiency when compared to PQ-mPPM. For example, for \(M=2\) its bandwidth efficiency is 60 % of that of PQ-mPPM and \(\approx 86\,\%\) for \(M=1024\). For these reasons, PB-mPPM can be considered a reasonable design trade-off for M-ary PPM systems.

15.
The \(L_{1}\)-norm constrained normalized subband adaptive filter with variable norm-bound parameter \((L_{1}\hbox {NCNSAF-V})\) algorithm and its variable step size version VSS-\(L_{1}\)NCNSAF-V are proposed in this paper; they are superior to some existing algorithms in sparse systems. The proposed \(L_{1}\)NCNSAF-V is derived by using the Lagrange multiplier method, and the VSS-\(L_{1}\)NCNSAF-V is obtained by minimizing the statistical square of the Euclidean norm of the noise-free subband a posteriori error vector. The simulation results demonstrate that the proposed algorithms achieve good performance.

16.
In this paper, we first present an enhancement of the well-known Karatsuba 2-way and 3-way algorithms for characteristic three fields, denoted by \(\mathbb {F}_{3^{n}}\) where \(n \ge 1\). We then derive a 3-way polynomial multiplication algorithm with five 1/3-sized multiplications that uses interpolation in \(\mathbb {F}_{9}\). Following the computation of the arithmetic and delay complexity of the proposed algorithm, we provide the results of our hardware implementation of polynomial multiplications over \(\mathbb {F}_{3}\) and \(\mathbb {F}_{9}\). The final proposal is a new 3-way polynomial multiplication algorithm over \(\mathbb {F}_{3}\) that uses three polynomial multiplications of 1/3 of the original size over \(\mathbb {F}_{3}\) and one polynomial multiplication of 1/3 of the original size over \(\mathbb {F}_{9}\). We show that this algorithm represents about a 15% reduction in complexity over previous algorithms for polynomial multiplications whose sizes are of practical interest.

17.
In this paper, we propose and experimentally demonstrate a peak-to-average power ratio (PAPR) reduction scheme based on a new spreading code in a direct-detection optical orthogonal frequency division multiplexing (OFDM) system. The new spreading code, with low cross-correlation and high auto-correlation, can support \(2N+1\) users. Thus, \(2N+1\) users or data symbols can be transmitted over only N subcarriers. The experimental results show that, after transmission over 70 km of single-mode fiber, at a bit error rate of \(10^{-3}\) and with a fiber launch power of 2.75 dBm, the receiver sensitivity can be improved by 2.1 dB by using the proposed scheme based on the new spreading code. The PAPR can be reduced by about 4.6 dB compared with the original OFDM signal at a complementary cumulative distribution function of \(10^{-4}\).

18.
In this paper a novel high-frequency fully differential pure current mode current operational amplifier (COA) is proposed that is, to the authors' knowledge, the first pure MOSFET Current Mode Logic (MCML) COA in the world so far. Doing fully current mode signal processing and avoiding high impedance nodes in the signal path grant the proposed COA such outstanding properties as high current gain, broad bandwidth, and low voltage and low-power consumption. The principle of operation of the block is discussed and its outstanding properties are verified by HSPICE simulations using TSMC \(0.18\,\upmu \hbox {m}\) CMOS technology parameters. Pre-layout and post-layout simulations, both with Monte Carlo analysis, are performed under supply voltages of \(\pm 0.75\,\hbox {V}\) to investigate its robust performance in the presence of fabrication non-idealities. The pre-layout plus Monte Carlo results are as follows: 93 dB current gain, \(f_{-3\,\text {dB}}\) of \(8.2\,\hbox {MHz}\), \(89^{\circ }\) phase margin, 137 dB CMRR, \(13\,\Omega \) input impedance, \(89\,\hbox {M}\Omega \) output impedance and 1.37 mW consumed power. Post-layout plus Monte Carlo simulation results (generally believed to be as reliable and practical as measured ones) are also extracted and favorably show (in the same order as the pre-layout results) 88 dB current gain, \(f_{-3\,\text {dB}}\) of \(6.9\,\hbox {MHz}\), \(131^{\circ }\) phase margin, 96 dB CMRR, \(22\,\Omega \) input impedance, \(33\,\hbox {M}\Omega \) output impedance and only 1.43 mW consumed power. These results altogether prove both the excellent quality and the good resistance of the proposed COA against technology and fabrication non-idealities.

19.
There is an increasing demand for long-term ECG monitoring applications which are very low power, small size and capable of wireless data transmission. This paper presents an analog front-end and also a modulator for long-term ECG recording purposes. The fully integrated system features three independent channels and a modulator. The analog front-end includes a voltage-to-time conversion and a tunable modulator to achieve a very low power consumption for wireless transmission of the data without an analog-to-digital converter. The proposed system is designed and simulated in a \(0.18\,\upmu \hbox {m}\) CMOS technology and occupies only \(0.245\,\mathrm{mm}^{2}\). It can record ECG signals with 9.2-bit resolution while consuming only \(0.36\,\upmu {\mathrm{W}}\) per channel from a 0.9 V supply. Also, it can transmit data consuming just \(0.72\,{\upmu }\mathrm{W}\) per channel from a 0.9 V supply. The input referred noise of the readout channel is \(2.01\,\upmu {\mathrm{V}}_{{{\rm rms}}}\).

20.
In this paper, we derive the capacity of the asymmetric \({\text{Z}}^{2}\)-channel, which is presented for the first time as an optimization problem. Similar to the Z-channel, the proposed \({\text{Z}}^{2}\)-channel can be modelled as a practical interference wireless channel. In addition, the capacity behavior of the \({\text{Z}}^{2}\)-channel is discussed and some examples and simulation results for the capacity are presented. Also, a code plan based on a repetition code has been applied to the \({\text{Z}}^{2}\)-channel to simulate its performance and compare it with the original Z-channel. In conclusion, simulation results show that the \({\text{Z}}^{2}\)-channel can be used widely for different operating points.
