Breaking The FF3 Format-Preserving Encryption Standard Over Small Domains

The National Institute of Standards and Technology (NIST) recently published a Format-Preserving Encryption standard accepting two Feistel structure based schemes called FF1 and FF3. Particularly, FF3 is a tweakable block cipher based on an 8-round Feistel network. In CCS~2016, Bellare et. al. gave an attack to break FF3 (and FF1) with time and data complexity $O(N^5\log(N))$, which is much larger than the code book (but using many tweaks), where $N^2$ is domain size to the Feistel network. In this work, we give a new practical total break attack to the FF3 scheme (also known as BPS scheme). Our FF3 attack requires $O(N^{\frac{11}{6}})$ chosen plaintexts with time complexity $O(N^{5})$. Our attack was successfully tested with $N\leq2^9$. It is a slide attack (using two tweaks) that exploits the bad domain separation of the FF3 design. Due to this weakness, we reduced the FF3 attack to an attack on 4-round Feistel network. Biryukov et. al. already gave a 4-round Feistel structure attack in SAC~2015. However, it works with chosen plaintexts and ciphertexts whereas we need a known-plaintext attack. Therefore, we developed a new generic known-plaintext attack to 4-round Feistel network that reconstructs the entire tables for all round functions. It works with $N^{\frac{3}{2}} \left( \frac{N}{2} \right)^{\frac{1}{6}}$ known plaintexts and time complexity $O(N^{3})$. Our 4-round attack is simple to extend to five and more rounds with complexity $N^{(r-5)N+o(N)}$. It shows that FF1 with $N=7$ and FF3 with $7\leq N\leq10$ do not offer a 128-bit security. Finally, we provide an easy and intuitive fix to prevent the FF3 scheme from our $O(N^{5})$ attack

Attacks Only Get Better: How to Break FF3 on Large Domains

We improve the attack of Durak and Vaudenay (CRYPTO\u2717) on NIST Format-Preserving Encryption standard FF3, reducing the running time from $O(N^5)$ to $O(N^{17/6})$ for domain $Z_N \times Z_N$. Concretely, DV\u27s attack needs about $2^{50}$ operations to recover encrypted 6-digit PINs, whereas ours only spends about $2^{30}$ operations. In realizing this goal, we provide a pedagogical example of how to use distinguishing attacks to speed up slide attacks. In addition, we improve the running time of DV\u27s known-plaintext attack on 4-round Feistel of domain $Z_N \times Z_N$ from $O(N^3)$ time to just $O(N^{5/3})$ time. We also generalize our attacks to a general domain $Z_M \times Z_N$, allowing one to recover encrypted SSNs using about $2^{50}$ operations. Finally, we provide some proof-of-concept implementations to empirically validate our results

Improvement of laboratory diagnostics of urogenital chlamydial infection in patients with impaired reproductive functions found to be infected with Chlamydia trachomatis

The dominant role in human infertility has been attributed to sexually transmitted infections (STIs) with a leading contribution of urogenital chlamydial infection (UGCI) caused by Chlamydia trachomatis (CT). the two variants of this pathogen are represented by the wild-type (wtCT) and new Swedish (nvCT) strains containing 377 bp deletion within the cryptic plasmid orf1 gene. Objective. The purpose of the study was investigation of the clinical specimens obtained from the urogenital tract of couples coping with infertility for the presence of genetic material of wtCT and nvCT. Material and methods. Clinical samples (scrapings from the urethra and cervix) obtained from 25 to 41 years old couples (n = 14) were tested for the presence of identifiable wtCT and nvCT chlamydia DNA by monoplex and duplex PCR, specific antigens C. trachomatis in elementary bodies by using immunofluorescence analysis (IFA), while detection of anti-chlamydia antibodies in sera was determined by immunoenzymatic assay (IEA). Results. The nvCT variant with typical deletion of 377 bp within the orf1 gene that belongs to the genovar e subtype E1 was detected in 100% of couples with infertility. The negative results of DNA testing for wtcT were registered in 87.5% of patients from this group, while one individual (12.5%) was likely coinfected with nvCT and wtCT of E1 and D genovars, respectively. The wtCT strains of genovar E (subtypes E1, E2, E6), g (subtypes G1, G2), F (subtypes F1), and K were identified in control group among patients with UGCI. The study revealed difficulties in detection of nvCT by nucleic acid amplification test (NAAT), IFA, and IEA; data on comparison of the efficacy of these methods are presented. Conclusion. Chronic UGCI in patients with reproductive dysfunctions can be caused by nvCT alone or as result of co-infection with nvCT and wtCT. The negative results in NAAT may not 100% correlate with the absence of UGCI that requires further confirmation in tests allowing detection of all known variants of C. trachomatis

Basic quantitative morphological methods applied to the central nervous system

Generating numbers has become an almost inevitable task associated with studies of the morphology of the nervous system. Numbers serve a desire for clarity and objectivity in the presentation of results and are a prerequisite for the statistical evaluation of experimental outcomes. Clarity, objectivity, and statistics make demands on the quality of the numbers that are not met by many methods. This review provides a refresher of problems associated with generating numbers that describe the nervous system in terms of the volumes, surfaces, lengths, and numbers of its components. An important aim is to provide comprehensible descriptions of the methods that address these problems. Collectively known as design-based stereology, these methods share two features critical to their application. First, they are firmly based in mathematics and its proofs. Second and critically underemphasized, an understanding of their mathematical background is not necessary for their informed and productive application. Understanding and applying estimators of volume, surface, length or number does not require more of an organizational mastermind than an immunohistochemical protocol. And when it comes to calculations, square roots are the gravest challenges to overcome. Sampling strategies that are combined with stereological probes are efficient and allow a rational assessment if the numbers that have been generated are "good enough." Much may be unfamiliar, but very little is difficult. These methods can no longer be scapegoats for discrepant results but faithfully produce numbers on the material that is assessed. They also faithfully reflect problems that associated with the histological material and the anatomically informed decisions needed to generate numbers that are not only valid in theory. It is within reach to generate practically useful numbers that must integrate with qualitative knowledge to understand the function of neural systems