64 research outputs found

    Parallel SAT Framework to Find Clustering of Differential Characteristics and Its Applications

    The most crucial but time-consuming task in differential cryptanalysis is to find a differential with high probability. To tackle this task, we propose a new SAT-based automatic search framework that efficiently finds a differential with the highest probability under a specified condition. Since the previous SAT methods (e.g., the method of Sun et al. proposed at ToSC 2021(1)) focus on accelerating the search for an optimal single differential characteristic, they are not optimized for evaluating the clustering effect, which is needed to obtain a tighter differential probability. In contrast, our framework solves incremental SAT problems in parallel with multi-threading and consequently offers the following advantages over the previous methods: (1) fast identification of a differential with the highest probability under the specified conditions; (2) efficient construction of the truncated differential with the highest probability from the multiple differentials obtained; and (3) applicability to a wide class of symmetric-key primitives. To demonstrate the effectiveness of our framework, we apply it to the block cipher PRINCE and the tweakable block cipher QARMA. We determine tight differential bounds for all variants of PRINCE and QARMA within practical time, thereby identifying the longest distinguisher for each variant, which extends the existing ones by one to four rounds. We also uncover notable differences between PRINCE and QARMA in their differential behavior, especially in the clustering effect, and believe these findings shed light on new structural properties of these important primitives. In the context of key recovery attacks, our framework lets us derive key-recovery-friendly truncated differentials for all variants of QARMA. Consequently, we report the first key recovery attacks based on (truncated) differential cryptanalysis on QARMA and show that they are competitive with other existing attacks.

    Predictive value of heterogeneously enhanced MRI findings with CT evidence of calcification for severe motor deficits in spinal meningioma

    OBJECTIVE: Spinal meningiomas are mostly benign, but they can cause neurological deficits. The relationship between neurological impairment and radiographic findings, including intratumoral gadolinium enhancement on magnetic resonance imaging (MRI) and calcification on computed tomography (CT), has not been studied. The purpose of this study was to investigate the association of preoperative imaging findings with neurological status in spinal meningioma. METHODS: Patients histologically diagnosed with spinal meningioma (n = 24), with an average age of 65.4 years, were included. The patients were classified into two groups, homogeneous and heterogeneous, based on the contrast-enhanced T1-weighted MRI findings. Baseline demographics (age, sex, presence of preoperative paralysis [manual muscle testing grade 3 or worse in the upper and/or lower limbs], tumor level, tumor length, and tumor occupation ratio), histological findings (Ki-67 index and histological subtype), and CT findings (presence of intratumoral calcification and Hounsfield unit [HU] value) were also examined. RESULTS: Preoperative paralysis was observed in 33.3% (8 of 24) of the patients. These patients exhibited heterogeneous contrast-enhanced MRI findings more frequently than those without preoperative paralysis (57.1% vs. 14.3%, p = 0.040). Preoperative paralysis was not associated with tumor level, tumor length, tumor occupation ratio, Ki-67 index, or histological subtype. The heterogeneous group showed intratumoral calcification in 100% of cases and a higher maximum HU than the homogeneous group (1,109.8 vs. 379.2, p = 0.001). CONCLUSION: Heterogeneous contrast-enhanced MRI findings in spinal meningioma were significantly associated with preoperative neurological impairment. Moreover, the contrast-deficient region within heterogeneously enhanced tumors reflected marked calcification. Tumor hardness due to calcification may be related to preoperative neurological deficit.

    An Efficient Strategy to Construct a Better Differential on Multiple-Branch-Based Designs: Application to Orthros

    As low-latency designs tend to have a small number of rounds to decrease latency, differential-type cryptanalysis can become a significant threat to them. In particular, since a multiple-branch-based design such as Orthros can exhibit a strong clustering effect in differential attacks due to its large internal state, it is crucial to investigate the impact of the clustering effect on such a design. In this paper, we present a new SAT-based automatic search method for evaluating the clustering effect in multiple-branch-based designs. By exploiting an inherent trait of multiple-branch-based designs, our method enables highly efficient evaluation of the clustering effect on this type of design. We apply our method to the low-latency PRF Orthros and show the best differential distinguisher reaching up to 7 rounds of Orthros with 2^{116.806} time/data complexity, and a 9-round distinguisher for each underlying permutation, which is 2 more rounds than the longest known distinguishers. Besides, we update the designer's security bound for differential attacks based on the lower bounds for the number of active S-boxes, and obtain the optimal differential characteristic of Orthros, Branch 1, and Branch 2 for the first time. Consequently, we improve the designer's security bound from 9/12/12 to 7/10/10 rounds for Orthros/Branch 1/Branch 2 based on a single differential characteristic.
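    The clustering effect that both the PRINCE/QARMA framework above and the Orthros method evaluate can be seen on a toy cipher. The Python below is an added illustration written for this listing, not code from either paper: instead of a SAT solver it exhaustively enumerates every characteristic of a constructed 8-bit SPN (the PRESENT 4-bit S-box used only as a sample S-box, a constructed bit permutation, XOR round keys) and compares the best single characteristic with the sum over all characteristics (the differential, under the usual Markov assumption) and with the probability measured over random keys. The gap between the first two numbers is the clustering effect the abstracts refer to.

```python
"""Clustering effect on a constructed toy SPN (added example, not the papers' code)."""
import math
import random

# Sample 4-bit S-box (the PRESENT S-box); any bijective 4-bit S-box would do here.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# Constructed 8-bit bit permutation: input bit i moves to position PERM[i].
PERM = [0, 2, 4, 6, 1, 3, 5, 7]
ROUNDS = 3


def build_ddt():
    """Difference distribution table: DDT[a][b] = #{x : S[x] ^ S[x ^ a] == b}."""
    table = [[0] * 16 for _ in range(16)]
    for a in range(16):
        for x in range(16):
            table[a][SBOX[x] ^ SBOX[x ^ a]] += 1
    return table


DDT = build_ddt()


def permute(v):
    out = 0
    for i in range(8):
        if (v >> i) & 1:
            out |= 1 << PERM[i]
    return out


def encrypt(x, keys):
    """ROUNDS rounds of key XOR, S-layer, P-layer, then a final whitening key."""
    for k in keys[:ROUNDS]:
        x ^= k
        x = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]
        x = permute(x)
    return x ^ keys[ROUNDS]


def round_transitions(d):
    """All (output difference, probability) pairs of one round for input difference d."""
    hi, lo = d >> 4, d & 0xF
    out = []
    for b_hi in range(16):
        if DDT[hi][b_hi]:
            for b_lo in range(16):
                if DDT[lo][b_lo]:
                    out.append((permute((b_hi << 4) | b_lo),
                                DDT[hi][b_hi] * DDT[lo][b_lo] / 256.0))
    return out


TRANS = [round_transitions(d) for d in range(256)]


def differential_probability(din, rounds=ROUNDS):
    """Sum over all characteristics starting at din (Markov assumption): dict dout -> probability."""
    cur = {din: 1.0}
    for _ in range(rounds):
        nxt = {}
        for d, p in cur.items():
            for e, q in TRANS[d]:
                nxt[e] = nxt.get(e, 0.0) + p * q
        cur = nxt
    return cur


def best_characteristic(din, rounds=ROUNDS):
    """Best single characteristic from din: dict dout -> (probability, list of round differences)."""
    cur = {din: (1.0, [din])}
    for _ in range(rounds):
        nxt = {}
        for d, (p, trail) in cur.items():
            for e, q in TRANS[d]:
                if e not in nxt or p * q > nxt[e][0]:
                    nxt[e] = (p * q, trail + [e])
        cur = nxt
    return cur


def empirical_probability(din, dout, num_keys=64, seed=1):
    """Fraction of pairs (x, x ^ din) with output difference dout, averaged over random key sets."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(num_keys):
        keys = [rng.randrange(256) for _ in range(ROUNDS + 1)]
        hits += sum(encrypt(x, keys) ^ encrypt(x ^ din, keys) == dout for x in range(256))
    return hits / (256.0 * num_keys)


def strongest_differential(rounds=ROUNDS):
    """Over single-nibble input differences: (din, dout, differential prob, best characteristic prob)."""
    best = None
    for din in [d for d in range(1, 256) if d >> 4 == 0 or d & 0xF == 0]:
        for dout, p in differential_probability(din, rounds).items():
            if best is None or p > best[2]:
                best = (din, dout, p)
    din, dout, p_diff = best
    return din, dout, p_diff, best_characteristic(din, rounds)[dout][0]


if __name__ == "__main__":
    din, dout, p_diff, p_char = strongest_differential()
    p_emp = empirical_probability(din, dout)
    print(f"0x{din:02x} -> 0x{dout:02x}: best characteristic 2^{math.log2(p_char):.2f}, "
          f"sum over characteristics 2^{math.log2(p_diff):.2f} = {p_diff:.4f}, "
          f"measured {p_emp:.4f}")
```

    The single-characteristic bound is what an active-S-box count or a best-trail search gives; the summed value is the tighter differential probability that the clustering search targets, and for an SPN with independent XOR round keys it is the quantity the key-averaged measurement converges to. The SAT frameworks in the abstracts replace the exhaustive DP here, which stops being feasible once the state is wider than a few nibbles.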

    Weak Keys in Reduced AEGIS and Tiaoxin

    AEGIS-128 and Tiaoxin-346 (Tiaoxin for short) are two AES-based primitives submitted to the CAESAR competition. Among them, AEGIS-128 was selected for the final portfolio for high-performance applications, while Tiaoxin was a third-round candidate. Although both primitives adopt a stream-cipher-based design, they are quite different from well-known bit-oriented stream ciphers such as Trivium and the Grain family. Their common feature is the round update function, where the state is divided into several 128-bit words and each word either passes through an AES round or does not. During the 6-year CAESAR competition, it is surprising that for both primitives there was no third-party cryptanalysis of the initialization phase. Due to the similarities between the two primitives, we are motivated to investigate whether there is a common way to evaluate the security of their initialization phases. Our technical contribution is to write the expressions of the internal states in terms of the nonce and the key by treating a 128-bit word as a unit, and then to carefully study how to simplify these expressions by adding proper conditions. As a result, we find that there are several groups of weak keys with 2^{96} keys each in 5-round AEGIS-128 and 8-round Tiaoxin, which allows us to construct integral distinguishers with time complexity 2^{32} and data complexity 2^{32}. Based on the distinguisher, the time complexity to recover the weak key is 2^{72} for 5-round AEGIS-128. However, the weak-key recovery attack on 8-round Tiaoxin requires a weak constant occurring with probability 2^{-32}. All the attacks reach half of the total number of initialization rounds. We expect that this work can advance the understanding of designs similar to AEGIS and Tiaoxin.

    Contrasting life-history responses to climate variability in eastern and western North Pacific sardine populations

    Sardine environmental responses differ between the eastern and western sides of the ocean: otoliths hold the key to a global survival strategy. Kyoto University press release, 2022-10-17. Massive populations of sardines inhabit both the western and eastern boundaries of the world's subtropical ocean basins, supporting both commercial fisheries and populations of marine predators. Sardine populations in western and eastern boundary current systems have responded oppositely to decadal-scale anomalies in ocean temperature, but the mechanism behind the differing variability has remained unclear. Here, based on otolith microstructure and high-resolution stable isotope analyses, we show that habitat temperature, early-life growth rates, energy expenditure, metabolically optimal temperature, and, most importantly, the relationship between growth rate and temperature are remarkably different between the two subpopulations in the western and eastern North Pacific. Varying metabolic responses to environmental change partly explain the contrasting growth responses. Consistent differences in life-history traits are observed between subpopulations in the western and eastern boundary current systems around South Africa. These growth and survival characteristics can facilitate the contrasting responses of sardine populations to climate change.

    Bit-wise Cryptanalysis on AND-RX Permutation Friet-PC

    This paper presents three attack vectors of bit-wise cryptanalysis, namely rotational, bit-wise differential, and zero-sum distinguishing attacks, on the AND-RX permutation Friet-PC, which is used in the lightweight authenticated encryption scheme Friet. First, we propose a generic procedure for a rotational attack on AND-RX ciphers with round constants. By applying the proposed attack to Friet-PC, we construct an 8-round rotational distinguisher with a time complexity of 2^{102}. Next, we explore single- and dual-bit differential biases, inspired by the existing studies on Salsa and ChaCha, and observe the best bit-wise differential bias of 2^{-9.552}. This bias allows us to practically construct a 9-round bit-wise differential distinguisher with a time complexity of 2^{20.044}. Finally, we construct 13-, 15-, 17-, and 30-round zero-sum distinguishers with time complexities of 2^{31}, 2^{63}, 2^{127}, and 2^{383}, respectively. In summary, we apply three attack vectors of bit-wise cryptanalysis to Friet-PC and show that they are effective attacks on AND-RX ciphers.
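    The rotational attack on an AND-RX permutation rests on the fact that rotation commutes exactly with AND, XOR and rotation, so a rotational pair passes every constant-free round with probability 1, while a round constant c injects the rotational-XOR (RX) difference rotl(c, r) ^ c, which the nonlinear layer absorbs only with some probability. The Python below is an added illustration for this listing, not Friet-PC and not the paper's procedure: it uses a constructed 16-bit two-word AND-RX round, measures RX-difference transitions empirically, and checks the measured one-round probability against the analytic value derived for this constructed round.

```python
"""RX-differences through a constructed AND-RX round (added example, not Friet-PC)."""
import random

W = 16
MASK = (1 << W) - 1


def rotl(x, r):
    r %= W
    return ((x << r) | (x >> (W - r))) & MASK


def toy_round(a, b, const=0):
    """Constructed AND-RX round on a two-word state; const is XORed into word a first."""
    a ^= const
    b ^= rotl(a, 3) & rotl(a, 7)   # nonlinear step: AND of two rotations of a
    a ^= rotl(b, 5)                # linear diffusion back into a
    return a, b


def rx_diff(x, x2, r):
    """RX-difference of the pair (x, x2) under rotation by r; zero means a rotational pair."""
    return rotl(x, r) ^ x2


def constant_error(const, r):
    """RX-difference injected by XORing const: zero iff const is invariant under rotation by r."""
    return rotl(const, r) ^ const


def rx_transition_probability(din, dout, r, const=0, rounds=1, trials=4000, seed=7):
    """Empirical probability that input RX-difference din maps to dout after `rounds` rounds."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        a, b = rng.randrange(1 << W), rng.randrange(1 << W)
        a2, b2 = rotl(a, r) ^ din[0], rotl(b, r) ^ din[1]   # pair with RX-difference din
        for _ in range(rounds):
            a, b = toy_round(a, b, const)
            a2, b2 = toy_round(a2, b2, const)
        hits += (rx_diff(a, a2, r), rx_diff(b, b2, r)) == dout
    return hits / trials


def predicted_zero_to_error_probability(const, r):
    """Analytic one-round probability (for this toy round) that a zero input RX-difference
    becomes (e, 0) with e = constant_error(const, r): the AND output difference is zero
    only where each bit of rotl(e,3) | rotl(e,7) meets a zero partner bit, i.e. 2^-weight."""
    e = constant_error(const, r)
    return 2.0 ** -bin(rotl(e, 3) | rotl(e, 7)).count("1")


if __name__ == "__main__":
    print("no constant, 4 rounds, rotational pair survives:",
          rx_transition_probability((0, 0), (0, 0), 1, const=0, rounds=4))
    print("rotation-invariant constant 0x5A5A, r=8, 2 rounds:",
          rx_transition_probability((0, 0), (0, 0), 8, const=0x5A5A, rounds=2))
    e = constant_error(1, 1)
    print(f"constant 1, r=1: error e={e:#x}, measured P[(0,0)->(e,0)] =",
          rx_transition_probability((0, 0), (e, 0), 1, const=1),
          "predicted", predicted_zero_to_error_probability(1, 1))
```

    The first two cases show why constants are the only obstacle for rotational cryptanalysis of AND-RX designs: with none, or with rotation-invariant ones, the pair survives every round. The third case is the situation a rotational attack on a design with real round constants has to handle: the RX-difference e introduced by the constant passes the nonlinear step only with probability 2^{-4} here, and a multi-round distinguisher multiplies such per-round probabilities (or finds a better RX-trail) to obtain its overall complexity.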

    Rocca: An Efficient AES-based Encryption Scheme for Beyond 5G

    In this paper, we present an AES-based authenticated encryption with associated data (AEAD) scheme called Rocca, designed to meet the speed and security requirements of 6G systems. To achieve ultra-fast software implementations, the basic design strategy is to take full advantage of the AES-NI and SIMD instructions, as the AEGIS family and Tiaoxin-346 do. Although Jean and Nikolić generalized the construction of efficient round functions using only one AES round (aesenc) and 128-bit XOR operations and found several efficient candidates, there still seems to be potential for further improvement in speed and state size. In order to minimize the critical path of one round, we exclude the case of applying aesenc and XOR in cascade within one round. By introducing a cost-free block permutation into the round function, we are able to search a larger space of candidates without sacrificing performance. Consequently, we obtain more efficient constructions with a smaller state size than the candidates of Jean and Nikolić. Based on the newly discovered round function, we carefully design the corresponding AEAD scheme with 256-bit security, taking several reported attacks on the AEGIS family and Tiaoxin-346 into account. Our AEAD scheme reaches 138 Gbps, which is 4 times faster than the AEAD scheme of SNOW-V. Rocca is also much faster than other efficient schemes with a 256-bit key, e.g. AEGIS-256 and AES-256-GCM. As far as we know, Rocca is the first dedicated cryptographic algorithm targeting 6G systems, i.e., a 256-bit key length and a speed of more than 100 Gbps.

    Extracorporeal Shock Wave Lithotripsy (ESWL) without Endoscopic Lithotomy for Pancreatolithiasis : A Report of Two Cases

    Extracorporeal shock wave lithotripsy (ESWL) without endoscopic sphincterotomy (EST) for pancreatic duct stones was performed in two patients with chronic pancreatitis. Case 1 was a 37-year-old man. Pancreatic stones were observed in the pancreatic head and tail regions together with a persistent pancreatic fistula. ESWL without EST for pancreatolithiasis was performed twice. Almost all the stones in the pancreatic head were disintegrated without any complications by ESWL (4700 shock waves at 24.0 kV) under fluoroscopic control using a lithotriptor (Dornier MLF 5000). Consequently, the fistula closed and pancreatic exocrine function recovered. Case 2 was a 65-year-old woman suffering from chronic relapsing pancreatitis with calcified stones in the pancreatic head region. ESWL (5700 shock waves at 23.0 kV) without EST produced complete disintegration of the stones without any complications. Seven days later, almost all of the stones in the pancreatic head had diminished. Thereafter, we observed not only amelioration of the symptoms of pancreatitis but also improvement in pancreatic exocrine function. Thus, ESWL treatment without EST was a safe and effective method for pancreatolithiasis and should be considered a high-priority non-surgical treatment for pancreatolithiasis.

    Dasatinib cessation after deep molecular response exceeding 2 years and natural killer cell transition during dasatinib consolidation

    Tyrosine kinase inhibitors (TKIs) improve the prognosis of patients with chronic myelogenous leukemia (CML) by inducing substantial deep molecular responses (DMR); some patients have successfully discontinued TKI therapy after maintaining DMR for ≥1 year. In this cessation study, we investigated the optimal conditions for dasatinib discontinuation in patients who maintained DMR for ≥2 years. This study included 54 patients with CML who were enrolled in the D-STOP multicenter prospective trial, had achieved DMR, and had discontinued dasatinib after 2-year consolidation. Peripheral lymphocyte profiles were analyzed by flow cytometry. The estimated 12-month treatment-free survival (TFS) was 62.9% (95% confidence interval: 48.5%-74.2%). During dasatinib consolidation, the percentage of total lymphocytes and the numbers of CD3⁻ CD56⁺ natural killer (NK) cells, CD16⁺ CD56⁺ NK cells and CD56⁺ CD57⁺ NK-large granular lymphocytes (LGL) were significantly higher in patients with molecular relapse after discontinuation but remained unchanged in patients without molecular relapse for >7 months. At the end of consolidation, patients whose total lymphocytes comprised <41% CD3⁻ CD56⁺ NK cells, <35% CD16⁺ CD56⁺ NK cells, or <27% CD56⁺ CD57⁺ NK-LGL cells had higher TFS than other patients (77% vs 18%, P < .0008; 76% vs 10%, P < .0001; 84% vs 46%, P = .0059, respectively). The increase in the number of these NK cells occurred only during dasatinib consolidation. In patients with DMR, dasatinib discontinuation after 2-year consolidation can lead to high TFS. This outcome depends significantly on a smaller increase in NK cells during dasatinib consolidation.