From Private Simultaneous Messages to Zero-Information Arthur–Merlin Protocols and Back

Göös et al. (ITCS, 2015) have recently introduced the notion of Zero-Information Arthur–Merlin Protocols (\(\mathsf {ZAM}\)). In this model, which can be viewed as a private version of the standard Arthur–Merlin communication complexity game, Alice and Bob are holding a pair of inputs x and y, respectively, and Merlin, the prover, attempts to convince them that some public function f evaluates to 1 on (x, y). In addition to standard completeness and soundness, Göös et al., require a “zero-knowledge” property which asserts that on each yes-input, the distribution of Merlin’s proof leaks no information about the inputs (x, y) to an external observer. In this paper, we relate this new notion to the well-studied model of Private Simultaneous Messages (\(\mathsf {PSM}\)) that was originally suggested by Feige et al. (STOC, 1994). Roughly speaking, we show that the randomness complexity of \(\mathsf {ZAM}\) corresponds to the communication complexity of \(\mathsf {PSM}\) and that the communication complexity of \(\mathsf {ZAM}\) corresponds to the randomness complexity of \(\mathsf {PSM}\). This relation works in both directions where different variants of \(\mathsf {PSM}\) are being used. As a secondary contribution, we reveal new connections between different variants of \(\mathsf {PSM} \) protocols which we believe to be of independent interest. Our results give rise to better \(\mathsf {ZAM}\) protocols based on existing \(\mathsf {PSM}\) protocols, and to better protocols for conditional disclosure of secrets (a variant of \(\mathsf {PSM}\)) from existing \(\mathsf {ZAM} \)s.     

Key-Recovery Attacks on <Emphasis FontCategory="SansSerif">ASASA</Emphasis>

The \(\mathsf {ASASA}\) construction is a new design scheme introduced at Asiacrypt 2014 by Biryukov, Bouillaguet and Khovratovich. Its versatility was illustrated by building two public-key encryption schemes, a secret-key scheme, as well as super S-box subcomponents of a white-box scheme. However, one of the two public-key cryptosystems was recently broken at Crypto 2015 by Gilbert, Plût and Treger. As our main contribution, we propose a new algebraic key-recovery attack able to break at once the secret-key scheme as well as the remaining public-key scheme, in time complexity \(2^{63}\) and \(2^{39}\), respectively (the security parameter is 128 bits in both cases). Furthermore, we present a second attack of independent interest on the same public-key scheme, which heuristically reduces the problem of breaking the scheme to an \(\mathsf {LPN}\) instance with tractable parameters. This allows key recovery in time complexity \(2^{56}\). Finally, as a side result, we outline a very efficient heuristic attack on the white-box scheme, which breaks instances claiming 64 bits of security under one minute on a laptop computer.     

New Efficient Algorithms for Multiplication Over Fields of Characteristic Three

In this paper, we first present an enhancement of the well-known Karatsuba 2-way and 3-way algorithms for characteristic three fields, denoted by \(\mathbb {F}_{3^{n}}\) where n≥1. We then derive a 3-way polynomial multiplication algorithm with five 1/3 sized multiplications that use interpolation in \(\mathbb {F}_{9}\). Following the computation of the arithmetic and delay complexity of the proposed algorithm, we provide the results of our hardware implementation of polynomial multiplications over \(\mathbb {F}_{3}\) and \(\mathbb {F}_{9}\). The final proposal is a new 3-way polynomial multiplication algorithm over \(\mathbb {F}_{3}\) that uses three polynomial multiplications of 1/3 of the original size over \(\mathbb {F}_{3}\) and one polynomial multiplication of 1/3 of the original size over \(\mathbb {F}_{9}\). We show that this algorithm represents about 15% reduction of the complexity over previous algorithms for the polynomial multiplications whose sizes are of practical interest.     

A 3.1–10.6 GHz UWB LNA Based on Self Cascode Technique for Improved Bandwidth and High Gain

In this work, we present a self cascode based ultra-wide band (UWB) low noise amplifier (LNA) with improved bandwidth and gain for 3.1–10.6 GHz wireless applications. The self cascode (SC) or split-length compensation technique is employed to improve the bandwidth and gain of the proposed LNA. The improvement in the bandwidth of SC based structure is around 1.22 GHz as compared to simple one. The significant enhancement in the characteristics of the introduced circuit is found without extra passive components. The SC based CS–CG structure in the proposed LNA uses the same DC current for operating first stage transistors. In the designed UWB LNA, a common source (CS) stage is used in the second stage to enhance the overall gain in the high frequency regime. With a standard 90 nm CMOS technology, the presented UWB LNA results in a gain \(\hbox {S}_{21}\) of \(20.10 \pm 1.65\,\hbox {dB}\) across the 3.1–10.6 GHz frequency range, and dissipating 11.52 mW power from a 1 V supply voltage. However, input reflection, \(\hbox {S}_{11}\), lies below \(-\,10\) dB from 4.9–9.1 GHz frequency. Moreover, the output reflection (\(\hbox {S}_{22}\)) and reverse isolation (\(\hbox {S}_{12}\)), is below \(-\,10\) and \(-\,48\) dB, respectively for the ultra-wide band region. Apart from this, the minimum noise figure (\(\hbox {NF}_{min}\)) value of the proposed UWB LNA exists in the range of 2.1–3 dB for 3.1–10.6 GHz frequency range with a a small variation of \(\pm \,0.45\,\hbox {dB}\) in its \(\hbox {NF}_{min}\) characteristics. Linearity of the designed LNA is analysed in terms of third order input intercept point (IIP3) whose value is \(-\,4.22\) dBm, when a two tone signal is applied at 6 GHz with a spacing of 10 MHz. The other important benefits of the proposed circuit are its group-delay variation and gain variation of \(\pm \,115\,\hbox {ps}\) and \(\pm \,1.65\,\hbox {dB}\), respectively.     

Function-Private Functional Encryption in the Private-Key Setting

Functional encryption supports restricted decryption keys that allow users to learn specific functions of the encrypted messages. Although the vast majority of research on functional encryption has so far focused on the privacy of the encrypted messages, in many realistic scenarios it is crucial to offer privacy also for the functions for which decryption keys are provided. Whereas function privacy is inherently limited in the public-key setting, in the private-key setting it has a tremendous potential. Specifically, one can hope to construct schemes where encryptions of messages \(\mathsf{m}_1, \ldots , \mathsf{m}_T\) together with decryption keys corresponding to functions \(f_1, \ldots , f_T\), reveal essentially no information other than the values \(\{ f_i(\mathsf{m}_j)\}_{i,j\in [T]}\). Despite its great potential, the known function-private private-key schemes either support rather limited families of functions (such as inner products) or offer somewhat weak notions of function privacy. We present a generic transformation that yields a function-private functional encryption scheme, starting with any non-function-private scheme for a sufficiently rich function class. Our transformation preserves the message privacy of the underlying scheme and can be instantiated using a variety of existing schemes. Plugging in known constructions of functional encryption schemes, we obtain function-private schemes based either on the learning with errors assumption, on obfuscation assumptions, on simple multilinear-maps assumptions, and even on the existence of any one-way function (offering various trade-offs between security and efficiency).     

The $$\mathbb {}$$-curve Construction for Endomorphism-Accelerated Elliptic Curves

We give a detailed account of the use of \(\mathbb {Q}\)-curve reductions to construct elliptic curves over \(\mathbb {F}_{p^2}\) with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant–Lambert–Vanstone (GLV) and Galbraith–Lin–Scott (GLS) endomorphisms. Like GLS (which is a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves and thus finding secure group orders when \(p\) is fixed for efficient implementation. Unlike GLS, we also offer the possibility of constructing twist-secure curves. We construct several one-parameter families of elliptic curves over \(\mathbb {F}_{p^2}\) equipped with efficient endomorphisms for every \(p > 3\), and exhibit examples of twist-secure curves over \(\mathbb {F}_{p^2}\) for the efficient Mersenne prime \(p = 2^{127}-1\).     

Secret-Sharing for NP

A computational secret-sharing scheme is a method that enables a dealer, that has a secret, to distribute this secret among a set of parties such that a “qualified” subset of parties can efficiently reconstruct the secret while any “unqualified” subset of parties cannot efficiently learn anything about the secret. The collection of “qualified” subsets is defined by a monotone Boolean function. It has been a major open problem to understand which (monotone) functions can be realized by a computational secret-sharing scheme. Yao suggested a method for secret-sharing for any function that has a polynomial-size monotone circuit (a class which is strictly smaller than the class of monotone functions in \({\mathsf {P}}\)). Around 1990 Rudich raised the possibility of obtaining secret-sharing for all monotone functions in \({\mathsf {NP}}\): in order to reconstruct the secret a set of parties must be “qualified” and provide a witness attesting to this fact. Recently, Garg et al. (Symposium on theory of computing conference, STOC, pp 467–476, 2013) put forward the concept of witness encryption, where the goal is to encrypt a message relative to a statement \(x\in L\) for a language \(L\in {\mathsf {NP}}\) such that anyone holding a witness to the statement can decrypt the message; however, if \(x\notin L\), then it is computationally hard to decrypt. Garg et al. showed how to construct several cryptographic primitives from witness encryption and gave a candidate construction. One can show that computational secret-sharing implies witness encryption for the same language. Our main result is the converse: we give a construction of a computational secret-sharing scheme for any monotone function in \({\mathsf {NP}}\) assuming witness encryption for \({\mathsf {NP}}\) and one-way functions. As a consequence we get a completeness theorem for secret-sharing: computational secret-sharing scheme for any single monotone \({\mathsf {NP}}\)-complete function implies a computational secret-sharing scheme for every monotone function in \({\mathsf {NP}}\).     

Error performance of optically preamplified hybrid BPSK-PPM systems with transmitter and receiver imperfections

In this paper, we investigate the impact of the transmitter finite extinction ratio and the receiver carrier recovery phase offset on the error performance of two optically preamplified hybrid M-ary pulse position modulation (PPM) systems with coherent detection. The first system, referred to as PB-mPPM, combines polarization division multiplexing (PDM) with binary phase-shift keying and M-ary PPM, and the other system, referred to as PQ-mPPM, combines PDM with quadrature phase-shift keying and M-ary PPM. We provide new expressions for the probability of bit error for PB-mPPM and PQ-mPPM under finite extinction ratios and phase offset. The extinction ratio study indicates that the coherent systems PB-mPPM and PQ-mPPM outperform the direct-detection ones. It also shows that at \(P_b=10^{-9}\) PB-mPPM has a slight advantage over PQ-mPPM. For example, for a symbol size \(M=16\) and extinction ratio \(r=30\) dB, PB-mPPM requires 0.6 dB less SNR per bit than PQ-mPPM to achieve \(P_b=10^{-9}\). This investigation demonstrates that PB-mPPM is less complex and less sensitive to the variations of the offset angle \(\theta \) than PQ-mPPM. For instance, for \(M=16\), \(r=30\) dB, and \(\theta =10^{\circ }\) PB-mPPM requires 1.6 dB less than PQ-mPPM to achieve \(P_b=10^{-9}\). However, PB-mPPM enhanced robustness to phase offset comes at the expense of a reduced bandwidth efficiency when compared to PQ-mPPM. For example, for \(M=2\) its bandwidth efficiency is 60 % that of PQ-mPPM and \(\approx 86\,\%\) for \(M=1024\). For these reasons, PB-mPPM can be considered a reasonable design trade-off for M-ary PPM systems.     

Design and Performance Study of Dynamic Fractors in Any of the Four Quadrants

A fractor is a simple fractional-order system. Its transfer function is \(1/Fs^{\alpha }\); the coefficient, F, is called the fractance, and \(\alpha \) is called the exponent of the fractor. This paper presents how a fractor can be realized, using RC ladder circuit, meeting the predefined specifications on both F and \(\alpha \). Besides, commonly reported fractors have \(\alpha \) between 0 and 1. So, their constant phase angles (CPA) are always restricted between \(0^{\circ }\) and \(-90^{\circ }\). This work has employed GIC topology to realize fractors from any of the four quadrants, which means fractors with \(\alpha \) between \(-\)2 and +2. Hence, one can achieve any desired CPA between \(+180^{\circ }\) and \(-180^{\circ }\). The paper also exhibits how these GIC parameters can be used to tune the fractance of emulated fractors in real time, thus realizing dynamic fractors. In this work, a number of fractors are developed as per proposed technique, their impedance characteristics are studied, and fractance values are tuned experimentally.     

Study on the Effect of Mn,Zn, and Sb on Undercooling Behavior of Sn-Ag-Cu Alloys Using Differential Thermal Analysis

Differential thermal analysis (DTA) has been conducted on directionally solidified near-eutectic Sn-3.0 wt.%Ag-0.5 wt.%Cu (SAC), SAC \(+\) 0.2 wt.%Sb, SAC \(+\) 0.2 wt.%Mn, and SAC \(+\) 0.2 wt.%Zn. Laser ablation inductively coupled plasma mass spectroscopy was used to study element partitioning behavior and estimate DTA sample compositions. Mn and Zn additives reduced the undercooling of SAC from 20.4\(^\circ \hbox {C}\) to \(4.9^\circ \hbox {C}\) and \(2^\circ \hbox {C}\), respectively. Measurements were performed at cooling rate of \(10^\circ \hbox {C}\) per minute. After introducing 200 ppm \(\hbox {O}_2\) into the DTA, this undercooling reduction ceased for SAC \(+\) Mn but persisted for SAC \(+\) Zn.     

Ultra-Fast Current Mode Sense Amplifier for Small $$I_{\mathrm{CELL}}$$ SRAM in FinFET with Improved Offset Tolerance

In this paper, a novel, high-performance and robust sense amplifier (SA) design is presented for small \(I_\mathrm{CELLl}\) SRAM, using fin-shaped field effect transistors (FinFET) in 22-nm technology. The technique offers data-line-isolated current sensing approach. Compared with the conventional CSA (CCSA) and hybrid SA (HSA), the proposed current feed-SA (CF-SA) demonstrates 2.15\(\times \) and 3.02\(\times \) higher differential current, respectively, for \({V}_{\mathrm{DD}}\) of 0.6 V. Our results indicate that even at the worst corner, CF-SA can provide 2.23\(\times \) and 1.7\(\times \) higher data-line differential voltage compared with CCSA and HSA, respectively. Further, 66.89 and 31.47 % reductions in the cell access time are achieved compared to the CCSA and HSA, respectively, under similar \(I_\mathrm{CELLl}\) and bit-line and data-line capacitance. Statistical simulations have proved that the CF-SA provides high read yield with 32.39 and 22.24 % less \(\upsigma _{\mathrm{Delay}}\). It also offers a much better read effectiveness and robustness against the data-line capacitance as well as \({V}_{\mathrm{DD}}\) variation. Furthermore, the CF-SA is able to tolerate a large offset of the input devices, up to 80 mV at \({V}_{\mathrm{DD}}=0.6\hbox {V}\).     

The Relation Between the Refractive Index of the Equatorial Ionospheric F2 Region and Long-Term Solar Indices

Ionospheric refractive index is especially important in the reflection and propagation of HF (3–30 MHz) waves from the ionosphere. For this reason, in this study, the relation between the real parts (μ\(_{0}^{2}\), μ\(_{x}^{2}\) and μ\(_{p}^{2}\)) of the refractive index computed as based on the direction of the Earth’s magnetic field for 300 km altitude in the equatorial ionospheric F2 region and the long-term solar indices (Sunspot Number-R12, Solar Flux at 10.7 cm -F10.7, Coronal Mass Ejection-CME) has been examined by using the multiple regression model. As a result of the examinations, it has been determined that there is a very strong relation between the three refractive index values and solar indices. While it was determined that the R12 and F10.7 indices have a very strong relation, it was also determined that CME did not have a statistically significant relation. This insignificant situation may only be explained with the magnetic field of the Earth acting like a shield.     

Correction to: A subthreshold low-power CMOS LC-VCO with high immunity to PVT variations

This paper presents a capacitor-free low dropout (LDO) linear regulator based on a dual loop topology. The regulator utilizes two feedback loops to satisfy the challenges of hearing aid devices, which include fast transient performance and small voltage spikes under rapid load-current changes. The proposed design works without the need of a decoupling capacitor connected at the output and operates with a 0–100 pF capacitive load. The design has been taped out in a \(0.18\,\upmu \hbox {m}\) CMOS process. The proposed regulator has a low component count, area of \(0.012\, \hbox {mm}^2\) and is suitable for system-on-chip integration. It regulates the output voltage at 0.9 V from a 1.0–1.4 V supply. The measured results for a current step load from 250 to 500 \(\upmu \hbox {A}\) with a rise and fall time of \(1.5\,\upmu \hbox {s}\) are an overshoot of 26 mV and undershoot of 26 mV with a settling time of \(3.5\,\upmu \hbox {s}\) when \({C_L}\) between 0 and 100 pF. The proposed LDO regulator consumes a quiescent current of only \(10.5\,\upmu \hbox {A}\). The design is suitable for application with a current step edge time of 1 ns while maintaining \(\Delta V_{out}\) of 64 mV.     

Application of photonic crystal ring resonator nonlinear response for full-optical tunable add–drop filtering

In this paper, we investigate the application of Kerr-like nonlinear photonic crystal (PhC) ring resonator (PCRR) for realizing a tunable full-optical add–drop filter. We used silicon (Si) nano-crystal as the nonlinear material in pillar-based square lattice of a 2DPhC. The nonlinear section of PCRR is studied under three different scenarios: (1) first only the inner rods of PCRR are made of nonlinear materials, (2) only outer rods of PCRR have nonlinear response, and (3) both of inner and outer rods are made of nonlinear material. The simulation results indicate that optical power required to switch the state of PCRR from turn-on to turn-off, for the nonlinearity applied to inner PCRR, is at least \(2000\, \hbox {mW}{/}\upmu \hbox {m}^{2}\) and, for the nonlinearity applied to outer PCRR, is at least \(3000\, \hbox {mW}{/}\upmu \hbox {m}^{2}\) which corresponds to refractive index change of \(\Delta n_\mathrm{NL }= 0.085\) and \(\Delta n_\mathrm{NL }= 0.15\), respectively. For nonlinear tuning of add–drop filter, the minimum power required to 1 nm redshift the center operating wavelength \((\lambda _{0} = 1550\, \hbox {nm})\) for the inner PCRR scenario is \(125\, \hbox {mW}{/}\upmu \hbox {m}^{2}\) (refractive index change of \(\Delta n_\mathrm{NL}= 0.005)\). Maximum allowed refractive index change for inner and outer scenarios before switch goes to saturation is \(\Delta n_\mathrm{NL }= 0.04\) (maximum tune-ability 8 nm) and \(\Delta n_\mathrm{NL }= 0.012\) (maximum tune-ability of 24 nm), respectively. Performance of add–drop filter is replicated by means of finite-difference time-domain method, and simulations displayed an ultra-compact size device with ultra-fast tune-ability speed.     

Two-channel perfect reconstruction (PR) quadrature mirror filter (QMF) bank design using logarithmic window function and spline function

In this work, two-channel perfect reconstruction quadrature mirror filter (QMF) bank has been proposed based on the prototype filter using windowing method. A novel window function based on logarithmic function along with the spline function is utilized for the design of prototype filter. The proposed window has a variable parameter ‘\(\alpha \)’, which varies the peak side lobe level and rate of fall-off side lobe level which in turn affects the peak reconstruction error (PRE) and amplitude distortion (\(e_{am}\)) of the QMF bank . The transition width of the prototype is controlled by the spline function using the parameter ‘\(\mu \)’. The perfect reconstruction condition is satisfied by setting the cutoff frequency (\(\omega _{c}\)) of the prototype low-pass filter at ‘\(\pi /2\)’. The performance of the proposed design method has been evaluated in terms of mean square error in the pass band, mean square error in the stop band, first side lobe attenuation (\(A_{1}\)), peak reconstruction error (PRE) and amplitude error (\(e_{am}\)) for different values of ‘\(\alpha \)’ and ‘\(\mu \)’. The results are provided and compared with the existing methods.     

$$\ell _{1/2,1}$$ group sparse regularization for compressive sensing

Recently, the design of group sparse regularization has drawn much attention in group sparse signal recovery problem. Two of the most popular group sparsity-inducing regularization models are \(\ell _{1,2}\) and \(\ell _{1,\infty }\) regularization. Nevertheless, they do not promote the intra-group sparsity. For example, Huang and Zhang (Ann Stat 38:1978–2004, 2010) claimed that the \(\ell _{1,2}\) regularization is superior to the \(\ell _1\) regularization only for strongly group sparse signals. This means the sparsity of intra-group is useless for \(\ell _{1,2}\) regularization. Our experiments show that recovering signals with intra-group sparse needs more measurements than those without, by the \(\ell _{1,\infty }\) regularization. In this paper, we propose a novel group sparsity-inducing regularization defined as a mixture of the \(\ell _{1/2}\) norm and the \(\ell _{1}\) norm, referred to as \(\ell _{1/2,1}\) regularization, which can overcome these shortcomings of \(\ell _{1,2}\) and \(\ell _{1,\infty }\) regularization. We define a new null space property for \(\ell _{1/2,1}\) regularization and apply it to establish a recoverability theory for both intra-group and inter-group sparse signals. In addition, we introduce an iteratively reweighted algorithm to solve this model and analyze its convergence. Comprehensive experiments on simulated data show that the proposed \(\ell _{1/2,1}\) regularization is superior to \(\ell _{1,2}\) and \(\ell _{1,\infty }\) regularization.     

Locally Computable UOWHF with Linear Shrinkage

We study the problem of constructing locally computable universal one-way hash functions (UOWHFs) \(\mathcal {H}:\{0,1\}^n \rightarrow \{0,1\}^m\). A construction with constant output locality, where every bit of the output depends only on a constant number of bits of the input, was established by Applebaum et al. (SIAM J Comput 36(4):845–888, 2006). However, this construction suffers from two limitations: (1) it can only achieve a sublinear shrinkage of \(n-m=n^{1-\epsilon }\) and (2) it has a super-constant input locality, i.e., some inputs influence a large super-constant number of outputs. This leaves open the question of realizing UOWHFs with constant output locality and linear shrinkage of \(n-m= \epsilon n\), or UOWHFs with constant input locality and minimal shrinkage of \(n-m=1\). We settle both questions simultaneously by providing the first construction of UOWHFs with linear shrinkage, constant input locality and constant output locality. Our construction is based on the one-wayness of “random” local functions—a variant of an assumption made by Goldreich (Studies in Complexity and Cryptography, 76–87, 2011; ECCC 2010). Using a transformation of Ishai et al. (STOC, 2008), our UOWHFs give rise to a digital signature scheme with a minimal additive complexity overhead: signing n-bit messages with security parameter \(\kappa \) takes only \(O(n+\kappa )\) time instead of \(O(n\kappa )\) as in typical constructions. Previously, such signatures were only known to exist under an exponential hardness assumption. As an additional contribution, we obtain new locally computable hardness amplification procedures for UOWHFs that preserve linear shrinkage.     

Secret-Sharing Schemes for Very Dense Graphs

A secret-sharing scheme realizes a graph if every two vertices connected by an edge can reconstruct the secret while every independent set in the graph does not get any information on the secret. Similar to secret-sharing schemes for general access structures, there are gaps between the known lower bounds and upper bounds on the share size for graphs. Motivated by the question of what makes a graph “hard” for secret-sharing schemes (that is, they require large shares), we study very dense graphs, that is, graphs whose complement contains few edges. We show that if a graph with \(n\) vertices contains \(\left( {\begin{array}{c}n\\ 2\end{array}}\right) -n^{1+\beta }\) edges for some constant \(0 \le \beta <1\), then there is a scheme realizing the graph with total share size of \(\tilde{O}(n^{5/4+3\beta /4})\). This should be compared to \(O(n^2/\log (n))\), the best upper bound known for the total share size in general graphs. Thus, if a graph is “hard,” then the graph and its complement should have many edges. We generalize these results to nearly complete \(k\)-homogeneous access structures for a constant \(k\). To complement our results, we prove lower bounds on the total share size for secret-sharing schemes realizing very dense graphs, e.g., for linear secret-sharing schemes, we prove a lower bound of \(\Omega (n^{1+\beta /2})\) for a graph with \(\left( {\begin{array}{c}n\\ 2\end{array}}\right) -n^{1+\beta }\) edges.     

Efficient Slide Attacks

The slide attack, presented by Biryukov and Wagner, has already become a classical tool in cryptanalysis of block ciphers. While it was used to mount practical attacks on a few cryptosystems, its practical applicability is limited, as typically, its time complexity is lower bounded by \(2^n\) (where n is the block size). There are only a few known scenarios in which the slide attack performs better than the \(2^n\) bound. In this paper, we concentrate on efficient slide attacks, whose time complexity is less than \(2^n\). We present a number of new attacks that apply in scenarios in which previously known slide attacks are either inapplicable, or require at least \(2^n\) operations. In particular, we present the first known slide attack on a Feistel construction with a 3-round self-similarity, and an attack with practical time complexity of \(2^{40}\) on a 128-bit key variant of the GOST block cipher with unknown S-boxes. The best previously known attack on the same variant, with known S-boxes (by Courtois), has time complexity of \(2^{91}\).