TEMPEST
Maresa Martone
ISSC 361
Professor Janelle Davis
June 15, 2015

Table of Contents Abstract 3 Introduction 4 Brief History 4 TEMPEST Technologies 5 Electromagnetic Analysis Attacks 5 Simple and Differential Power Analysis 6 Higher-order DPA attack 10 Other Technologies 11 TEMPEST Companies 12 Regulatory Issues Surrounding TEMPEST 12 Future Trends 14 Countermeasures 15 Global Implications for the TEMPEST 16 Conclusion 17 References 19

Abstract
TEMPEST is a standard for evaluating and testing an electronic device before being released into the market. The term, christened by the US government, has been synonymous with the unintentional emissions of electrical and electromagnetic energy from a cryptographic device. TEMPEST dates back to the late 19th century when the telephone was invented and during the First World War when “crosstalk”, conversation through single-wire cables of the telegraph, was exploited by spies to reveal the intelligence of the enemy. In particular, what is being tested is the resistivity of the device component and cryptographic system against cryptanalysis. In other words, the TEMPEST evaluation tests the sensitivity of the device component toward power and electromagnetic analysis attacks. The possibility that someone can intercept and interpret those electromagnetic radiations to reconstruct the exact information poses a serious security issue because it jeopardizes confidentiality and secrecy. An attacker usually employs statistical analysis, signal processing, and artificial intelligence techniques to decipher the ciphertext and to reveal the arithmetic implementations of the cryptographic algorithm. Only accredited laboratories are allowed to test electronic products. The US government, NATO military organizations, NSA, and NIST, as well as contractors of the US government regulate the manufacturers of CMOS component.

TEMPEST
Introduction
TEMPEST, a term synonymous with compromising emanations, owes its origin to a top secret program run by the United States government and the US military to combat the superfluous electric and electronic energy coming out of electronic devices, such as computers and communication equipment, during the functioning of those devices (Meynard, 2012). The emitted electromagnetic energy carries data processed by the source and information about the internal execution of the cryptographic algorithm, and such data can be sensitive and confidential. Someone can possibly intercept those superfluous emanations by using a sensor, such as a Radio Frequency receiver, which weeds out background noise from data processed by the source, and then interpret and process the relevant data using complex methods and techniques of statistical analysis. Such an action constitutes eavesdropping and poses a serious threat to national security. For that reason, TEMPEST was, and remains, classified by the US government. TEMPEST, as a standard for evaluating superfluous signals and protecting against spying, remains an operation of the National Security Agency (NSA) (Meynard, 2012).
Brief History
The issue of compromising electromagnetic emanations dates back to the late 1800s when the telephone was invented and during World War I (Meynard, 2012). Single-wire lines connected the telephone network, enabling one to send message, but the ground returned the receiver’s message. One problem of such a single-wire cable design was that one could easily tap telephone conversations or “crosstalk” by using ground spikes, which create loops for eavesdropping. Enemies employed this method to tap conversations during the World War I (Mulder, 2010). Since telex cables emit energy, enemies could exploit the superfluous emissions to decipher an encrypted data transmitted over the telex cables. Such was the case with the British spies who used a broad-band radio-frequency receiver to intercept superfluous signals over telegraphic cables of the French Embassy in London (Meynard, 2012).
TEMPEST Technologies
Electromagnetic Analysis Attacks
When current flows through the various components of the device, coupling occurs between those components, enabling one component to cause emanations in the other. Coupling can either be radiative or conductive. If the system transmits interference through a physical platform, then conductive coupling occurs (Meynard, 2012; Mulder, 2010). If components create a loop, then radiative coupling occurs. Since the geometry of the device significantly determines such coupling, an unintentional modulation of signal occurs when frequency increases. “Square-wave” clocks and signals produce data signals modulated through amplitude or angle modulation via a carrier signal. These carrier signals are excellent propagators, and an attacker can exploit such propagation to reveal the correlation between power consumption and the associated electromagnetic field (Wang, 2012). These emanations are more related to the baseband signals than to the clock frequency. The correlative relationship between the baseband signals and the unintentionally modulated signals of high frequencies can be exploited to reveal processing of any plaintext data by the device (Meynard, 2012).
Differential mode radiation arises when a conductor transmits common-mode currents, which return to the source of the current through different conductors. Since both digital signal and power supply occur differentially, loops, which parts of the printed circuit and ribbon cables form, produce radiation. The different parts create an antenna for radiative coupling. Alternatively, radiation can arise if a pair of common-mode currents flowing in the same direction do not negate each other during the fluctuations of internal voltage in the ground loop. Since a cryptographic module creates an antenna owing to its interconnection with the peripheral circuits, plaintext data are propagated by the voltage drops (Meynard, 2012).
Simple and Differential Power Analysis
EM traces and power traces bear similar information, but EM traces are richer. Hence, power analysis are just as applicable as electromagnetic analysis. Serial fluctuations of power may arise because of computation operations, microprocessor commands, and storage and retrieval of registry values. If the cryptographic implementation is dependent on data, a simple analysis of the current models of a cryptographic device can reveal a series of different executable commands, which cause large-scale fluctuations in the power traces that are markedly different (Wang, 2012; Lash, 2000). Power traces give values of power consumption during the operation of a cryptographic device. The attacker measures parameters such as the current of power supply. Different batteries of instruction elicit different profiles of power in algorithmic implementations in processors, which run software. However, if the executions are purely hardware-based, then there would be a variation in the consumption of power by the different cryptographic modules. The physical attributes of the device cause the internal arithmetic operations to change into variable power consumption, which the attacker records in the traces and stores the waveform directly or indirectly using an oscilloscope (Wang, 2012). Such a technique filters data of noise power consumption, minimizing the likelihood of errors in making bit decisions. Such a simple analysis can break any cryptographic implementation, making DES particularly vulnerable (Lash, 2000). The attacker is particularly interested in revealing the internal arithmetic operations and the processed data of the cryptographic device (Wang, 2012).
For one, an attacker can break even a mathematically robust implementation of a key-scheduling algorithm of a DES cipher in the internal path by using a simple power analysis to reveal the signature of power consumption, which requires rotation of registers of the 28-bit-key (Lash, 2000). The bit-keys bearing “1s” have a conditional branch, which is conspicuously different from that of the bit-keys bearing “0s”. These conditional branches execute different paths because each conditional branch has a unique attribute. The secret bit-keys control the exponentiation operations in some executions of RSA. One can directly restore the secret bit-key if he or she knows the branching direction (Wang, 2012). Second, the attacker can effortlessly monitor the operations of permutations of bit-keys bearing “1s” and “0s”, exposing the relationship between power traces and permutations of those bit-keys, which are at the core of DES cipher.
Third, given that conditional branching and comparison of memories are related, significant fluctuations of power would arise. Fourth, given that the correlative relationship between an implementation of a multiplier algorithm and its Hamming weights and operands is high, an attacker can easily know about the internal workings of the cryptographic device. Finally, the Hamming weights of the operands for the workings of square and multiply algorithm implementations significantly determine their modular exponentiators. An attacker can expose the exponent by evaluating the attributes of the multiplication and branch operations. Evidently, with just a typical digital multimeter, one can perform simple power analysis (SPA), and thus it is an inexpensive and computationally simple method (Lash, 2000). However, SPA is ineffective when signal levels are too weak and when variations in power traces are mild; hence, an attacker would require a sampler of higher sensitivity and higher rate of sampling. He or she would to perform differential power analysis (DPA).
Unnecessary background noise and large-scale signals during measurement tend to cloud the infinitesimal variations in the power associated with the internal operations of the device, making it difficult for SPA techniques to detect (Wang, 2012). DPA employs statistical techniques to remove the unnecessary noise and other signal interferences, which suppress the relevant subtle signals. The attacker focuses on a particular internal state caused by the cryptographic operation, which is either ciphertext-specific or plaintext-specific, and on the bit of the secret key. By focusing on the key bit, the attacker is able to make the search space smaller. Such an attack-specific approach reveals how the state affects power consumption; hence, reveals a lead to the secret key. The rate of sampling is high; hence, samples for statistical analysis are adequate. One can guess the possible values of the secret key in the limited seach space by using the multiple samples of power traces to test the guess (Wang, 2012).
Since an internal value of power consumption is dependent upon the statistical function of selection for DPA, knowing such data values would help reveal the correlation between the signatures of power consumption. Thus, one can statistically construct the data of the effects associated with variation in the power consumption of the cryptographic device. By augmenting DPA with techniques of statistical analysis and digital signal processing, an attacker can sample a very large number of signals of power consumption, leveraging the large number to reduce noise and to amplify the mild and variable signal (Reddy, 2011). The degree of freedom for selection functions for a particular implementation is large because those functions select unique inputs or ciphertexts.
So, a DPA attack is based solely on ciphertexts with enough plaintexts. Given that correlation values range between -1 and +1, a correlation value approaching +1 implies the bits are correctly calculated; hence, power signatures are correlated. On the other hand, power signatures are uncorrelated if the calculation of bits is incorrect with correlation values approaching zero. Errors in measurement and noise interference make the attainment of absolute values of 0 or 1 impossible. Electromagnetic radiation, quantizaton errors, heat noise, and mis-synchronizations in the device contribute to noise. The figure below is a model constructed by Lash (2000) that shows how a DPA attack can be mounted on DES.
Let L be an intermediate step of DES and C be the system input or output, which can either be ciphertext or plaintext, respectively, whose 16th round begins with L (Lash, 2000; Wang, 2012). Let S be the box corresponding to the b’th bit. The chosen internal state is b or binary bit. Ks is the secret key byte. Thus, 0≤Ks≤26 is the relationship between the secret key byte, the chosen state, and the input or output of the system C. Hence, the selection function would be S (C, “b”, Ks), and is the value of b. Let m be the number of executions by an encryption algorithm, reflected by T1..m [1..k] power traces where k is the number of samples corresponding to C1..m ciphertexts or inputs. One must be cognizant that C values correspond to each T value of power trace. One can hypothesize the possible values of Ks in the reduced search space and evaluate the validity of his or her own hypotheses. One systematically classifies every power trace either as 1- or 0-trace as a consequence of selection function. If one subtracts the average power trace whose value of selection function for DPA equals zero from the average power trace whose value of selection function for DPA equals one, then the difference ∆D[1..k]is an attack. Therefore,
∆DJ=II=1mDPA(Ci,b,Ks)Ti[J]I=1mDPACi,b,Ks-I=1m1-DPACi,b,KsTi[J]I=1m(1-DPA(Ci,b, Ks))…………….. (1)
So, DPA ()=1 contributes to the first term and DPA ()=0 contributes to the second term. Hence, ∆D[J]~2(I=1mDPACi,b,KsTiJI=1mDPACi,b,Ks-I=1mTiJm)…………………………….. (2)
There would be a correlation between the b’th bit value and the selection function for DPA if Ks is chosen correctly, so that the b’th bit value is equal to the selection function of DPA. There would be no correlation between the selection function and the cryptographic device if Ks is chosen wrongly, so that the b’th bit value for about half as much of the ciphertexts Ci differs from the value of the bit obtained from computing the selection function for DPA (Lash, 2000).
48 bits
48 bits
E
E
R (32 bits)
R (32 bits)
Figure 1. A diagrammatic depiction of DPA attack on DES cipher

+
+
K (48 bits)
K (48 bits)

Ks8
Ks8
Ks7
Ks7
Ks6
Ks6
Ks5
Ks5
Ks4
Ks4
Ks3
Ks3
Ks2
Ks2
Ks1
Ks1

S8
S8
S7
S7
S6
S6
S5
S5
S3
S3
S2
S2
S1
S1
S4
S4

bit b bit b
P
P

K (48 bits)
K (48 bits)

Source: Lash (2000)
Higher-order DPA attack Cipher-specific selection functions do not work when mounting a higher-order DPA attack because DPA assumes that there is correlation between the transitional value of the chosen internal state and the consumption of power (Wang, 2012). Higher-order assumes that the internal state affects power consumption on multiple fronts. If b=1 corresponds to 1-trace and b=0 corresponds to 0-trace, then the difference between the average power traces of 1-trace and 0-trace in equation (1) becomes ∆T=1M1i=1M1Ti|b=1-1M0j=1M0Tj|b=0……………………….. (3) Where M0 and M1 represent 0-and 1-traces of power, respectively. So, 0-and 1-traces would be categorized correctly if the hypothesis of all possible Ks values is correct. The averages of the 0-and 1-traces of power should average out the noise in those traces and should simultaneously maintain the error arising from b (Lash, 2000). Subsequently, the differences between the power traces would remove the shared signals, which are irrelevant to b. Hence, ∆T is the value of power fluctuations because of variations in b. 0-and 1-traces would be categorized wrongly and ∆T would be nearly 0 if the hypothesis of the possible Ks values is incorrect. The testing of guesses on all possible values of Ks is done in the search space. The hypothesis is likely to be correct if ∆T, whose corresponding key value adequately differs from 0 (Wang, 2012). The rate of sampling is higher than that of first-order DPA, and the computation of the value of power trace requires numerous samples per power trace. If the attacker computes statistics shared by different power signatures at different parts of the encryption code, then nature of DPA attack is second-order. Thus, higher-order DPA requires more memory and processing. Signal processing techniques for SPA and DPA are applicable to higher-order DPA, but the latter requires a more advanced post-processing facility. In addition, an attacker would need to be familiar not only with the algorithm of an encryption, but also with the specific execution of that algorithm (Lash, 2000). Unlike higher-order DPA, an attacker mounting a first order DPA attack does not need to know the details of implementation of the algorithm (Reddy, 2011).
Other Technologies Alternatively, one can mount an attack by computing the key bits of a private key and by examining the aspects of timing of an exponentiation operation of a simple cryptographic module, which executes R=yXmod n, where X is the private key. Knowledge of the key bits of private keys of addresses with those bits helps to reduce the search space of those addresses. In addition, an attacker can easily break the cryptographic algorithm of a device whose clock speed lies in the radio frequency and microwave region of the electromagnetic spectrum. An AM radio can easily intercept such waves (Lash, 2000).
TEMPEST Companies The National Institute of Science and Technology (NIST), the NSA, the NATO military organizations, the US government, NATO agencies, and the contractors of the US government are the key players in the TEMPEST. However, companies that manufacture and supply COTS components and systems are indirectly involved because they are regulated by the TEMPEST standards (Anderson & Kuhn, 1999).
Regulatory Issues Surrounding TEMPEST The US government defines and publishes the TEMPEST certification standards, which were codenamed “FS222” and “NAG1A” during the 1950s through 1960s. Today, the standards consider the separation between the eavesdropper and the cryptographic device, and thus adding three security levels. The first and the topmost protection is levels A and one of the “NATO SDIP-27” and “USA NSTISSAM, respectively, and are for equipment functioning within zone zero of the NATO where the minimum separation is one meter. Second, levels B and two of the “NATO SDIP-27” and “USA NSTISSAM”, respectively, are for equipment functioning within zone one of the NATO where the minimum separation is 20 meters. Third, levels C and three of the “NATO SDIP-27” and “’USA NASTISSAM”, respectively, are for equipment functioning within zone two of the NATO where the minimum lines of attenuation and of sight through building are 100 meters or equivalent (Meynard, 2012). The US government has released “NATO SDIP-29”, a more recent standard, which specifies the ground and cable distance requirements for installing an equipment processing classified information. Another standard “AMSG-799B” specifies a procedure for zoning within the NATO areas, which are classified into zones zero, one, and two. However, the US government continues to classify those standards and nothing is known about the evaluation procedures and the limits of real emission. NATO agencies define and publish the list of equipment, which comply with the TEMPEST standards. Before launching a new electronic product into the market, manufacturers must comply with the TEMPEST standards and certification tests defined by the United States and NATO because electronic products can potentially interfere with other products. Whether an algorithm is mathematically robust does not matter, an accredited lab must test the algorithmic implementation against the field programmable gate array (FGPA) and the digital signal processor (DSP) to assess its vulnerability (Meynard, 2012). Also, TEMPEST standards guard against flaws in design and implementation, which are responsible for information leakage. Research indicates that no company, whether big or small, is immune from making bad decisions on system design and architecture based on incorrect assumptions and on inadequate threat models. The developers are more likely to err when designing low-level implementations because the design of the latter involve are increasingly detailed and complex methods. Such low-level implementations require keen attention to detail because there are millions code lines involved here. This is further complicated by the fact that many developers with different skill levels are involved; hence, the probability of making errors is very high (Wang, 2012). In Europe, the EMC Directive 2004/108/EC regulates majority of electronic products and ensures that they are compatible with each in regards to TEMPEST issues (Mulder, 2010). The Directive regulates compromising emanations from every electronic device, irrespective of whether simple diode and transistors constitute it or whether a complex aggregation of microchips constitutes it. Because of flawed design and architecture of a system, unintended emissions of electromagnetic energy would inevitably arise. The EMC also regulates how the logic bus of an electronic device is shielded and how circuits are isolated by guarding power supply and ground lines against unneccessary coupling and looping. For example, the EMC Directive specifies the distance between the circuits and between the shield and the circuits of the equipment, which handle ciphertexts (Red) and the plaintexts (Black). The red and black wires must closely comply with quality control measures and TEMPEST certification procedures, as the TEMPEST could be invalidated by even with the slightest alteration of a single wire. Only accredited laboratories conduct those certification tests, which take into account not only a single component, but also the whole system, given that an unprotected component can drastically change the attributes of the radio frequency with simple connection (Meynard, 2012).
Future Trends As encryption technologies shift from DES ciphers to Advanced Encryption Standard (AES) ciphers, because of the apparent vulnerabilities of DES to attacks, attackers are expected to up their game, too. Attackers are likely to use advanced operations, including machine learning and identification of reoccurrences. Machine learning can “reverse engineer” the cipher implementation by recognizing power signatures and comparing them against signatures of known ciphers (Lash, 2000). These techniques are helpful if the implementation of a cipher is unknown. Cryptanalysts are likely to shift away from the statistical-based techniques toward advanced techniques of signal processing and artificial intelligence and thus revolutionize SPA and DPA. Attackers are likely to use those methods to process not just audio signals, but also digital signals. A momentary Fourier analysis can process signatures of power consumption as one-dimensional streams of data. The computational value of a plot of Fast Fourier Transform (FFT) for power consumption might reveal the signature attributes, which time domain cannot. They are likely to use data-whiteners, including “secret splitting”, because the frequency range easily decomposes those whiteners. By identifying analogous algorithm pipelines in the frequency range, an attacker can reveal corresponding operations by filtering the trace of power consumption. Other methods include software-balancing, such as insertion of no-op and operations of operand complement. Other techniques such as neural networks can identify long-term keys in power signatures. These run-time algorithms identify repetitions in a stream of data by artificially recognizing reoccurrences, which statistical techniques cannot necessarily obtain (Lash, 2000). The National Institute of Science and Technology (NIST) and NSA are likely to play an instrumental role in looking for newer ways securing ciphers. As cryptographers increase layer of protection against power and electromagnetic cryptanalysis, key mixing seems to be a viable option for protecting the implementation of cryptographic algorithms.
Countermeasures
Countermeasures aim at maintaining constancy, masking dependence, and randomizing. One has to be painstakingly conversant with the algorithm, techniques of side-channel attacks, and compromising emanations. One has to insert countermeasures at the protocol, algorithm, architecture, and circuit levels of abstraction when designing flow (Wang, 2012). Ephemeral or session key insertion is effective against DPA and higher-order DPA at protocol level because it would task the attacker with measuring many samples to construct correlation spikes; hence, the secret key. Even if the attacker obtains the key, that secret would not last for long. In addition, one can hide the dependency between intermediate values and the information leakage by implementing random process interrupts (RPIs). Alternatively, one can increase noise levels to hide information-bearing power signature (Lash, 2000). The cipher would only interleave a valid algorithmic implementation with “dummy” commands to mask the consumption of power by valid operations. Thus, it would require an attacker to perform an enormous task of reducing the differential spikes over a Gaussian distribution (Lash, 2000). One can also mask the intermediate values by breaking the bond between them in the algorithm and in the device. By randomly implementing “no-op” commands, such an action would cause random consumption of power in the command queue. One can balance power signatures of functions dependent on data by working the operand complements. Hence, superfluous emanations would be independent of the original intermediate values (Wang, 2012). Alternatively, one can retrieve memory to obtain valid and complementary values. One can also “decouple” a device from consuming power. With two-capacitor system separated by a bridge of diode between device components and power supply, one can regulate the voltage flowing into the components with a switch control. While one capacitor gets charged, the other supplies charges to the components. When the other capacitor is completely discharged, the other fully-charged capacitor switches automatically toward “feeding” the device components while the other gets charged. So, an attacker cannot directly measure power consumption because of the reverse-biased diode, which causes capacitor switching (Lash, 2000). One countermeasure cannot be a panacea for other attacks. For example, countermeasures for first-order DPA, such as “duplication” and “splitting”, which randomize the power signature of a device by encrypting simultaneously and asynchronously, would be ineffective for higher-order DPA attacks.
Global Implications for the TEMPEST Electromagnetic analysis attacks have a greater latitude of measuring power consumption than power analysis attacks. Such a big latitude requires one to measure large amounts of data given that one has to test the resistivity of each coordinate against cryptanalysis. Thus, research has focused on ways to designing algorithms to eliminate the need for testing the sensitivity of all coordinates towards side-channel analysis, although no algorithm has been benchmarked against similar algorithms and standards. The radio frequency range of interest for an attacker and the corresponding signal processing techniques have not been explored adequately. So far, trial-and-error analysis are often used, but an analytical approach, though difficult to construct, would offer a better strategy for public measurement (Mulder, 2010). Even though cryptographers continue to add layers of security against possible attacks, such an action does not guarantee security, and cryptographic systems remain vulnerable, for research indicates that attackers can crack even a mathematically strong implementation of a cryptographic algorithm (Zhou & Feng, n.d.). Ways to mount an attack are unlimited, and such limitless possibilities make the task of designing corresponding countermeasures and predicting a possible attack extraordinarily difficult. Cryptographers have uncovered very few cryptanalysis attacks so far; hence, many cryptanalysis attacks remain unknown. In addition, the techniques for provoking emanations are unknown and there is no theoretically sufficient explanation for these emanations (Meynard, 2012). Hence, research opportunity in detecting superfluous and modulated emanations is huge. Therefore, cryptographers face an immense challenge of designing an algorithm with minimal implementation flaws. Such a design must take into account the potential loopholes that can be exploited by an attacker and all the aspects of hardware, software, and architecture. Hence, cryptographers should correctly evaluate the resistivity of cryptographic modules against cryptanalysis attacks when testing the security of those modules in the laboratory (Zhou & Feng, n.d.). In addition, many cryptographers have sketchy knowledge of the stringent models of security against cryptanalysis, and the scope for implementing formal and complex computation methods and techniques is considerable. Researchers should examine the relationship between various systemic parameters, for there is no unitary theory and the related tools and techniques to assist the cryptographer. In a nutshell, cryptographers should use theory to support their practice (Zhou & Feng, n.d.).
Conclusion
One must embed countermeasures into every level of abstraction to prevent cryptanalysis. Cryptanalysis often target the implementation of the cryptographic algorithm and the variation in power consumption of the cryptographic device. Attackers usually employ statistical methods to analyze power variations and compromising emanations, but there has been a recent shift toward adopting more advanced methods such as artificial intelligence and signal processing. There are countless possibilities of attack many of which cryptographers are unaware.

References
Anderson, R. J., & Kuhn, M. G. (1999, October 25-27). Soft Tempest-an opportunity for NATO. NATO Meeting Proceedings 27 on Protecting NATO Information Systems in the 21st Century, IST Symposium, Washington DC, USA. Retrieved from citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.31.2110
Lash, T. (2000, December 10). Power analysis in cryptography. A Study of DPA and SPA. Retrieved from teal.gmu.edu/courses/ECE543/project/reports_2000/lash_report.pdf Meynard, O. (2012). Characterization and use of the EM radiation to enhance side channel attacks. Telecom ParisTech. Retrieved from https://tel.archives-ouvertes.fr/pastel-00850528/document Mulder, E. D. (2010, November 24 ). Electromagnetic techniques and probes for side-channel analysis on cryptographic devices. Doctoral Dissertation. Retrieved from https://www.cosic.esat.kuleuven.be/publications/thesis-182.pdf Reddy, E. K. (2011). Elliptic curve cryptosystems and side-channel attacks. International Journal of Network Security, 12(3), 151-158.
Wang, Z. (2012, November ). Information leakage due to cache and processor architectures. Doctoral Dissertation. Retrieved from palms.ee.princeton.edu/.../Dissertation_ZhenghongWang+-+singlespaced... Zhou, Y., & Feng, D. (2005). Side-channel attacks: Ten years after its publication and the impacts on cryptographic module security testing. Retrieved from
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.100.8856