1. Introduction
Today’s information security engineers are facing with the problem of building a trustworthy system from untrustworthy components. Security experts claim that the only workable solutions demand some minimal number of trustworthy components to date. For ensuring the security of an overall system, these trustworthy components are required to provide some services such as authentication, encryption/decryption, cryptographic tokens and so on. Typically, the security of an overall system is provided at the level of softwares (cryptographic algorithms). Traditional cryptographic protocol designs assume that input and output messages are available to attackers, but other information about keys remains unknown. During the last two decades a new class of attacks against cryptographic devices have become public. These attacks exploit easily accessible side-channel information like input-output behavior under malfunctions, power consumption, running time, and can be mounted by anyone using low-cost equipments [1-4]. These side-channel attacks amplify and evaluate leaked information with the help of statistical methods, and are often much more powerful than classical cryptanalysis [5-9], especially in the Internet of Things. As a representative of the informationization tide, the Internet of Things has been playing a vital part in the daily activities of human society, such as intelligent transportation, modern logistics, food safety, environmental monitoring, etc. However, the traditional cryptographic algorithms are not suitable for solving the increasingly prominent security problems of the Internet of Things, since the application components used in the Internet of Things, such as RFID, smart cards and other highly-constrained devices, are mainly microprocessing equipments with weak computing ability and limited storage capacity. In this case, the lightweight cryptographic algorithms and the related side channel attacks have been widely applied to security analysis of the Internet of Things.
The TWINE is a new lightweight cryptosystem to provide security for the highly--constrained devices in the Internet of Things [10]. Its block size is 64 bits, and the supported key sizes are 80 bits in the TWINE-80 and 128 bits in the TWINE-128, respectively. It repeats 36 rounds and every round consists of the 4-bit to 4-bit S-boxes and the linear transformations. Since its introduction, the TWINE has been the target of classical cryptanalytic efforts. The designers of the TWINE, focus on the impossible differential and saturation attacks, which are regarded as the most critical attacks to the TWINE[10]. Then the biclique cryptanalysis of the TWINE has been proposed in [11-12]. Later M. Coban et al make use of the slow diffusion of both the encryption and the key schedule to describe the mutidimensional meet-in-the-middle attacks on the reduced round of the TWINE [13].
Different from the classical cryptanalysis, differential fault analysis, also called DFA, is one type of side-channel attacks in the Internet of Things [14-15]. It was proposed on the DES cryptosystem by E. Biham and A. Shamir for its strong attacking ability, fast speed, simple implementation and other characteristics [16]. The similar attacks have been applied to AES [17-21], IDEA [22], and ARIA [23] etc. The DFA attack is based on deriving information about the secret key by examining the differences between a cipher resulting from a correct operation and a cipher of the same initial message resulting from a faulty operation.
In the literature, little research has been devoted to the security of the TWINE against the DFA. The TWINE takes the generalized Feistel-based structure, and has neither a bit permutation nor a Galois-Field matrix. Its basic components include the 4-bit S-boxes, the XOR and the 4-bit-wise permutation (shuffle). And the diffusion layer is smaller than other ciphers with the same structure. Thus, it has a rather long diffusion path and maximizes the avalanche effect of the linear transformation. This kind of designing strengthens the security of the TWINE against the DFA attack. It makes the path of fault propagation more difficult to be analyzed. Thus, it is difficult to derive the relationship between the fault and the secret key of the TWINE.
We thus propose an effective DFA method to recover the secret key of the TWINE. It adopts the 4-bit fault model. In the DFA attack, the attackers could induce a random error into the 64-bit layer of the encryption, and thus obtain a faulty ciphertext. By differential analysis, the last subkey could be recovered. Then the attackers could decrypt the right ciphertext to obtain the input of the last round, which is the output of the penultimate round. They repeat the above procedure to recover more subkeys until the secret key is obtained by the key schedule. On this fault model and attacking procedure, our method can recover the secret key of the TWINE. The experiments show that using 8 errors and 18 faults on average could recover the 80-bit and 128-bit secret keys, respectively. To the best of our knowledge, it is the first work that a differential fault attack on the TWINE has been successfully put into practice. Compared with the classical cryptanalysis, the differential fault attack on the TWINE has a good performance in data complexity, time complexity and memory complexity, as Table 1 shows.
Table 1.Cryptanalysis of the TWINE
This paper is organized as follows. Section 2 briefly introduces the TWINE. The next section describes the fault model and basic assumption, and proposes our DFA analysis to recover the secret key. Section 4 and 5 summarize the attacking complexity and the experimental results. Finally section 6 concludes the paper.
2. Description of the TWINE
The TWINE is a 64-bit lightweight block cipher with two primary instances taking 80-bit and 128-bit secret keys. It has 36 rounds and is composed of the encryption, the decryption and the key schedule as Fig. 1 shows [10].
Fig. 1.The structure of the TWINE
2.1 Encryption
The encryption algorithm of the TWINE-80 and the TWINE-128 is described as Table 2 shows.
Table 2.The encryption of the TWINE
Let P ∈ ({0,1}4)16 be the plaintext and C ∈ ({0,1}4)16 be the ciphertext, respectively. Let RK ∈ ({0,1}32)36 represent the concentration of 36 subkeys, and RKi ∈ ({0,1}4)8 represent the i-th subkey from the secret key K, with 1 ≤ i ≤ 36, respectively. Let Xij ∈ {0,1}4 denote the j-th 4-bit input value in the i-th round, with 1 ≤ i ≤ 36 and 0 ≤ j ≤ 15.
The round function consists of a substitution layer S using 8 4×4 S-boxes and a diffusion layer π permuting 16 blocks.
2.2 Decryption
The decryption is the same as the encryption, including the subkeys with the reverse order.
2.3 Key schedule
The secret key K is the input of a key schedule to produce the subkeys for every round. It divides an 80-bit secret key and a 128-bit secret key into 36 subkeys as Table 3 and Table 4 show, where CONr and represent 3-bit constants with 1≤ r ≤ 35.
Table 3.The key schedule for the TWINE-80
Table 4.The key schedule for the TWINE-128
3. Differential Fault Analysis on the TWINE
3.1 Notations
The following notations are used to describe the TWINE and its analysis.
Let C* ∈ ({0,1}4)16 and ΔC ∈ ({0,1}4)16 be the faulty ciphertext and the ciphertext difference, respectively.
Let ΔXij ∈ ({0,1}4) represent the j-th 4-bit input difference in the i-th round, with 1 ≤ i ≤ 36 and 0 ≤ j ≤ 15.
Let Aij, Bij, ΔAij and ΔBij denote the j-th 4-bit input, output, input difference and output difference of the substitution layer in the i-th round with 1 ≤ i ≤ 36 and 0 ≤ j ≤ 7, respectively.
For the substitution layers, the relationships between the input differences and output differences of the S-box layers are defined as follows:
where 1 ≤ i ≤ 36 and 0 ≤ j ≤ 7.
3.2 Fault model and basic assumption
The DFA analysis exploits the differences between a normal ciphertext and a faulty ciphertext stemming from encryptions of the same plaintext. Our proposed fault model includes the following two assumptions: the attackers have the capability to choose one plaintext to encrypt and obtain the corresponding right and faulty ciphertexts (Chosen Plaintext Attack, CPA). Furthermore, the attackers could induce a 4-bit error to one round of the encryption. In fact, the attackers could assume that the error is one bit or half a byte, and one bit is a special case of half a byte. It does not influence the attacking procedure. Both the value and the location of the error in this round are random. As for the attack, they could analyze a fault occurring near the end of the algorithm and assume the general random fault model where the fault modifies the processed data in a random way.
The attacking procedure is as follows: the right ciphertext is obtained when a plaintext is encrypted with a secret key. The attackers induce a random error in some round of the encryption and thus obtain a faulty ciphertext. The faults could be injected by either using the simulation in software implementation, or using radiation, X-ray and micro-probe in hardware implementation. By differential fault analysis, the value of the last subkey can be recovered. Then the attackers could decrypt the right ciphertext to obtain the input of the last round, which is the output of the penultimate round. At last they repeat the above procedure to deduce more subkeys until the secret key is obtained by the key schedule.
3.3 Attacking Procedure
In this subsection, we apply the above basic idea and propose a novel differential fault analysis to recover the secret keys of the TWINE-80 and the TWINE-128. The analysis is split into the following successive steps for the TWINE.
Step 1. A ciphertext C is derived when an arbitrary plaintext P is encrypted with a secret key K.
Step 2. This step aims at recovering the last subkey RK36. A fault may be induced on either the input or the output of F function in the 31st round whereas the approach is identical in either case. Assume that the error is induced in the first F function in this round. Note that any modification of one 4-bit error provokes the XOR-differences These alter the original ciphertext C into the faulty ciphertext C*. There is no diffusion layer in the last round, so the input and output difference of the S-boxes in this round can be calculated as follows:
where j ∈ {0,1,5,6}.The above equations, in conjunction with a pair of right faulty ciphertexts, allow to infer the relationship between input differences and output differences of the S-boxes. Thus, the differential transformation of S-boxes in the last round has
where j ∈ {0,1,5,6}.The j-th 4-bit value of A36 satisfies
Then the attackers do brute-force search for the value of to deduce where j ∈ {0,1,5,6}. This procedure leads to a list of candidates and the value of could be deduced as follows:
where j ∈ {0,1,5,6}. Then the attackers could choose the inputs of other F functions in the 31st round to induce errors. So other values of the last subkey could be deduced by the similar method. Table 5 lists the relationship between the fault locations of the j’-th F function in the 31st round and the affected j-th 4-bit values in the last two subkeys, with 0 ≤ j’ ≤ 7 and 0 ≤ j ≤ 7 .
Table 5.The relationship between the fault locations and the affected 4-bit values in the last two rounds.
Step 3. In this step, there are no errors induced. The attackers could make advantage of the errors in the previous step to deduce the penultimate subkey. They could decrypt the right ciphertext by the last subkey to obtain the output of the penultimate round. The input and output differences of the S-boxes in the penultimate round could be derived as follows:
and the value of satisfies
where j ∈ {0,5,6}. The attackers do brute-force search for the value of to deduce the input of S-boxes in the penultimate round. The values of could be deduced as below:
where j ≤ {0,5,6}. So other values of the penultimate subkeys could be deduced by the similar method. Table 5 lists the relationship between the fault locations of the j’-th F function in the 31st round and the affected j-th 4-bit values in the penultimate subkey with 0 ≤ j’ ≤ 7 and 0 ≤ j ≤ 7 . If the key size is 80 bits, then the attacking procedure jumps step 5; else it jumps step 4.
Step 4. The attackers could make advantage of the previous two steps to derive the output of the 34th round, and induce faults the similar locations into the 29th round. After computing the input differences and output differences of the S-boxes, all bytes of RK34 and RK33 could be deduced.
Step 5. As for the TWINE-80, the last two subkeys could be recovered as follows:
So the remaining 16 bits of WK5||WK7||WK8||WK17 could be derived by the brute-force search. The 80-bit secret key is calculated by
As for the TWINE-128, the attackers could derive the last four subkeys as follows:
So the remaining 8 bits of WK1||WK15 could only be derived by the brute-force search. Eventually the 128-bit secret key is calculated by
4. Attacking Complexity
We summarize the attacking procedure to select subkey candidates for a secret key. The time complexity of brute-force search for one fault injection is
where σ denotes the size of the substitution layer and ω denotes the input size of one S-box. In addition, an estimation of the number of faults necessary for the attack to be successful is vital. In the attacking procedure, the number of faulty ciphertexts to recover a subkey depends on the fault location and the fault model.
We take the derivation of RK36 as an example. On the definition of an S-function, if A36 is a candidate, A36 ⊕ ΔA36 may be another subkey candidate. In other words, if the input candidates set of S-boxes is not null, the input A36 may have several candidates. It indicates RK36 may have some possible elements.
In the fault model, a random error could be induced at any round of the encryption. If the fault occurs in the last round, only 4 bits in the input of the S-box will change, which could recover at most 4 bits of the last subkey by DFA. To recover the last subkey, it is necessary to induce many errors into different F functions.
If the fault is induced at an ideal location before the last round, then the input difference and output difference of the S-boxes in this round contain only one nonzero 4-bit value. However, the output difference of π has multibytes owing to the diffusion of linear transformation. Thus, the input difference of the S-boxes in the last round contains multibytes after the computation of the last several rounds. The above idea is applied in the attacking procedure to improve the efficiency of fault injection.
Since at least two faults can make one element in the intersection of RK36, the attackers continue deriving intersection of subkey candidates sets until the intersection has only one element. Thus, at least two faulty ciphertexts are required to derive multibytes of one subkey. The theoretical minimum number of faulty ciphertexts to recover one subkey is defined as
where σ represents the size of the substitution layer, and τ represents the maximum number of bits in a subkey derived by two faulty ciphertexts. To derive the subkey, the value of τ equals the number of bits in the nonzero output difference of the nonlinear transformation in this round. If τ = 0 , then there is no bits of a subkey derived and thus ϕ = 0 .
To recover a secret key, the time complexity is
the data complexity is
chosen plaintext-ciphertext pairs, and the memory complexity is
where δ denotes the number of subkeys to recover a secret key, σ represents the size of the substitution layer, ω denotes the input size of one S-box, τ represents the maximum number of bits in a subkey derived by two faulty ciphertexts, v denotes the size of the secret key, and η represents the number of bits in the secret key derived by the DFA. If τ = 0 , then there is no bits of a subkey derived and thus η = 0 .
To recover the 80-bit secret key in theory, the time complexity is 216.59, the data complexity is 23.17 chosen plaintext-ciphertext pairs, and the memory complexity is 216.01 , where ω=4, σ = 64, τ = 16, δ=2, η=64, v=80 and ϕ=8. To recover the 128-bit secret key in theory, the time complexity is 216.01, the data complexity is 24.09 chosen plaintext-ciphertext pairs, and the memory complexity is 28.98, where ω=4, σ=64, τ=16, δ=4, η=120, v=128 and ϕ=8.
5. Experimental Results
We implemented our attack on a PC using Visual C++ 8.0 Compiler on a 2.53 GHz celeron with 2GB memory. The fault induction was simulated by computer software. In this situation, we ran the attacking algorithm to 1000 encryption units with different random generated keys. The experiments are divided as 5 groups in average, denoted as G1, G2, G3, G4 and G5.
Fig. 2 and Fig. 3 show the number of bits recovered in the 80-bit and 128-bit versions in intersections of candidates to recover the secret keys. The x-coordinate represents the number of experiments and the y-coordinate represents the number of the recovered bits of the secret key. In Fig. 2, the colored lines denote the number of the recovered bits of the secret key in the 3rd, 6th, 9th and 12th intersections of TWINE-80, respectively. In Fig. 3, the colored lines denote the number of the recovered bits of the secret key in the 3rd, 6th, 9th, 12th, 15th, 18th, 21st and 24th intersections of TWINE-128, respectively. We define accuracy, reliability and latency for evaluating the experimental results in detail.
Fig. 2.Number of bits recovered in TWINE–80
Fig. 3.Number of bits recovered in TWINE-128
Accuracy is a metric that defines how close the number of the secret key is to the true number of subkey candidates. Basically, the closer the experimental number of the secret key candidates is to the true number, the more accurate the experiment is. Thus, we consider the Root Mean-Square Error (RMSE) to measure the accuracy, where RMSE is given by
where N denotes the number of experiments in a set, e represents the index of the experiment, htrue denotes the number of bits in the secret key, and hmeasured represents the number of bits recovered in the secret key candidates. As we know, the values of htrue are 64 bits for the 80-bit version and 120 bits for the 128-bit version. The closer the RMSE value is to 0, the more accurate the experiments are. The RMSE values for every intersections of subkey candidates are shown in Table 6 and Table 7, where N=200, e∈{1, …, 1000} and htrue∈{64,120}. For example, to compute the RMSE value of G1 in the 3rd intersection, it is observed that hmeasured (e) represents the values of the red line shown in Fig. 2, N=200, e∈{1, …, 200} and htrue=64. Thus,the RMSE value of G1 in the 3rd intersection is 5.57. In the same way, all values of RMSE could be derived in Table 6. Eventually, the values of RMSE in 12th intersection for the 80-bit version and in the 24th intersection for the 128-bit version are both zero, so we could derive the secret keys in the corresponding intersections. That is, at most 13 and 25 faulty ciphertexts are required to recover secret keys for the two versions, respectively. Furthermore, the accuracy in every group for the same interaction is similar or equal.
Table 6.Accuracy by RMSE for the the TWINE–80
Table 7.Accuracy by RMSE for the the TWINE–128
Reliability is the ratio of successful experiments out of all experiments made. If the attackers could derive only one secret key, we consider that the experiment is successful. Referring to Table 8 and Table 9, one can observe the ratios of successful experiments in every intersection for the 80-bit and the 128-bit versions. The experimental results show that 12 intersections are enough to recover the secret key for the 80-bits version and 24 intersections are enough for the 128-bits version. That is, the reliability is 100% if the attackers induce at most 13 and 25 random faults to break a secret key for the two versions, respectively. Furthermore, the reliability in every group for the same interaction is similar or equal.
Table 8.Reliability for the the TWINE–80
Table 9.Reliability for the the TWINE–128
Latency is the time to the recovery the secret key in our software simulation. It is measured in seconds for the 80-bit version and in 0.01 seconds for the 128-bit version. Fig. 4 and Fig. 5 show the time of 1000 experiments. The DFA could break the TWINE by recovering 64 bits of the 80-bit secret key and 120 bits of the 128-bit secret key, respectively. The brute-force search could be applied in deriving the remaining 16 bits of the 80-bit secret key and the remaining 8 bits of the 128-bit secret key, respectively. According to the experiment results, the whole attacking procedure requires 4.4s and 0.046s on average to recover the secret keys. The time in the brute-force search of the remaining 16 bits is more than that of the remaining 8 bits. Thus, the whole time of breaking the TWINE-80 is more than that of breaking the TWINE-128.
Fig. 4.Latency in attacking the TWINE–80
Fig. 5.Latency in attacking the TWINE–128
Referring to the experimental results, breaking the TWINE-80 requires at least 6 faulty ciphertexts and at most 13 faulty ciphertexts. The average number of the faulty ciphertexts of the TWINE-80 is 8. And breaking the TWINE-128 requires at least 12 ciphertexts and at most 25 faulty ciphertexts. The average number of the faulty ciphertexts of the TWINE-128 is 18.
On the basis of the number of faulty ciphertexts in our simulated experiments, the overall time complexities are
and
to break the TWINE-80 and TWINE-128, respectively.
The data complexities in practice are
and
chosen plaintext-cipertext pairs to break the TWINE-80 and TWINE-128 by the DFA, respectively.
The memory complexities in practice are
and
to break the TWINE-80 and TWINE-128 by the DFA, respectively.
6. Conclusion
As for the fault analysis on lightweight block ciphers, current studies have been published regarding mathematical analysis on cryptographic algorithms, fault injection on cryptographic algorithm in software implementation, fault injection on cryptographic algorithm in hardware implementation. This paper examines fault injection on the TWINE in software implementation. It shows that the TWINE is vulnerable to the differential fault analysis. In the 4-bit fault model, only 8 and 18 ciphertexts on average is required to obtain the 80-bit and 128-bit secret keys of the TWINE, respectively. Our work provides a new reference to fault analysis on other lightweight cryptosystems.
In consequence, we are working on fault injection and detection on the TWINE in hardware implementation. Furthermore, future analysis should be able to support more fault locations of the TWINE, such as the key schedule.
References
- P. Kocher, "Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems," in Proc. of 16th Annual Int. Cryptology Conf., pp. 104-113, August 18-22, 1996.
- P. Kocher, J. Jaffe and B. Jun, "Differential power analysis," in Proc. of 19th Annual Int. Cryptology Conf., pp. 388-397, August 15-19, 1999.
- H. C. Kim and J.-J. Quisquater, "Faults, injection methods, and fault attacks," IEEE Des. Test Comput., vol. 24, no. 6, pp. 544-545, November-December, 2007. https://doi.org/10.1109/MDT.2007.186
- M. Joye, J. J. Quisquater, S. M. Yen and M. Yung, "Observability analysis-detecting when improved cryptosystems fail," in Proc. of Cryptographer's Track RSA Conf., pp. 17-29, February 18-22, 2002.
- I. C. Lin and C. C. Chang, "Security enhancement for digital signature schemes with fault tolerance in RSA," Inform. Sciences, vol. 177, no. 19, pp. 4031-4039, February, 2007. https://doi.org/10.1016/j.ins.2007.03.035
- J. Kelsey, B. Schneier, D. Wagner and C. Hall, "Side channel cryptanalysis of product ciphers," in Proc. of 5th European Symp. Research Comp. Security, pp. 97-110, September 16-18, 1998.
- W. Erich and G. Johann, "An 8-bit AVR-based elliptic curve cryptographic RISC processor for the internet of things," in Proc. of 45th Annual Int. Symposium on Microarchitecture, pp. 39-46, December 1-5, 2012.
- K. Zhang, L. Ding and J. Li, "Real time related key attack on Hummingbird-2," KSII T. Internet Inf., vol. 6, no. 8, pp. 1946-1963, August 25, 2012.
- T. Cui and C. Jin, "Finding impossible differentials for Rijndael-like and 3D-like Structures," KSII T. Internet Inf., vol. 7, no. 3, pp. 509-521, March 31, 2013.
- T. Suzaki, K. Minematsu, S. Morioka and E. Kobayashi, "TWINE: a lightweight block cipher for multiple platforms," in Proc. of 19th Int. Conf. Selected Areas in Cryptography, pp. 339-354, August 15-16, 2012.
- F. Karako, H. Demirci and A. E. Harmanc, "Biclique cryptanalysis of LBlock and TWINE," Infor. Processing Letters, vol. 113, no. 12, pp. 423-429, June 30, 2013. https://doi.org/10.1016/j.ipl.2013.03.011
- M. Coban, F. Karako and O. Boztas, "Biclique cryptanalysis of TWINE," in Proc. of 11th Int. Conf. Cryptology Network Security, pp. 43-45, December 12-14, 2012.
- M. Coban, F. Karako and O. Boztas, "Multidimensional meet-in-the-middle attacks on reduced-round TWINE-128," in Proc. of 2nd Int. Workshop on Lightweight Cryptography for Security and Privacy, pp. 55-67, May 6-7, 2013.
- D. Boneh, R. A. DeMillo and R. J. Lipton, "On the importance of checking cryptographic protocols for faults," in Proc. of Int. Conf. Theory Application Cryptographic Techniques, pp. 37-51, May 11-15, 1997.
- D. Boneh, R. A. DeMillo and R. J. Lipton, "On the importance of eliminating errors in cryptographic computations," J. CRYPTOL., vol. 14, no. 2, pp. 101-119, March, 2001. https://doi.org/10.1007/s001450010016
- E. Biham and A. Shamir, "Differential fault analysis of secret key cryptosystems," in Proc. of 17th Annual Int. Cryptology Conf., pp. 513-525, August 15-19, 1997.
- G. Bertoni, L. Breveglieri, I. Koren, P. Maistri and V. Piuri, "Error analysis and detection procedures for a hardware implementation of the Advanced Encryption Standard," IEEE T. Comput., vol. 52, no. 4, pp. 492-505, April 2, 2003. https://doi.org/10.1109/TC.2003.1190590
- P. Dusart, G. Letourneux and O. Vivolo, "Differential fault analysis on A.E.S," in Proc. of 1st Int. Conf. Applied Cryptography and Network Security, pp. 293-306, October 16-19, 2003.
- C. Giraud, "DFA on AES," in Proc. of 4th Int. Conf. Advanced Encryption Standard, pp. 27-41, May 10-12, 2004.
- A. Moradi, M. T. M. Shalmani and M. Salmasizadeh, "A generalized method of differential fault attack against AES cryptosystem," in Proc. of 8th Int. Workshop on Cryptographic Hardware and Embedded Systems, pp. 91-100, October 10-13, 2006.
- P. Gilles and J. J. Quisquater, "A differential fault attack technique against SPN structures, with application to the AES and KHAZAD," in Proc. of 5th Int. Workshop on Cryptographic Hardware and Embedded Systems, pp. 77-88, September 8-10, 2003.
- C. Christophe, G. Benedikt and V. Ingrid, "Fault analysis study of IDEA," in Proc. of Cryptographers' Track at the RSA Conf., pp. 247-287, April 8-11, 2008.
- W. Li, D. Gu and J. Li, "Differential fault analysis on the ARIA algorithm," Inform. Sciences, vol. 178, no. 19, pp. 3727-3737, October 1, 2008. https://doi.org/10.1016/j.ins.2008.05.031
Cited by
- Security Analysis of the Khudra Lightweight Cryptosystem in the Vehicular Ad-hoc Networks vol.12, pp.7, 2015, https://doi.org/10.3837/tiis.2018.07.023