The residue number system (RNS) is a method for representing an integer x as an n-tuple of its residues with respect to a given set of moduli. In RNS, addition, subtraction, and multiplication can be carried out by independent operations with respect to each modulus. Therefore, an n-fold speedup can be achieved by parallel processing. The main disadvantage of RNS is that we cannot efficiently compare the magnitude of two integers or determine the sign of an integer. Two general methods of comparison are to transform a number in RNS to a mixed-radix system or to a radix representation using the Chinese remainder theorem (CRT). We used the CRT to derive an equation approximating a value of x relative to M, the product of moduli. Then, we propose two algorithms that efficiently evaluate the equation and output a sign bit. The expected number of steps of these algorithms is of order n. The algorithms use a lookup table that is (n+3) times as large as M, which is reasonably small for most applications including cryptography.

Correlation power analysis (CPA) is a well-known attack against cryptographic modules with which an attacker evaluates the correlation between the power consumption and the sensitive data candidates calculated from a guessed sub-key and known data such as plaintexts and ciphertexts. This paper enhances CPA to propose a new general power analysis, built-in determined sub-key CPA (BS-CPA), which finds a new sub-key by using the previously determined sub-keys recursively to compute the sensitive data candidates and to increase the signal-to-noise ratio in its analysis. BS-CPA also reuses the power traces in the repetitions of finding sub-keys to decrease the total number of the required traces for determining the all sub-keys. BS-CPA is powerful and effective when the multiple sensitive data blocks such as sbox outputs are processed simultaneously as in the hardware implementation. We apply BS-CPA to the power traces provided at the DPA contest and succeed in finding a DES key using fewer traces than the original CPA does.

We extend the theorem by Hong et al. which gives the upper bounds of the maximum average differential and linear hull probabilities (MADP and MALHP) for SPN block cipher with optimal or quasi-optimal diffusion layers, to the case of nested SPN (NSPN) cipher. Applying the extended theorem to two NSPN ciphers, Hierocrypt-3 of 128-bit block and Hierocrypt-L1 of 64-bit block, we estimated that MADP and MALHP for 2-round Hierocrypt-3 are bounded by 2-96, and that those for 2-round Hierocrypt-L1 are bounded by 2-48. The extended theorem is also applied to AES, and found that MADP and MALHP are bounded by 2-96 for its 4-round reduced model. The last result outperforms the best previous result 2-92 for 10-round by Keliher et al.