We present a new keystream generator (KSG) MUGI, which is a variant of PANAMA proposed at FSE '98. MUGI has a 128-bit secret key and a 128-bit initial vector as parameters and generates a 64-bit string per round. The design is particularly suited for efficient hardware implementations, but the software performance of MUGI is excellent as well. A speed optimized implementation in hardware achieves about 3 Gbps with 26 Kgates, which is several times faster than AES. On the other hand, the security of MUGI has been evaluated by analyzing the applicability of re-synchronization attacks, related-key attacks, and attacks that exploit the linear correlation of an output sequence. Our analysis confirms that MUGI is a secure KSG.

Hirose, Kuwakado and Yoshida proposed a nonce-based authenticated encryption scheme Lae0 based on Lesamnta-LW in 2019. Lesamnta-LW is a block-cipher-based iterated hash function included in the ISO/IEC 29192-5 lightweight hash-function standard. They also showed that Lae0 satisfies both privacy and authenticity if the underlying block cipher is a pseudorandom permutation. Unfortunately, their result implies only about 64-bit security for instantiation with the dedicated block cipher of Lesamnta-LW. In this paper, we analyze the security of Lae0 in the ideal cipher model. Our result implies about 120-bit security for instantiation with the block cipher of Lesamnta-LW.

We revisit the design of Lesamnta-LW, which is one of the three lightweight hash functions specified in ISO/IEC 29192-5:2016. Firstly, we present some updates on the bounds of the number of active S-boxes for the underlying 64-round block cipher. While the designers showed that the Viterbi algorithm ensured 24 active S-boxes after 24 rounds, our tool based on Mixed Integer Linear Programming (MILP) in the framework of Mouha et al. ensures the same number of active S-boxes only after 18 rounds. The tool completely evaluates the tight bound of the number of active S-boxes, and it shows that the bound is 103 for full (64) rounds. We also analyze security of the Shuffle operation in the round function and resistance against linear cryptanalysis. Secondly, we present a new mode for a pseudorandom function (PRF) based on Lesamnta-LW. It is twice as efficient as the previous PRF modes based on Lesamnta-LW. We prove its security both in the standard model and the ideal cipher model.

This paper proposes a new lightweight 256-bit hash function Lesamnta-LW. The security of Lesamnta-LW is reduced to that of the underlying AES-based block cipher and it is theoretically analyzed for an important application, namely the key-prefix mode. While most of recently proposed lightweight primitives are hardware-oriented with very small footprints, our main target with Lesamnta-LW is to achieve compact and fast hashing for lightweight application on a wider variety of environments ranging from inexpensive devices to high-end severs at the 2120 security level. As for performance, our primary target CPUs are 8-bit and it is shown that, for short message hashing, Lesamnta-LW offers better tradeoffs between speed and cost on an 8-bit CPU than SHA-256.

Cyber-physical systems, in which ICT systems and field devices are interconnected and interlocked, have become widespread. More threats need to be taken into consideration when designing the security of cyber-physical systems. Attackers may cause damage to the physical world by attacks which exploit vulnerabilities of ICT systems, while other attackers may use the weaknesses of physical boundaries to exploit ICT systems. Therefore, it is necessary to assess such risks of attacks properly. A direct-access attack in the field of automobiles is the latter type of attacks where an attacker connects unauthorized equipment to an in-vehicle network directly and attempts unauthorized access. But it has been considered as less realistic and evaluated less risky than other threats via network entry points by conventional risk assessment methods. We focused on reassessing threats via direct access attacks in proposing effective security design procedures for cyber-physical systems based on a guideline for automobiles, JASO TP15002. In this paper, we focus on “fitting to a specific area or viewpoint” of such a cyber-physical system, and devise a new risk quantification method, RSS-CWSS_CPS based on CWSS, which is also a vulnerability evaluation standard for ICT systems. It can quantify the characteristics of the physical boundaries in cyber-physical systems.

This paper describes a new single-unit underground radar for detecting underground buried pipes. The pipe depth can be calculated from the hyperbolic shape in the cross-sectional image of radar echoes. The edge contour of the image is extracted, and the buried depth is judged from the similarity between the extracted hyperbolic curve and the theoretical curve. A suitable amplification rate is estimated by choosing the best image from numerous cross-sectional images formed during one antenna movement repeated at different amplification rates. The best image has few pixels corresponding to weak and saturated signals. The new radar is very compact, so it can be operated by one person. Objects buried up to 2.0m deep can be detected.

As Internet-connected service is emerged, there has been a need for use cases where a lightweight cryptographic primitive meets both of a constrained hardware implementation requirement and a constrained embedded software requirement. One of the examples of these use cases is the PKES (Passive Keyless Entry and Start) system in an automotive domain. From the perspective on these use cases, one interesting direction is to investigate how small the memory (RAM/ROM) requirement of ARM-implementations of hardware-oriented stream ciphers can be. In this paper, we propose implementation techniques for memory-optimized implementations of lightweight hardware-oriented stream ciphers including Grain-128a specified in ISO/IEC 29167-13 for RFID protocols. Our techniques include data-dependency analysis to take a close look at how and in which timing certain variables are updated and also the way taking into account the structure of registers on the target micro-controller. In order to minimize RAM size, we reduce the number of general purpose registers for computation of Grain-128a's update and pre-output values. We present results of our memory-optimized implementations of Grain-128a, one of which requires 84 RAM bytes on ARM Cortex-M3.

Enocoro-128v2 is a lightweight stream cipher submitted to Cryptography Research and Evaluation Committees (CRYPTREC). In this paper, we first describe a side channel attack on Enocoro-128v2. We show that all secret key bytes of Enocoro-128v2 can be recovered by correlation power analysis, and it is shown by an experiment that around 6000 traces are needed to recover the secret key on SASEBO-GII (Side-channel Attack Standard Evaluation Board). We second propose a countermeasure with threshold implementation technique, which allows Enocoro-128v2 to be resistant against correlation power analysis as long as less than 105 traces are used.

This paper discusses a mode for pseudorandom functions (PRFs) based on the hashing mode of Lesamnta-LW and the domain extension called Merkle-Damgård with permutation (MDP). The hashing mode of Lesamnta-LW is a plain Merkle-Damgård iteration of a block cipher with its key size half of its block size. First, a PRF mode is presented which produces multiple independent PRFs with multiple permutations and initialization vectors if the underlying block cipher is a PRP. Then, two applications of the PRF mode are presented. One is a PRF with minimum padding. Here, padding is said to be minimum if the produced message blocks do not include message blocks only with the padded sequence for any non-empty input message. The other is a vector-input PRF using the PRFs with minimum padding.