Kaoru MASADA Ryohei NAKAYAMA Makoto IKEDA
BLS is an elliptic-curve signature scheme with the attractive feature that signatures can be aggregated and shortened. We have designed two ASIC architectures, one for hashing to the elliptic curve and one for pairing, to minimize latency. The designs are also optimized for BLS12-381, a relatively new and safe curve.
Motoharu SASAKI Mitsuki NAKAMURA Nobuaki KUNO Wataru YAMADA Naoki KITA Takeshi ONIZAWA Yasushi TAKATORI Hiroyuki NAKAMURA Minoru INOMATA Koshiro KITAO Tetsuro IMAI
Path loss in high frequency bands above 6GHz is the most fundamental and significant propagation characteristic of IMT-2020. To develop and evaluate such high frequency bands, ITU-R SG5 WP5D recently released channel models applicable up to 100GHz. The channel models include path loss models applicable to 0.5-100GHz. A path loss model is used for cell design and the evaluation of radio technologies, which is the main purpose of WP5D. Prediction accuracy across various locations, Tx positions, frequency bands, and other parameters is significant in cell design. This article presents the prediction accuracy of the UMa path loss models detailed in Report ITU-R M.2412 for IMT-2020. We also propose UMa_A' as an extension model of UMa_A. While UMa_A applies different equations to the bands below and above 6GHz to predict path loss, UMa_A' covers all bands by using the equations of UMa_A below 6GHz. By using the UMa_A' model, we can predict path loss by taking various parameters (such as BS antenna height) into account over a wide frequency range (0.5-100GHz). This is useful for considering the deployment of BS antennas at various positions over a wide frequency band. We verify model accuracy by extensive measurements in the frequency bands from 2 to 66GHz, at distances up to 1600 m, in a UMa environment with three Tx antenna heights. The UMa_A' extension model can predict path loss with a low RMSE of about 7dB at 2-26.4GHz, which is more accurate than the UMa_A and UMa_B models. Although the applicability of the UMa_A' model at 66GHz is unclear and needs further verification, the evaluation results for 66GHz demonstrate that the antenna height may affect the prediction accuracy at 66GHz.
Yuhei WATANABE Hideki YAMAMOTO Hirotaka YOSHIDA
As Internet-connected services emerge, there is a need for use cases where a lightweight cryptographic primitive meets both a constrained hardware implementation requirement and a constrained embedded software requirement. One example of these use cases is the PKES (Passive Keyless Entry and Start) system in the automotive domain. From the perspective of these use cases, one interesting direction is to investigate how small the memory (RAM/ROM) requirement of ARM implementations of hardware-oriented stream ciphers can be. In this paper, we propose implementation techniques for memory-optimized implementations of lightweight hardware-oriented stream ciphers, including Grain-128a specified in ISO/IEC 29167-13 for RFID protocols. Our techniques include data-dependency analysis, which takes a close look at how and at which timing certain variables are updated, as well as taking into account the structure of the registers on the target micro-controller. In order to minimize RAM size, we reduce the number of general-purpose registers used for the computation of Grain-128a's update and pre-output values. We present the results of our memory-optimized implementations of Grain-128a, one of which requires 84 RAM bytes on ARM Cortex-M3.
A new method is proposed for the construction of pairing-friendly elliptic curves. For any fixed embedding degree, it transforms the problem into solving equation systems instead of exhaustive searching, so it is more targeted and efficient. Via this method, we obtain various families, including complete families, complete families with variable discriminant, and sparse families. Specifically, we generate a complete family with important application prospects which, as far as we know, has never been given before.
Mohamed TOLBA Ahmed ABDELKHALEK Amr M. YOUSSEF
Midori128 is a lightweight block cipher proposed at ASIACRYPT 2015 to achieve low energy consumption per bit. Currently, the best published impossible differential attack on Midori128 covers 10 rounds without the pre-whitening key. By exploiting the special structure of the S-boxes and the binary linear transformation layer in Midori128, we present impossible differential distinguishers that cover 7 full rounds including the mix column operations. Then, we exploit four of these distinguishers to launch a multiple impossible differential attack against 11 rounds of the cipher with the pre-whitening and post-whitening keys.
Hiroaki MIZUNO Keisuke IWAI Hidema TANAKA Takakazu KUROKAWA
This paper presents a new information-theoretical evaluation method for the resistance of cryptographic implementations against side-channel attacks. In conventional methods, the results of actual attacks have often been used empirically. However, these experimental methods have some problems. In the proposed method, a side-channel attack is regarded as a communication channel model. Then, a new evaluation index, "the amount of leakage information", can be defined. The upper bound of this index is estimated as the channel capacity. The proposed evaluation using this index avoids the problems of conventional methods. Consequently, the proposed method provides some benefits: (1) it provides a rationale for evaluation; (2) it enables numerical evaluation and mutual evaluation among several kinds of countermeasures. This research achieves a unification of evaluation indexes for resistance against side-channel attacks. This paper applies the proposed method to correlation power analysis against implementations of the stream cipher Enocoro-128 v2. As a result, we confirmed its effectiveness.
This paper presents differential-based distinguishers against double-branch compression functions and applies them to the ISO standard hash functions RIPEMD-128 and RIPEMD-160. A double-branch compression function computes two branch functions to update a chaining variable and then merges their outputs. For such a compression function, we observe that second-order differential paths can be constructed by finding a sub-path in each branch independently. This leads to 4-sum attacks on 47 steps (out of 64 steps) of RIPEMD-128 and 40 steps (out of 80 steps) of RIPEMD-160. Then new properties called a (partial) 2-dimension sum and a q-multi-second-order collision are considered. The partial 2-dimension sum is generated on 48 steps of RIPEMD-128 and 42 steps of RIPEMD-160, with complexities of 2^35 and 2^36, respectively. Theoretically, the 2-dimension sum is generated faster than the brute force attack up to 52 steps of RIPEMD-128 and 51 steps of RIPEMD-160, with complexities of 2^101 and 2^158, respectively. The results on RIPEMD-128 can also be viewed as q-multi-second-order collision attacks. The practical attacks have been implemented and examples are presented. We stress that our results do not impact the security of the full RIPEMD-128 and RIPEMD-160 hash functions.
Shugo MIKAMI Hirotaka YOSHIDA Dai WATANABE Kazuo SAKIYAMA
Enocoro-128v2 is a lightweight stream cipher submitted to the Cryptography Research and Evaluation Committees (CRYPTREC). In this paper, we first describe a side channel attack on Enocoro-128v2. We show that all secret key bytes of Enocoro-128v2 can be recovered by correlation power analysis, and an experiment shows that around 6000 traces are needed to recover the secret key on SASEBO-GII (Side-channel Attack Standard Evaluation Board). Second, we propose a countermeasure based on the threshold implementation technique, which allows Enocoro-128v2 to be resistant against correlation power analysis as long as fewer than 10^5 traces are used.
Chiaki OHTAHARA Yu SASAKI Takeshi SHIMOYAMA
In this paper, we present the first results on the preimage resistance of step-reduced versions of the ISO standard hash functions RIPEMD-128 and RIPEMD-160, which were designed as strengthened versions of RIPEMD. While preimage attacks on the first 33 steps and intermediate 35 steps of RIPEMD (48 steps in total) are known, no preimage attack exists on RIPEMD-128 (64 steps) or RIPEMD-160 (80 steps). This paper shows three variations of preimage attacks on RIPEMD-128: the first 33 steps, intermediate 35 steps, and the last 32 steps. Because of the large security margin, full RIPEMD-128 is still secure enough; however, it is interesting that the number of attacked steps for RIPEMD-128 reaches the same level as for RIPEMD. We also show that our approach can be applied to RIPEMD-160, and present preimage attacks on the first 30 steps and the last 31 steps.
Cognitive radio is an emerging technology to further improve the efficiency of spectrum use. Due to the nature of the technology, it has many facets, including its enabling technologies, its implementation issues and its regulatory implications. In ITU-R (International Telecommunication Union - Radiocommunication Sector), cognitive radio systems are currently being studied so that ITU-R can have a clear picture of this new technology and its potential regulatory implications, from the viewpoint of global spectrum management. This paper introduces the recent results of the ITU-R studies on cognitive radio on both regulatory and technical aspects. This paper represents a personal opinion of the author, not an official view of the ITU-R.
Lei WANG Yu SASAKI Wataru KOMATSUBARA Kazuo SAKIYAMA Kazuo OHTA
Even though the meet-in-the-middle preimage attack framework has been successfully applied to attack most narrow-pipe hash functions, it seems difficult to apply this framework to attack double-branch hash functions. Only a few results have been published on this research. This paper proposes a refined strategy for applying the meet-in-the-middle attack framework to double-branch hash functions. The main novelty is a new local-collision approach named one-message-word local collision. We have applied our strategy to two double-branch hash functions, RIPEMD and RIPEMD-128, and obtain the following results. On RIPEMD: we find a pseudo-preimage attack on the 47-step compression function, where the full version has 48 steps, with a complexity of 2^119. It can be converted to a second preimage attack on the 47-step hash function with a complexity of 2^124.5. Moreover, we also improve previous preimage attacks on (intermediate) 35-step RIPEMD, and reduce the complexity from 2^113 to 2^96. On RIPEMD-128: we find a pseudo-preimage on the (intermediate) 36-step compression function, where the full version has 64 steps, with a complexity of 2^123. It can be converted to a preimage attack on the (intermediate) 36-step hash function with a complexity of 2^126.5. Both RIPEMD and RIPEMD-128 produce 128-bit digests. Therefore our attacks are faster than the brute-force attack, which means that our attacks break the theoretical security bound of the above step-reduced variants of these two hash functions in the sense of (second) preimage resistance. The maximum number of attacked steps on both of these hash functions in previous works is 35, to the best of our knowledge. Therefore we have successfully increased the number of attacked steps. We stress that our attacks do not break the security of full-version RIPEMD and RIPEMD-128. However, the security margin of RIPEMD becomes very narrow. On the other hand, RIPEMD-128 still has enough security margin.
Meiqin WANG Xiaoyun WANG Kam Pui CHOW Lucas Chi Kwong HUI
CAST-128 is a block cipher used in a number of products, notably as the default cipher in some versions of GPG and PGP. It has been approved for Canadian government use by the Communications Security Establishment. Haruki Seki et al. found 2-round differential characteristics with which they can attack 5-round CAST-128. In this paper, we study the properties of the round functions F1 and F3 in CAST-128, and identify differential characteristics for the F1 round function and the F3 round function. Thus we identify a 6-round differential characteristic with probability 2^-53 under a 2^-23.8 fraction of the total key space. Then, based on the 6-round differential characteristic, we can attack 8-round CAST-128 with key sizes greater than or equal to 72 bits and 9-round CAST-128 with key sizes greater than or equal to 104 bits. We give a summary of attacks on reduced-round CAST-128 in Table 10.
Masaaki SHIRASE Yukinori MIYAZAKI Tsuyoshi TAKAGI Dong-Guk HAN Dooho CHOI
Pairing-based cryptography provides many novel cryptographic applications such as ID-based cryptosystems and efficient broadcast encryption. The security problems in ubiquitous sensor networks have been discussed in many papers, and pairing-based cryptography is a crucial technique for solving them. Due to the limited resources of current sensor nodes, it is challenging to optimize the implementation of pairings on sensor nodes. In this paper we present an efficient implementation of pairing over MICAz, which is widely used as a sensor node for ubiquitous sensor networks. We improved the speed of the ηT pairing by using a new efficient multiplication specialized for the ATmega128L, called the block comb method, and several optimization techniques to reduce the number of data load/store operations. The timing of the ηT pairing over GF(2^239) achieves about 1.93 sec, which is the fastest implementation of pairing over MICAz to the best of our knowledge. From our dramatic improvement, we now have a much higher possibility of making pairing-based cryptography for ubiquitous sensor networks practical.
Ching-Lung CHR Szu-Lin SU Shao-Wei WU
Similar to algebraic decoding schemes, the (23, 12, 7) Golay code can be decoded by applying the step-by-step decoding algorithm. In this work, a modified step-by-step algorithm for decoding the Golay code is presented. Logical analysis yielded a simple rule for directly determining whether a bit in the received word is correct. The computational complexity can be reduced significantly using this scheme.
Yutaka NAITO Tomoya ITO Ryo YAMAZAKI Junya SEKIKAWA Takayoshi KUBONO
In order to study the growth of transferred pips, we operated Ag/SnO2 12 wt% contacts mounted on an electromagnetic relay in a DC 14 V-21 A resistive circuit as make-only contacts, and took photographs of the transferred pips formed on the cathode surface. In this experiment, the pip shape differed depending on whether the movable contact was the cathode or the anode. When the movable contact was the cathode, the pip grew tall, reaching 0.7 mm in height at maximum. Sometimes, the pip collapsed. Sticking occurred when the pip shape became H/Dr0.5 and H/Ga0.5, where H is the pip height, Dr is the diameter of the pip root, and Ga is the gap length of the open contacts. Judging from this result, we can predict that when a pip grows to H/Dr0.5 and H/Ga0.5, sticking will easily occur. When the movable contact was the anode, no tall pip was formed, because of pip breakages. Sticking occurred for three samples although the pips grew to H/Dr0.5 and H/Ga0.5. In this case we could not obtain a numerical relationship between the pip shape and the occurrence of sticking.
Takeo YAMADA Hao-Shen ZHOU Hidekazu UCHIDA Masato TOMITA Yuko UENO Keisuke ASAI Itaru HONMA Teruaki KATSUBE
Mesoporous materials made from self-assembled organic-inorganic compound materials have great potential for a variety of applications. However, to make effective use of these kinds of materials, they must be controlled. In this paper, we have succeeded in pore size control in the powder state and in fabricating the film state for device applications.
Tetsuji UCHIYAMA Zhen WANG Ienari IGUCHI
We have fabricated a novel type of intrinsic Josephson junction with superconducting Bi2Sr2CaCu2O8+y (Bi-2212)/YBa2Cu3O7-x (YBCO) bilayer thin films deposited on MgO(100) substrates. We used the 4th harmonic of a Nd:YAG pulsed laser for ablation. Furthermore, we studied the transport properties of a 25 µm × 25 µm Bi-2212/YBCO mesa-type junction. The zero resistance temperature was around 50 K. The current-voltage characteristics showed flux-flow-like behavior and a supercurrent of about 2 mA at 4.2 K. Shapiro steps were observed when microwaves were irradiated onto the mesa junction. These Shapiro steps are attributed to the Josephson junction formed at the interface between the Bi-2212 and YBCO layers in the mesa structure, and not to the intrinsic Josephson junctions in the Bi-2212 layer or the micro-grains within the films.
Seiya UCHIDA Kiichi GOTO Akira TACHIKAWA Keiji IRAMINA Shoogo UENO
The purpose of our study is to estimate the imaging of ischemic myocardial muscles in rats. The magnetocardiograms (MCG) of rats were measured by a 12-channel high resolution gradiometer, which consisted of 5 mm diameter pick-up coils with a 7.5 mm distance between each coil. MCGs of seven male rats were measured in a magnetically shielded room pre- and post-coronary artery occlusion. The source imaging was estimated by minimum norm estimation (MNE). Changes of the current source imaging pre- and post-coronary artery occlusion were clarified. As a result, in the ST segment, the current distribution significantly increased at the ischemic area. In the T wave, the direction of the current distribution clearly shifted to the left thorax. We proved that the increased area of the current distribution in the ST segment was related to the ischemic area of the ventricular muscles.
Mitsuhiko OGIHARA Takatoku SHIMIZU Masumi TANINAKA Yukio NAKAMURA Ichimatsu ABIKO
We developed a 1200 dots-per-inch light emitting diode array (1200 dpi LED array) chip using a GaAs0.8P0.2 epitaxial substrate for the first time. One LED array chip consists of 256 LEDs. In general, LED arrays are fabricated by vapor-phase zinc diffusion. From the viewpoint that shallow junctions should be formed to fabricate a very high-density LED array, solid-phase diffusion seems to be more suitable. We fabricated the LED array using selectively-masked solid-phase zinc diffusion, and the diffusion depth was controlled at 1 µm. The diffusion depth was uniform under the diffusion window. The ratio of the length of lateral diffusion to the diffusion depth was about 1.7. These features imply that the Zn diffusion was well controlled. In the Zn diffusion, the carrier concentration in the Zn diffusion region was high enough, and the sheet resistance of the diffusion region with a diffusion depth of 1 µm was low enough, to obtain a sufficient level of emitted light power. The results of performance tests showed that the characteristics of the LED array chip are satisfactory for application in optical printer print heads, because of the array's highly-resolved near-field pattern characteristic, ample emitted light power, low emitted-light-power deviation, and long life.
Shiro SAKIYAMA George HAYASHI Shiro DOSHO Masakatsu MARUYAMA Seizo INAGAKI Masatoshi MATSUSHITA Kouji MOCHIZUKI
This paper describes an oversampling analog-to-digital converter (ADC) suitable for PCM codes. A non-linear 5-level quantizer is implemented in the noise-shaping modulator. This ADC meets the specifications of ITU-T G.712 in spite of using a first order delta-sigma modulator, and realizes low power operation. The chip is fabricated in a 0.8 µm double-poly, double-metal CMOS process and occupies a chip area of 15 mm^2. Maximum power consumption is 12.8 mW with a single +3 V power supply, including the DAC and TONE generator.