Bilinear-type conversion is to translate a cryptographic scheme designed over symmetric bilinear groups into one that works over asymmetric bilinear groups with small overhead regarding the size of objects concerned in the target scheme. In this paper, we address scalability for converting complex cryptographic schemes. Our contribution is threefold. Investigating complexity of bilinear-type conversion. We show that there exists no polynomial-time algorithm for worst-case inputs under standard complexity assumption. It means that bilinear-type conversion in general is an inherently difficult problem. Presenting a new scalable conversion method. Nevertheless, we show that large-scale conversion is indeed possible in practice when the target schemes are built from smaller building blocks with some structure. We present a novel conversion method, called IPConv, that uses 0-1 Integer Programming instantiated with a widely available IP solver. It instantly converts schemes containing more than a thousand of variables and hundreds of pairings. Application to computer-aided design. Our conversion method is also useful in modular design of middle to large scale cryptographic applications; first construct over simpler symmetric bilinear groups and run over efficient asymmetric groups. Thus one can avoid complication of manually allocating variables over asymmetric bilinear groups. We demonstrate its usefulness by somewhat counter-intuitive examples where converted DLIN-based Groth-Sahai proofs are more compact than manually built SXDH-based proofs. Though the early purpose of bilinear-type conversion is to save existing schemes from attacks against symmetric bilinear groups, our new scalable conversion method will find more applications beyond the original goal. Indeed, the above computer-aided design can be seen as a step toward automated modular design of cryptographic schemes.

This paper describes a design methodology for process variation aware D-Flip-Flop (DFF) using regression analysis. We propose to use a regression analysis to model the worst-case delay characteristics of a DFF under process variation. We utilize the regression equation for transistor width tuning of the DFF to improve its worst-case delay performance. Regression analysis can not only identify the performance-critical transistors inside the DFF, but also shows these impacts on DFF delay performance in quantitative form. Proposed design methodology is verified using Monte-Carlo simulation. The result shows the proposed method achieves to design a DFF which has similar or better delay characteristics in comparison with the DFF designed by an experienced cell designer.

A design-for-testability method and an electrical interconnect test method are proposed to detect open defects occurring at interconnects among dies and input/output pins in 3D stacked ICs. As part of the design method, an nMOS and a diode are added to each input interconnect. The test method is based on measuring the quiescent current that is made to flow through an interconnect to be tested. The testability is examined both by SPICE simulation and by experimentation. The test method enabled the detection of open defects occurring at the newly designed interconnects of dies at experiments test speed of 1MHz. The simulation results reveal that an open defect generating additional delay of 279psec is detectable by the test method at a test speed of 200MHz beside of open defects that generate no logical errors.

By interleaving known Z-periodic complementary (ZPC) sequence set, a new ZPC sequence set is constructed with multiple ZPC sequence subsets based on an orthogonal matrix in this work. For this novel ZPC sequence set, which refer to as asymmetric ZPC (AZPC) sequence set, its inter-subset zero cross-correlation zone (ZCCZ) is larger than intra-subset zero correlation zone (ZCZ). In particular, if select a periodic perfect complementary (PC) sequence or PC sequence set and a discrete Fourier transform (DFT) matrix, the resultant sequence set is an inter-group complementary (IGC) sequence set. When a suitable shift sequence is chosen, the obtained IGC sequence set will be optimal in terms of the corresponding theoretical bound. Compared with the existing constructions of IGC sequence sets, the proposed method can provide not only flexible ZCZ width but also flexible choice of basic sequences, which works well in both synchronous and asynchronous operational modes. The proposed AZPC sequence sets are suitable for multiuser environments.

The issue of robust multi-input multi-output (MIMO) radar waveform design is investigated in the presence of imperfect clutter prior knowledge to improve the worst-case detection performance of space-time adaptive processing (STAP). Robust design is needed because waveform design is often sensitive to uncertainties in the initial parameter estimates. Following the min-max approach, a robust waveform covariance matrix (WCM) design is formulated in this work with the criterion of maximization of the worst-case output signal-interference-noise-ratio (SINR) under the constraint of the initial parameter estimation errors to ease this sensitivity systematically and thus improve the robustness of the detection performance to the uncertainties in the initial parameter estimates. To tackle the resultant complicated and nonlinear robust waveform optimization issue, a new diagonal loading (DL) based iterative approach is developed, in which the inner and outer optimization problems can be relaxed to convex problems by using DL method, and hence both of them can be solved very effectively. As compared to the non-robust method and uncorrelated waveforms, numerical simulations show that the proposed method can improve the robustness of the detection performance of STAP.

We consider device-to-device (D2D) direct communication underlying cellular networks where the D2D link reuses the frequency resources of the cellular downlink. In this paper, we propose a linear precoder design scheme for a base station (BS) and D2D transmitter using the weighted sum-rate of the cellular downlink and D2D link as a cost function. Because the weighted sum-rate maximization problem is not convex on the precoding matrices of BS and D2D transmitters, an equivalent mean-squared error (MSE) minimization problem which is convex on the precoding matrices is proposed by introducing auxiliary matrices. We show that the two optimization problems have the same optimal solution for the precoding matrices. Then, an iterative algorithm for solving the equivalent MSE minimization problem is presented. Through a computer simulation, we show that the proposed scheme offers better weighted sum-rate performance that a conventional scheme.

At FSE 2014, Grosso et al. proposed LS-designs which are a family of bitslice ciphers aiming at efficient masked implementations against side-channel analysis. They also presented two specific LS-designs, namely the non-involutive cipher Fantomas and the involutive cipher Robin. The designers claimed that the longest impossible differentials of these two ciphers only span 3 rounds. In this paper, for the two ciphers, we construct 4-round impossible differentials which are one round more than the longest impossible differentials found by the designers. Furthermore, with the 4-round impossible differentials, we propose impossible differential attacks on Fantomas and Robin reduced to 6 rounds (out of the full 12/16 rounds). Both of the attacks need 2119 chosen plaintexts and 2101.81 6-round encryptions.

In the past decade, real-time systems (RTSs), which must maintain time constraints to avoid catastrophic consequences, have been widely introduced into various embedded systems and Internet of Things (IoTs). The RTSs are required to be energy efficient as they are used in embedded devices in which battery life is important. In this study, we investigated the RTS energy efficiency by analyzing the ability of body bias (BB) in providing a satisfying tradeoff between performance and energy. We propose a practical and realistic model that includes the BB energy and timing overhead in addition to idle region analysis. This study was conducted using accurate parameters extracted from a real chip using silicon on thin box (SOTB) technology. By using the BB control based on the proposed model, about 34% energy reduction was achieved.

SIMON is a lightweight block cipher designed by NSA in 2013. NSA presented the specification and the implementation efficiency, but they did not provide detailed security analysis nor the design rationale. The original SIMON has rotation constants of (1,8,2), and Kölbl et al. regarded the constants as a parameter (a,b,c), and analyzed the security of SIMON block cipher variants against differential and linear attacks for all the choices of (a,b,c). This paper complements the result of Kölbl et al. by considering integral and impossible differential attacks. First, we search the number of rounds of integral distinguishers by using a supercomputer. Our search algorithm follows the previous approach by Wang et al., however, we introduce a new choice of the set of plaintexts satisfying the integral property. We show that the new choice indeed extends the number of rounds for several parameters. We also search the number of rounds of impossible differential characteristics based on the miss-in-the-middle approach. Finally, we make a comparison of all parameters from our results and the observations by Kölbl et al. Interesting observations are obtained, for instance we find that the optimal parameters with respect to the resistance against differential attacks are not stronger than the original parameter with respect to integral and impossible differential attacks. Furthermore, we consider the security against differential attacks by considering differentials. From the result, we obtain a parameter that is potential to be better than the original parameter with respect to security against these four attacks.

This paper discusses design challenges and possible solutions for 3D NAND. A 3D NAND array inherently has a larger parasitic capacitance and thereby critical area in terms of product yield. To mitigate such issues associated with 3D NAND technology, array control and divided array architecture for improving reliability and yield and for reducing area overhead, program time, energy per bit and array noise are proposed.

Key predistribution schemes (KPSs) have played an important role in security of wireless sensor networks (WSNs). Due to comprehensive and simple structures, various types of combinatorial designs are used to construct KPSs. In general, compared to random KPSs, combinatorial KPSs have higher local connectivity but lower resilience against a node capture attack. In this paper, we apply two methods based on hash chains on KPSs based on transversal designs (TDs) to improve the resilience and the expressions for the metrics of the resulting schemes are derived.

Automatic design of analog circuits using a programmed algorithm is in great demand because optimal analog circuit design in a short time is required due to the limited development time. Although an automatic design using equation-based method can design simple circuits fast and accurately, it cannot solve complex circuits. On the other hand, an automatic design using optimization algorithm such as Ant Colony Optimization, Genetic Algorithm, and so on, can design complex circuits. However, because these algorithms are based on the stochastic optimization technique and determine the circuit parameters at random, a lot of circuits which do not operate in principle are generated and simulated to find the circuit which meets specifications. In this paper, to reduce the search space and the redundant simulations, automatic design using both equation-based method and a genetic algorithm is proposed. The proposed method optimizes the bias circuit blocks using the equation-based method and signal processing blocks using Genetic Algorithm. Simulation results indicate that the evaluation value which considers the trade-off of the circuit specification is larger than the conventional method and the proposed method can design 1.4 times more circuits which satisfy the minimum requirements than the conventional method.

A TM010 cavity power combiner is presented, which achieves direct interface to microstrip lines via magnetic field coupling. A prototype is fabricated and its S-matrix measured. From the S-parameters we calculate that it shows less than 0.85 dB insertion loss over 250 MHz bandwidth at X-band. The return power to the input ports is less than -15 dB over this bandwidth. We verify the insertion loss estimation using S-matrix, by measuring transmission S-parameter of a concatenated 2-port divider-combiner network. Similarly analyzed is the case of performance of power combiner when one of the input fails. We find that we can achieve graceful degradation provided we ensure some particular reflection phase at the degraded port.

Sponsored search is a mechanism that shows the appropriate advertisements (ads) according to search queries. The orders and payments of ads are determined by the auction. However, the externalities which give effects to CTR and haven't been considered in some existing works because the mechanism with externalities has high computational cost. In addition, some algorithms which can calculate the approximated solution considering the externalities within the polynomial-time are proposed, however, it assumed that one bidder can propose only a single ad. In this paper, we propose the approximation allocation algorithm that one bidder can offer many ads considering externalities. The proposed algorithm employs the concept of the combinatorial auction in order to consider the combinational bids. In addition, the proposed algorithm can find the approximated allocation by the dynamic programming. Moreover, we prove the computational complexity and the monotonicity of the proposed mechanism, and demonstrate computational costs and efficiency ratios by changing the number of ads, slots and maximum bids. The experimental results show that the proposed algorithm can calculate 0.7-approximation solution even though the full search can't find solutions in the limited times.

Massive amounts of computation involved in real-time evaluation of deep neural networks pose a serious challenge in battery-powered systems, and neuromorphic systems specialized in neural networks have been developed. This paper first shows the portion of active neurons at a time dwindles as going toward the output layer in recent large-scale deep convolutional neural networks. Spike-based, asynchronous neuromorphic systems take advantage of the sparse activation and reduce dynamic power consumption, while synchronous systems may waste much dynamic power even for the sparse activation due to clocks. We thus propose a clock gating-based dynamic power reduction method that exploits the sparse activation for synchronous neuromorphic systems. We apply the proposed method to a building block of a recently proposed synchronous neuromorphic computing system and demonstrate up to 79% dynamic power saving at a negligible overhead.

An inter-subset uncorrelated zero-correlation zone (ZCZ) sequence pair set is one consisting of multiple ZCZ sequence pair subsets. What's more, two arbitrary sequence pairs which belong to different subsets should be uncorrelated sequence pairs in this set, i.e., the cross-correlation function (CCF) between arbitrary sequence pairs in different subsets are zeros at everywhere. Meanwhile, each subset is a typical ZCZ sequence pair set. First, a class of uncorrelated ZCZ (U-ZCZ) sequence pair sets is proposed from interleaving perfect sequence pairs. An U-ZCZ sequence pair set is a type of ZCZ sequence pair set, which of most important property is that the CCF between two arbitrary sequence pairs is zero at any shift. Then, a type of inter-subset uncorrelated ZCZ sequence pair set is obtained by interleaving proposed U-ZCZ sequence pair set. In particular, the novel inter-subset uncorrelated ZCZ sequence pair sets are expected to be useful for designing spreading codes for QS-CDMA systems.

In our previous work, we introduced new concepts of secure scan design; shift register equivalent circuits (SR-equivalents, for short) and strongly secure circuits, and also introduced generalized shift registers (GSRs, for short) to apply them to secure scan design. In this paper, we combine both concepts of SR-equivalents and strongly secure circuits and apply them to GSRs, and consider the synthesis problem of strongly secure SR-equivalents using GSRs. We also consider the enumeration problem of GSRs that are strongly secure and SR-equivalent, i.e., the cardinality of the class of strongly secure SR-equivalent GSRs to clarify the security level of the secure scan architecture.

This paper presents a system for the automatic generation of Galois-field (GF) arithmetic circuits, named the GF Arithmetic Module Generator (GF-AMG). The proposed system employs a graph-based circuit description called the GF Arithmetic Circuit Graph (GF-ACG). First, we present an extension of the GF-ACG to handle GF(pm) (p≥3) arithmetic circuits, which can be efficiently implemented by multiple-valued logic circuits in addition to the conventional binary circuits. We then show the validity of the generation system through the experimental design of GF(pm) multipliers for different p-values. In addition, we evaluate the performance of three types of GF(2m) multipliers and typical GF(pm) multipliers (p≥3) empirically generated by our system. We confirm from the results that the proposed system can generate a variety of GF parallel multipliers, including practical multipliers over GF(pm) having extension degrees greater than 128.

Index generation functions model content-addressable memory, and are useful in virus detectors and routers. Linear decompositions yield simpler circuits that realize index generation functions. This paper proposes a balanced decision tree based heuristic to efficiently design linear decompositions for index generation functions. The proposed heuristic finds a good linear decomposition of an index generation function by using appropriate cost functions and a constraint to construct a balanced tree. Since the proposed heuristic is fast and requires a small amount of memory, it is applicable even to large index generation functions that cannot be solved in a reasonable time by existing heuristics. This paper shows time and space complexities of the proposed heuristic, and experimental results using some large examples to show its efficiency.

This paper presents an automatic hierarchical formal verification method for arithmetic circuits over Galois fields (GFs) which are dedicated digital circuits for GF arithmetic operations used in cryptographic processors. The proposed verification method is based on a combination of a word-level computer algebra procedure with a bit-level PPRM (Positive Polarity Reed-Muller) expansion procedure. While the application of the proposed verification method is not limited to cryptographic processors, these processors are our important targets because complicated implementation techniques, such as field conversions, are frequently used for side-channel resistant, compact and low power design. In the proposed method, the correctness of entire datapath is verified over GF(2m) level, or word-level. A datapath implementation is represented hierarchically as a set of components' functional descriptions over GF(2m) and their wiring connections. We verify that the implementation satisfies a given total-functional specification over GF(2m), by using an automatic algebraic method based on the Gröbner basis and a polynomial reduction. Then, in order to verify whether each component circuit is correctly implemented by combination of GF(2) operations, i.e. logic gates in bit-level, we use our fast PPRM expansion procedure which is customized for handling large-scale Boolean expressions with many variables. We have applied the proposed method to a complicated AES (Advanced Encryption Standard) circuit with a masking countermeasure against side-channel attack. The results show that the proposed method can verify such practical circuit automatically within 4 minutes, while any single conventional verification methods fail within a day or even more.