Ising machines can find optimum or quasi-optimum solutions of combinatorial optimization problems efficiently and effectively. The graph coloring problem, which is one of the difficult combinatorial optimization problems, is to assign a color to each vertex of a graph such that no two vertices connected by an edge have the same color. Although methods to map the graph coloring problem onto the Ising model or quadratic unconstrained binary optimization (QUBO) model are proposed, none of them considers minimizing the number of colors. In addition, there is no Ising-machine-based method considering additional constraints in order to apply to practical problems. In this paper, we propose a mapping method of the graph coloring problem including minimizing the number of colors and additional constraints to the QUBO model. As well as the constraint terms for the graph coloring problem, we firstly propose an objective function term that can minimize the number of colors so that the number of used spins cannot increase exponentially. Secondly, we propose two additional constraint terms: One is that specific vertices have to be colored with specified colors; The other is that specific colors cannot be used more than the number of times given in advance. We theoretically prove that, if the energy of the proposed QUBO mapping is minimized, all the constraints are satisfied and the objective function is minimized. The result of the experiment using an Ising machine showed that the proposed method reduces the number of used colors by up to 75.1% on average compared to the existing baseline method when additional constraints are not considered. Considering the additional constraints, the proposed method can effectively find feasible solutions satisfying all the constraints.

Three-dimensional integrated circuits (3D ICs) that employ through-silicon vias (TSVs) integrating multiple dies vertically have opened up the potential of highly improved circuit designs. However, various types of TSV defects may occur during the assembly process, especially the clustered TSV faults because of the winding level of thinned wafer, the surface roughness and cleanness of silicon dies,inducing TSV yield reduction greatly. To tackle this fault clustering problem, router-based and ring-based TSV redundancy architectures were previously proposed. However, these schemes either require too much area overhead or have limited reparability to tolerant clustered TSV faults. Furthermore, the repairing lengths of these schemes are too long to be ignored, leading to additional delay overhead, which may cause timing violation. In this paper, we propose a region-based TSV redundancy design to achieve relatively high reparability as well as low additional delay overhead. Simulation results show that for a given number of TSVs (8*8) and TSV failure rate (1%), our design achieves 11.27% and 20.79% reduction of delay overhead as compared with router-based design and ring-based scheme, respectively. In addition, the reparability of our proposed scheme is much better than ring-based design by 30.84%, while it is close to that of the router-based scheme. More importantly, the overall TSV yield of our design achieves 99.88%, which is slightly higher than that of both router-based method (99.53%) and ring-based design (99.00%).

A method of round addition attack on substitution-permutation network (SPN) block ciphers using differential fault analysis (DFA) is presented. For the 128-bit advanced encryption standard (AES), we show that secret keys can be extracted using one correct ciphertext and two faulty ciphertexts. Furthermore, we evaluate the success rate of a round addition DFA attack, experimentally. The proposed method can also be applied to lightweight SPN block cipher such as KLEIN and LED.

We present a round addition differential fault analysis (DFA) for some lightweight 80-bit block ciphers. It is shown that only one correct ciphertext and two faulty ciphertexts are required to reconstruct secret keys in 80-bit Piccolo and TWINE, and the reconstructions are easier than 128-bit CLEFIA.

This article presents a differential fault analysis (DFA) technique using round addition for a generalized Feistel network (GFN) including CLEFIA and RC6. Here the term “round addition” means that the round operation executes twice using the same round key. The proposed DFA needs bypassing of an operation to count the number of rounds such as increment or decrement. To verify the feasibility of our proposal, we implement several operations, including increment and decrement, on a microcontroller and experimentally confirm the operation bypassing. The proposed round addition technique works effectively for the generalized Feistel network with a partial whitening operation after the last round. In the case of a 128-bit CLEFIA, we show a procedure to reconstruct the round keys or a secret key using one correct ciphertext and two faulty ciphertexts. Our DFA also works for DES and RC6.

The main benefit of HECC is that it has much smaller parameter sizes and offers equivalent security as ECC and RSA. However, there are still more researches on ECC than on HECC. One of the reasons is that the computation of scalar multiplication cannot catch up. The Kummer surface can speed up the scalar multiplication in genus two curves. In this paper, we find that the scalar multiplication formulas of Duquesne in characteristic p > 3 on the Kummer surface are not correct. We verify and revise the formulas with mathematical software. The operation counts become 29M + 2S for new pseudo-addition formulas and 30M + 10S for doubling ones. And then we speed up the scalar multiplication on the Kummer surface with Euclidean addition chains.

Evaluation of addition coefficients introduced by the addition theorems for vector spherical harmonics is one of the most intractable problems in electromagnetic scattering by multi-sphere systems. The derivation of the analytical expressions for the addition coefficients is lengthy and complex while the computation of the addition coefficients is annoyingly time-consuming even with the reasonably fast computers available nowadays. This paper presents an efficient algorithm for calculating addition coefficients which is based on the recursive relations of scalar addition coefficients. Numerical results from the formulation derived in this paper agree with those of previous published results but the algorithm proposed here reduces the computational time considerably. This paper also discusses the strengths and limitations of other formulations and numerical techniques found in the literature.

T-function is a kind of cryptographic function which is shown to be useful in various applications. It is known that any function f on F2n or Z2n automatically deduces a unique polynomial fF ∈ F2n[x] with degree ≤ 2n-1. In this letter, we study an algebraic property of fF while f is a T-function. We prove that for a single cycle T-function f on F2n or Z2n, deg fF=2n-2 which is optimal for a permutation. We also consider a kind of widely used T-function in many cryptographic algorithms, namely the modular addition function Ab(x)=x+b ∈ Z2n[x]. We demonstrate how to calculate deg Ab F from the constant value b. These results can facilitate us to evaluate the immunity of the T-function based cryptosystem against some known attacks such as interpolation attack and integral attack.

As a candidate for the transmission technology of next generation mobile communication systems, time-domain spreading MC-CDMA systems have begun to attract much attention. In these systems, data and pilot symbols are spread in the time domain and code-multiplexed. To combat fading issues, we need to conduct channel estimation by using the code-multiplexed pilot symbols. Especially in next generation systems, frequency bands higher than those of current systems, which raise the maximum Doppler frequency, are expected to be used, so that a more powerful channel estimation method is expected. Considering this, we propose a channel estimation method for highly accurate channel estimation; it is a combination of a two-dimensional channel estimation method and an impulse response-based channel estimation method. We evaluate the proposed method by computer simulations.

This paper presents an algorithm-level interpretation of fast adder structures in binary/multiple-valued logic. The key idea is to employ a unified representation of addition algorithms called Counter Tree Diagrams (CTDs). The use of CTDs makes it possible to describe and analyze addition algorithms at various levels of abstraction. A high-level CTD represents a network of coarse-grained components associated with multiple-valued logic devices, while a low-level CTD represents a network of primitive components directly mapped onto binary logic devices. The level of abstraction in circuit representation can be changed by decomposition of CTDs. We can derive possible variations of adder structures by decomposing a high-level CTD into low-level CTDs. This paper demonstrates the interpretation of redundant arithmetic adders based on CTDs. We first introduce an extension of CTDs to represent possible redundant arithmetic adders with limited carry propagation. Using the extended version of CTDs, we can classify the conventional adder structures including those using emerging devices into three types in a systematic way.

Some statistical analyses of modulo-2 added binary sequences are generalized to modulo-p added p-ary sequences. First, we theoretically evaluate statistics of sequences obtained by modulo-p addition of two general p-ary random variables. Next, we consider statistics of modulo-p added chaotic p-ary sequences generated by a class of one-dimensional chaotic maps.

This paper gives an efficient algorithm to compute addition in Jacobian of C34 curves, aiming at C34 curve cryptosystems. Using C34 curves for cryptosystems has two advantages. The first is safety and the second is the short size of the base field. In the paper, we modify the addition algorithm of for Cab curves in the specific manner to C34 curves. We classify all of the forms of the Groebner bases of ideals involved in the algorithm and eliminate the use of Buchberger algorithm from it. Our resulting algorithm computes the addition in Jacobian of C34 curves in about 3 times amount of computation of the one in elliptic curves, when the sizes of groups are set to be the same.

In this paper, we present the condition for the effective wire addition in Look-Up-Table-based (LUT-based) field programmable gate array (FPGA) circuits, and an optimization procedure utilizing the effective wire addition. Each wire has different characteristics, such as delay and power dissipation. Therefore, the replacement of one critical wire for the circuit performance with many non-critical ones, i.e., many-addition-for-one-removal (m-for-1) is sufficiently useful. However, the conventional logic optimization methods based on sets of pairs of functions to be distinguished (SPFDs) for LUT-based FPGA circuits do not make use of the m-for-1 manipulation, and perform only simple replacement and removal, i.e., the one-addition-for-one-removal (1-for-1) manipulation and the no-addition-for-one-removal (0-for-1) manipulation, respectively. Since each LUT can realize an arbitrary internal function with respect to a specified number of input variables, there is no sufficient condition at the logic design level for simple wire addition. Moreover, in general, simple addition of a wire has no effects for removal of another wire, and it is important to derive the condition for non-simple and effective wire addition. We found the SPFD-based condition that wire addition is likely to make another wire redundant or replaceable, and developed an optimization procedure utilizing this effective wire addition. According to the experimental results, when we focused on the delay reduction of LUT-based FPGA circuits, our method reduced the delay by 24.2% from the initial circuits, while the conventional SPFD-based logic optimization and the enhanced global rewiring reduced it by 14.2% and 18.0%, respectively. Thus, our method presented in this paper is sufficiently practical, and is expected to improve the circuit performance.

Genus 3 hyperelliptic curve cryptosystems are capable of fast-encryption on a 64-bit CPU, because a 56-bit field is enough for their definition fields. Recently, Kuroki et al. proposed an extension of the Harley algorithm, which had been known as the fastest addition algorithm of divisor classes on genus 2 hyperelliptic curves, on genus 3 hyperelliptic curves and Pelzl et al. improved the algorithm. This paper shows an improvement of the Harley algorithm on genus 3 hyperelliptic curves using Toom's multiplication. The proposed algorithm takes only I + 70M for an addition and I + 71M for a doubling instead of I + 76M and I + 74M respectively, which are the best possible of the previous works, where I and M denote the required time for an inversion and a multiplication over the definition field respectively. This paper also shows 2 variations of the proposed algorithm in order to adapt the algorithm to various platforms. Moreover this paper discusses finite field arithmetic suitable for genus 3 hyperelliptic curve cryptosystems and shows implementation results of the proposed algorithms on a 64-bit CPU. The implementation results show a 160-bit scalar multiplication can be done within 172 µs on a 64-bit CPU Alpha EV68 1.25 GHz.

Differential power analysis (DPA) might break implementations of elliptic curve cryptosystem (ECC) on memory constraint devices. Goubin proposed a variant of DPA using a point (0,y), which is not randomized in Jacobian coordinates or in an isomorphic class. This point often exists in standardized elliptic curves, and we have to care this attack. In this paper, we propose zero-value register attack as an extension of Goubin's attack. Note that even if a point has no zero-value coordinate, auxiliary registers might take zero value. We investigate these zero-value registers that cannot be randomized by the above randomization. Indeed, we have found several points P = (x,y) which cause the zero-value registers, e.g., (1) 3x2 + a = 0,(2) 5x4 + 2ax2 - 4bx + a2 = 0,(3) P is y-coordinate self-collision point, etc. We demonstrate the elliptic curves recommended in SECG that have these points. Interestingly, some conditions required for zero-value register attack depend on explicit implementation of addition formulae -- in order to resist this type of attacks, we have to care how to implement the addition formulae. Finally, we note that Goubin's attack and the proposed attack assume that a base point P can be chosen by attackers and a secret scalar d is fixed, so that they are not applicable to ECDSA.

In the formerly proposed theory for sub-linear (linear in a changed addition rule) systems, we developed a sub-linear mathematical theory and demonstrated its capability in several sub-linear systems. In this paper, we assert that we can further construct hybrid systems useful in engineering by combining sub-linear systems with linear systems, and as an example, we show the construction of a divergence-free electrodynamics. Since the energy of photon fields in engineering is tending upward, it would be desirable for us to get rid of the divergence difficulties encountered in the conventional high energy electrodynamics. The most important result is the recognition that Nature herself has a hybrid system composed of sub-linear photon fields and linear electron fields. Mathematically, our electrodynamics is formulated by only one point correction (the insertion of tanh into the electromagnetic energy density) in the conventional electrodynamics of photons and electrons (including positrons).

Modulo-2 addition (or exclusive-OR) is one of fundamental operations for binary variables. In this paper, we discuss statistical properties of sequences obtained by modulo-2 addition of two binary sequences. Firstly, we theoretically evaluate statistics of sequences obtained by modulo-2 addition of two general binary random variables. Secondly, we consider statistics of modulo-2 added chaotic binary sequences generated by a class of one-dimensional chaotic maps. Furthermore, we consider synthesis of an aperiodic binary sequence and a periodic one by modulo-2 addition with the purpose of generating aperiodic sequences with good statistical properties. We also perform computer experiments about such sequences.

We show that a randomized addition-sub-traction chains countermeasure against side channel attacks is vulnerable to an SPA attack, which is a kind of side channel attack, under distinguishability between addition and doubling. The side channel attack takes advantage of information leaked during execution of a cryptographic procedure. The randomized addition-subtraction chains countermeasure was proposed by Oswald-Aigner, and is based on a random decision inserted into computations. However, the question of its immunity to side channel attacks is still controversial. The randomized addition-subtraction chains countermeasure has security flaw in timing attacks, another kind of side channel attack. We have implemented the proposed attack algorithm, whose input is a set of AD sequences, which consist of the characters "A" and "D" to indicate addition and doubling, respectively. Our program has clarified the effectiveness of the attack. The attack algorithm could actually detect secret scalars for given AD sequences. The average time to detect a 160-bit scalar was about 6 milliseconds, and only 30 AD sequences were enough to detect such a scalar. Compared with other countermeasures against side channel attacks, the randomized addition-subtraction chains countermeasure is much slower.

In this letter, we propose high-speed binary to residue converters for moduli 2n, 2n 1 without using look-up table. For integration of residue arithmetic circuit using a signed-digit (SD) number representation with ordinary binary system, the proposed circuits carry out the efficient conversion. Using SD adders instead of ordinary adders that are used in conventional binary to residue converter, the high-speed conversion without the carry propagation can be achieved. Thus, the proposed converter is independent of the size of modulus and can speed up the binary to residue conversion. On the simulation, the conversion delay times are 1.78 ns for modulus 210-1 and 1.73 ns for modulus 210+1 under the condition of 0.6 µm CMOS technology, respectively. The active area of the proposed converter for moduli 210 1 is 335 µm325 µm.

This work provides a generalization of structural logic optimization methods to general boolean networks. This generalization is based on a functional description of the nodes in the network. Therefore, this approach is no longer restricted to networks that consist of simple gates. Within this framework, we present necessary and sufficient conditions to identify all the possible functional expansions of a node that allow to eliminate a wire elsewhere in the network. These conditions are also given for the case of multiple variable expansion, providing an incremental mechanism to perform functional transformations involving any number of variables that can be applied in a very efficient manner. On the other hand, we will show in this paper that relevant simplifications can be obtained when this framework is applied to the particular case of AND-OR-NOT networks, resulting in important savings in the computational effort. When compared to previous approaches, the experimental results show an important reduction in the number of computations required.