Keyword Search Result

[Keyword] cryptography (274 hits)

Hits 1-20 of 274

  • Template-Based Design Optimization for Selecting Pairing-Friendly Curve Parameters
    Momoko FUKUDA, Makoto IKEDA
    PAPER-VLSI Design Technology and CAD
    Publicized: 2023/08/31 | Vol: E107-A No:3 | Page(s): 549-556

    We have realized a design automation platform for hardware accelerators for the pairing operation over multiple elliptic curve parameters. The pairing operation is one of the fundamental operations for realizing functional encryption. However, it is known as a computationally heavy algorithm. Also, because standard parameters have not yet been identified, we need to choose curve parameters based on the required security level and affordable hardware resources. Exploring this design optimization for each curve parameter is therefore essential. In this research, we have realized an automated design platform for pairing hardware for such purposes. Optimization results are almost equivalent to those of prior-art designs made by hand.

  • Hilbert Series for Systems of UOV Polynomials
    Yasuhiko IKEMATSU, Tsunekazu SAITO
    PAPER
    Publicized: 2023/09/11 | Vol: E107-A No:3 | Page(s): 275-282

    Multivariate public key cryptosystems (MPKC) are constructed based on the problem of solving multivariate quadratic equations (MQ problem). Among various multivariate schemes, UOV is an important signature scheme since it underlies some signature schemes such as MAYO, QR-UOV, and Rainbow, which was a finalist of the NIST PQC standardization project. To analyze the security of a multivariate scheme, it is necessary to analyze the first fall degree or solving degree for the system of polynomial equations used in specific attacks. It is known that the first fall degree or solving degree often relates to the Hilbert series of the ideal generated by the system. In this paper, we study the Hilbert series of the UOV scheme, and more specifically, we study the Hilbert series of ideals generated by quadratic polynomials used in the central map of UOV. In particular, we derive a prediction formula for the Hilbert series by using some experimental results. Moreover, we apply it to the analysis of the reconciliation attack for MAYO.

  • A Coded Aperture as a Key for Information Hiding Designed by Physics-in-the-Loop Optimization
    Tomoki MINAMATA, Hiroki HAMASAKI, Hiroshi KAWASAKI, Hajime NAGAHARA, Satoshi ONO
    PAPER
    Publicized: 2023/09/28 | Vol: E107-D No:1 | Page(s): 29-38

    This paper proposes a novel application of coded apertures (CAs) for visual information hiding. CA is one of the representative computational photography techniques, in which a patterned mask is attached to a camera as an alternative to a conventional circular aperture. With image processing in the post-processing phase, various functions such as omnifocal image capturing and depth estimation can be performed. In general, a watermark embedded as high-frequency components is difficult to extract if captured outside the focal length, since defocus blur occurs. Installing a CA into the camera is a simple solution to mitigate the difficulty, and several attempts have been made to produce a better design for stable extraction. In contrast, our motivation is to design a specific CA together with an information hiding scheme; the secret information can only be decoded if an image with hidden information is captured with the key aperture at a certain distance outside the focus range. The proposed technique designs the key aperture patterns and information hiding scheme through evolutionary multi-objective optimization so as to minimize the decryption error of a hidden image when using the key aperture while minimizing the accuracy when using other apertures. During the optimization process, solution candidates, i.e., key aperture patterns and information hiding schemes, are evaluated on actual devices to account for disturbances that cannot be considered in optical simulations. Experimental results have shown that decoding can be performed with the designed key aperture and similar ones, that decrypted image quality deteriorates as the similarity between the key and the aperture used for decryption decreases, and that the proposed information hiding technique works on actual devices.

  • A New Characterization of 2-Resilient Rotation Symmetric Boolean Functions
    Jiao DU, Ziyu CHEN, Le DONG, Tianyin WANG, Shanqi PANG
    LETTER-Cryptography and Information Security
    Publicized: 2023/03/09 | Vol: E106-A No:9 | Page(s): 1268-1271

    In this paper, the notion of 2-tuples distribution matrices of the rotation symmetric orbits is proposed. By using the properties of the 2-tuples distribution matrix, a new characterization of 2-resilient rotation symmetric Boolean functions is demonstrated. Based on the new characterization of 2-resilient rotation symmetric Boolean functions, constructions of 2-resilient rotation symmetric Boolean functions (RSBFs) are further studied, and new 2-resilient rotation symmetric Boolean functions with a prime number of variables are constructed.

  • A Note on the Transformation Behaviors between Truth Tables and Algebraic Normal Forms of Boolean Functions
    Jianchao ZHANG, Deng TANG
    LETTER-Cryptography and Information Security
    Publicized: 2023/01/18 | Vol: E106-A No:7 | Page(s): 1007-1010

    Let f be a Boolean function in n variables. The Möbius transform and its converse of f describe the transformation behaviors between the truth table of f and the coefficients of the monomials in the algebraic normal form representation of f. In this letter, we develop the Möbius transform and its converse into a more generalized form, which also includes the known result given by Reed in 1954. We hope that our new result can be used in the design of decoding schemes for linear codes and in the cryptanalysis of symmetric cryptography. We also apply our new result to verify the basic idea of the cube attack, a powerful technique in the cryptanalysis of symmetric cryptography, in a very simple way.

  • Design of Circuits and Packaging Systems for Security Chips Open Access
    Makoto NAGATA
    INVITED PAPER
    Publicized: 2023/04/19 | Vol: E106-C No:7 | Page(s): 345-351

    Hardware-oriented security and trust of semiconductor integrated circuit (IC) chips are in high demand. This paper outlines the requirements and recent developments in circuits and packaging systems of IC chips for security applications, with particular emphasis on protection against physical implementation attacks. Power side channels are an undesired presence in crypto circuits once a crypto algorithm is implemented in silicon, arising over power delivery networks (PDNs) on the frontside of a chip or even through the backside of a Si substrate, in the form of power voltage variation and electromagnetic wave emanation. Preventive measures have been exploited with circuit design and packaging technologies, and partly demonstrated with Si test vehicles.

  • High Speed ASIC Architectures for Aggregate Signature over BLS12-381
    Kaoru MASADA, Ryohei NAKAYAMA, Makoto IKEDA
    BRIEF PAPER
    Publicized: 2022/11/29 | Vol: E106-C No:6 | Page(s): 331-334

    The BLS signature is an elliptic curve cryptographic scheme with the attractive feature that signatures can be aggregated and shortened. We have designed two ASIC architectures for hashing to the elliptic curve and for pairing, to minimize the latency. Also, the designs are optimized for BLS12-381, a relatively new and safe curve.

  • Multiparallel MMT: Faster ISD Algorithm Solving High-Dimensional Syndrome Decoding Problem
    Shintaro NARISADA, Kazuhide FUKUSHIMA, Shinsaku KIYOMOTO
    PAPER
    Publicized: 2022/11/09 | Vol: E106-A No:3 | Page(s): 241-252

    The hardness of the syndrome decoding problem (SDP) is the primary evidence for the security of code-based cryptosystems, which are among the finalists in the project to standardize post-quantum cryptography conducted by the U.S. National Institute of Standards and Technology (NIST-PQC). Information set decoding (ISD) is a general term for algorithms that solve SDP efficiently. In this paper, we conduct a concrete analysis of the time complexity of the latest ISD algorithms under memory limitations, using the syndrome decoding estimator proposed by Esser et al. As a result, we show that theoretically non-optimal ISDs, such as May-Meurer-Thomae (MMT) and May-Ozerov, have lower time complexity than other ISDs on some actual SDP instances. Based on these facts, we further study the possibility of multiple parallelization for these ISDs and propose the first GPU algorithm for MMT, the multiparallel MMT algorithm. In the experiments, we show that the multiparallel MMT algorithm is faster than existing ISD algorithms. In addition, we report the first successful attempts to solve the 510-, 530-, 540- and 550-dimensional SDP instances in the Decoding Challenge contest using the multiparallel MMT.

  • Automorphism Shuffles for Graphs and Hypergraphs and Its Applications
    Kazumasa SHINAGAWA, Kengo MIYAMOTO
    PAPER
    Publicized: 2022/09/12 | Vol: E106-A No:3 | Page(s): 306-314

    In card-based cryptography, a deck of physical cards is used to achieve secure computation. A shuffle, which randomly permutes a card sequence according to some probability distribution, ensures the security of a card-based protocol. The authors proposed a new class of shuffles called graph shuffles, which randomly permute a card sequence by an automorphism of a directed graph (New Generation Computing 2022). For a directed graph G with n vertices and m edges, such a shuffle could be implemented with pile-scramble shuffles using 2(n + m) cards. In this paper, we study graph shuffles and give an implementation, an application, and a slight generalization. First, we propose a new protocol for graph shuffles with 2n + m cards. Second, as a new application of graph shuffles, we show that any cyclic group shuffle, which is a shuffle over a cyclic group, is a graph shuffle associated with some graph. Third, we define a hypergraph shuffle, which is a shuffle by an automorphism of a hypergraph, and show that any hypergraph shuffle can also be implemented with pile-scramble shuffles.

  • Construction of Odd-Variable Strictly Almost Optimal Resilient Boolean Functions with Higher Resiliency Order via Modifying High-Meets-Low Technique
    Hui GE, Zepeng ZHUO, Xiaoni DU
    LETTER-Cryptography and Information Security
    Publicized: 2022/07/12 | Vol: E106-A No:1 | Page(s): 73-77

    Constructing resilient Boolean functions in an odd number of variables with strictly almost optimal (SAO) nonlinearity appears to be a rather difficult task in stream cipher design and coding theory. In this paper, based on the modified High-Meets-Low technique, a general construction to obtain odd-variable SAO resilient Boolean functions without directly using PW functions or KY functions is presented. It is shown that the new class of functions possesses a higher resiliency order than the known functions while keeping higher SAO nonlinearity, and in addition the resiliency order increases rapidly with the number of variables n.

  • Faster Key Generation of Supersingular Isogeny Diffie-Hellman
    Kaizhan LIN, Fangguo ZHANG, Chang-An ZHAO
    PAPER-Cryptography and Information Security
    Publicized: 2022/05/30 | Vol: E105-A No:12 | Page(s): 1551-1558

    Supersingular isogeny Diffie-Hellman (SIDH) is attractive for its relatively small public key size, but its efficiency is still unsatisfactory compared to other post-quantum proposals. In this paper, we focus on the performance of SIDH when the starting curve is E6 : y² = x³ + 6x² + x, which is fixed in the Round-3 SIKE implementation. Inspired by previous works [1], [2], we present several tricks to accelerate key generation of SIDH and each process of SIKE. Our experimental results show that the performance of this work is at least 6.09% faster than that of the SIKE implementation, and we can further improve the performance when large storage is available.

  • An Efficient Exponentiation Algorithm in GF(2^m) Using Euclidean Inversion Open Access
    Wei HE, Yu ZHANG, Yin LI
    LETTER-Numerical Analysis and Optimization
    Publicized: 2022/04/26 | Vol: E105-A No:9 | Page(s): 1381-1384

    We introduce a new type of exponentiation algorithm in GF(2^m) using Euclidean inversion. Our approach is based on the fact that Euclidean inversion costs far fewer logic gates than ordinary multiplication in GF(2^m). By applying the signed binary form of the exponent instead of the classic binary form, the proposed algorithm further reduces the number of operations compared with the classic algorithms.

  • Vulnerability — Information Leakage of Reused Secret Key in NewHope
    Routo TERADA, Reynaldo CACERES VILLENA
    PAPER-Cryptography and Information Security
    Publicized: 2021/12/06 | Vol: E105-A No:6 | Page(s): 952-964

    The NIST post-quantum project intends to standardize cryptographic systems that are secure against attacks by both quantum and classical computers. One of these cryptographic systems is NewHope, a Ring-LWE based key exchange scheme. The NewHope Key Encapsulation Mechanism (KEM) allows two participants to establish a shared encapsulated (secret) key. This scheme defines a private key that is used to encipher a random shared secret, and the private key enables the deciphering. This paper presents Fault Information Leakage attacks, using conventional personal computers, if the attacked participant, say Bob, reuses his public key. This assumption is not so strong, since reusing the (secret, public) key pair saves Bob's device computing cost when the public global parameter is not changed. From our result we can conclude that, to prevent leakage, Bob should not reuse his NewHope secret and public keys, because Bob's secret key can be retrieved with only 2 communications. We also found that Bob's secret keys can be retrieved for NewHopeToy2, NewHopeToy1 and NewHopeLudicrous with 1, 2, and 3 communications, respectively.

  • Bit-Parallel Systolic Architecture for AB and AB² Multiplications over GF(2^m)
    Kee-Won KIM
    BRIEF PAPER-Electronic Circuits
    Publicized: 2021/11/02 | Vol: E105-C No:5 | Page(s): 203-206

    In this paper, we present a scheme to compute either AB or AB² multiplications over GF(2^m) and propose a bit-parallel systolic architecture based on the proposed algorithm. The AB multiplication algorithm is derived in the same form as the formula of the AB² multiplication algorithm, and an architecture that can perform AB multiplication by adding very little extra hardware to the AB² multiplier is designed. Therefore, the proposed architecture can be effectively applied to hardware-constrained applications that cannot deploy an AB² multiplier and an AB multiplier separately.

  • A Novel Construction of 2-Resilient Rotation Symmetric Boolean Functions
    Jiao DU, Shaojing FU, Longjiang QU, Chao LI, Tianyin WANG, Shanqi PANG
    PAPER-Cryptography and Information Security
    Publicized: 2021/08/03 | Vol: E105-A No:2 | Page(s): 93-99

    In this paper, by using the properties of the cyclic Hadamard matrices of order 4t, an infinite class of (4t-1)-variable 2-resilient rotation symmetric Boolean functions is constructed, and the nonlinearity of the constructed functions is also studied. To the best of our knowledge, this is the first class of direct constructions of 2-resilient rotation symmetric Boolean functions. The spirit of this method is different from the known methods, which depend on the solutions of an equation system proposed by Du Jiao, et al. Several situations are examined; as direct corollaries, three classes of (4t-1)-variable 2-resilient rotation symmetric Boolean functions are proposed based on the corresponding sequences, namely m-sequences, Legendre sequences, and twin prime sequences, respectively.

  • Tighter Reduction for Lattice-Based Multisignature Open Access
    Masayuki FUKUMITSU, Shingo HASEGAWA
    PAPER-Cryptography and Information Security
    Publicized: 2021/05/25 | Vol: E104-A No:12 | Page(s): 1685-1697

    Multisignatures enable multiple users to sign a message interactively. Many instantiations have been proposed for multisignatures; however, most of them are quantum-insecure, because they are based on the integer factoring assumption or the discrete logarithm assumption. Although there exist some constructions based on lattice problems, which are believed to be quantum-secure, their security reductions are loose. In this paper, we aim to improve the tightness of the security reduction of lattice-based multisignature schemes. Our basic strategy is to combine the multisignature scheme proposed by El Bansarkhani and Sturm with the lattice-based signature scheme by Abdalla, Fouque, Lyubashevsky, and Tibouchi, which has a tight security reduction from the Ring-LWE (Ring Learning with Errors) assumption. Our result shows that proof techniques for standard signature schemes can be applied to multisignature schemes, so that we can improve the polynomial loss factor concerning the Ring-LWE assumption. Our second result addresses the problem with the security proofs of existing lattice-based multisignature schemes pointed out by Damgård, Orlandi, Takahashi, and Tibouchi. We employ a new cryptographic assumption called the Rejected-Ring-LWE assumption to complete the security proof.

  • Low-Power Reconfigurable Architecture of Elliptic Curve Cryptography for IoT
    Xianghong HU, Hongmin HUANG, Xin ZHENG, Yuan LIU, Xiaoming XIONG
    PAPER-Electronic Circuits
    Publicized: 2021/05/14 | Vol: E104-C No:11 | Page(s): 643-650

    Elliptic curve cryptography (ECC), one of the asymmetric cryptosystems, is widely used in practical security applications, especially in Internet of Things (IoT) applications. This paper presents a low-power reconfigurable architecture for ECC, which is capable of resisting simple power analysis (SPA) attacks and can be configured to support all point operations and modular operations on 160/192/224/256-bit field orders over GF(p). Point multiplication (PM) is the most complex and time-consuming operation of ECC, while modular multiplication (MM) and modular division (MD) have the highest computational complexity among the modular operations. To decrease power dissipation and increase reconfigurability, a Reconfigurable Modular Multiplication Algorithm and a Reconfigurable Modular Division Algorithm are proposed, and MM and MD are implemented by two adder units. Combined with the optimization of the operation scheduling of PM, on a 55 nm CMOS ASIC platform the proposed architecture takes 0.96, 1.37, 1.87, 2.44 ms and consumes 8.29, 11.86, 16.20, 21.13 µJ to perform one PM on 160-bit, 192-bit, 224-bit, 256-bit field orders, respectively. It occupies a 56.03 k gate area and has a power of 8.66 mW. The implementation results demonstrate that the proposed architecture outperforms the other contemporary designs reported in the literature in terms of area and configurability.

  • A Compact Digital Signature Scheme Based on the Module-LWR Problem Open Access
    Hiroki OKADA, Atsushi TAKAYASU, Kazuhide FUKUSHIMA, Shinsaku KIYOMOTO, Tsuyoshi TAKAGI
    PAPER-Cryptography and Information Security
    Publicized: 2021/03/19 | Vol: E104-A No:9 | Page(s): 1219-1234

    We propose a new lattice-based digital signature scheme MLWRSign by modifying Dilithium, which is one of the second-round candidates of NIST's call for post-quantum cryptographic standards. To the best of our knowledge, our scheme MLWRSign is the first signature scheme whose security is based on the (module) learning with rounding (LWR) problem. Due to the simplicity of the LWR, the secret key size is reduced by approximately 30% in our scheme compared to Dilithium, while achieving the same level of security. Moreover, we implemented MLWRSign and observed that the running time of our scheme is comparable to that of Dilithium.

  • Optimal Basis Matrices of a Visual Cryptography Scheme with Meaningful Shares and Analysis of Its Security
    Kyohei SEKINE, Hiroki KOGA
    PAPER-Cryptography and Information Security
    Publicized: 2021/03/16 | Vol: E104-A No:9 | Page(s): 1235-1244

    The extended visual cryptography scheme (EVCS) proposed by Ateniese et al. is one of the variations of the visual cryptography scheme in which a secret image is recovered by superimposing certain qualified collections of shares, where cover images are visible on the respective shares. In this paper, we give a new definition of the EVCS for improving the visibility of the recovered secret image as well as the cover images. We formulate the problem of constructing the basis matrices of the EVCS with the minimum pixel expansion as an integer programming problem. We solve the integer programming problem for general access structures with at most five participants and show that basis matrices with a smaller pixel expansion can be obtained in certain cases. We also analyze the security of the EVCS meeting the new definition from an information-theoretic viewpoint. We give a condition under which any forbidden collection of shares does not reveal any additional information on not only the secret image but also the cover images that are not visible on the other shares.

  • Efficient Algorithm to Compute Odd-Degree Isogenies Between Montgomery Curves for CSIDH Open Access
    Kenta KODERA, Chen-Mou CHENG, Atsuko MIYAJI
    PAPER-Cryptography and Information Security
    Publicized: 2021/03/23 | Vol: E104-A No:9 | Page(s): 1245-1254

    Isogeny-based cryptography, such as commutative supersingular isogeny Diffie-Hellman (CSIDH), has been shown to be a promising candidate for post-quantum cryptography. However, its speed has remained unremarkable. This study focuses on computing odd-degree isogenies between Montgomery curves, which is a dominant computation in CSIDH. Our proposed "2-ADD-Skip method" reduces the number of points that must be computed during the isogeny computation. A novel algorithm for isogeny computation is also proposed to efficiently utilize the 2-ADD-Skip method. Our proposed algorithm with the optimized parameter reduces the computational cost by approximately 12% compared with the algorithm proposed by Meyer and Reith. Further, individual experiments for each isogeny degree ℓ show that the proposed algorithm is the fastest for 19 ≤ ℓ ≤ 373 among previous studies focusing on isogeny computation, including the Õ(√ℓ) algorithm proposed by Bernstein et al. The experimental results also show that the proposed algorithm is the fastest on CSIDH-512. For CSIDH-1024, the proposed algorithm is faster than the algorithm by Meyer and Reith, although it is slower than the algorithm by Bernstein et al.