The search functionality is under construction.

Keyword Search Result

[Keyword] diff (926 hits)

Showing 341-360 of 926 hits

  • How to Decide Selection Functions for Power Analysis: From the Viewpoint of Hardware Architecture of Block Ciphers

    Daisuke SUZUKI, Minoru SAEKI, Koichi SHIMIZU, Tsutomu MATSUMOTO
    PAPER-Implementation
    Vol: E94-A No:1, Page(s): 200-210

    In this paper we first demonstrate that the effective selection functions in power analysis attacks change depending on the circuit architecture of a block cipher. We then conclude that the most resistant architecture on its own, in the case of the loop architecture, has two data registers with separate roles: one for storing the plaintext and ciphertext, and the other for storing intermediate values. There, the pre-whitening operation is placed at the output of the former register. This architecture allows the narrowest range of selection functions and thereby resists ordinary CPA. Thus, we can easily defend against ordinary CPA at the architectural level, whereas we cannot against DPA. Secondly, we propose a new technique called "self-templates" in order to raise the accuracy of evaluation of DPA-based attacks. Self-templates make it possible to differentiate meaningful selection functions for DPA-based attacks without any strong assumption such as that of the template attack. We also present the results of attacks on an AES co-processor on an ASIC and demonstrate the effectiveness of the proposed technique.

  • Security of Cryptosystems Using Merkle-Damgård in the Random Oracle Model

    Yusuke NAITO, Kazuki YONEYAMA, Lei WANG, Kazuo OHTA
    PAPER-Public Key Cryptography
    Vol: E94-A No:1, Page(s): 57-70

    Since the Merkle-Damgård hash function (denoted by MDHF) that uses a fixed input length random oracle as a compression function is not indifferentiable from a random oracle (denoted by RO) due to the extension attack, there is no guarantee for the security of cryptosystems, which are secure in the RO model, when RO is instantiated with MDHF. This fact motivates us to establish a criterion methodology for confirming the security of cryptosystems when RO is instantiated with MDHF. In this paper, we confirm the security of cryptosystems by using the following approach: (1) find a weakened random oracle (denoted by WRO) which leaks the values needed to realize the extension attack; (2) prove that MDHF is indifferentiable from WRO; (3) prove the security of the cryptosystem in the WRO model. The indifferentiability framework of Maurer, Renner and Holenstein guarantees that we can securely use the cryptosystem when WRO is instantiated with MDHF. Thus we concentrate on finding such a WRO. We propose the Traceable Random Oracle (denoted by TRO), which leaks enough values to permit the extension attack. By using TRO, we can easily confirm the security of the OAEP encryption scheme and variants of the OAEP encryption scheme. However, there are several practical cryptosystems whose security cannot be confirmed by TRO (e.g. RSA-KEM). This is because TRO leaks values that are irrelevant to the extension attack. Therefore, we propose another WRO, the Extension Attack Simulatable Random Oracle (denoted by ERO), which leaks just the value needed for the extension attack. Fortunately, ERO is necessary and sufficient to confirm the security of cryptosystems under MDHF. This means that the security of any cryptosystem under MDHF is equivalent to that under the ERO model. We prove that RSA-KEM is secure in the ERO model.

  • A Time Variant Analysis of Phase Noise in Differential Cross-Coupled LC Oscillators

    Jinhua LIU, Guican CHEN, Hong ZHANG
    PAPER-Device and Circuit Modeling and Analysis
    Vol: E93-A No:12, Page(s): 2433-2440

    This paper presents a systematic analysis of the phase noise performance of differential cross-coupled LC oscillators using Hajimiri and Lee's model. The effective impulse sensitivity functions (ISFs) for each noise source in the oscillator are mathematically derived. From these effective ISFs, the phase noise contribution from each device is determined, and the phase noise contributions from device noise in the vicinity of integer multiples of the resonant frequency, weighted by the Fourier coefficients of the effective ISF, are also calculated. An explicit closed-form expression for the phase noise of the oscillator is thereby obtained. The validity of the phase noise analysis is verified by good agreement with simulation.

  • New Differential Cryptanalytic Results for Reduced-Round CAST-128

    Meiqin WANG, Xiaoyun WANG, Kam Pui CHOW, Lucas Chi Kwong HUI
    PAPER-Cryptography and Information Security
    Vol: E93-A No:12, Page(s): 2744-2754

    CAST-128 is a block cipher used in a number of products, notably as the default cipher in some versions of GPG and PGP. It has been approved for Canadian government use by the Communications Security Establishment. Haruki Seki et al. found 2-round differential characteristics with which they can attack 5-round CAST-128. In this paper, we study the properties of the round functions F1 and F3 in CAST-128 and identify differential characteristics for the F1 and F3 round functions. From these we identify a 6-round differential characteristic with probability 2^-53 under a 2^-23.8 fraction of the total key space. Then, based on the 6-round differential characteristic, we can attack 8-round CAST-128 with key sizes greater than or equal to 72 bits and 9-round CAST-128 with key sizes greater than or equal to 104 bits. We give a summary of attacks on reduced-round CAST-128 in Table 10.

  • A Design Methodology for a DPA-Resistant Circuit with RSL Techniques

    Daisuke SUZUKI, Minoru SAEKI, Koichi SHIMIZU, Akashi SATOH, Tsutomu MATSUMOTO
    PAPER-Logic Synthesis, Test and Verification
    Vol: E93-A No:12, Page(s): 2497-2508

    A design methodology for Random Switching Logic (RSL) using CMOS standard cell libraries is proposed to counter power analysis attacks against cryptographic hardware modules. The original RSL proposed in 2004 requires a unique RSL gate for random data masking and glitch suppression to prevent secret information leakage through power traces. In contrast, our new methodology enables the use of general logic gates supported by standard cell libraries. In order to evaluate its practical performance in hardware size and speed as well as its resistance against power analysis attacks, an AES circuit with the RSL technique was implemented as a cryptographic LSI using 130-nm and 90-nm CMOS standard cell libraries. From the results of attack experiments that used a million traces, we confirmed that the RSL-AES circuit has very high DPA and CPA resistance thanks to the contributions of both the masking function and the glitch suppressing function.

  • Dual Evanescently Coupled Waveguide Photodiodes with High Reliability for over 40-Gbps Optical Communication Systems Open Access

    Kazuhiro SHIBA, Yasuyuki SUZUKI, Sawaki WATANABE, Tadayuki CHIKUMA, Takeshi TAKEUCHI, Kikuo MAKITA
    PAPER-Lasers, Quantum Electronics
    Vol: E93-C No:12, Page(s): 1655-1661

    For over-40-Gbps optical communication systems, phase-coded modulation formats, like differential phase shift keying (DPSK) and quadrature phase shift keying (QPSK), are very important for spectral efficiency and long-reach transmission. In such systems, differential receivers which regenerate phase signals are key components. Dual photodiodes (dual PDs) are the key semiconductor devices which determine receiver performance. Each PD of the dual PDs should realize high speed performance, high responsivity and high input power operation capability. Highly symmetrical characteristics between the two PDs should also be realized, so the dual PDs are preferably monolithically integrated on one chip. In this paper, we describe the design, fabrication, characteristics and reliability of monolithically integrated dual evanescently coupled waveguide photodiodes (EC-WG-PDs) for the purpose described above. The structure of the EC-WG-PDs offers the attractive advantages of high speed performance, high responsivity and high input power operation. Furthermore, their fabrication process is suitable for the integration of two PDs on one chip. First, the optimization was done for a high bandwidth-responsivity product for 43-Gbps DPSK receivers. Excellent characteristics (50 GHz bandwidth with a responsivity of 0.95 A/W) and high reliability were demonstrated. The other type of optimization was done for ultra-high-speed operation up to 100 Gbps. The fabricated PDs exhibited a 3-dB bandwidth of 80 GHz with a responsivity of 0.25 A/W. Furthermore, 43-Gbps RZ-DPSK receivers including the dual EC-WG-PDs based on the former optimization and differential transimpedance amplifiers (TIAs) newly developed for the purpose are also presented. Clear and symmetrical eye openings were observed for both ports. The OSNR characteristics exhibited 14.3 dB at a bit error rate of 10^-3, which can be recovered with FEC. These performances are sufficient for practical use in 43-Gbps RZ-DPSK systems.

  • A Method of Cognizing Primary and Secondary Radio Signals

    Satoshi TAKAHASHI
    PAPER
    Vol: E93-A No:12, Page(s): 2682-2690

    A cognitive radio will have to sense and discover spectral environments where it would not cause interference to primary radios. Because the primary radios have the right to use the frequency, the cognitive radios, as secondary radios, must detect radio signals before use. However, the secondary radios also need to identify the primary and other secondary radios where the primary radios are vulnerable to interference. In this paper, a method of simultaneously identifying the signals of primary and secondary radios is proposed. The proposed bandwidth differentiation assumes that the primary and secondary radios use orthogonal frequency division multiplexing (OFDM), and that the secondary radios use a lower number of subcarriers than the primary radios. The false alarm and detection probabilities are analytically evaluated using the characteristic function method. Numerical evaluations are also conducted on the assumption that the primary radio is digital terrestrial television broadcasting. Results showed the proposed method could achieve a false alarm probability of 0.1 and a detection probability of 0.9 where the primary and secondary radio powers were 2.5 dB and 3.6 dB higher than the noise power. In the evaluation, the received signals were averaged over 32 successive snapshots, and both the primary and secondary radios used QPSK. The power ratios were 4.7 dB and 8.4 dB where both the primary and secondary radios used 64QAM.

  • Binary Sequence Pairs with Two-Level Correlation and Cyclic Difference Pairs

    Seok-Yong JIN, Hong-Yeop SONG
    PAPER-Sequences
    Vol: E93-A No:11, Page(s): 2266-2271

    We investigate binary sequence pairs with two-level correlation in terms of their corresponding cyclic difference pairs (CDPs). We define multipliers of a cyclic difference pair and present an existence theorem for multipliers, which can be applied to check the existence or nonexistence of certain hypothetical cyclic difference pairs. Then, we focus on the ideal case where all the out-of-phase correlation coefficients are zero. It is known that such an ideal binary sequence pair exists for length υ = 4u for every u ≥ 1. Using the techniques developed here on the theory of multipliers of a CDP and some exhaustive search, we are able to determine that, for lengths υ ≤ 30, (1) there does not exist "any other" ideal binary sequence pair and (2) every example in this range is equivalent to the one of length υ = 4u above. We conjecture that if there is a binary sequence pair with an ideal two-level correlation then its in-phase correlation must be 4. This implies the so-called circulant Hadamard matrix conjecture.

  • Public Key Encryption Schemes from the (B)CDH Assumption with Better Efficiency

    Shota YAMADA, Yutaka KAWAI, Goichiro HANAOKA, Noboru KUNIHIRO
    PAPER-Cryptography and Information Security
    Vol: E93-A No:11, Page(s): 1984-1993

    In this paper, we propose two new chosen-ciphertext attack (CCA) secure schemes from the computational Diffie-Hellman (CDH) and bilinear computational Diffie-Hellman (BCDH) assumptions. Our first scheme, from the CDH assumption, is constructed by extending the Cash-Kiltz-Shoup scheme. This scheme yields the same ciphertext as the Hanaoka-Kurosawa scheme (and thus the Cramer-Shoup scheme) with cheaper computational cost for encryption. However, the key size is still the same as that of the Hanaoka-Kurosawa scheme. Our second scheme, from the BCDH assumption, is constructed by extending the Boyen-Mei-Waters scheme. Though this scheme requires a stronger underlying assumption than the CDH assumption, it yields significantly shorter keys, both public and secret. Furthermore, the ciphertext length of our second scheme is the same as that of the original Boyen-Mei-Waters scheme.

  • On Binary Sequence Pairs with Two-Level Periodic Autocorrelation Function

    Kai LIU, Chengqian XU
    PAPER-Sequences
    Vol: E93-A No:11, Page(s): 2278-2285

    Binary sequence pairs, as a class of mismatched filtering of binary sequences, can be applied in radar, sonar, and spread spectrum communication systems. Binary sequence pairs with a two-level periodic autocorrelation function (BSPT) are considered as the extension of usual binary sequences with a two-level periodic autocorrelation function. Each BSPT consists of two binary sequences whose out-of-phase periodic crosscorrelation functions, also called the periodic autocorrelation functions of the sequence pair, are all the same constant. BSPT have an equivalence relationship with difference set pairs (DSP), a new concept in combinatorial mathematics, which means that difference set pairs can be used as an important tool to study BSPT. Based on the equivalence between BSPT and DSP, several families of BSPT including perfect binary sequence pairs are constructed by recursively constructing DSP on the integer ring. The discrete Fourier transform spectrum property of BSPT reveals a necessary condition for BSPT. By interleaving perfect binary sequence pairs with a Hadamard matrix, a new family of binary sequence pairs with a zero correlation zone, for use in quasi-synchronous code division multiple access, is constructed, which approaches the theoretical upper bound as the sequence length increases.

  • New Classes of Optimal Variable-Weight Optical Orthogonal Codes Based on Cyclic Difference Families

    Dianhua WU, Pingzhi FAN, Xun WANG, Minquan CHENG
    PAPER-Sequences
    Vol: E93-A No:11, Page(s): 2232-2238

    Variable-weight optical orthogonal codes (OOCs) were introduced by G-C Yang for multimedia optical CDMA systems with multiple quality of service (QoS) requirements. In this paper, a construction for optimal (υ, {3,4}, 1, {s/(s+1), 1/(s+1)})-OOCs is given. For s = 2, it is proved that for each prime υ ≡ 1 (mod 24), there exists a (υ, {3,4}, 1, {2/3, 1/3})-OOC. A recursive construction for cyclic difference families is also presented. By using these constructions, a number of new infinite classes of optimal (υ, {3,4}, 1, Q)-OOCs for Q = {1/2, 1/2} and {2/3, 1/3} are constructed.

  • Improved Subset Difference Method with Ternary Tree

    Kazuhide FUKUSHIMA, Shinsaku KIYOMOTO, Toshiaki TANAKA, Kouichi SAKURAI
    PAPER-Cryptography and Information Security
    Vol: E93-A No:11, Page(s): 2034-2044

    This paper proposes a ternary subset difference method (SD method) that is resistant to coalition attacks. In order to realize a secure ternary SD method, we design a new cover-finding algorithm, label assignment algorithm and encryption algorithm. These algorithms are required to revoke one or two subtrees simultaneously while maintaining resistance against coalition attacks. We realize this two-way revocation mechanism by creatively using labels and hashed labels. Then, we evaluate the efficiency and security of the ternary SD method. We show that the number of labels on each client device can be reduced by about 20.4 percent. The simulation results show that the proposed scheme reduces the average header length by up to 15.0 percent in the case where the total number of devices is 65,536. On the other hand, the computational cost imposed on a client device stays within O(log n). Finally, we prove that the ternary SD method is secure against coalition attacks.

  • Between Hashed DH and Computational DH: Compact Encryption from Weaker Assumption

    Goichiro HANAOKA, Kaoru KUROSAWA
    PAPER-Cryptography and Information Security
    Vol: E93-A No:11, Page(s): 1994-2006

    In this paper, we introduce the intermediate hashed Diffie-Hellman (IHDH) assumption, which is weaker than the hashed DH (HDH) assumption (and thus the decisional DH assumption) and stronger than the computational DH assumption. We then present two public key encryption schemes with short ciphertexts which are both chosen-ciphertext secure under this assumption. The short-message scheme has smaller ciphertexts than the Kurosawa-Desmedt (KD) scheme, and the long-message scheme is a KD-size scheme (with arbitrary plaintext length) which is based on a weaker assumption than the HDH assumption.

  • Multi-Stage Threshold Decoding for Self-Orthogonal Convolutional Codes

    Muhammad AHSAN ULLAH, Kazuma OKADA, Haruo OGIWARA
    PAPER-Coding Theory
    Vol: E93-A No:11, Page(s): 1932-1941

    This paper describes a low-complexity, high-speed decoding method named multi-stage threshold decoding (MTD-DR). Each stage of MTD-DR is formed by the traditional threshold decoder with a special shift register, called the difference register (DR). After flipping each information bit, the DR helps to shorten the Hamming and the Euclidean distance between a received word and the decoded codeword for hard and soft decoding, respectively. However, MTD-DR with self-orthogonal convolutional codes (SOCCs), called type 1 in this paper, produces an unavoidable error group, which depends on the tap connection patterns in the encoder, and limits the error performance. This paper introduces a class of SOCCs, type 2, which can break down that error group, so that MTD-DR gives better error performance. For a shorter code (code length = 4200), hard and soft decoding MTD-DR achieves 4.7 dB and 6.5 dB coding gain over the additive white Gaussian noise (AWGN) channel at a bit error rate (BER) of 10^-5, respectively. In addition, hard and soft decoding MTD-DR for a longer code (code length = 80000) give 5.3 dB and 7.1 dB coding gain under the same condition, respectively. Both hard and soft decoding MTD-DR experience an error floor in the high Eb/N0 region. To improve the overall error performance of MTD-DR, this paper also proposes concatenation of parity check codes with soft decoding MTD-DR.

  • Optimization of Field Uniformity in a Reverberation Chamber Using Quadratic Residue Diffusers

    Jung-Hoon KIM, Sung-Il YANG, Joong-Geun RHEE
    LETTER-Electromagnetic Compatibility (EMC)
    Vol: E93-B No:10, Page(s): 2787-2790

    This letter presents results showing improved field uniformity in a reverberation chamber using quadratic residue diffusers. The optimal occupying ratio of the diffusers on one side wall of the chamber is presented. A reverberation chamber is an alternative to the semi-anechoic chamber, which is widely used for the analysis and measurement of electromagnetic interference and immunity. To analyze the field characteristics, quadratic residue diffusers were designed for the 1-3 GHz frequency band, and the FDTD method was used. At 1-3 GHz, the standard deviation of the field in the test volume of the reverberation chamber was investigated. The reverberation chamber had good field uniformity when quadratic residue diffusers occupied 37.5-50% of one side wall of the chamber; the field uniformity saturated at a diffuser occupancy rate of 75%.

  • Novel Negative Permittivity Structure and Its Application to Excitation of Surface Plasmon in Microwave Frequency Range

    Yujiro KUSHIYAMA, Toru UNO, Takuji ARIMA
    PAPER-Electromagnetic Analysis
    Vol: E93-B No:10, Page(s): 2629-2635

    This paper proposes a novel metamaterial structure, which equivalently exhibits negative permittivity, for the purpose of applying it to near-field imaging and/or diagnostics of electromagnetic properties using a surface plasmon in the microwave frequency range. The proposed structure consists of a conducting wire lattice with conducting spheres embedded at the mid-point of each wire. It is shown that the spatial dispersion of the wire lattice can be reduced significantly by the spheres. It is also shown that this structure can successfully be applied to the excitation of a surface plasmon in the microwave frequency range by cutting it into a suitably thin slab.

  • Reconstruction of a Dielectric Cylinder with the Use of the T-Matrix and the Singular Value Decomposition

    Kenichi ISHIDA
    PAPER-Electromagnetic Analysis
    Vol: E93-B No:10, Page(s): 2595-2600

    An algorithm is formulated for reconstructing a dielectric cylinder with the use of the T-matrix and the singular value decomposition (SVD), and is discussed through numerical examples under noisy conditions. The algorithm consists of two stages. At the first stage the measured scattered-wave data are transformed into the T-matrix. At the second stage we reconstruct the cylinder from the T-matrix. The singular value decomposition is applied in order to separate the radiating and the nonradiating currents, and the radiating current is directly obtained from the T-matrix. The nonradiating current and the object are reconstructed by decreasing the residual error of the current in the least-squares approximation, where linear equations are solved repeatedly. Some techniques are used in order to reduce the calculation time and the effects of noise. Numerical examples show that the presented approach is simple and numerically feasible, and enables us to reconstruct a large object in a short time.

  • Planar Waveguide Arrays for Millimeter Wave Systems Open Access

    Makoto ANDO
    INVITED PAPER
    Vol: E93-B No:10, Page(s): 2504-2513

    Design of high-gain, high-efficiency antennas is one of the key challenges in antenna engineering, and especially in millimeter wave communication systems. Various types of planar waveguide arrays with series-fed traveling wave operation have been developed at Tokyo Tech with a special focus on efficiency enhancement as well as reduction of fabrication cost. In this review, four kinds of single-layer waveguide arrays characterized by series-fed travelling wave operation are surveyed first. To cope with the bandwidth narrowing caused by the long line effects associated with series-fed operation, the authors have introduced a partially corporate feed embedded in the single-layer waveguide. They further extended the study to cover fully corporate feed arrays with multiple-layer waveguides as well; a new fabrication technique of diffusion bonding of laminated thin plates has the potential to realize low-cost mass production of multi-layer structures for millimeter wave applications. Secondly, novel methods for loss evaluation of copper plate substrates are established for the design of post-wall waveguide arrays, where dielectric loss and conductor loss are determined over a wide range of the millimeter wave band by using the whispering gallery mode resonator. This enables us to design the planar arrays with the loss taken into account. Finally, the planar arrays are now applied to two kinds of systems in the Tokyo Tech millimeter wave project: indoor short-range file-transfer systems and outdoor communication systems for medium-range backhaul links. The latter has been field-tested in the model network built on the Tokyo Tech Ookayama campus. Early-stage progress of the project, including unique propagation data, is also reported.

  • Design of a Partially-Corporate Feed Double-Layer Slotted Waveguide Array Antenna in 39 GHz Band and Fabrication by Diffusion Bonding of Laminated Thin Metal Plates

    Miao ZHANG, Jiro HIROKAWA, Makoto ANDO
    PAPER-Antennas
    Vol: E93-B No:10, Page(s): 2538-2544

    Introducing diffusion bonding of laminated thin metal plates to the fabrication of slotted waveguide arrays demonstrates the high potential and feasibility of high-performance multi-layer antennas. It is a promising low-cost process even for a double-layer antenna, because the number of etching patterns for the thin metal plates is only five. In this paper, a double-layer antenna with broadband characteristics is designed in the 39 GHz band as a demonstration. A 20×20-element antenna is composed of 2×2 sub-arrays by installing a partially-corporate feed circuit in the bottom layer underneath the radiating waveguides in the top layer. The five-element sub-arrays in both the feeding and radiating parts are designed first. A new structure for the last slot coupler with a shortened termination is also proposed to avoid an extra slot-free region when assembling neighboring sub-arrays. According to HFSS simulation results, a maximum gain of 34.55 dBi with an antenna efficiency of 85.5% is estimated at 38.5 GHz. The test antenna is fabricated by diffusion bonding of thin copper plates. In measurements, a very high aperture efficiency of 83.2% with a directivity of 34.5 dBi is realized at the center frequency of 38.75 GHz, where an antenna gain of 34.4 dBi with a high antenna efficiency of 81.4% is achieved. A bandwidth of 5.0%, defined as 1 dB down from the maximum gain, is achieved.

  • Acceleration of Differential Power Analysis through the Parallel Use of GPU and CPU

    Sung Jae LEE, Seog Chung SEO, Dong-Guk HAN, Seokhie HONG, Sangjin LEE
    LETTER-Cryptography and Information Security
    Vol: E93-A No:9, Page(s): 1688-1692

    This paper proposes methods for accelerating DPA by using the CPU and the GPU in parallel. The overhead of naive DPA evaluation software increases excessively as the number of points in a trace or the number of traces grows, due to the rapid increase of file I/O overhead. This paper presents some techniques, with respect to DPA arithmetic and file handling, which make the overhead of DPA software grow gradually rather than excessively with the amount of trace data to be processed. Through generic experiments, we show that software equipped with the proposed methods and using both CPU and GPU can shorten the time for evaluating the DPA resistance of devices by almost half.
