SQUARE is an 8-round SPN structure block cipher and its round function and key schedule have been slightly modified to design building blocks of Rijndael. Key schedule of SQUARE is simple and efficient but fully affine, so we apply a related-key attack on it. We find a 3-round related-key differential trail with probability 2^-28, which has zero differences both on its input and output states, which is called local collision in [6]. By extending of this related-key differential, we construct a successful attack on full rounds of SQUARE. In this paper, we present a key recovery attack on full rounds of SQUARE using a related-key boomerang distinguisher. We construct a 7-round related-key boomerang distinguisher with probability 2^-119 by finding local collision, and calculate its probability using ladder switch and multiple path estimation techniques. As a result, one round on top of the distinguisher is added to construct an attack on full rounds of SQUARE which recovers 16-bit key information with 2¹²³ encryptions and 2¹²¹ data.

Conventional class of weak keys on RC4 stream cipher is defined as a specific case that combinations of the first three bytes of secret key satisfy two relational equations. This paper expands and generalizes the classes of weak keys using generalized relational equations and special classes of the internal state (called predictive state). We derive the probability that generalized classes of weak keys leak the information of bytes of the secret key. Furthermore, we enumerate the generalized classes of weak keys and show that most of them leak more information of the secret key than Roos' one.

CRT-RSA is a variant of RSA, which uses integers d_p = d mod (p-1) and d_q = d mod (q-1) (CRT-exponents), where d, p, q are the secret keys of RSA. May proposed a method to obtain the secret key in polynomial time if a CRT-exponent is small, moreover Bleichenbacher and May improved this method. On the other hand, Takagi's RSA is a variant of CRT-RSA, whose public key N is of the form p^rq for a given positive integer r. In this paper, we extend the May's method and the Bleichenbacher-May's method to Takagi's RSA, and we show that we obtain p in polynomial time if by the extended May's method, and if by the extended Bleichenbacher-May's method, when d_q is arbitrary small. If r=1, these upper bounds conform to May's and Bleichenbacher-May's results respectively. Moreover, we also show that the upper bound of p^r increase with an increase in r. Since these attacks are heuristic algorithms, we provide several experiments which show that we can obtain the secret key in practice.

Spatial encryption is one of the generalized identity based encryption proposed by Boneh and Hamburg in 2008. Spatial encryption provides a framework for generating many identity based cryptosystems such as broadcast encryption, forward secure encryption or ring signature. While this may appear to be an attractive feature, all existing spatial encryption schemes are only selectively secure. In this paper, we present a fully secure spatial encryption scheme based on the three composite order bilinear groups.

In proxy re-encryption schemes, a semi-trusted entity called a proxy can convert a ciphertext encrypted for Alice into a new ciphertext for Bob without seeing the underlying plaintext. Several proxy re-encryption schemes have been proposed, however, only two schemes which enables the conversion of IBE ciphertexts to PKE ciphertexts has been proposed. One of schemes has some drawbacks such that the size of the re-encrypted ciphertext increases and Bob must be aware of existence of the proxy, which means Bob cannot decrypt a re-encrypted ciphertext with same PKE decryption algorithm. The other one achieves security under Selective-ID model. We propose a new, efficient scheme that enables the conversion of IBE ciphertexts to PKE ciphertexts, and prove full-ID CPA security in the standard model. In our scheme, the size of the re-encrypted ciphertext is optimal and Bob should not aware of existence of the proxy. As far as we know, this is the first IBE-PKE type scheme that holds the above properties.

We propose an anonymous Hierarchical Identity-Based Encryption (anonymous HIBE) scheme with short ciphertexts. Prior to our work, most anonymous HIBE schemes have long ciphertexts increased according to the hierarchical depth of recipient. The size of the ciphertext in our scheme does not depend on the depth of the hierarchy. Moreover, our scheme achieves the lowest computational cost because during the decryption phase the computational cost of decryption is constant. The security can be proven under reasonable assumptions without using random oracles. Our scheme achieves selective-ID security notion.

Since the Merkle-Damgård hash function (denoted by MDFH) that uses a fixed input length random oracle as a compression function is not indifferentiable from a random oracle (denoted by RO) due to the extension attack, there is no guarantee for the security of cryptosystems, which are secure in the RO model, when RO is instantiated with MDHF. This fact motivates us to establish a criteria methodology for confirming cryptosystems security when RO is instantiated with MDHF. In this paper, we confirm cryptosystems security by using the following approach: 1.Find a weakened random oracle (denoted by WRO) which leaks values needed to realize the extension attack. 2.Prove that MDHF is indifferentiable from WRO. 3.Prove cryptosystems security in the WRO model. The indifferentiability framework of Maurer, Renner and Holenstein guarantees that we can securely use the cryptosystem when WRO is instantiated with MDHF. Thus we concentrate on such finding WRO. We propose Traceable Random Oracle (denoted by TRO) which leaks values enough to permit the extension attack. By using TRO, we can easily confirm the security of OAEP encryption scheme and variants of OAEP encryption scheme. However, there are several practical cryptosystems whose security cannot be confirmed by TRO (e.g. RSA-KEM). This is because TRO leaks values that are irrelevant to the extension attack. Therefore, we propose another WRO, Extension Attack Simulatable Random Oracle (denoted by ERO), which leaks just the value needed for the extension attack. Fortunately, ERO is necessary and sufficient to confirm the security of cryptosystems under MDHF. This means that the security of any cryptosystem under MDHF is equivalent to that under the ERO model. We prove that RSA-KEM is secure in the ERO model.

Undeniable signatures, introduced by Chaum and van Antwerpen, require a verifier to interact with the signer to verify a signature, and hence allow the signer to control the verifiability of his signatures. Convertible undeniable signatures, introduced by Boyar, Chaum, Damgård, and Pedersen, furthermore allow the signer to convert signatures to publicly verifiable ones by publicizing a verification token, either for individual signatures or for all signatures universally. In addition, the original definition allows the signer to delegate the ability to prove validity and convert signatures to a semi-trusted third party by providing a verification key. While this functionality is implemented by the early convertible undeniable signature schemes, most recent schemes do not consider this form of delegation despite its practical appeal. In this paper we present an updated definition and security model for schemes allowing delegation, and furthermore highlight a new essential security property, token soundness, which is not formally treated in the previous security models for convertible undeniable signatures. We then propose a new convertible undeniable signature scheme. The scheme allows delegation of verification and is provably secure in the standard model assuming the computational co-Diffie-Hellman problem, a closely related problem, and the decisional linear problem are hard. Furthermore, unlike the recently proposed schemes by Phong et al. and Huang et al., our scheme provably fulfills all security requirements while providing short signatures.

We revisit the double-pipe construction introduced by Lucks at Asiacrypt 2005. Lucks originally studied the construction for iterated hash functions and showed that the approach is effective in improving security against various types of collision and (second-)preimage attacks. Instead, in this paper we apply the construction to the secret-key setting, where the underlying FIL (fixed-input-length) compression function is equipped with a dedicated key input. We make some adjustments to Lucks' original design so that now the new mode works with a single key and operates as a domain extension of MACs (message authentication codes). Though more than twice as slow as the Merkle-Damgård construction, the double-piped mode enjoys security strengthened beyond the birthday bound. More specifically, when iterating an FIL-MAC whose output size is n-bit, the new double-piped mode yields an AIL-(arbitrary-input-length-)MAC with security up to O(2ⁿ) query complexity. This bound contrasts sharply with the birthday bound of O(2^n/2), which was the best MAC security accomplished by earlier constructions.

We present a new methodology for constructing an efficient identification scheme, and based on it, we propose a lightweight identification scheme whose computational and storage costs are sufficiently low even for cheap devices such as RFID tags. First, we point out that the efficiency of a scheme with statistical zero-knowledgeness can be significantly improved by enhancing its zero-knowledgeness to perfect zero-knowledge. Then, we apply this technique to the Girault-Poupard-Stern (GPS) scheme which has been standardized by ISO/IEC. The resulting scheme shows a perfect balance between communication cost, storage cost, and circuit size (computational cost), which are crucial factors for implementation on RFID tags. Compared to GPS, the communication and storage costs are reduced, while the computational cost is kept sufficiently low so that it is implementable on a circuit nearly as small as GPS. Under standard parameters, the prover's response is shortened 80 bits from 275 bits to 195 bits and in application using coupons, storage for one coupon is also reduced 80 bits, whereas the circuit size is estimated to be larger by only 335 gates. Hence, we believe that the new scheme is a perfect solution for fast authentication of RFID tags.

As old as TANDEM-DM, the compression function ABREAST-DM is one of the most well-known constructions for double block length compression functions. In this paper, we give a security proof for ABREAST-DM in terms of collision resistance and preimage resistance. The bounds on the number of queries for collision resistance and preimage resistance are given by Ω(2ⁿ). Based on a novel technique using query-response cycles, our security proof is simpler than those for MDC-2 and TANDEM-DM. We also present a wide class of ABREAST-DM variants that enjoy a birthday-type security guarantee with a simple proof^*.

This paper evaluates the preimage resistance of the Tiger hash function. To our best knowledge, the maximum number of the attacked steps is 17 among previous preimage attacks on Tiger, where the full version has 24 steps. Our attack will extend the number of the attacked steps to 23. The main contribution is a pseudo-preimage attack on the compression function up to 23 steps with a complexity of 2¹⁸¹ following the meet-in-the-middle approach. This attack can be converted to a preimage attack on 23-step Tiger hash function with a complexity of 2^187.5. The memory requirement of our attack is 2²² words. A Tiger digest has 192 bits. Therefore, our attacks are faster than the exhaustive search.

We present cryptanalyses of the original version of AURORA-512 hash function, which is a round-1 SHA-3 candidate. Our attack exploits weaknesses in a narrow-pipe mode of operation of AURORA-512 named "Double-Mix Merkle-Damgård (DMMD)." The current best collision attack proposed by Joux and Lucks only gives rough complexity estimations. We first evaluate its precise complexity and show its optimization. Secondly, we point out that the current best second-preimage attack proposed by Ferguson and Lucks does not work with the claimed complexity of 2²⁹¹. We then evaluate a complexity so that the attack can work with a high success probability. We also show that the second-preimage attack can be used to attack the randomized hashing scheme. Finally, we present a key-recovery attack on HMAC-AURORA-512, which reveals 512-bit secret keys with 2²⁵⁷ queries, 2²⁵⁹ AURORA-512 operations, and negligible memory. The universal forgery on HMAC-AURORA-384 is also possible by combining the second-preimage and inner-key-recovery attacks.

In this paper, we propose two authenticated key exchange(AKE) protocols and prove their security in the extended Canetti-Krawczyk model. The first protocol, called NAXOS+, is obtained by slightly modifying the NAXOS protocol proposed by LaMacchia, Lauter and Mityagin [15]. We prove its security under the Computational Diffie-Hellman (CDH) assumption by using the trapdoor test introduced in [6]. To the authors' knowledge, this is the first AKE protocol which is secure under the CDH assumption in the eCK model. The second protocol, called NETS, enjoys a simple and tight security reduction compared to existing schemes including HMQV and CMQV without using the Forking Lemma. Since each session of the NETS protocol requires only three exponentiations per party, its efficiency is also comparable to MQV, HMQV and CMQV.

On-line secret sharing scheme, introduced by Cachin, is a computational variation of secret sharing scheme. It supports dynamic changing of access structures and reusable shares, by grace of public bulletin board. In this paper, first we introduce a formal model of on-line secret sharing scheme, and analyze existing on-line secret sharing schemes. As a result, it is shown that they are all vulnerable by giving concrete attacks. Next, we propose a novel on-line secret sharing scheme which is provably secure.

Pairing-based cryptosystems are generally constructed using many functions such as pairing computation, arithmetic in finite fields, and arithmetic on elliptic curves. MapToPoint, which is a hashing algorithm onto an elliptic curve point, is one of the functions for constructing pairing-based cryptosystems. There are two MapToPoint algorithms on supersingular elliptic curves in characteristic three, which is used by η_T pairing. The first is computed by using a square root computation in F_3^m, and the computational cost of this algorithm is O(log m) multiplications in F_3^m. The second is computed by using an (m-1)(m-1) matrix over F₃. It can be computed by O(1) multiplications in F_3^m. However, this algorithm needs the off-line memory to store about m F_3^m-elements. In this paper, we propose an efficient MapToPoint algorithm on the supersingular elliptic curves in characteristic three by using 1/3-trace over F_3^m. We propose 1/3-trace over F_3^m, which can compute solution x of x³ -x = c by using no multiplication in F_3^m. The proposed algorithm is computed by O(1) multiplications in F_3^m, and it requires less than m F₃-elements to be stored in the off-line memory to efficiently compute trace over F_3^m. Moreover, in our software implementation of F_3⁵⁰⁹, the proposed MapToPoint algorithm is approximately 35% faster than the conventional MapToPoint algorithm using the square root computation on an AMD Opteron processor (2.2 GHz).

It is necessary to perform arithmetic in F_p¹² to use an Ate pairing on a Barreto-Naehrig (BN) curve, where p is a prime given by p(z)=36z⁴+36z³+24z²+6z+1 for some integer z. In many implementations of Ate pairings, F_p¹² has been regarded as a 6th degree extension of F_p², and it has been constructed by F_p¹²=F_p²[v]/(v⁶-ξ) for an element ξ ∈ F_p² such that v⁶-ξ is irreducible in F_p²[v]. Such a ξ depends on the value of p, and we may use a mathematical software package to find ξ. In this paper it is shown that when z ≡ 7,11 (mod 12), we can universally construct F_p¹² as F_p¹²=F_p²[v]/(v⁶-u-1), where F_p²=F_p[u]/(u²+1).

In this paper, we constructed six infinite classes of balanced Boolean functions. These six classes of Boolean functions achieved optimal algebraic degree, optimal algebraic immunity and high nonlinearity. Furthermore, we gave the proof of the lower bound of the nonlinearities of these balanced Boolean functions and proved the better lower bound of nonlinearity for Carlet-Feng's Boolean function.

Recently, pairing-based cryptographic application sch-emes have attracted much attentions. In order to make the schemes more efficient, not only pairing algorithm but also arithmetic operations in extension field need to be efficient. For this purpose, the authors have proposed a series of cyclic vector multiplication algorithms (CVMAs) corresponding to the adopted bases such as type-I optimal normal basis (ONB). Note here that every basis adapted for the conventional CVMAs are just special classes of Gauss period normal bases (GNBs). In general, GNB is characterized with a certain positive integer h in addition to characteristic p and extension degree m, namely type-⟨h.m⟩ GNB in extension field F_p^m. The parameter h needs to satisfy some conditions and such a positive integer h infinitely exists. From the viewpoint of the calculation cost of CVMA, it is preferred to be small. Thus, the minimal one denoted by h_min will be adapted. This paper focuses on two remaining problems: 1) CVMA has not been expanded for general GNBs yet and 2) the minimal h_min sometimes becomes large and it causes an inefficient case. First, this paper expands CVMA for general GNBs. It will improve some critical cases with large h_min reported in the conventional works. After that, this paper shows a theorem that, for a fixed prime number r, other prime numbers modulo r uniformly distribute between 1 to r-1. Then, based on this theorem, the existence probability of type-⟨h_min,m⟩ GNB in F_p^m and also the expected value of h_min are explicitly given.

A novel random number generation method based on chaotic sampling of regular waveform is proposed. A high speed IC truly random number generator based on this method is also presented. Simulation and experimental results, verifying the feasibility of the circuit, are given. Numerical binary data obtained according to the proposed method pass the four basic tests of FIPS-140-2, while experimental data pass the full NIST-800-22 random number test suite without post-processing.

This paper shows two power analysis attacks against a software implementation of a first-order DPA resistant S-box algorithm that is based on the discrete Fourier Transform (DFT). The DPA resistant S-box algorithm based on DFT was proposed by Prouff et al. in 2006 and improved by Coron et al. in 2008, respectively. In our attacks against the improved one, we pre-process the power traces by separating them into two subgroups, so that each has a biased mask. For the separated power traces, two post analysis methods are proposed to identify the key. One is based on DPA attack against one subgroup, and the other utilizes the difference of means for two subgroups and a pattern matching. Finally, we compare these two attack methods and propose an algorithm-level countermeasure to enhance the security of S-box calculation based on the DFT.

In this paper we first demonstrate that effective selection functions in power analysis attacks change depending on circuit architectures of a block cipher. We then conclude that the most resistant architecture on its own, in the case of the loop architecture, has two data registers have separate roles: one for storing the plaintext and ciphertext, and the other for storing intermediate values. There, the pre-whitening operation is placed at the output of the former register. The architecture allows the narrowest range of selection functions and thereby has resistance against ordinary CPA. Thus, we can easily defend against attacks by ordinary CPA at the architectural level, whereas we cannot against DPA. Secondly, we propose a new technique called "self-templates" in order to raise the accuracy of evaluation of DPA-based attacks. Self-templates enable to differentiate meaningful selection functions for DPA-based attacks without any strong assumption as in the template attack. We also present the results of attacks to an AES co-processor on an ASIC and demonstrate the effectiveness of the proposed technique.

This paper describes a modular exponentiation processing method and circuit architecture that can exhibit the maximum performance of FPGA resources. The modular exponentiation architecture proposed by us comprises three main techniques. The first one is to improve the Montgomery multiplication algorithm in order to maximize the performance of the multiplication unit in an FPGA. The second one is to balance and improve the circuit delay. The third one is to ensure scalability of the circuit. Our architecture can perform fast operations using small-scale resources; in particular, it can complete a 512-bit modular exponentiation as fast as in 0.26 ms with the smallest Virtex-4 FPGA, XC4VF12-10SF363. In fact the number of SLICEs used is approx. 4200, which proves the compactness of our design. Moreover, the scalability of our design also allows 1024-, 1536-, and 2048-bit modular exponentiations to be processed in the same circuit.

In this paper we unveil basic properties of a code Γ_q for digital fingerprinting based on a projective plane of order q. We consider a situation where a coalition of malicious users generates a pirated digital content in which a binary sequence w is embedded subject to the marking assumption. Here, the size of the coalition is assumed to be less than or equal to a known constant c ≥ 2. We evaluate the number of candidates of the coalition that can also generate w subject to the marking assumption. It is shown that the number of such candidates is completely determined as a function of w for the case of c = 2. In addition, we give a sufficient condition under which all the malicious users are correctly identified from w for the case of c ≥ 3. Relationships between Γ_q and other existing classes of codes are discussed as well.

Biometric authentication has attracted attention because of its high security and convenience. However, biometric feature such as fingerprint can not be revoked like passwords. Thus once the biometric data of a user stored in the system has been compromised, it can not be used for authentication securely for his/her whole life long. To address this issue, an authentication scheme called cancelable biometrics has been studied. However, there remains a major challenge to achieve both strong security and practical accuracy. In this paper, we propose a novel and fundamental algorithm for cancelable biometrics called correlation-invariant random filtering (CIRF) with provable security. Then we construct a method for generating cancelable fingerprint templates based on the chip matching algorithm and the CIRF. Experimental evaluation shows that our method has almost the same accuracy as the conventional fingerprint verification based on the chip matching algorithm.

In recent years, the number of spam emails has been dramatically increasing and spam is recognized as a serious internet threat. Most recent spam emails are being sent by bots which often operate with others in the form of a botnet, and skillful spammers try to conceal their activities from spam analyzers and spam detection technology. In addition, most spam messages contain URLs that lure spam receivers to malicious Web servers for the purpose of carrying out various cyber attacks such as malware infection, phishing attacks, etc. In order to cope with spam based attacks, there have been many efforts made towards the clustering of spam emails based on similarities between them. The spam clusters obtained from the clustering of spam emails can be used to identify the infrastructure of spam sending systems and malicious Web servers, and how they are grouped and correlate with each other, and to minimize the time needed for analyzing Web pages. Therefore, it is very important to improve the accuracy of the spam clustering as much as possible so as to analyze spam based attacks more accurately. In this paper, we present an optimized spam clustering method, called O-means, based on the K-means clustering method, which is one of the most widely used clustering methods. By examining three weeks of spam gathered in our SMTP server, we observed that the accuracy of the O-means clustering method is about 87% which is superior to the previous clustering methods. In addition, we define 12 statistical features to compare similarity between spam emails, and we determined a set of optimized features which makes the O-means clustering method more effective.

Those host-based intrusion detection models like VPStatic first construct a model of acceptable behaviors for each monitored program via static analysis, and then perform intrusion detection by comparing them with programs' runtime behaviors. These models usually share the highly desirable feature that they do not produce false alarms but face the conflicts between accuracy and efficiency. For instance, the high accuracy of the VPStatic model is at the cost of high space complexity. In this paper, we use a statically-constructed state transition table (STT), which records expected transitions among system calls as well as their stack states (return address lists), as a behavior model to perform context-sensitive intrusion detection. According to our analysis, our STT model improves the space efficiency of the VPStatic model without decreasing its high precision and time efficiency. Experiments show that for three test programs, memory uses of our STT models are all much less than half of the VPStatic models'. Thereby, we alleviate the conflicts between the accuracy and the efficiency.

Constructing degree-optimized resilient Boolean functions with high nonlinearity is a significant study area in Boolean functions. In this letter, we provide a construction of degree-optimized n-variable (n odd and n ≥ 35) resilient Boolean functions, and it is shown that the resultant functions achieve the currently best known nonlinearity.

Recently, Jin, Wen, and Du proposed an identity-based signcryption scheme in the standard model. In this letter, we show that their scheme does not have the indistinguishability against adaptive chosen ciphertext attacks and existential unforgeability against adaptive chosen messages attacks.

This paper introduces a novel type of digital watermarking, which is mainly designed for embededing information into cryptographic data such as keys, ciphertexts, and signatures. We focus on a mathematical structure of the recent major cryptosystems called pairing-based schemes. We present a detection-type watermarking scheme by which a watermark is visible by anyone but unremovable without secret trapdoor. The important feature is that both correctness and security of cryptographic data remain satisfied even if the trapdoor is published.

An improvement of estimating sound power spectra located in a particular 2-dimensional area is proposed. We previously proposed a conventional method that estimates sound power spectra using multiple fixed beamformings in order to emphasize speech located in a particular 2-dimensional area. However, the method has one drawback that the number of areas where the active sound sources are located must be restricted. This restriction makes the method less effective when many noise source located in different areas are simultaneously active. In this paper, we reveal the cause of this restriction and determine the maximum number of areas for which the method is able to simultaneously estimate sound power spectra. Then we also introduce a procedure for investigating areas that include active sound sources to reduce the number of unknown power spectra to be estimated. The effectiveness of the proposed method is examined by experimental evaluation applied to sounds recorded in a practical environment.

We have applied the open-plus-closed-loop control method, recently devised by Grosu et al., to chaos-based communications. In our method, a message is handled as if it were part of a parameter mismatch between the chaotic oscillators installed on a drive and a response system. In the drive system, the message is encrypted by adding it to a state variable of the oscillator as dynamical noise. In the response system, the message is decrypted by subtracting the chaotic signal reproduced by chaotic synchronization using the open-plus-closed-loop control method from the received signal, followed by differentiation with respect to time. When the oscillators have multiple parameter mismatches, multiple messages can be simultaneously encrypted and decrypted to achieve multiplex secure communications.

Field programmable gate arrays (FPGAs) are widely used in reliability-critical systems due to their reconfiguration ability. However, with the shrinking device feature size and increasing die area, nowadays FPGAs can be deeply affected by the errors induced by electromigration and radiation. To improve the reliability of FPGA-based reconfigurable systems, a permanent fault recovery approach using a domain partition model is proposed in this paper. In the proposed approach, the fault-tolerant FPGA recovery from faults is realized by reloading a proper configuration from a pool of multiple alternative configurations with overlaps. The overlaps are presented as a set of vectors in the domain partition model. To enhance the reliability, a technical procedure is also presented in which the set of vectors are heuristically filtered so that the corresponding small overlaps can be merged into big ones. Experimental results are provided to demonstrate the effectiveness of the proposed approach through applying it to several benchmark circuits. Compared with previous approaches, the proposed approach increased MTTF by up to 18.87%.

In this paper, an artificial sub-threshold oscillating spiking neuron is presented and its response phenomena to an input spike-train are analyzed. In addition, a dynamic parameter update rule of the neuron for achieving synchronizations to the input spike-train having various spike frequencies is presented. Using an analytical two-dimensional return map, local stability of the parameter update rule is analyzed. Furthermore, a pulse-coupled network of the neurons is presented and its basic self-organizing function is analyzed. Fundamental comparisons are also presented.

In UWB systems, data symbols are transmitted and received continuously. The Fast Fourier Transform (FFT) processor must be able to seamlessly process input/output data. This paper presents the design and implementation of a continuous data flow parallel memory-based FFT (CF-PMBFFT) processor without the use of input buffer for pre-loading the input data. The processor realizes a memory space of two N-words and multiple processing elements (PEs) to achieve the seamless data flow and meet the design requirement. The circuit has been fabricated in TSMC 0.18 µm 1P6M CMOS process with the supply voltage of 1.8 V. Measurement results of the test chip shows that the developed CF-PMBFFT processor takes a core area of 1.97 mm² with a power consumption of 62.12 mW for a throughput rate of 528 MS/s.

MIMO-OFDM performs signal detection on a subcarrier basis which requires high speed computation in MIMO detection due to its large computational cost. Conventional designs in a MIMO detector increase processing time in proportion to the number of subcarriers and have difficulty in real-time processing for large numbers of subcarriers. A complete pipeline MMSE MIMO detector presented in our previous work can provide high speed computation. However, it tends to be excessive in a circuit scale for small numbers of subcarriers. We propose a new scalable architecture to reduce circuit scale by adjusting the number of iterative operations according to various types of OFDM system. The proposed detector has reduced circuit area to about 1/2 to 1/7 in the previous design with providing acceptable latency time.

The earlier the stage where we perform low power design, the higher the dynamic power reduction we achieve. In this paper, we focus on reducing switching activity in high-level synthesis, especially, in the problem of functional module binding, bus binding or register binding. We propose an effective low power bus binding algorithm based on the table decomposition method, to reduce switching activity. The proposed algorithm is based on the decomposition of the original problem into sub-problems by exploiting the optimal substructure. As a result, it finds an optimal or close-to-optimal binding solution with less computation time. Experimental results show the proposed method obtains a solution 2.3-22.2% closer to optimal solution than one with a conventional heuristic method, 8.0-479.2 times faster than the optimal one (at a threshold value of 1.0E+9).

Accelerator cores in low-power embedded processors have on-chip multiple memory modules to increase the data access speed and to enable parallel data access. When large functional units such as multipliers and dividers are used for addressing, a large power and chip area are consumed. Therefore, recent low-power processors use small functional units such as adders and counters to reduce the power and area. Such small functional units make it difficult to implement complex addressing patterns without duplicating data among multiple memory modules. The data duplication wastes the memory capacity and increases the data transfer time significantly. This paper proposes a method to reduce the memory duplication for window-based image processing, which is widely used in many applications. Evaluations using an accelerator core show that the proposed method reduces the data amount and data transfer time by more than 50%.

Device mismatch plays an important role in the design of accurate analog circuits. The common centroid structure is commonly employed to reduce device mismatches caused by symmetrical layouts and processing gradients. Among the candidate placements generated by the common centroid approach, however, whichever achieves better matching is generally difficult to be determined without performing the time-consuming yield evaluation process. In addition, this rule-based methodology makes it difficult to achieve acceptable matching between multiple capacitors and to handle an irregular layout area. Based on a spatial correlation model, this study proposed a design methodology for yield enhancement of analog circuits using switched-capacitor techniques. An efficient and effective placement generator is developed to derive a placement for a circuit to achieve the highest or near highest correlation coefficient and thus accomplishing a better yield performance. A simple yield analysis is also developed to evaluate the achieved yield performance of a derived placement. Results show that the proposed methodology derives a placement which achieves better yield performance than those generated by the common centroid approach.

In this paper, we explicitly construct a large class of symmetric Boolean functions on 2k variables with algebraic immunity not less than d, where integer k is given arbitrarily and d is a given suffix of k in binary representation. If let d = k, our constructed functions achieve the maximum algebraic immunity. Remarkably, 2^{⌊ log₂k ⌋ + 2} symmetric Boolean functions on 2k variables with maximum algebraic immunity are constructed, which are much more than the previous constructions. Based on our construction, a lower bound of symmetric Boolean functions with algebraic immunity not less than d is derived, which is 2^{⌊ log₂d ⌋ + 2(k-d+1)}. As far as we know, this is the first lower bound of this kind.

It is known that composable secure commitments, that is, concurrent non-malleable commitments exist in the plain model, based only on standard assumptions such as the existence of claw-free permutations or even one-way functions. Since being based on the plain model, the deniability of them is trivially satisfied, and especially the latter scheme satisfies also adaptivity, hence it is adaptive-deniable-concurrent non-malleable. However, those schemes cannot be said to be practically efficient. We show a practically efficient (string) adaptive-deniable-concurrent commitment scheme is possible under a global setup model, called the Global CRS-KR model.

A hash chain H for a hash function hash(·) is a sequence of hash values ⟨ x_n, x_n-1,..., x₀ ⟩, where x₀ is a secret value, x_i is generated by x_i = hash(x_i-1) for 1 ≤ i ≤ n, and x_n is a public value. Hash values of H are disclosed gradually from x_n-1 to x₀. The correctness of a disclosed hash value x_i can be verified by checking the equation x_n =? hash^n-i(x_i). To speed up the verification, Fischlin introduced a check-bit scheme at CT-RSA 2004. The basic idea of the check-bit scheme is to output some extra information cb, called a check-bit vector, in addition to the public value x_n, which allows each verifier to perform only a fraction of the original work according to his or her own security level. We revisit the Fischlin's check-bit scheme and show that the length of the check-bit vector cb can be reduced nearly by half. The reduced length of cb is close to the theoretic lower bound.

A sanitizable signature scheme is a signature scheme which, after the signer generates a valid signature of a message, allows a specific entity (sanitizer) to modify the message for hiding several parts. Existing sanitizable signature schemes require the message to be divided into pre-defined blocks before signing so that each block can be sanitized independently. However, there are cases where the parts of the message which are needed to be sanitized can not be determined in the time of signing. Thus, it is difficult to decide the partition of the blocks in such cases. Since the length of the signature is usually proportional to the number of blocks, signing every bit independently will make the signature too long. In this paper, we propose a solution by introducing a new concept called sequential bitwise sanitizable signature schemes, where any sequence of bits of the signed document can be made sanitizable without pre-defining them, and without increasing the length of signature. We also show that a one-way permutation suffices to get a secure construction, which is theoretically interesting in its own right, since all the other existing schemes are constructed using stronger assumptions.

This paper evaluates the performance of a pilot-assisted fine carrier frequency offset (CFO) estimation scheme for orthogonal frequency division multiplexing (OFDM) in time-varying channels. An analytical closed-form expression of the mean square error (MSE), of the post-FFT based CFO synchronization scheme, is presented in terms of time-variant fading channels. To verify our analysis in this paper, simulations are carried out within the framework of mobile WiMAX systems.

In this paper, we develop a VCASS substitution system (S-VCASS) using a personal mobile terminal in order to improve the effectiveness of VCASS in an environment comprising both VCASS and non-VCASS vehicles. We propose three new pedestrian state judgment algorithms that can be implemented on a personal mobile terminal for inter-vehicle communications. We evaluate the performances of the three proposed algorithms with real vehicles. Finally, we show that the proposed algorithms can recognize vehicles without VCASS.

In this paper, we introduce a new general construction of zero correlation zone (ZCZ) sequence set, which is based on two given ZCZ sequence sets. Compared with the two given sequence sets, the resultant sequence set not only has larger family size and longer period, but also provides more flexible choices of basic sequences, ZCZ length and family size.

In this letter, we propose a new observer error linearization approach that is called reduced-order dynamic observer error linearization (RDOEL), which is a modified version of dynamic observer error linearization (DOEL). We introduce the concepts and properties of RDOEL, and provide a complete solution to RDOEL with one integrator. Moreover, we show that it is also a complete solution to a simple case of DOEL.

This letter studies application of the growing PSO to the design of DC-AC inverters. In this application, each particle corresponds to a set of circuit parameters and moves to solve a multi-objective problem of the total harmonic distortion and desired average power. The problem is described by the hybrid fitness consisting of analog objective function, criterion and digital logic. The PSO has growing structure and dynamic acceleration parameters. Performing basic numerical experiments, we have confirmed the algorithm efficiency.

A neuro fuzzy method to design analog circuits is explained, where the universe of discourse of the fuzzy system is adjusted by means of a self-organized artificial neural network. As an example of this approach, an op-amp is optimized in order to hold a predetermined aim; where the unity gain bandwidth is an objective of design, and the restrictions of open-loop gain and margin phase are treated as objectives too. Firstly, the experience of the behavior of the circuit is obtained, hence an inference system is constructed and a neural network is applied to achieve a faster convergence into a desired solution. This approach is characterized by having a simple implementation, a very natural understanding and a better performance than static methods of fuzzy optimization.

In this letter, a new definition of two-stage spatiotemporal approach, called ICA-WFS (Independent-Component-Analysis-Weighted-Frequent-Substructure) is proposed. To facilitate capturing abnormal behavior across multiple networks and dimensionality reduction at a single Point of Presence (PoP), ICA is applied. With application of WFS, an complete graph is examined, unusual substructures of which are reported. Experiments are conducted and, together with application of backbone network (Internet2) Netflow data, show some positive results.

In this letter, we generalize the binary sequence introduced by Li et al. in [S. Q. Li et al., On the randomness generalized cyclotomic sequences of order two and length pq, IEICE Trans. Fund, vol. E90-A, no.9, pp.2037-2041, 2007] to sequence over arbitrary prime fields. Furthermore, the auto-correlation distribution and linear complexity of the proposed sequence are presented.

In order to reduce the convergence time in an iterative procedure, some gradient based preliminary processes are employed to eliminate outliers. The adaptive variable block size is also introduced to balance the accuracy and computational complexity. Moreover, the use of Canberra distance instead of Euclidean distance illustrates higher performance in measuring motion similarity.

In this letter, we propose a spatially adaptive noise removal algorithm using local statistics. The proposed algorithm consists of two stages: noise detection and removal. In order to solve the trade-off between the effective noise suppression and the over-smoothness of the reconstructed image, local statistics such as local maximum and the local weighted activity is defined. With the local statistics, the noise detection function is defined and a modified Gaussian filter is used to suppress the detected noise components. The experimental results demonstrate the effectiveness of the proposed algorithm.

We propose, in this letter, a new type of image denoising filter using a data analysis technique. We deal with pixels as data and extract the most dominant cluster from pixels in the filtering window. We output the centroid of the extracted cluster. We demonstrate that this graph-spectral filter can effectively reduce a mixture of Gaussian and random impulsive noise.

This letter proposes a dynamic phasor-based apparent impedance measuring method for a single-line-to-ground fault. Using the proposed method, the effects of the decaying DC components on the apparent impedance of a single-line-to-ground fault can be completely removed. Compared with previous works, the proposed method uses less computation to measure an accurate apparent impedance.

This letter presents integrating algorithms for affine constraints defined on a manifold. We first explain definition and geometric representation of affine constraints. Next, we derive integrating algorithms to calculate independent first integrals of affine constraints for the two cases where the they are completely integrable and partially nonintegrable. Moreover, we prove the existence of inverse functions in the algorithms. Some examples are also shown to verify our results.