Sumio Morioka

\textnormal{\textsc{TWINE}}: A Lightweight Block Cipher for Multiple Platforms

This paper presents a 64-bit lightweight block cipher (textnormal{textsc{TWINE}}) supporting 80 and 128-bit keys. (textnormal{textsc{TWINE}}) realizes quite small hardware implementation similar to the previous lightweight block cipher proposals, yet enables efficient software implementations on various CPUs, from micro-controllers to high-end CPUs. This characteristic is obtained by the use of generalized Feistel combined with an improved block shuffle, introduced at FSE 2010.

CLOC: Authenticated Encryption for Short Input

We define and analyze the security of a blockcipher mode of operation, (mathrm {CLOC}), for provably secure authenticated encryption with associated data. The design of (mathrm {CLOC}) aims at optimizing previous schemes, CCM, EAX, and EAX-prime, in terms of the implementation overhead beyond the blockcipher, the precomputation complexity, and the memory requirement. With these features, (mathrm {CLOC}) is suitable for handling short input data, say 16 bytes, without needing precomputation nor large memory. This property is especially beneficial to small microprocessors, where the word size is typically 8 bits or 16 bits, and there are significant restrictions in the size and the number of registers. (mathrm {CLOC}) uses a variant of CFB mode in its encryption part and a variant of CBC MAC in the authentication part. We introduce various design techniques in order to achieve the above mentioned design goals. We prove (mathrm {CLOC}) secure, in a reduction-based provable security paradigm, under the assumption that the blockcipher is a pseudorandom permutation. We also present our preliminary implementation results.

Flexible architecture optimization and ASIC implementation of group signature algorithm using a customized HLS methodology

Group signature is one of the main theme in recent digital signature studies. Typical signature algorithm is a combination of more than 70 elliptic curve (ECC), modular (RSA), long-bit integer and hash arithmetic functions. A full H/W IP core is strongly desired for the use of group signature in SoCs in slow-clock and low-power mobile devices and embedded systems. Flexible adjustment of H/W speed and size, depending on different systems and LSI process technologies, is also required. However, for designing and verifying H/W, the group signature algorithm is too complicated to use a standard RTL (Register Transfer Level) design methodology nor any recent HLS (High Level Synthesis). Therefore, we incorporated a two-level behavioral synthesis approach, where an optimized macro-architecture is explored by a custom-made scheduler, after a database of multiple number of microarchitectures are effectively constructed by conventional HLS. We implemented the signature algorithm on a low-cost 0.25um gate-array. The H/W size is approximately 1M gates and our chip can compute a group signature at the equivalent speed (0.135 seconds@100MHz clock) with 3GHz PC S/W, while the power consumption is two orders of magnitude lower (425mW@100MHz).

A High Throughput/Gate AES Hardware Architecture by Compressing Encryption and Decryption Datapaths

This paper proposes a highly efficient AES hardware architecture that supports both encryption and decryption for the CBC mode. Some conventional AES architectures employ pipelining techniques to enhance the throughput and efficiency. However, such pipelined architectures are frequently unfit because many practical cryptographic applications work in the CBC mode, where block-wise parallelism is not available for encryption. In this paper, we present an efficient AES encryption/decryption hardware design suitable for such block-chaining modes. In particular, new operation-reordering and register-retiming techniques allow us to unify the inversion circuits for encryption and decryption (i.e., SubBytes and InvSubBytes) without any delay overhead. A new unification technique for linear mappings further reduces both the area and critical delay in total. Our design employs a common loop architecture and can therefore efficiently perform even in the CBC mode. We also present a shared key scheduling datapath that can work on-the-fly in the proposed architecture. To the best of our knowledge, the proposed architecture has the shortest critical path delay and is the most efficient in terms of throughput per area among conventional AES encryption/decryption architectures with tower-field S-boxes. We evaluate the performance of the proposed and some conventional datapaths by logic synthesis results with the TSMC 65-nm standard-cell library and NanGate 45- and 15-nm open-cell libraries. As a result, we confirm that our proposed architecture achieves approximately 53–72 % higher efficiency (i.e., a higher bps/GE) than any other conventional counterpart.

A hierarchical formal approach to verifying side-channel resistant cryptographic processors

This paper presents a hierarchical formal verification method for cryptographic processors based on a combination of a word-level computer algebra procedure and a bit-level decision procedure using PPRM (Positive Polarity Reed-Muller) expansion. In the proposed method, the entire datapath structure of a cryptographic processor is described in the form of a hierarchical graph . The correctness of the entire circuit function is verified on this graph representation, by the algebraic method, and the function of each component is verified by the PPRM method, respectively. We have applied the proposed verification method to a complicated AES (Advanced Encryption Standard) circuit with a masking countermeasure against side-channel attack. The results show that the proposed method can verify such practical circuit automatically within 4 minutes while the conventional methods fail.

Automatic generation of formally-proven tamper-resistant Galois-field multipliers based on generalized masking scheme

In this study, we propose a formal design system for tamper-resistant cryptographic hardwares based on Generalized Masking Scheme (GMS). The masking scheme, which is a state-of-the-art masking-based countermeasure against higher-order differential power analyses (DPAs), can securely construct any kind of Galois-field (GF) arithmetic circuits at the register transfer level (RTL) description, while most other ones require specific physical design. In this study, we first present a formal design methodology of GMS-based GF arithmetic circuits based on a hierarchical dataflow graph, called GF arithmetic circuit graph (GF-ACG), and present a formal verification method for both functionality and security property based on Gröbner basis. In addition, we propose an automatic generation system for GMS-based GF multipliers, which can synthesize a fifth-order 256-bit multiplier (whose input bit-length is 256 × 77) within 15 min.