IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 最新号

Faster CGL Hash Function via Reduced Backtracking Checks

The CGL hash function is an isogeny-based hash function that computes non-backtracking paths on a supersingular isogeny graph. Since one of the problems of the CGL hash function is its relatively slow computational time, many acceleration methods have been studied, including the use of the Legendre form, radical isogenies. An algorithm for computing the CGL hash function proposed at SAC’22 has achieved acceleration of several orders of magnitude, by using 2ⁿ-isogenies for an integer n = Θ(log p), where p is characteristic of the underlying field. In this algorithm, the backtracking 2-isogeny between two consecutive 2ⁿ-isogenies must be prevented to assure the security of the hash function, which is called backtracking checks. In this paper, we propose two algorithms to further accelerate the computation by reducing the overhead of backtracking checks. The first algorithm skips backtracking checks when unnecessary. The second one completely eliminates the need for these checks. Moreover, we implement our proposed algorithms. We perform a detailed and precise complexity analysis of our algorithms as well as previously proposed ones by programmatically counting the actual number of operations over the underlying finite field. We demonstrate that the first algorithm reduces the cost by 7.6%, 7.0%, 7.6%, 6.2% and second one by 18.9%, 17.8%, 16.7%, 16.1% compared to the original algorithm at SAC’22 for 256,512,1024,1536-bit primes, respectively. This paper is an extended version of [1]. We add the second algorithm without backtracking checks, which is faster than the first algorithm, and its efficiency is demonstrated by the implementation.

Improving the Efficiency of Odd Degree Isogeny Computations with the Domain as a Product of Elliptic Curves

Isogeny-based cryptography is one of post-quantum cryptography based on the difficulty of the isogeny problem. The central object is a one-dimensional isogeny, that is, an isogeny between elliptic curves. However, in recent years, not only one-dimensional isogenies but also two-dimensional isogenies have been used to isogeny-based cryptography. Such a two-dimensional isogeny is an isogeny between products of elliptic curves, and it is computed by decomposing to prime degree isogenies. The decomposed isogenies are called a chain of isogenies. Especially, for the decomposition, the first isogeny of the chain has the domain as a product of elliptic curves E₁ × E₂, and a point x to compute the image is of the form of x = (x⁽¹⁾, 0_E2)∈ E₁ × E₂ for x⁽¹⁾ ∈ E₁. In this paper, we focus on odd prime degree isogenies with the domain as a product of elliptic curves. For such an isogeny, we propose formulas and explicit algorithms based on the formulas. As a result, the computation of the image of a point (x⁽¹⁾, 0_E2) is improved compared to the existing method. For the application, when we compute an odd degree isogeny chain, this result allows efficient computation of the dominant isogeny in the chain by placing the isogeny with the largest prime degree first. In addition, we implemented the proposed algorithm in SageMath and confirmed its improved efficiency over the existing algorithm by comparing running times.

On Lattice Isomorphism Problems for Lattices from LCD Codes over Finite Rings

These days, post-quantum cryptography based on the lattice isomorphism problem has been proposed. Ducas-Gibbons introduced the hull attack, which solves the lattice isomorphism problem for lattices obtained by Construction A from an LCD code over a finite field. Using this attack, they showed that the lattice isomorphism problem for such lattices can be reduced to the lattice isomorphism problem with the trivial lattice ℤⁿ and the graph isomorphism problem. While the previous work by Ducas-Gibbons only considered lattices constructed by a code over a finite field, this paper considers lattices constructed by a code over a finite ring ℤ/kℤ, which is a more general case. In particular, when k is odd, an odd prime power, or not divisible by 4, we show that the lattice isomorphism problem can be reduced to the lattice isomorphism problem for ℤⁿ and the graph isomorphism problem.

Polynomial-Time Attacks on Two Post-Quantum Key Agreement Protocols

In this study, we propose a polynomial-time recovery attack on two post-quantum key agreement protocols. One of these protocols is the strongly asymmetric algorithm-5 (SAA-5), which is based on matrix operations over the finite field 𝔽_p. Our previous study showed that weak keys exist with high probability in SAA-5 and proposed an attack using the prime factorization of p - 1, the rank of the matrices used in the protocol, and the Chinese remainder theorem. However, the complexity of this attack depends on the rank of the key matrices, and certain keys remain robust against it. In this work, we refine the attack to ensure the recovery of the secret shared key in polynomial time in all cases. Numerical results obtained using Magma with the recommended parameters show that the secret shared key can be recovered significantly faster than with the previously proposed attack. Furthermore, the polynomial-time attack remains feasible even when the previously proposed attack is computationally impractical. The second key agreement protocol we analyze is Lizama’s noninvertible key exchange protocol (ni-KEP), which is based on modular arithmetic over the residue ring ℤ/4rℤ. It has been previously claimed that recovering a secret shared key requires an exhaustive search. However, we propose a polynomial-time recovery attack by leveraging the properties of modular arithmetic computations. Numerical experiments conducted on Lizama’s ni-KEP using Magma with recommended key sizes confirm that the secret shared key can be recovered within a short time. In both protocols, the secret shared key can be recovered in polynomial time by creating a system of linear equations on a residue ring obtained from public information.

Collision-Resistant and Pseudorandom Hashing Modes of Compression Functions

This paper presents two novel keyed hashing modes, KHC1 and KHC2, designed to construct hash functions that guarantee both collision resistance and pseudorandomness. These modes employ compression functions alongside unique encoding schemes, enabling efficient handling of variable-length inputs. The proposed constructions achieve collision resistance, provided that the underlying compression function satisfies the extended notion of collision resistance, which ensures that it is intractable to find distinct input pairs whose output difference falls within a small set. They are also proven to be secure pseudorandom functions (PRFs) under the assumption that the underlying compression function is a secure PRF under related-key attacks. They accept a 256-bit key as input and guarantee 128-bit security against quantum key recovery when instantiated with the SHA-256 compression function. Furthermore, we implemented KHC1 and KHC2 instantiated with the SHA-256 compression function and evaluated their performance. The results confirm that both constructions achieve the efficiency expected by the theoretical evaluation and outperform HMAC-SHA-256 for short messages.

Lyubashevsky’s Signature Has Multi-User Security under Adaptive Corruptions and Key Leakages

We consider the multi-user security under the adaptive corruptions and key leakages (MU^c&l security) for lattice-based signatures. There already exists an MU^c&l secure signature based on a number-theoretic assumption, or a leakage-resilient lattice-based signature in the single-user setting. However, MU^c&l secure lattice-based signature is not known. We examine the existing lattice-based signature schemes from the viewpoint of MU^c&l security. We find that the security of the Lyubashevsky’s signature, which is proven to have the ordinary single-user security only, can be extended to the multi-user security even if we take into account the adaptive corruptions and the key leakages. Our security proof in the multi-user setting makes use of the feature of the SIS problem so that a SIS instance is set to the public parameter and a reduction algorithm can set a public key with a secret key in order to answer a corruption query. We also show that the entropy of the secret key is kept under the bounded leakage with a high probability and then the leakage resilience of signature holds.

Efficient Accuracy Evaluation Methods for Lattice-Based Fuzzy Extractors and Fuzzy Signatures

Fuzzy Extractors (FEs) and Fuzzy Signatures (FSs) are promising primitives for realizing online biometric authentication with Biometric Template Protection (BTP). To realize better authentication accuracy, lattice-based FEs and FSs have been studied. To apply them to biometric authentication, one has to determine the lattice scale to an appropriate value because it affects accuracy as well as the threshold in ordinary matching schemes. To find such an appropriate scale, one has to evaluate accuracy at various scales using a dataset. A simple method might be to change the scale to various values and repeat the matching for all pairs, but it is inefficient. The matching process includes solving the Closest Vector Problem (CVP), so when we evaluate accuracy for k scales using the dataset including P pairs, the simple method has to solve CVP kP times. In this paper, we propose a method to obtain accuracy for almost all scales without solving CVP. The proposed method computes the distance induced by the Minkowski functional of the Voronoi region, which we call the lattice distance, for each pair only once. Furthermore, in the case of a triangular lattice, we give a Θ(n) time algorithm for computing the lattice distance. Experimental analysis for the triangular lattice shows that accuracy for almost all scales can be obtained by the proposed method in a shorter time than the time required for obtaining accuracy for one scale by the simple method. We also show that accuracy at the remaining scales can be obtained by additionally solving CVP only once for each pair.

On the Implications from Updatable Encryption to Public-Key Cryptographic Primitives

Updatable encryption (UE) is a special type of symmetric-key encryption (SKE) that allows a third party to update ciphertexts while protecting plaintexts. Alamati et al. (CRYPTO 2019) showed a curious connection between UE and public-key encryption (PKE) that PKE can be constructed from UE. This implication result is somewhat surprising since it is well-known that PKE cannot be constructed from (ordinary) SKE in a black-box manner. In this paper, we continue to study the relationships between UE and other cryptographic primitives to obtain further insights into the existence and power of UE, and assumptions required for it. More specifically, we introduce some security properties that are natural to consider for UE (and are indeed satisfied by some existing UE schemes), and then investigate what types of public-key cryptographic primitives can be constructed from UE with the additional properties. Specifically, we show the following results: (1) 2-round oblivious transfer (OT) can be constructed from UE that satisfies the oblivious samplability of original ciphertexts (i.e. those generated by the ordinary encryption algorithm, as opposed to those generated by the ciphertext-update algorithm) and the oblivious samplability of update tokens (that are used for updating ciphertexts), (2) 3-round OT can be constructed from UE with the oblivious samplability of updated ciphertexts (i.e. those generated by the ciphertext-update algorithm), (3) Lossy encryption and PKE secure against selective-opening attacks can be constructed from UE if it satisfies what we call statistical confidentiality of original ciphertexts, (4) IND-CPA secure PKE can be constructed from another variant of UE, ciphertext-dependent UE, if its algorithm to generate an update token is deterministic.

Updatable Encryption Secure against Randomness Compromise

Updatable encryption (UE) allows a third-party server to update outsourced encrypted data without exposing keys and plaintexts. The server can update ciphertexts to ones under a new key using an update token provided by the client. UE can realize efficient key rotation and is effective against key compromise. The standard security notions of UE capture the property that even if keys or update tokens are compromised, the confidentiality of messages is maintained by the key update and ciphertext update. In general, the randomnesses used in the encryption and ciphertext update algorithms must be kept secret in the same way as the keys. On the other hand, while key compromise is considered in existing security notions, randomness compromise is not. In this paper, we define a new security notion for UE, IND-UE-R security, that is resilient to the compromise of randomnesses used to generate or update ciphertexts. Furthermore, we prove that the UE construction RISE (EUROCRYPT’18) satisfies our proposed security notion.

Multi-Key Homomorphic Encryption with Threshold Re-Encryption via (Replicated) Additive Secret Sharing

Fully homomorphic encryption (FHE) is a cryptographic scheme that allows users to perform arbitrary arithmetic operations over plaintexts by operations (called homomorphic operations) on ciphertexts without decryption. A multi-key FHE (MK-FHE) can perform homomorphic operations on ciphertexts encrypted with different encryption keys. In MK-FHE schemes, to decrypt a ciphertext encrypted with different users’ keys, users having the corresponding decryption keys run a threshold decryption, which is a combination of each user’s partial decryption and merging of their results. However, it has a drawback that the merging process requires communication and hence these users must be online during the process. Moreover, the computation and communication costs grow when the number of involved users increases. There is a previous work to overcome this issue by applying the idea of proxy re-encryption (PRE), where a proxy can convert a multi-key ciphertext, using re-encryption keys given by the key holders, into a ciphertext decryptable by a single receiver’s decryption key. However, a collusion of only an adversarial receiver and the single proxy can reveal the original user’s decryption key. To resolve the issue, we propose a new framework of MK-FHE with threshold PRE. Here we introduce N proxies performing re-encryption in threshold manner; now the adversarial receiver needs to collude with all of the N proxies, which becomes more difficult than the previous single-proxy case. We also propose an instantiation based on the BFV scheme and prove its security. In addition, we implement our scheme and measure the running time of its algorithms.

Generic Construction of Forward-Secure Chameleon Hash Function

Chameleon Hash Function (CH) is a hash function with a public and secret key pair. CH is collision-resistant for users without a secret key, while users with a secret key can find collisions in hash values. Chameleon Hash has been used in various cryptographic schemes, including online/offline signatures by Shamir et al. and blockchain modification by Ateniese et al. However, once the secret key is exposed in CH, its collision resistance is lost, and the security of all existing CH-based methods cannot be guaranteed. In this paper, we propose a generic Forward-Secure CH scheme, capable of converting any given CH into a Forward-Secure CH (FSCH) through the implementation of forward-secure encryption techniques. The security of the proposed protocol is reduced to Forward-Secure collision resistance, meaning that even if the current secret key is compromised, it ensures that collisions involving past hash values cannot be exploited or detected.

Giant Footprint Sharing: A Memory-Efficient Decryption Implementation for Classic McEliece

Classic McEliece has gathered attention as a candidate in NIST post-quantum cryptography standardization. However, it suffers from high demands on the decryption algorithm, making it unsuitable for resource-constrained devices. In this paper, we propose a novel implementation method, named giant footprint sharing, that reduces memory size during decryption in Classic McEliece. The decryption algorithm processes a large number of intermediate variables computed from a secret key in memory. The giant footprint sharing identifies the largest variable among them and allocates a memory-sharing structure to store it, thereby reducing the overall memory size regardless of the implementation platform. The giant footprint sharing can also be combined with existing acceleration techniques, such as fast Fourier transformation. We evaluate Classic McEliece with the giant footprint sharing on the Arm Cortex-M33 CPU and show that it reduces memory size by up to 46% without significant degradation in computation time compared with the existing fast-implementation by Chen et al. (at TCHES 2021). Extensive experiments with the giant footprint sharing further reveal that it maintains a constant memory size regardless of the compiler optimization, and it also achieves an optimal balance in the trade-off between memory size and computation time. The giant footprint sharing is remarkable for any scheme, that contains a large-scale matrix computation and the life cycle for each variable is limited.

Advancing DFA on Ascon: A Practical Key-Recovery Attack Using Bit-Flip Faults

With the rapid expansion of the Internet of Things (IoT), ensuring robust security for resource-constrained devices has become essential. Many IoT devices operate in environments with significant security threats, necessitating lightweight yet effective cryptographic solutions. To address this need, the National Institute of Standards and Technology has selected Ascon as the standard for lightweight cryptography due to its efficient round-based processing. Since its introduction, extensive cryptanalysis and security evaluations have been conducted, including assessments of resistance to side-channel and fault attacks. Differential Fault Analysis has been applied to Ascon, with previous research introducing a two-step fault model that combines bit-flip and bit-set faults for key recovery. The previous study introduced a two-step fault model: the attacker first retrieves the lower 64 bits of the secret key with bit-flip faults and then uses bit-set/bit-reset faults to obtain the upper 64 bits of the key. However, in practice, we would not choose the bit-set or bit-reset fault depending on the target devices with a low precision in controlling the fault. In this regard, fault analysis based on bit-flip faults is preferable because it enables key-recovery attacks regardless of the bit-set or bit-reset fault. This paper proposes a new key-recovery fault attack that relies solely on bit-flip faults, eliminating the bit-set/reset fault assumptions. Additionally, we evaluate the theoretical relationship between the number of random bit-flips injected and the reduced keyspace using a probabilistic model based on the coupon collector problem. Through this approach, we assess the feasibility and complexity of our proposed attack, demonstrating its effectiveness against Ascon in a realistic adversarial setting.

Toward Cost-Effective Combined Countermeasures: Multiplicative Masked M&M

With the advancement of hardware security, combined attacks incorporating side-channel analysis (SCA) and fault analysis (FA) have driven the development of combined countermeasures. However, these countermeasures often incur significant overhead. In this paper, we propose a method to reduce the randomness requirement while maintaining security claims. We demonstrate the approach with Masks & Macs (M&M), a scheme that integrates Boolean masking and MAC tag redundancy to provide protection against SCA and differential fault analysis (DFA), addressing its substantial overhead, particularly the high randomness requirement. We introduce a novel multiplicative masking scheme to partially replace Boolean masked modules, achieving a reduction of over 50% in randomness requirement with a minor increase in FPGA resource overhead and latency. Through both theoretical and practical analyses, we prove that our approach maintains the same security claims against SCA, FA, and combined attacks as the original M&M-AES. Additionally, we discuss the feasibility of low-cost countermeasures against statistical ineffective fault attacks (SIFA). This work provides a new perspective on enhancing combined countermeasures by reducing system overhead.

Clarifying CPU Vendor’s Responsibilities for Remote Attestation with Intel SGX

Intel Software Guard eXtensions (SGX) allows users to confirm the confidentiality and integrity of running programs on cloud platforms by remote attestation. SGX has recently adopted the new remote attestation, ECDSA Attestation, and will abolish the previous one, EPID Attestation. ECDSA Attestation enables third parties to build their own verification environment. However, its high degree of freedom obscures the boundary of responsibility between the CPU vendor and third parties regarding ECDSA Attestation. This paper clarifies the scope of responsibility for Intel, the developer of SGX, in ECDSA Attestation. To achieve this, we compared each component of ECDSA Attestation and EPID Attestation. Our analysis revealed that Intel is no longer responsible for the entire verification process but is instead limited to distributing signed data. Furthermore, we demonstrate that modifying DCAP does not violate responsibility boundaries in ECDSA Attestation. To the best of our knowledge, this study is the first to highlight the necessity of discussing the scope of responsibility in TEE.

Decentralized Federated Learning Using Blockchain with Token Allocation Based on Contribution of Model Updates

The architecture of federated learning poses several challenges, including the centralization of authority in the central server and the potential for severe disruptions to the entire training process caused by server failure. To address these challenges, decentralized federated learning has been proposed, in which the role of the central server is replaced by coordination among nodes. However, correct operation of the nodes is crucial for effectively training the machine learning model in the decentralized federated learning setting. In this paper, we propose a blockchain-based decentralized federated learning method that incorporates a reward allocation mechanism based on evaluating the contribution of each node to the update of global model. The proposed method employs smart contracts on a blockchain to facilitate consensus formation among nodes, enabling appropriate local model training while allocating rewards in the form of tokens to nodes that contribute to the training process. Furthermore, the method addresses the issue of free-riding, where nodes attempt to earn rewards without contributing to the update of global model, by detecting such nodes and preventing them from receiving rewards. Our intensive simulation results demonstrate that the proposed approach ensures sufficient rewards for nodes that behave honestly while restricting rewards for malicious nodes that attempt to exploit the system as free riders.

Privacy-Preserving Inference of Machine Learning Models without Retraining

This work investigates the application of fully homomorphic encryption (FHE) to privacy-preserving machine learning, specifically focusing on reproducing traditional models and reusing existing parameters. Machine Learning as a Service (MLaaS) allows businesses to outsource machine learning tasks. However, ensuring data privacy in this context remains a significant challenge. Although many works propose a solution to this problem, none of them simultaneously meet our goal of security, privacy, consistency with existing architectures, and backward compatibility with existing training parameters. To tackle this issue, this research proposes a non-interactive, fully homomorphic encryption-based system for executing convolutional neural networks (CNNs) privately, ensuring that data remains encrypted throughout the entire process. The proposed system effectively manages homomorphic operations’ restrictions and computational overhead. Experimental results demonstrate the robustness of the proposed system, achieving a high agreement with the plaintext model with only a minimal drop in accuracy on the CIFAR-10 and ImageNet datasets. These results highlight the minimal impact of encryption noise on model performance.

Adversarial Examples on Vertical Federated Split Learning by Using Gradient Sign Prediction

Vertical federated split learning (VFSL) is a technique in which multiple clients and a single server cooperate to train a deep neural network model. In VFSL, the DNN model is split between the clients and the server. They exchange intermediate features and gradients of the loss at the split boundary to perform both training and inference. This approach enables effective model training while preserving data confidentiality, as it avoids directly sharing input data and labels directly. In this paper, we investigate an adversarial examples (AEs) generation attack in a VFSL setting, where clients and the server continue to collaborate during the inference phase. Specifically, a malicious attacker, who is one of the clients, manipulates the intermediate feature sent to the server so that it behaves as AEs to mislead the inference results. To generate AEs, the attacker needs to obtain the gradient of the loss (calculated from the inference result and the ground-truth label) with respect to the intermediate feature. However, during inference, the server does not transmit gradients. Accordingly, the attacker trains an attack model using the intermediate features and gradients available during the training phase, which is then used to estimate the sign of the gradient from the target intermediate feature during inference. A variant of the fast gradient sign method (FGSM) algorithm is used to generate AEs. Our experimental results demonstrate that the generated AEs significantly degrade inference accuracy compared to perturbations generated by random noise.

Card-Based Arithmetic Operations Using Integer Commitments and Their Application to Statistical Data Aggregation

Card-based cryptography enables players to compute logical and arithmetic operations securely, such as bitwise AND and addition of integers. Several multiparty computation protocols and zero-knowledge proof protocols utilizing these secure computations have been developed as its applications. However, the realization of an efficient protocol for an arithmetic operation other than addition and subtraction remains an open problem. This paper proposes card-based protocols, based on integer commitment, for multiplication, division, and square root. Compared to general constructions for protocols for these operations based on binary integer commitment, the proposed protocols exhibit superior simplicity and efficiency. Furthermore, these protocols introduce novel applications for card-based cryptography to secure statistical data aggregation.

Efficient Card-Based Protocols for Basic Arithmetic Operations

Card-based cryptography studies the problem of representing the functionality and security of cryptographic primitives visually by using physical cards, to demonstrate their security properties for those who are unfamiliar with cryptography. In this study, we propose efficient card-based protocols for secure computation of the four basic arithmetic operations (addition, subtraction, multiplication, and division). Existing protocols for securely performing these operations on ℓ-bit integers either require an exponential number of card manipulations in ℓ or need Ω(ℓ) additional cards. The proposed protocols simultaneously resolves these drawbacks for the first time by achieving a polynomial number of card manipulations in ℓ while requiring only a constant number of additional cards. The construction of our protocols is based on the long-hand algorithms for each of the four arithmetic operations. The technical novelty lies in demonstrating that the number of additional cards can be kept constant by freeing the cards representing intermediate values that are no longer needed during the process.

Card-Based Zero-Knowledge Proof Protocols for Pancake Sorting

Assume that, given a sequence of n integers from 1 to n arranged in random order, we want to sort them, provided that the only acceptable operation is a prefix reversal, which means to take any number of integers (sub-sequence) from the left of the sequence, reverse the order of the sub-sequence, and return them to the original sequence. This problem is called “pancake sorting,” and sorting an arbitrary sequence with the minimum number of operations restricted in this way is known to be NP-hard. In this paper, we consider applying the concept of zero-knowledge proofs to the pancake sorting problem. That is, we design card-based zero-knowledge proof protocols in which a user (the prover) who knows how to sort a given sequence with ℓ operations can convince another user (the verifier) that the prover knows this information without divulging it.

Efficient Card-Based Protocols with a Standard Deck of Playing Cards Using Partial Opening

Card-based protocols are cryptographic protocols that use a deck of physical cards. In this paper, we deal with card-based protocols using a standard deck of playing cards, which are commonly and commercially available. For finite-runtime committed-format protocols, Mizuki (CANS 2016) proposed an eight-card AND protocol with four random bisection cuts and a six-card COPY protocol with one random bisection cut. In this paper, we propose a partial-open action, which reveals any position of the face of cards, by generalizing the half-open action introduced by Miyahara and Mizuki (IJTCS-FAW 2022). Using the partial-open action, we propose four-card AND protocols with three random cuts, a four-card COPY protocol with three random cuts, and a four-card base conversion protocol with a random cut. We note that, without partial-open actions, these AND and COPY protocols with random cuts only are known to be impossible to construct using four cards. Therefore, the partial-open actions are inherently necessary to obtain our results.

On Hadamard-Type Matrices of Even Orders over Finite Fields

Hadamard-type matrix on GF(p) is a square matrix H that have its elements on GF(p) and satisfies HH^T = nI under modulo p, where n represents the order of the matrix and I is an identity matrix. Any additions and multiplications should be executed under modulo p. It has been shown that the order of an arbitrary Hadamard-type matrix of odd order is limited to a quadratic residue of a given prime p. In this study, we show that it is possible to generate a Hadamard-type matrix of any even order.

Improving Multi-Level Flash Memory with SHare Coding for Faster and More Efficient Data Access

Flash memory is gaining prominence in modern storage systems due to its ability to provide large-capacity and high-speed data access. Multi-level flash memory, which stores multiple bits per cell, has become particularly important for increasing storage density. However, this technology faces a significant challenge: as the number of bits per cell increases, more read threshold voltages are required, resulting in slower access speeds. Previous work by Sharon et al. introduced random input-output (RIO) codes to address this issue by reducing the number of read thresholds to one. While RIO codes successfully improve read speeds, they sacrifice storage capacity compared to conventional uncoded multi-level flash memory. To overcome these limitations, we propose SHare Coding (SHC), a novel multi-cell coding scheme that maintains maximum storage efficiency while reducing the number of required read thresholds. We demonstrate that our proposed SHC enables single-read operation for multi-level cell (MLC) flash memory using three cells, achieving both high speed and full storage capacity. Furthermore, we provide a formal definition of SHC and present a comprehensive error rate analysis, showing that the bit error rates of SHC are comparable to those of conventional MLC systems. Our results indicate that SHC offers a practical solution for improving flash memory performance without compromising storage capacity.

Upper Bounds on Error Probability for Linear Codes with Mismatched Decoding Using Decision Feedback Scheme

If the channel matrix is unknown or there are constraints on the hardware implementation, decoding may use a different metric from the actual one. This kind of decoding is called mismatched decoding. In this paper, upper bounds on the error probability are derived for the ensemble of linear codes using decision feedback (ARQ) with mismatched decoding by Forney’s rule (FR). FR uses a maximum likelihood codeword and determines whether the received sequence is decoded or the retransmission is requested. We also derive their Shulman and Feder type bounds, which give a single-letter expression of a lower bound on the error exponent.

End-to-End Machine-Learning-Aided Signature Code for Multi-Access Rayleigh Fading Channel

Signature codes are widely used for user identification (UI) and channel estimation (CE) in wireless networks due to their high spectral efficiency. To design an effective signature matrix exploiting prior information, we propose an end-to-end machine-learning-aided signature code (ML-SC) system. The ML-SC system comprises an encoder based on binarized neural networks (BNNs) and a decoder based on a modified trainable iterative soft-thresholding algorithm (TISTA). The BNNs efficiently handle the trainable discrete signature matrix, while the modified TISTA enables support for a large number of users with enhanced performance under Rayleigh fading channels. Our simulation results demonstrate that the proposed ML-SC system maintains scalability across different matrix dimensions. With this scalability advantage, the ML-SC achieves consistent performance improvements. The signature matrix generated by the ML-SC system, which we refer to as the ML-signature matrix, yields superior decoding performance compared to randomly generated and deterministic binary matrices, demonstrating an effective SNR gain of approximately 2.5-5 dB compared to conventional approaches. We also verify that the proposed ML-signature matrix demonstrates strong compatibility with various prevalent decoding methods. Furthermore, we confirm significant enhancement of the restricted isometry constant (RIC) for the ML-signature matrix, which provides theoretical support for the observed performance improvements.

On Pool Selection Criteria for Generating Quasi-Random Designs with Constant Pool Sizes in Non-Adaptive Group Testing

Group testing is a method for identifying defective items from a large set by performing a relatively small number of tests on subsets of items, called pools. The collection of pools are called designs. This work explores quasi-random designs, a hybrid approach that combines the practicality of random designs with the combinatorial advantages of deterministic designs. We provide a unified theoretical explanation for various pool selection criteria involving rows and columns of design matrices in the generation of quasi-random designs with constant pool sizes. By employing linear algebraic techniques, we offer insights into the essential differences between these criteria and demonstrate their efficient implementation, addressing several computational issues encountered in previous studies. Moreover, simulations show that quasi-random designs outperform traditional random designs in noiseless group testing, even with limited pool sizes, and that the criteria proposed by Hamada and Lu (ISITA 2024) deliver the best performance in most cases, achieving higher identification accuracy and greater stability compared to the other evaluated criteria.

Classification and Generation of the Hadamard-Type Matrices of Third Order over Finite Fields

Hadamard matrix is a square matrix where any components are -1 or +1, and where any pairs of rows are mutually orthogonal. On the other hand, Hadamard-type matrix on finite fields is a similar one, but has multi-valued components on finite fields. To be more specific, we consider n × n matrices H that have their elements on the given finite fields GF(p), and satisfy HH^T = nI under modulo p, where I is an identity matrix. Any additions and multiplications should be executed under modulo p. In the authors’ previous studies, some properties of Hadamard-type matrices on finite fields have been proven. For example, it has been shown that the order of a Hadamard-type matrix of odd order on GF(p) is limited to a quadratic residue of a given prime p. On the other hand, it is not clear how many and how various Hadamard-type matrices on GF(p) exist in general. In this paper, we count all possible Hadamard-type matrices on finite fields when the order n of a matrix is small. We also categorize Hadamard-type matrices into six different types when n = 3 and p = 11. In addition, we prove that for any prime p, a Hadamard-type matrix over GF(p) in each of the six types always exists if and only if the order ‘3’ is a quadratic residue of a given p.

Soft Binary Hypothesis Testing via Tunable Loss Functions

In this study, we investigate soft binary hypothesis testing using a random sample, wherein decisions are made based on a soft test function. To evaluate this test function, we introduce two classes of tunable loss functions and define generalized type I and II errors, as well as Bayesian errors. We analyze the trade-offs between these errors and establish asymptotic results that extend the Neyman-Pearson lemma, the Chernoff-Stein lemma, and Chernoff information in classical binary hypothesis testing.

Achievable Cost Region for Erasure of Distributed Information Using a Common Random Number

Confidential information held by companies and individuals is often stored on storage devices. When the migration or disposal of such devices is required, it is necessary to overwrite and erase the information from the devices. In order to avoid degradation or to reduce the erasure time, it is desirable to minimize the cost of information erasure, such as the number of overwriting locations. In this paper, we consider the case where confidential information is distributed and stored in multiple storage devices. To analyze the costs of information erasure for this setting, we consider the achievable cost region, i.e., the region of possible cost values. We then show that this region can be characterized using single-letter random variables of bounded cardinalities. Here, we assume that the confidential information is generated by a stationary memoryless source and that a common random number is available in storage devices for erasure.

An Explicit Construction of a Coded Caching Scheme with Heterogeneous Cache Sizes and Its Extension via Optimization

In the coded caching scheme proposed by Maddah-Ali and Niesen, we usually consider the setup where K users have respective cache memories of equal size and request an arbitrary one of N files to a server. The server multicasts a signal to all the users so that all the users can reproduce the files of their requests from the transmitted signal using the contents in their respective cache memories. Finding the memory-rate tradeoff is one of the fundamental problems in coded caching. In this paper, we consider the problem of centralized coded caching where K users have cache memories of heterogeneous sizes. We first give a new explicit construction of the coded caching scheme under a certain assumption on the cache sizes. The validity of the scheme is established theoretically. Next, we consider an extension of the scheme so that we can apply the scheme to general heterogeneous cache memories. We divide the N files into K + 1 portions and apply the proposed scheme to each portion in the most efficient way by solving a certain linear programming problem. We compare the memory-rate tradeoff of this optimized scheme with existing coded caching schemes.

Acceleration of ID-NIKS Based on Discrete Logarithm Problem by Parallelization of ρ Method Using Distinguished Point Method

In 1990’s, ID-based Non-Interactive Key Sharing Scheme (MK) based on the discrete logarithm problem over a composite number was proposed. In this letter, we propose an MK scheme with 𝒢-Numbers n = pq, where p - 1 and q - 1 consist of B-smooth prime factors. We implement the private-key computation using the ρ method with distinguished point method and Montgomery multiplications (DPMM-ρ method). We also parallelize the DPMM-ρ method using a server-client model and compare private key computation times between serial and parallel calculations.

Impossibility Bounds Using Conditional Rényi Entropy in Authentication Codes with Partially Leaked Key

In message authentication, we consider a situation where a sender transmits a message to a receiver through an insecure channel. In the insecure channel, there is a risk of impersonation or substitution by an adversary. Message authentication is a scheme to detect such attacks and to accept the message sent by the sender as legitimate. One of the research topics in message authentication is the estimation of limits on how small the probabilities of a successful attack can be. Previous research has shown impossibility bounds using Rényi entropy in the case where a shared key may be non-uniform. In this study, we consider a situation where the adversary has side-information that is correlated with a possibly non-uniform shared key, and investigate the impossibility using conditional Rényi entropy. In particular, we show that, in contrast to the previous research, impossibility bounds using conditional min-entropy do not hold in general. In addition, the success probabilities can be bounded in general using conditional collision entropy, and we show that the bound is the tightest in terms of conditional Rényi entropy.

Deep Unfolded Simulated Bifurcation for Massive MIMO Signal Detection

Recently, various Multiple-input multiple-output (MIMO) signal detectors based on deep learning techniques or quantum(-inspired) algorithms have been proposed to improve the detection performance compared with conventional detectors. This paper focuses on the simulated bifurcation (SB) algorithm, a quantum-inspired algorithm. This paper proposes two techniques to improve its detection performance. The first is modifying the algorithm inspired by the Levenberg-Marquardt algorithm to eliminate local minima of the maximum likelihood detection. The second is the use of deep unfolding, a deep learning technique to train the internal parameters of an iterative algorithm. We propose a deep-unfolded SB by making the update rule of SB differentiable. The numerical results show that these proposed detectors significantly improve the signal detection performance in massive MIMO systems.

Empirical Bayes Estimation for Lasso-Type Regularizers and Its Consistency

This paper focuses on linear regression models with non-conjugate sparsity-inducing regularizers such as lasso and group lasso. Although the empirical Bayes approach enables us to estimate the regularization parameter, little is known on the properties of the estimators. In particular, many aspects regarding the specific conditions under which the mechanism of automatic relevance determination (ARD) occurs remain unexplained. In this paper, we derive the empirical Bayes estimators for the group lasso regularized linear regression models with limited parameters. It is shown that the estimators diverge under a specific condition, giving rise to the ARD mechanism. In addition, we demonstrate that group lasso solutions with the empirical Bayes estimators yield characteristics similar to those of the adaptive lasso, suggesting that such solutions exhibit consistency. Furthermore, we prove their consistency in variable selection. We also prove that empirical Bayes methods can produce the ARD mechanism in general regularized linear regression models and clarify the conditions under which models such as ridge, lasso, and group lasso can do.

Offline Learning Approach for Deep-Unfolded MIMO Detector via Vector Similarity Search

This paper proposes a vector similarity search (VSS) based offline learning approach for the deep-unfolded multiple-input multiple-output (MIMO) detector. The VSS offline learning approach consists of an offline learning phase and a real-time detection phase. In the offline learning phase, trained parameters of the deep-unfolded MIMO detector are stored in a vector database with a feature vector extracted from the channel matrix. In the real-time detection phase, the detector parameters are retrieved from the database with similarity matching of the feature vector. The critical advantage of the proposal is that it can offload the training computational cost from the edge server to the training server. Numerical results indicate that the VSS offline learning provides appropriate convergence acceleration in almost all cases, and that it improves the robustness of the deep-unfolded MIMO detector in dynamic channel environments.

A Study on Predictor Variable-Dependent Model Selection for Minimizing the Bayes Risk of Prediction Error

Model selection is a critical step in data analysis and machine learning, particularly in prediction tasks where the true underlying model is rarely known. Although numerous techniques have been proposed, most traditional methods select the same model regardless of the predictor variables. In practice, however, predictor variables may be fully or partially available at the time of prediction, which is expected to improve predictive accuracy. In this paper, we present a novel model selection framework in which the chosen model varies depending on the values of the predictor variables based on statistical decision theory. We begin by defining a loss function that explicitly incorporates the predictor variables and then derive the corresponding Bayes risk function. Subsequently, we present an expression for model selection that minimizes this Bayes risk. Using the same procedure, we also define a loss function for the scenario in which predictor variables are unavailable and derive an expression that minimizes the Bayes risk in that setting. Building on these formulations, we establish a theorem for a model selection method that minimizes Bayes risk, enabling us to obtain explicit selection criteria under commonly used loss functions, including the logarithmic and squared error losses. Furthermore, by applying this theorem, we demonstrate a connection to the existing Procedure for Optimal Predictive Model Selection (POPMOS). In particular, we show that POPMOS — originally devised to minimize the Kullback-Leibler divergence between each model’s predictive distribution and the posterior predictive distribution — arises as a special case of our general Bayes risk minimization framework when the logarithmic loss function is employed. We validate the effectiveness of our approach through extensive simulations on synthetic data, demonstrating that our framework not only reduces prediction error but also compares favorably with current model selection techniques.

Probability Distribution on Rooted Trees: Generalization from Full Trees

The hierarchical and recursive expressive capability of rooted trees is applicable to represent statistical models in various areas, such as data compression, image processing, and machine learning. On the other hand, such hierarchical expressive capability causes a problem to avoid overfitting. One unified approach to solve this is a Bayesian approach, in which the rooted tree is regarded as a random variable and a direct loss function can be assumed on the selected model or the predicted value for a new data point. However, all the previous studies on this approach are based on the probability distribution on full trees, to the best of our knowledge. In this paper, we propose a generalized probability distribution for any rooted trees in which only the maximum number of child nodes and the maximum depth are fixed. Furthermore, we derive recursive methods to evaluate the characteristics of the probability distribution without any approximations.

Efficient Hardware Implementation of Robust Binary Neural Networks Using End-to-End Unipolar Representation

This paper presents a hardware-efficient binary neural network with end-to-end unipolar representation, which is robust to input noise and weight bit flipping. Leveraging stochastic encoding based on multiple-parallel-training strategy, the proposed design probabilistically converts raw inputs into unipolar representations to reduce the complexity of the input layer and achieve random modeling of input noise in training. Lightweight computational modules based on AND gates and adder trees, along with a trainable threshold mechanism, eliminate the need for complex normalization layers and nonlinear activation functions in previous designs and enhance robustness to bit flipping of weights. For the MNIST dataset, we implement a hardware prototype of the design on Xilinx FPGA to demonstrate superiority. Gaussian noise with variable standard deviation and random bit flipping are added to the input and weights respectively to simulate real-world uncertainty. Compared with other FPGA-based BNN implementations, the proposed design reduces at least 42% of Lookup Tables (LUTs) and 25% of power consumption while maintaining comparable classification accuracy with better noise resistance.

Small-Area CNN Inference Architecture with Bit-Serial Pipeline Datapath and Zero Skipping

In this paper, we propose applying bit-serial arithmetic units to reduce the circuit area of neural network inference engines. Additionally, we propose applying datapath pipelining and zero skipping to significantly reduce the required clock cycles. In recent years, studies have demonstrated the efficacy of neural networks in voice and image recognition applications; however, an extremely large number of multiply-and-accumulate operations are required in order to achieve high accuracy. Therefore, we explored the application of bit-serial arithmetic units to these operations to reduce circuit area. Bit-serial arithmetic is a method of sequentially calculating multi-bit data by inputting and outputting one bit at a time, which enables the reduction of the circuit area and amount of wiring. The disadvantage of this method is that it requires a large number of clock cycles. For example, a bit-serial multiplier with an input of N bits requires 2N cycles. In this study, pipeline processing and zero skipping were applied to reduce the required clock cycles. Zero skipping reduces the required clock cycles by skipping the calculation of an input activation when the value of that activation is zero. We propose two methods of zero skipping: reactive zero skipping, which checks whether activation is zero before the bit-serial operation starts, and proactive zero skipping, which reads ahead, examining subsequent memory locations, during the bit-serial operation and skips all consecutive zeros in one step. The effectiveness of zero skipping is highly dependent on the ratio of zeros in the input activation. In a convolutional neural network (CNN) that uses a rectified linear unit (ReLU) as the activation function, the input activation of the second and subsequent convolution layers has a high ratio of zeros. To further increase sparsity and improve the effectiveness of zero skipping, we propose setting the dropout rate during training as high as possible without affecting the recognition accuracy. We implemented a CNN using the proposed bit-serial arithmetic units and a CNN using conventional parallel arithmetic units, and compared their performances. The former exhibited a 22.9% smaller circuit area than the latter. In addition, the increase in the number of required clock cycles was limited to 2.12 times, and the clock period was reduced by 47.4%, resulting in a 7.8% reduction in runtime.

Nested-Pipeline Delta-Stepping Scalable FPGA Accelerator for Parallel Single-Source Shortest Path with High-Level Synthesis

Delta-Stepping is a parallel algorithm commonly used to solve Single Source Shortest Path (SSSP) problems in graph benchmarks like Graph500. Although it is highly effective for very large graphs (over one billion edges), its advantages greatly diminish for medium-to-large graphs (around 100,000 to 10 million edges). Moreover, Delta-Stepping’s complex bucket structure makes hardware implementation challenging, resulting in few hardware accelerators for this algorithm. In this paper, we propose a Delta-Stepping hardware accelerator using a nested pipeline structure designed with High-Level Synthesis (HLS), supporting up to 32 parallel units. Our design simplifies the handling of nested loops and resource conflicts. Simulation results show frequency improvements of 1.19× to 3.07× compared to traditional accelerators based on Dijkstra or Bellman-Ford algorithms. Our approach achieves a self-speedup of 17.63× at 32 parallelism. Compared to previous FPGA implementations, our accelerator provides up to 11.77× higher performance. Furthermore, it achieves a speedup of up to 23.08× compared to software-based Delta-Stepping implementations, enabling Delta-Stepping to be effectively applied to a wider range of practical graph processing tasks.

Design Parameter Modeling for Design Space Exploration of Real-Time HDR Synthesis on FPGA

In this paper, we propose and discuss design parameter modeling for design space exploration of real-time high dynamic range (HDR) synthesis on FPGA. HDR synthesis is a technique to produce an image with wider dynamic range from multiple camera images with different exposures. Mertens et al. proposed an adaptable HDR synthesis method based on visual criteria, which works without knowledge of exposure times and camera-specific parameters. Our research group has proposed an fully-pipelined FPGA implementation of the simplified Mertens’ method, whose low latency is suitable for real-time applications such as autonomous vehicle systems. It has two major design parameters which affect a quality of HDR synthesis: the number of input images and the number of image pyramid layers. Typically, finding the best combination of the two parameters under the given resource constraints of a target FPGA device is a difficult task requiring repeated runs of time-consuming logic synthesis process. Therefore, we propose a mathematical model to estimate resource usage of the HDR synthesis system to accelerate design space exploration. Since Block RAM (BRAM) is the most dominant resource of the system, we focus on a BRAM usage in this model. Comparison results targeting a Zynq UltraScale+ MPSoC FPGA reveal the usefulness of the proposed model for efficient design space exploration. Though the model has some estimation error due to the granularity of BRAM, the error is predictable since it mainly depends on two parameters (bit width and image width) which are independent of the parameters to be explored. Under the typical setting, for example, the error is approximately 12.5% and almost constant. We also conduct design space exploration considering a quality of HDR synthesis based on the Multi-Exposure Fusion Structural Similarity index (MEF-SSIMd), suggesting that a 6-input, 7-layer configuration provides the best trade-off between resource usage and HDR synthesis quality under the given constraints.

TGSyn: Transformer Guided Topology-based Exact Synthesis for Majority-Inverter Graphs

Exact synthesis is a method to find an optimal circuit that meets the specification. SAT-based exact synthesis is commonly used for its ability to allow for a more versatile approach to addressing synthesis requirements. However, the runtime of SAT-based exact synthesis is very long and unpredictable to check all possible structures. Recently, topology-based exact synthesis methods have been studied to reduce the runtime of exact synthesis, where all structures are classified into sub-classes of topologies and each sub-class is checked using a simpler Conjunctive Normal Form separately. There is a freedom on the order of topologies to be checked, and we found that the Transformer is effective to decide the order. This paper proposes a Transformer-guided topology-based exact synthesis method (TGSyn) to achieve better time efficiency. A Transformer model is used to predict the success probability of synthesis for each topology in topology-based exact synthesis, and the order is decided based on the predicted probability to accelerate the synthesis process. The proposed Transformer-based model achieves 98.56% of top-15 categorical accuracy. To evaluate the TGSyn, we used subgraphs in MIG with 3 to 5 inputs in EPFL and ISCAS’85 benchmarks using cut enumeration. The TGSyn reduces the runtime of the exact synthesis of 19,148 circuits by 64.02% compared with a method without Transformer guiding.

Complexity and Exact Solution of Set-Pair Routing Problem

This paper focuses on the set-pair routing problem. The contributions of this paper are as follows: 1) proving the NP-hardness of the set-pair routing problem; and 2) presenting an Integer Linear Programming (ILP) formulation addressing the set-pair routing problem. The proposed method outputs the optimal solution for the benchmarks within the practical run-time.

ReRAM Resistance Design of LRS and HRS for Ultrahigh-Capacity Digital Memory and Analog Computation-in-Memory

This paper proposes a ReRAM resistance design for ultrahigh-capacity digital memory and analog Computation-in-Memory (CiM). The read-out current of the bit-line is degraded by the interconnection resistance of the bit-line due to IR drop. The bit-line current formulation reveals that the ReRAM resistance should be set as high as 1.0 × 10⁵ Ω for the high-capacity digital ReRAM memory. In addition, the ReRAM resistance of LRS and HRS is designed as 1.0 × 10⁵ Ω and 1.0 × 10⁹ Ω for the high-capacity analog ReRAM CiM.

A Multiple Target Seed Generation Method for Random Pattern Resistant Faults on Built-In Self-Test

In recent years, Built-In Self-Test (BIST) techniques have been widely used to reduce manufacturing test cost in large scale integrated circuits. However, it is difficult to achieve complete fault coverage on BIST, which uses pseudo-random test patterns, due to the presence of random pattern resistant faults. One-pass seed generation methods for a single target fault using satisfiability problem have been proposed as an efficient seed generation method. However, to target a single fault might require many seeds to obtain complete fault coverage. We propose a multiple target seed generation method for random pattern resistant stuck-at faults on BIST using pseudo-Boolean optimization and a compatible fault set to achieve complete fault coverage with the smaller number of seeds. The number of seeds is reduced by maximizing the number of detected faults per seed. Experimental results for ISCAS’89 benchmark circuits and ITC’99 benchmark circuits show that the proposed method could reduce the number of seeds by 49.69% on average and by 76.72% on maximum.

Coefficient Sensitivity Analysis for Lattice and Direct Form Based State-Space Descriptions of a Second-Order Notch Digital Filter

This paper analyzes coefficient sensitivity for state-space descriptions of a second-order recursive notch digital filter. To this end, second-order recursive notch digital filters are realized by a lattice-form or direct-form based state-space description. The coefficient sensitivities for each state-space description are then analyzed to derive the improved l₂-sensitivity measure. Moreover, adaptive recursive notch digital filters are presented by the lattice-form or direct-form based description. Finally, the coefficient sensitivity of the lattice-form based state-space description is compared with that of the direct-form based counterpart by means of numerical experiments. The simulation results clarify that the lattice-form based state-space description has much lower improved l₂-sensitivity than the direct-form based counterpart.