1. New Block Cipher for Ultra-Compact Hardware   BeeM みかか A. Satoh K. Aoki

2. SCIS2006 Rapid Growth of RFID market

3. SCIS2006 Security for RFID Security is very important for radio communication, but there is no room for cryptography in RFIDs We need More room! AES-16 for ultra-compact hardware is proposed Bear (unpackaged) RFID chips

4. SCIS2006 Architecture of AES-16 AES AES-16 Data ： 128 bits → 16 bits Key : 128 bits → 16 bits  AES-16 uses the design concept of AES  All the basic components are shrunk down to 1/8

5. SCIS2006 S-box Comparison AES AES-16 = 8-bit S-box defined over GF(2 8 ) is replaced by 1-bit S-box over GF(2)! S-box can be implemented as one inverter!

6. SCIS2006 Performance comparison AlgorithmSizeFrequencyThroughput AES-161.0 Kgates1 GHz1.6 Gbps AES5.4 Kgates131 MHz311 Mbps AES-16 achieved １ / ５ gates with x5 throughput  Sizes and speeds were evaluated by using a 0.13- um ASIC library

7. SCIS2006 Secure against Power Analysis A switching probability highly dependent on the input data pattern is the key for DPA success Very low power S-box with 100% switching probability gives no clue for DPA

8. SCIS2006 Secure against Cache Attack Cache attack measures the operating time depending on cache hit or miss to estimate the secret data MPU has enough cache memory for a 1-bit S-box table Cash Hit Cash Miss

9. SCIS2006 Provably secure against differential cryptanalysis Security Assessment of AES-16 All candidates show the same differential probability Why? Because, it’s linear Because, it’s linear Gotcha! It’s a liner Provably secure against Linear cryptanalysis, Higher-order differential attack, S QUARE attack, Boomerang attack, Truncated linear attack, etc.

10. SCIS2006 Conclusion  Ultra compact and high-speed H/W  Astonishing linear 1-bit S-box  Probably secure against all the side channel attacks and all the conventional cryptanalysis Tip-top cryptographers never speak about trivial brute force attack 16-bit block cipher AES-16