Survey and Benchmark of Block Ciphers for Wireless Sensor Networks
- ACM Transactions on Sensor Networks, 2004
Cited by 41 (0 self)
Choosing the most storage- and energy-efficient block cipher specifically for wireless sensor networks (WSNs) is not as straightforward as it seems. To our knowledge so far, there is no systematic evaluation framework for the purpose. In this paper, we have identified the candidates of block ciphers suitable for WSNs based on existing literature.
The state of cryptographic hash functions
- In Lectures on Data Security: Modern Cryptology in Theory and Practice, LNCS 1561, 1999
Unforgeable encryption and chosen ciphertext secure modes of operation
- In FSE '00, 1978
Cited by 28 (1 self)
Abstract. We find certain neglected issues in the study of private-key encryption schemes. For one, private-key encryption is generally held to the same standard of security as public-key encryption (i.e., indistinguishability) even though usage of the two is very different. Secondly, though the importance of secure encryption of single blocks is well known, the security of modes of encryption (used to encrypt multiple blocks) is often ignored. With this in mind, we present definitions of a new notion of security for private-key encryption called encryption unforgeability which captures an adversary’s inability to generate valid ciphertexts. We show applications of this definition to authentication protocols and adaptive chosen ciphertext security. Additionally, we present and analyze a new mode of encryption, RPC (for Related Plaintext Chaining), which is unforgeable in the strongest sense of the above definition. This gives the first mode provably secure against chosen ciphertext attacks. Although RPC is slightly less efficient than, say, CBC mode (requiring about 33 % more block cipher applications and having ciphertext expansion of the same amount when using a block cipher with 128-bit blocksize), it has highly parallelizable encryption and decryption operations.
An authentication protocol in a security layer for RFID smart tags
- Stiftung Secure Information and Communication Technologies SIC, 2004
Cited by 15 (1 self)
This article presents a proposal for an authentication protocol for Radio Frequency Identification (RFID) smart tags. RFID tags are microchips attached to products to identify them contactlessly, during production or in use, via radio frequency. Cryptographic authentication is necessary to protect branded goods from forgery. Existing protocols do not include cryptographic authentication mechanisms. Therefore, a new approach for authentication is proposed in this paper. Because of the limited computing power, low die-size, and low-power requirements, a two-way challenge-response authentication scheme is used. Packet and frame formats are presented to include the new approach in the existing protocol, which is defined in the ISO/IEC 18000 standard. To verify this approach, Java models at different abstraction levels were implemented. The hardware implementation was done in VHDL for an FPGA target device to get a fast prototype.
Does Encryption with Redundancy Provide Authenticity?
- In Advances in Cryptology — EUROCRYPT 2001, B. Pfitzmann, Ed., Lecture Notes in Computer Science, 2001
Cited by 15 (5 self)
A popular paradigm for achieving privacy plus authenticity is to append some “redundancy” to the data before encrypting. We investigate the security of this paradigm at both a general and a specific level. We consider various possible notions of privacy for the base encryption scheme, and for each such notion we provide a condition on the redundancy function that is necessary and sufficient to ensure authenticity of the encryption-with-redundancy scheme. We then consider the case where the base encryption scheme is a variant of CBC called NCBC, and find sufficient conditions on the redundancy functions for NCBC encryption-with-redundancy to provide authenticity. Our results highlight an important distinction between public redundancy functions, meaning those that the adversary can compute, and secret ones, meaning those that depend on the shared key between the legitimate parties.
Cryptanalysis of Block Ciphers Based on SHA-1 and MD5
- Fast Software Encryption, LNCS 2887, T. Johansson, Ed., Springer-Verlag, 2003
Cited by 4 (0 self)
We cryptanalyse some block cipher proposals that are based on dedicated hash functions SHA-1 and MD5. We discuss a related-key attack against SHACAL-1 and present a method for finding “slid pairs” for it. We also present simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher.
Collision and Preimage Resistance of the Centera Content Address
- 2005
Cited by 4 (0 self)
Centera uses cryptographic hash functions as a means of addressing stored objects, thus creating a new class of data storage referred to as CAS (content addressed storage). Such hashing serves the useful function of providing a means of uniquely identifying data and providing a global handle to that data, referred to as the Content Address or CA. However, such a model begs the question: how certain can one be that a given CA is indeed unique? In this paper we describe fundamental concepts of cryptographic hash functions, such as collision resistance, preimage resistance, and second-preimage resistance. We then map these properties to the MD5 and SHA-256 hash algorithms, which are used to generate the Centera content address. Finally, we present a proof of the collision resistance of the Centera Content Address.
PMAC: Proposal to NIST for a parallelizable message authentication code
- 2001
Cited by 2 (0 self)
accounting. PMAC uses ⌈|M|/n⌉ block-cipher invocations for any nonempty message M. (The empty string takes one block-cipher invocation.) We compare with the CBC MAC: the "basic" CBC MAC, which assumes that the message is a nonzero multiple of the block length and which is only secure when all messages to be MACed are of one fixed length, uses the same number of block cipher calls: |M|/n. The version of the CBC MAC described in [10], which removes the two restrictions just mentioned, uses the same number of calls as PMAC, ⌈|M|/n⌉. Obligatory padding (to support short-final-block messages) and standard methods to process the final block (double or triple encryption, to achieve security across variable-length messages) can raise the number of block-cipher calls to as much as ⌈(|M| + 1)/n⌉ + 2. Thus PMAC saves between 0 and 3 block-cipher calls compared to the various versions of the CBC MAC. As with any mode, there is further overhead beyond the block-cipher calls. Per block, this overhead is about three n-bit xor operations plus associated logic. The work for this associated logic will vary according to whether or not one precomputed L(i)-values, whether or not there is an ntz() instruction available, and on other factors. Though some of the needed L(i)-values are likely to be pre-computed, calculating these values "on the fly" is not too expensive. Starting with 0^n we form successive offsets by xoring the previous offset with L, 2
Proposal to NIST for a block-cipher mode of operation which simultaneously provides privacy and authenticity
- 2001
Cited by 1 (0 self)
accounting. OCB uses ⌈|M|/n⌉ + 2 block-cipher calls for a nonempty message M. (The empty string takes three block-cipher invocations, the same as a one-block message.) We compare with CBC encryption and CBC encryption plus a CBC MAC:
FPGA Implementation of MD5 Hash Algorithm
- 2001
In information security, message authentication is an essential technique to verify that received messages come from the alleged source and have not been altered. A key element of authentication schemes is the use of a message authentication code (MAC). One technique to produce a MAC is based on using a hash function and is referred to as an HMAC. Message Digest 5 (MD5) is one of the algorithms which has been specified for use in Internet Protocol Security (IPSEC) as the basis for an HMAC. The input message may be arbitrarily large and is processed in 512-bit blocks by executing 64 steps involving the manipulation of 128-bit blocks. There is an increasing interest in high-speed cryptographic accelerators for IPSEC applications such as Virtual Private Networks. As we shall show in the paper, it is reasonable to construct cryptographic accelerators using hardware implementations of HMACs based on a hash algorithm such as MD5. Two different architectures of MD5, iterative and full loop unrolling, have been implemented using Field Programmable Gate Arrays (FPGAs). The performance of these implementations is discussed.