Survey and Benchmark of Block Ciphers for Wireless Sensor Networks - ACM Transactions on Sensor Networks, 2004
Cited by 41 (0 self)
Choosing the most storage- and energy-efficient block cipher specifically for wireless sensor networks (WSNs) is not as straightforward as it seems. To our knowledge so far, there is no systematic evaluation framework for the purpose. In this paper, we have identified the candidates of block ciphers suitable for WSNs based on existing literature.
PRESENT: An Ultra-Lightweight Block Cipher - the proceedings of CHES 2007, 2007
Cited by 33 (6 self)
With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, PRESENT. Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for PRESENT are competitive with today's leading compact stream ciphers.
Attacking Reduced-Round Versions of the SMS4 Block Cipher in the Chinese WAPI Standard
Cited by 3 (0 self)
SMS4 is a 32-round block cipher with a 128-bit block size and a 128-bit user key. It is used in WAPI, the Chinese WLAN national standard. In this paper, we present a rectangle attack on 14-round SMS4, and an impossible differential attack on 16-round SMS4. These are better than any previously known cryptanalytic results on SMS4 in terms of the numbers of attacked rounds.
Throughput/code size trade-off for stream ciphers
Cited by 2 (0 self)
The profile 1 submissions to the eSTREAM call for stream ciphers aim at achieving a high throughput in software. But, for embedded systems, the trade-off between the throughput and the code size is more critical. We here study the ROM footprints of several eSTREAM stream ciphers on an ARM920T processor. Most notably we propose some modifications in the implementations of several ciphers which lead to a better throughput/code size trade-off.
New Directions in Cryptanalysis of Self-Synchronizing Stream Ciphers
Cited by 2 (1 self)
In cryptology we commonly face the problem of finding an unknown key K from the output of an easily computable keyed function F(C, K) where the attacker has the power to choose the public variable C. In this work we focus on self-synchronizing stream ciphers. First we show how to model these primitives in the above-mentioned general problem by relating appropriate functions F to the underlying ciphers. Then we apply the recently proposed framework presented at AfricaCrypt'08 by Fischer et al. for dealing with this kind of problem to the T-function based self-synchronizing stream cipher proposed by Klimov and Shamir at FSE'05 and show how to deduce some non-trivial information about the key. We also open a new window for answering a crucial question raised by Fischer et al. regarding the problem of finding weak IV bits, which is essential for their attack. Key words: Self-synchronizing Stream Ciphers, T-functions, Key Recovery.
A New Attack against Khazad - in Proceedings of ASIACRYPT 2003
Cited by 1 (0 self)
Khazad is a new block cipher initially proposed as a candidate to the NESSIE project. Its design is very similar to Rijndael, although it is a 64-bit block cipher. In this paper, we propose a new attack that can be seen as an extension of the Square attack. It takes advantage of redundancies between the round key derivation and the round function, and also exploits some algebraic observations over a few rounds. As a result, we can break 5 rounds of Khazad faster than exhaustive key search. This is the best known cryptanalytic result against Khazad.
Security of a Wide Trail Design - Proceedings of Third International Conference on Cryptology in India, volume 2551 of LNCS
Cited by 1 (0 self)
The wide trail design strategy claims to design ciphers that are both efficient and secure against linear and differential cryptanalysis. Rijndael, the AES, was designed along the principles of this strategy. We survey the recent results on Rijndael and examine whether the design strategy has fulfilled its promise.
Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network
Cited by 1 (0 self)
Recently, a new kind of Generalized Unbalanced Feistel Network, denoted as GUFN-n, was proposed by Choy et al. at ACISP 2009. The advantages of this structure are that it allows parallel computations for encryption and it can provide provable security against traditional differential and linear cryptanalysis given that the round function is bijective. For this new structure, the designers also found a (2n − 1)-round impossible differential and a (3n − 1)-round integral distinguisher. In this paper, we study distinguishing attacks on GUFN-n. We find an n²-round integral distinguisher and show that it can be simply extended to an (n² + n − 2)-round higher-order integral distinguisher. Moreover, we point out that the n²-round integral distinguisher corresponds to an n²-round truncated differential with probability 1, based on which an impossible differential of up to (n² + n − 2) rounds can be constructed. At last, we describe a variant structure of GUFN-n, denoted as GUFN*-n, where the round function is F(x ⊕ K). For this variant structure, we present a new kind of n²-round non-surjective distinguisher and use it to attack GUFN*-n with very low data complexity.
Small-Footprint Block Cipher Design - How Far Can You Go?
With the establishment of the AES the need for new block ciphers has been greatly diminished; for almost all block cipher applications the AES is an excellent and preferred choice. However, despite recent implementation advances, the AES is not suitable for extremely constrained environments such as RFID tags and sensor networks. In this paper we describe an ultra-lightweight block cipher, PRESENT. Both security and hardware efficiency have been equally important during the design of the cipher and at 1570 GE, the hardware requirements for PRESENT are competitive with today's leading compact stream ciphers.
Strengthening Cryptosystems by Re-Keying, 1999
In light of the disturbing efficacy of the recently-discovered deletion attack of Knudsen and Mirza