Results 1 - 10 of 19
Authenticated encryption: Relations among notions and analysis of the generic composition paradigm
2000
Cited by 172 (18 self)
SWATT: SoftWare-based ATTestation for Embedded Devices
- In Proceedings of the IEEE Symposium on Security and Privacy
2004
Cited by 99 (15 self)
We expect a future where we are surrounded by embedded devices, ranging from Java-enabled cell phones to sensor networks and smart appliances. An adversary can compromise our privacy and safety by maliciously modifying the memory contents of these embedded devices. In this paper, we propose a SoftWare-based ATTestation technique (SWATT) to verify the memory contents of embedded devices and establish the absence of malicious changes to the memory contents. SWATT does not need physical access to the device's memory, yet provides memory content attestation similar to TCG or NGSCB without requiring secure hardware. SWATT can detect any change in memory contents with high probability, thus detecting viruses, unexpected configuration settings, and Trojan Horses. To circumvent SWATT, we expect that an attacker needs to change the hardware to hide memory content changes.
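The attestation round the abstract describes, as an added simulation that is not the SWATT authors' code: the verifier sends a fresh nonce, the device walks its memory in a nonce-derived pseudo-random order and folds every visited cell into a checksum, and the verifier recomputes the checksum over the image it expects the device to hold. The PRG (SHA-256 in counter mode), the 64-bit mixing step, the constructed 256-cell firmware image and the iteration count are assumptions made for this example. What a simulation cannot show is the timing side: real SWATT also measures how long the device takes to answer, because an attacker who keeps the genuine code elsewhere and redirects each memory read pays a per-access penalty, which is why the abstract expects a hardware change to be needed to defeat it.

```python
"""Simplified software-attestation round in the style of SWATT (added example)."""
import hashlib
import math

MEM_SIZE = 256                  # cells in the constructed device memory
MASK64 = (1 << 64) - 1
ODD_MULT = 0x9E3779B97F4A7C15   # assumed odd multiplier for the mixing step


def expected_image() -> bytes:
    """Constructed firmware image that the verifier knows byte for byte."""
    return bytes((i * 37 + 11) & 0xFF for i in range(MEM_SIZE))


def prg(nonce: bytes, count: int):
    """Yield `count` 32-bit words from SHA-256 in counter mode (assumed PRG)."""
    counter = 0
    while count > 0:
        block = hashlib.sha256(nonce + counter.to_bytes(4, "big")).digest()
        for i in range(0, 32, 4):
            if count == 0:
                break
            yield int.from_bytes(block[i:i + 4], "big")
            count -= 1
        counter += 1


def traversal(nonce: bytes, iterations: int, mem_size: int = MEM_SIZE) -> list:
    """Addresses the device visits for this nonce, in order."""
    return [r % mem_size for r in prg(nonce, iterations)]


def swatt_checksum(memory: bytes, nonce: bytes, iterations: int) -> int:
    """Pseudo-random traversal with a chained, invertible per-step mix.

    Each step is a bijection on the 64-bit state, so once a modified cell
    has perturbed the checksum the difference is carried to the end.
    """
    c = 0
    for r in prg(nonce, iterations):
        cell = memory[r % len(memory)]
        c ^= cell ^ (r & 0xFF)          # fold in the cell, masked by a PRG byte
        c = (c * ODD_MULT) & MASK64     # odd multiply: invertible, spreads bits upward
        c ^= c >> 29                    # xorshift: invertible, spreads bits downward
    return c


def verify(reported: int, nonce: bytes, iterations: int) -> bool:
    """Verifier side: the reported value must match the checksum of the expected image."""
    return reported == swatt_checksum(expected_image(), nonce, iterations)


def miss_probability(mem_size: int, iterations: int) -> float:
    """Probability that one given cell is never visited after `iterations` random draws."""
    return (1.0 - 1.0 / mem_size) ** iterations


def coverage_iterations(mem_size: int) -> int:
    """m*ln(m) draws (coupon-collector bound) leave a given cell unvisited with probability about 1/m."""
    return math.ceil(mem_size * math.log(mem_size))


if __name__ == "__main__":
    nonce = hashlib.sha256(b"constructed nonce").digest()[:8]
    n = coverage_iterations(MEM_SIZE)
    clean = swatt_checksum(expected_image(), nonce, n)
    print("clean device accepted:", verify(clean, nonce, n))

    # Attacker flips one bit in a cell that this nonce actually visits.
    tampered = bytearray(expected_image())
    tampered[traversal(nonce, n)[0]] ^= 0x01
    bad = swatt_checksum(bytes(tampered), nonce, n)
    print("tampered device accepted:", verify(bad, nonce, n))
    print(f"{n} iterations; P[a cell is never visited] = {miss_probability(MEM_SIZE, n):.4f}")
```

The iteration count matters: with m·ln m draws roughly one cell in m is still unvisited, so a modification that happens to sit in an unvisited cell survives that round; the fresh nonce in the next round changes the traversal, and more iterations shrink the miss probability geometrically.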
Differential-Linear Attacks against the Stream Cipher Phelix
- In Proc. FSE 2007, LNCS
2006
Cited by 9 (0 self)
The previous key recovery attacks against Helix obtain the key with about 2^88 operations using chosen nonces (reusing nonce) and about 1000 adaptively chosen plaintext words (or 2^35.6 chosen plaintext words). The stream cipher Phelix is the strengthened version of Helix. In this paper we apply differential-linear cryptanalysis to recover the key of Phelix. With 2^34 chosen nonces and 2^37 chosen plaintext words, the key of Phelix can be recovered with about 2^41.5 operations.
Goutis, “Comparison of the Hardware Implementation of Stream Ciphers”
- accepted for publication in The International Arab Journal of Information Technology (IAJIT), Colleges of Computer and Information Society
2005
Cited by 4 (2 self)
In this paper, the hardware implementations of five representative stream ciphers are compared in terms of performance and consumed area in an FPGA device. The ciphers used for the comparison are A5/1, W7, E0, RC4 and Helix. The first three have been used for the security part of well-known standards, especially wireless communication protocols. The Helix cipher is a recently introduced fast, word-oriented stream cipher. The W7 algorithm has recently been proposed as a more trustworthy solution for GSM, due to the security problems concerning A5/1. The designs were implemented in VHDL, and an FPGA device was used for the hardware implementation. The implementation results illustrate the hardware performance of each stream cipher in terms of throughput-to-area ratio. This ratio is 5.88 for A5/1, 1.26 for W7, 0.21 for E0, 2.45 for Helix and 0.86 for RC4.
A new class of single cycle t-functions
- Fast Software Encryption (Lecture Notes in Computer Science, Springer-Verlag) 3557
2005
Cited by 4 (1 self)
A T-function is a relatively new cryptographic building block suitable for stream ciphers. It has the potential of becoming a substitute for LFSRs, and those that correspond to maximum-length LFSRs are called single-cycle T-functions. We present a previously unknown family of single-cycle T-functions. An attempt at building a hardware-oriented stream cipher based on this new T-function is given.
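The two properties the abstract relies on, checked in code (an added example, not code from the paper): a T-function is a word mapping in which output bit i depends only on input bits 0..i, and a single-cycle T-function is a permutation of all 2^n words forming one cycle, so iterating it from any seed visits every word, the analogue of a maximum-length LFSR (whose period is 2^n - 1). The concrete mapping below is the classic Klimov-Shamir construction x -> x + (x^2 | C) mod 2^n, which is single-cycle exactly when C mod 8 is 5 or 7; it stands in for the paper's new family, which the abstract does not give. The exhaustive checks are only practical for small n and are meant to make the definitions concrete.

```python
"""Single-cycle T-functions checked exhaustively for small word sizes (added example)."""


def t_function_ks(x: int, n: int, c: int) -> int:
    """Klimov-Shamir mapping x -> x + (x*x | c) mod 2^n (stand-in for the paper's family)."""
    mask = (1 << n) - 1
    return (x + ((x * x) | c)) & mask


def is_t_function(f, n: int) -> bool:
    """Triangular property: inputs that agree on bits 0..i give outputs that agree on bits 0..i."""
    size = 1 << n
    outputs = [f(x) for x in range(size)]
    for i in range(n):
        low = (1 << (i + 1)) - 1        # mask selecting bits 0..i
        seen = {}
        for x in range(size):
            out = outputs[x] & low
            if seen.setdefault(x & low, out) != out:
                return False
    return True


def cycle_length(f, n: int, seed: int = 0) -> int:
    """Length of the cycle through `seed`, or 0 if the orbit never returns (f not a permutation)."""
    limit = 1 << n
    x = f(seed)
    length = 1
    while x != seed:
        if length >= limit:
            return 0
        x = f(x)
        length += 1
    return length


def is_single_cycle(f, n: int) -> bool:
    """One cycle through all 2^n words: the T-function analogue of a maximum-length LFSR."""
    return cycle_length(f, n) == (1 << n)


def bit_period(f, n: int, bit: int, seed: int = 0) -> int:
    """Minimal period of state bit `bit` along the orbit of `seed` (orbit assumed of length 2^n)."""
    size = 1 << n
    seq, x = [], seed
    for _ in range(size):
        seq.append((x >> bit) & 1)
        x = f(x)
    for p in range(1, size + 1):
        if size % p == 0 and all(seq[t] == seq[(t + p) % size] for t in range(size)):
            return p
    return size


if __name__ == "__main__":
    n = 8
    for c in (1, 3, 5, 7):
        f = lambda x, c=c: t_function_ks(x, n, c)
        print(f"C={c}: T-function={is_t_function(f, n)}, single cycle={is_single_cycle(f, n)}")
    f5 = lambda x: t_function_ks(x, n, 5)
    # In a single-cycle T-function the low bits are weak: bit 0 alternates with period 2,
    # only the top bit runs through the full period 2^n, so a cipher must not output low bits.
    print("period of bit 0:", bit_period(f5, n, 0), " period of bit 7:", bit_period(f5, n, 7))
```

The bit-period check is the practical caveat for anyone building a stream cipher on such a function: the low-order bits of a single-cycle T-function have tiny periods (bit 0 simply alternates), so only the high-order bits carry the full 2^n period and the output filter has to be chosen accordingly.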
Attack the Dragon
- Progress in Cryptology - INDOCRYPT 2005, Lecture Notes in Computer Science
2005
Cited by 4 (0 self)
Dragon is a word-oriented stream cipher submitted to the ECRYPT project; it operates on key sizes of 128 and 256 bits. The original idea of the design is to use a nonlinear feedback shift register (NLFSR) and a linear part (counter), combined by a filter function to generate a new state of the NLFSR and produce the keystream. The internal state of the cipher is 1088 bits, i.e., no kind of TMD attack is applicable. In this paper we present two statistical distinguishers that distinguish Dragon from a random source, both requiring around O(2 ) words of the keystream. In the first scenario the time complexity is around O(2 ) with memory complexity O(2 ), whereas the second scenario needs only O(2 ) of time, but O(2 ) of memory. The attack is based on a statistical weakness introduced into the keystream by the filter function F. This is the first paper presenting an attack on Dragon, and it shows that the cipher does not provide full security when a key of size 256 bits is used.
Two Trivial Attacks on Trivium
Cited by 4 (0 self)
Trivium is a stream cipher designed in 2005 by C. De Cannière and B. Preneel for the European project eSTREAM. It has successfully passed the first phase of the project and has been selected for a special focus in the second phase for the hardware portfolio of the project. Trivium has an internal state of size 288 bits and a key of length 80 bits. Although the design has a simple and elegant structure, no attack on it has been found yet. In this paper we study a class of Trivium-like designs. We propose a set of techniques that one can apply in the cryptanalysis of such constructions. The first group of methods is for recovering the internal state and the secret key of the cipher, given a piece of known keystream. Our attack is more than 2^30 faster than the best known attack. Another group of techniques allows one to gather statistics on the keystream and to build a distinguisher. We study two designs: the original design of Trivium and a truncated version, Bivium, which follows the same design principles as the original. We show that the internal state of the full Trivium can be recovered in time around c · 2^83.5, and for Bivium this complexity is c · 2^36.1. These are the best known results for these ciphers. Moreover, a distinguisher for Bivium with working time 2^32 is presented, the correctness of which has been verified by simulations.
Comparison of the Hardware Architecture and FPGA Implementation of Stream Cipher
- Electronics, Circuits and Systems, 2004. ICECS 2004. Proceedings of the 2004 11th IEEE International Conference, 2004
Cited by 2 (0 self)
In this paper, the hardware implementations of five representative stream ciphers are compared in terms of performance and consumed area. The ciphers used for the comparison are A5/1, W7, E0, RC4 and Helix. The first three have been used for the security part of well-known standards. The Helix cipher is a recently introduced fast, word-oriented stream cipher. The W7 algorithm has been proposed as a more trustworthy solution, due to the security problems that occurred concerning the strength of A5/1. The designs were coded in VHDL, and an FPGA device was used for the hardware implementation. The implementation results illustrate the hardware performance of each cipher in terms of throughput-to-area ratio. This ratio is 5.88 for A5/1, 1.26 for W7, 0.21 for E0, 2.45 for Helix and 0.86 for RC4.
A fast and provably secure MAC
- In Applied Cryptography and Network Security: Third International Conference, ACNS 2005
2005
Cited by 2 (0 self)
We present Badger, a new fast and provably secure MAC based on universal hashing. In the construction, a modified tree hash that is more efficient than standard tree hashing is used and its security is proven. Furthermore, in order to derive the core hash function of the tree, we use a novel technique for reducing ∆-universal function families to universal families. The resulting MAC is very efficient on standard platforms both for short and long messages. As an example, for a 64-bit tag, it achieves up to 2.2 and 1.3 clock cycles per byte on a Pentium III and Pentium 4 processor, respectively. The forgery probability is at most 2^−52.2.
FPGA Implementations of eSTREAM Phase-2 Focus Candidates with Hardware Profile
Cited by 2 (0 self)
Efficient cryptographic implementations are a fundamental factor in the achievement and dissemination of new computerized applications. In some recent environments with (very) limited resources such as smart cards, sensor networks or RFID tags, standard algorithms may not be completely adapted. Consequently, the design of new solutions for low-cost cryptography is sometimes necessary and is at least an interesting research direction. In this context, stream ciphers are usually believed to be an efficient alternative to block ciphers, because of a lower hardware (or even software) implementation cost. The eSTREAM research initiative was consequently established in order to investigate the possibility of building secure and efficient stream ciphers. Among a large number of submitted candidates, the project recently (September 2006) narrowed the “hardware profiled” stream ciphers to four focused candidates, namely Trivium, Grain-128, MICKEY-128 2.0 and Phelix. In this paper, we evaluate the hardware performance of these algorithms in the reconfigurable hardware Xilinx Virtex-II devices. Based on our implementations (which mainly confirm previous results), we discuss the respective interest of the focused candidates and suggest certain guidelines for their comparison.

