
Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials (1999)

by E Biham, A Biryukov, Shamir
Venue: LNCS

Results 1 - 10 of 70

A Public-Key Infrastructure for Key Distribution in TinyOS Based on Elliptic Curve Cryptography

by David J. Malan, Matt Welsh, Michael D. Smith, 2004
Cited by 152 (1 self)
We present the first known implementation of elliptic curve cryptography over $\mathbb{F}_{2^p}$ for sensor networks based on the 8-bit, 7.3828-MHz MICA2 mote. Through instrumentation of UC Berkeley's TinySec module, we argue that, although secret-key cryptography has been tractable in this domain for some time, there has remained a need for an efficient, secure mechanism for distribution of secret keys among nodes. Although public-key infrastructure has been thought impractical, we argue, through analysis of our own implementation for TinyOS of multiplication of points on elliptic curves, that public-key infrastructure is, in fact, viable for TinySec keys' distribution, even on the MICA2. We demonstrate that public keys can be generated within 34 seconds, and that shared secrets can be distributed among nodes in a sensor network within the same, using just over 1 kilobyte of SRAM and 34 kilobytes of ROM.

Integral Cryptanalysis

by Lars Knudsen, 2001
Cited by 22 (3 self)
This paper considers a cryptanalytic approach called integral cryptanalysis.

Propagation Characteristics and Correlation-Immunity of Highly Nonlinear Boolean Functions

by Anne Canteaut, Claude Carlet, Pascale Charpin, Caroline Fontaine - EUROCRYPT 2000, Lecture Notes in Comp. Sci., 2000
Cited by 20 (6 self)
We investigate the link between the nonlinearity of a Boolean function and its propagation characteristics. We prove that highly nonlinear functions usually have good propagation properties regarding different criteria. Conversely, any Boolean function satisfying the propagation criterion with respect to a linear subspace of codimension 1 or 2 has a high nonlinearity. We also point out that most highly nonlinear functions with a three-valued Walsh spectrum can be transformed into 1-resilient functions.

A Tutorial on Linear and Differential Cryptanalysis

by Howard Heys, 2001
Cited by 17 (1 self)
In this paper, we present a detailed tutorial on linear cryptanalysis and differential cryptanalysis, the two most significant attacks applicable to symmetric-key block ciphers. The intent of the paper is to present a lucid explanation of the attacks, detailing the practical application of the attacks to a cipher in a simple, conceptually revealing manner for the novice cryptanalyst. The tutorial is based on the analysis of a simple, yet realistically structured, basic Substitution-Permutation Network cipher. Understanding the attacks as they apply to this structure is useful, as the Rijndael cipher, recently selected for the Advanced Encryption Standard (AES), has been derived from the basic SPN architecture. As well, experimental data from the attacks is presented as confirmation of the applicability of the concepts as outlined.

Crypto for Tiny Objects

by David Malan, 2004
Cited by 15 (1 self)
This work presents the first known implementation of elliptic curve cryptography for sensor networks, motivated by those networks' need for an efficient, secure mechanism for shared cryptographic keys' distribution and redistribution among nodes. Through instrumentation of UC Berkeley's TinyOS, this work demonstrates that secret-key cryptography is already viable on the MICA2 mote. Through analyses of another's implementation of modular exponentiation and of its own implementation of elliptic curves, this work concludes that public-key infrastructure may also be tractable in 4 kilobytes of primary memory on this 8-bit, 7.3828-MHz device.

FOX: a New Family of Block Ciphers

by Pascal Junod - Selected Areas in Cryptography - SAC 2004, LNCS 2595, 2004
Cited by 14 (3 self)
In this paper, we describe the design of a new family of block cipher, named FOX and designed upon the request of MediaCrypt AG [23]. The main features of this design, besides a very high security level, are a large flexibility in terms of use

Enhancing Differential-Linear Cryptanalysis

by Eli Biham, Orr Dunkelman, Nathan Keller - Advances in Cryptology - Asiacrypt’02, volume 2501 of LNCS, 2002
Cited by 13 (2 self)
Differential cryptanalysis analyzes ciphers by studying the development of differences during encryption. Linear cryptanalysis is similar but is based on studying approximate linear relations. In 1994, Langford and Hellman showed that both kinds of analysis can be combined together by a technique called differential-linear cryptanalysis, in which the differential part creates a linear approximation with probability 1. They applied their technique to 8-round DES. In this paper we present an enhancement of differential-linear cryptanalysis in which the inherited linear probability is smaller than 1. We use this extension to describe a differential-linear distinguisher for a 7-round reduced version of DES, and to present the best known key-recovery attack on a 9-round reduced version of DES. We use our enhanced technique to attack COCONUT98 with time complexity $2^{33.7}$ encryptions and $2^{27.7}$ chosen plaintexts.

SEA: A Scalable Encryption Algorithm for Small Embedded Applications

by François-xavier St, Gilles Piret, Neil Gershenfeld, Jean-jacques Quisquater - Smart Card Research and Applications, Proceedings of CARDIS 2006, LNCS, 2006
Cited by 11 (0 self)
Most present symmetric encryption algorithms result from a tradeoff between implementation cost and resulting performances. In addition, they generally aim to be implemented efficiently on a large variety of platforms. In this paper, we take an opposite approach and consider a context where we have very limited processing resources and throughput requirements. For this purpose, we propose low-cost encryption routines (i.e. with small code size and memory) targeted for processors with a limited instruction set (i.e. AND, OR, XOR gates, word rotation and modular addition). The proposed design is parametric in the text, key and processor size, allows efficient combination of encryption/decryption, “on-the-fly” key derivation and its security against a number of recent cryptanalytic techniques is discussed. Target applications for such routines include any context requiring low-cost encryption and/or authentication.

New Results on Boomerang and Rectangle Attacks

by Eli Biham, Orr Dunkelman, Nathan Keller - in Daemen and Rijmen [40
Cited by 11 (4 self)
The boomerang attack is a new and very powerful cryptanalytic technique. However, due to the adaptive chosen plaintext and ciphertext nature of the attack, boomerang key recovery attacks that retrieve key material on both sides of the boomerang distinguisher are hard to mount. We also present a method for using a boomerang distinguisher, which enables retrieving subkey bits on both sides of the boomerang distinguisher. The rectangle attack evolved from the boomerang attack. In this paper we present a new algorithm which improves the results of the rectangle attack.

Truncated Differentials and Skipjack

by Lars R. Knudsen, M. J. B. Robshaw, David Wagner - Advances in Cryptology: CRYPTO’99, LNCS 1666, 1999
Cited by 10 (4 self)
We consider a range of attacks on reduced-round variants of the block cipher Skipjack. In particular we concentrate on the role of truncated differentials and consider what insight they give us into the design and long-term security of Skipjack. An attack on the full 32 rounds of Skipjack remains elusive. However we give attacks on the first 16 rounds of Skipjack that can efficiently recover the key with about $2^{17}$ chosen plaintexts and an attack on the middle sixteen rounds of Skipjack which recovers the secret key using only two chosen plaintexts. Several high-probability truncated differentials are presented, the existence of which might best be described as surprising. Most notably, we show that the techniques used by Biham et al. can be presented in terms of truncated differentials and that there exists a 24-round truncated differential that holds with probability one.