48 research outputs found

    Analysis of the End-by-Hop Protocol for Secure Aggregation in Sensor Networks

    In order to save bandwidth and thus battery power, sensor network measurements are sometimes aggregated en-route while being reported back to the querying server. Authentication of the measurements then becomes a challenge if message integrity is important for the application. At ESAS 2007, the End-by-Hop protocol for securing in-network aggregation for sensor nodes was presented. The solution was claimed to be secure and efficient and to provide the possibility of trading off bandwidth against computation time on the server. In this paper, we disprove these claims. We describe several attacks against the proposed solution and point out shortcomings in the original complexity analysis. In particular, we show that the proposed solution is inferior to a naive solution without in-network aggregation both in security and in efficiency.

    On the Role of the Inner State Size in Stream Ciphers

    Many modern stream ciphers consist of a keystream generator and a key schedule algorithm. In fielded systems, security of the keystream generator is often based on a large inner state rather than an inherently secure design. Note, however, that little theory on the initialisation of large inner states exists, and many practical designs are based on an ad-hoc approach. As a consequence, an increasing number of attacks on stream ciphers exploit the (re-)initialisation of large inner states by a weak key schedule algorithm. In this paper, we propose a strict separation of keystream generator and key schedule algorithm in stream cipher design. A formal definition of inner state size is given, and lower bounds on the necessary inner state size are proposed. After giving a construction for a secure stream cipher from an insecure keystream generator, the limitations of such an approach are discussed. We introduce the notion of inner state size efficiency and compare it for a number of fielded stream ciphers, indicating that a secure cipher can be based on reasonable inner state sizes. Concluding, we ask a number of open questions that may give rise to a new field of research that is concerned with the security of key schedule algorithms.

    Cryptanalysis of LFSR-based Pseudorandom Generators - a Survey

    Pseudorandom generators based on linear feedback shift registers (LFSRs) are a traditional building block for cryptographic stream ciphers. In this report, we review the general idea behind such generators, as well as the most important techniques of cryptanalysis.

    On Cryptographic Properties of LFSR-based Pseudorandom Generators

    Pseudorandom generators (PRGs) are used in modern cryptography to turn a small seed into a long sequence of seemingly random bits. Many PRG designs are based on linear feedback shift registers (LFSRs), chosen so that they possess optimal statistical and period properties. This thesis discusses design principles and cryptanalytic attacks against LFSR-based PRGs. After giving a complete overview of existing cryptanalytic results, we introduce and analyse the dynamic linear consistency test (DLCT). The DLCT is a search-tree-based method that reconstructs the inner state of a PRG. We conclude the thesis with a discussion of the state size required for PRGs, giving lower bounds and examples from practice that illustrate what size secure PRGs must have.

    Dynamic curricular concepts for research orientated programs in optics and photonics

    Teaching and learning concepts that are adapted to the constantly evolving requirements of rapid technological progress are essential for teaching in media photonics technology. After the development of a concept for research-oriented education in optics and photonics, the next step will be a conceptual restructuring and redesign of the entire curriculum for education in media photonics technology. By including typical research activities as essential components of the learning process, a broad platform for practical projects and applied research can be created, offering a variety of new development opportunities.

    The suffix-free-prefix-free hash function construction and its indifferentiability security analysis

    In this paper, we observe that in the seminal work on indifferentiability analysis of iterated hash functions by Coron et al. and in subsequent works, the initial value (IV) of hash functions is fixed. In addition, these indifferentiability results do not depend on the Merkle–Damgård (MD) strengthening in the padding functionality of the hash functions. We propose a generic n-bit-iterated hash function framework based on an n-bit compression function called suffix-free-prefix-free (SFPF) that works for arbitrary IVs and does not possess MD strengthening. We formally prove that SFPF is indifferentiable from a random oracle (RO) when the compression function is viewed as a fixed input-length random oracle (FIL-RO). We show that some hash function constructions proposed in the literature fit in the SFPF framework while others that do not fit in this framework are not indifferentiable from an RO. We also show that the SFPF hash function framework with the provision of MD strengthening generalizes any n-bit-iterated hash function based on an n-bit compression function and with an n-bit chaining value that is proven indifferentiable from an RO.

    Cryptanalysis of ARMADILLO2

    ARMADILLO2 is the recommended variant of a multi-purpose cryptographic primitive dedicated to hardware which has been proposed by Badel et al. in [1]. In this paper, we describe a meet-in-the-middle technique relying on the parallel matching algorithm that allows us to invert the ARMADILLO2 function. This makes it possible to perform a key recovery attack when it is used as a FIL-MAC. A variant of this attack can also be applied to the stream cipher derived from the PRNG mode. Finally, we propose a (second) preimage attack when it is used as a hash function. We have validated our attacks by implementing the cryptanalysis on scaled variants. The experimental results match the theoretical complexities. In addition to these attacks, we present a generalization of the parallel matching algorithm, which can be applied in a broader context than attacking ARMADILLO2.

    Concrete Security for Entity Recognition: The Jane Doe Protocol (Full Paper)

    Entity recognition does not ask whether the message is from some entity X, just whether a message is from the same entity as a previous message. This turns out to be very useful for low-end devices. Motivated by an attack against a protocol presented at SAC 2003, the current paper proposes a new protocol, the "Jane Doe Protocol", and provides a formal proof of its concrete security. The protocol neither employs asymmetric cryptography, nor a trusted third party, nor any key pre-distribution. It is suitable for light-weight cryptographic devices such as sensor network motes and RFID tags.

    Badger - A Fast and Provably Secure MAC

    We present Badger, a new fast and provably secure MAC based on universal hashing. In the construction, a modified tree hash that is more efficient than the standard tree hash is used, and its security is proven. Furthermore, in order to derive the core hash function of the tree, we use a novel technique for reducing Δ-universal function families to universal families. The resulting MAC is very efficient on standard platforms both for short and long messages. As an example, for a 64-bit tag, it achieves performance of up to 2.2 and 1.2 clock cycles per byte on a Pentium III and Pentium 4 processor, respectively. The forgery probability is at most 2^{-52.2}.