Matthew J. B. Robshaw
Orange S.A.
Publications
Featured research published by Matthew J. B. Robshaw.
cryptographic hardware and embedded systems | 2011
Jian Guo; Thomas Peyrin; Axel Poschmann; Matthew J. B. Robshaw
We present a new block cipher LED. While dedicated to compact hardware implementation, and offering the smallest silicon footprint among comparable block ciphers, the cipher has been designed to simultaneously tackle three additional goals. First, we explore the role of an ultra-light (in fact non-existent) key schedule. Second, we consider the resistance of ciphers, and LED in particular, to related-key attacks: we are able to derive simple yet interesting AES-like security proofs for LED regarding related- or single-key attacks. And third, while we provide a block cipher that is very compact in hardware, we aim to maintain a reasonable performance profile for software implementation.
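The abstract's central design point, a cipher with no key schedule at all, is easiest to see in code. The following is an added implementation of LED-64 written from the CHES 2011 description; it is not the designers' reference code. The AddConstants column (0, 1, 2, 3) follows the conference version of the cipher, and a later revision also mixes the key length into that column, so compare the output against published test vectors before treating this as LED proper. The MixColumnsSerial matrix is built here as the fourth power of the serial matrix A, which is the hardware trick the abstract alludes to, and its inverse is built the same way from A's inverse.

```python
"""LED-64 block cipher, written from the CHES 2011 description as an added illustration
(not the designers' reference code). AddConstants uses the conference-version column
(0, 1, 2, 3); later revisions also fold the key length into that column."""

SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # PRESENT S-box
INV_SBOX = [SBOX.index(v) for v in range(16)]
ROUNDS, STEP = 32, 4  # LED-64: 8 steps of 4 rounds; the key is XORed before each step and at the end

def gf16_mul(a, b):
    """Multiplication in GF(2^4) modulo x^4 + x + 1 (the LED field)."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x10:
            a ^= 0x13
        b >>= 1
    return r & 0xF

def xor_sum(values):
    v = 0
    for t in values:
        v ^= t
    return v

def mat_mul(x, y):
    """4x4 matrix product over GF(2^4)."""
    return [[xor_sum(gf16_mul(x[i][k], y[k][j]) for k in range(4)) for j in range(4)] for i in range(4)]

# MixColumnsSerial: M = A^4 for a serial matrix A, so hardware only needs A's last row.
A = [[0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1], [4, 1, 2, 2]]
A_INV = [[0xD, 9, 9, 0xD], [1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0]]  # 0xD = 4^-1, 9 = 2 * 4^-1 in GF(2^4)
A2, A2_INV = mat_mul(A, A), mat_mul(A_INV, A_INV)
M, M_INV = mat_mul(A2, A2), mat_mul(A2_INV, A2_INV)

def round_constants(n):
    """6-bit LFSR rc5..rc0, stepped once per round: rc <- (rc << 1) | (rc5 ^ rc4 ^ 1)."""
    rc, out = 0, []
    for _ in range(n):
        rc = ((rc << 1) | (((rc >> 5) ^ (rc >> 4) ^ 1) & 1)) & 0x3F
        out.append(rc)
    return out

RC = round_constants(ROUNDS)

def to_cells(v):
    """64-bit int -> 16 nibbles filling the 4x4 state row by row (cell 0 = most significant)."""
    return [(v >> (60 - 4 * i)) & 0xF for i in range(16)]

def from_cells(cells):
    return int("".join("%x" % c for c in cells), 16)

def add_constants(s, rc):
    s = s[:]
    hi, lo = (rc >> 3) & 7, rc & 7
    for row in range(4):
        s[4 * row] ^= row                             # column 0: 0, 1, 2, 3
        s[4 * row + 1] ^= hi if row % 2 == 0 else lo  # column 1: rc5rc4rc3, rc2rc1rc0, alternating
    return s

def sub_cells(s, box):
    return [box[c] for c in s]

def shift_rows(s, d):
    """Rotate row i by i cells: d = 1 to the left (encryption), d = -1 to the right."""
    return [s[4 * row + (col + d * row) % 4] for row in range(4) for col in range(4)]

def mix_columns(s, mat):
    cols = [[s[4 * row + col] for row in range(4)] for col in range(4)]
    return [xor_sum(gf16_mul(mat[row][k], cols[col][k]) for k in range(4))
            for row in range(4) for col in range(4)]

def add_key(s, k):
    return [p ^ q for p, q in zip(s, k)]

def encrypt(pt, key):
    s, k = to_cells(pt), to_cells(key)
    for r in range(ROUNDS):
        if r % STEP == 0:
            s = add_key(s, k)  # the same 64-bit key at every step: there is no key schedule
        s = mix_columns(shift_rows(sub_cells(add_constants(s, RC[r]), SBOX), 1), M)
    return from_cells(add_key(s, k))

def decrypt(ct, key):
    k = to_cells(key)
    s = add_key(to_cells(ct), k)
    for r in reversed(range(ROUNDS)):
        s = add_constants(sub_cells(shift_rows(mix_columns(s, M_INV), -1), INV_SBOX), RC[r])
        if r % STEP == 0:
            s = add_key(s, k)
    return from_cells(s)
```

Because the key enters the state unchanged every four rounds, the round constants are the only thing separating one step from the next; that is why the abstract treats the constants and the related-key argument together rather than as independent concerns.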
cryptographic hardware and embedded systems | 2010
Lars R. Knudsen; Gregor Leander; Axel Poschmann; Matthew J. B. Robshaw
In this paper we consider some cryptographic implications of integrated circuit (IC) printing. While still in its infancy, IC-printing allows the production and personalisation of circuits at very low cost. In this paper we present two block ciphers PRINTcipher-48 and PRINTcipher-96 that are designed to exploit the properties of IC-printing technology and we further extend recent advances in lightweight block cipher design.
international cryptology conference | 1994
Burton S. Kaliski; Matthew J. B. Robshaw
We present a technique which aids in the linear cryptanalysis of a block cipher and allows for a reduction in the amount of data required for a successful attack. We note the limits of this extension when applied to DES, but illustrate that it is generally applicable and might be exceptionally successful when applied to other block ciphers. This forces us to reconsider some of the initial attempts to quantify the resistance of block ciphers to linear cryptanalysis, and by taking account of this new technique we cover several issues which have not yet been considered.
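The data reduction the abstract describes comes from using several linear approximations that all predict the same key parity and weighting each by its bias. The following added example (not the paper's own code) shows that on a one-round toy cipher C = S(P xor K) built from the 4-bit PRESENT S-box: it computes the linear approximation table, runs Matsui's Algorithm 1 with the single best approximation, and then runs the combined estimator. The toy cipher, the sample sizes and the seed are constructed for this example.

```python
"""Linear cryptanalysis with several approximations used together (the Kaliski-Robshaw
extension of Matsui's Algorithm 1), on a one-round toy cipher C = S(P xor K). Added
example, not the paper's code: the toy cipher, sample sizes and seed are constructed here,
and the 4-bit PRESENT S-box stands in for a real target."""
import random

SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]

def parity(v):
    return bin(v).count("1") & 1

def lat(sbox):
    """Linear approximation table: LAT[a][b] = #{x : a.x = b.S(x)} - 8, so the bias is LAT[a][b] / 16."""
    n = len(sbox)
    return [[sum(1 for x in range(n) if parity(a & x) == parity(b & sbox[x])) - n // 2
             for b in range(n)] for a in range(n)]

LAT = lat(SBOX)

def toy_encrypt(p, k):
    """Key addition then one S-box: a.P xor b.C = a.K holds with probability 1/2 + LAT[a][b]/16."""
    return SBOX[p ^ k]

def approximations(a):
    """All output masks b with non-zero bias for input mask a. Every one of them predicts
    the same key parity a.K, which is what lets them be combined."""
    return [(b, LAT[a][b] / 16) for b in range(1, 16) if LAT[a][b]]

def statistic(samples, a, b):
    """Algorithm 1 statistic: (#samples with a.P xor b.C = 0) / N - 1/2.
    Its expectation is +bias if a.K = 0 and -bias if a.K = 1."""
    zeros = sum(1 for p, c in samples if parity(a & p) == parity(b & c))
    return zeros / len(samples) - 0.5

def guess_single(samples, a):
    """Matsui: use only the single best approximation for mask a."""
    b, bias = max(approximations(a), key=lambda t: abs(t[1]))
    return 0 if statistic(samples, a, b) * bias > 0 else 1

def guess_combined(samples, a):
    """Kaliski-Robshaw: weight each approximation by its bias and add the statistics.
    The sum has expectation +/- sum(bias_i^2), so the data needed falls from about
    1/bias_max^2 to about 1/sum(bias_i^2) when the approximations behave independently."""
    total = sum(bias * statistic(samples, a, b) for b, bias in approximations(a))
    return 0 if total > 0 else 1

def data_reduction(a):
    """Heuristic factor by which combining reduces the data: sum(bias_i^2) / bias_max^2."""
    sq = [bias * bias for _, bias in approximations(a)]
    return sum(sq) / max(sq)

def experiment(a, n_samples, seed):
    """Known-plaintext run against a random key: (true a.K, single-approximation guess, combined guess)."""
    rng = random.Random(seed)
    key = rng.randrange(16)
    samples = [(p, toy_encrypt(p, key)) for p in (rng.randrange(16) for _ in range(n_samples))]
    return parity(a & key), guess_single(samples, a), guess_combined(samples, a)
```

The 1/sum(bias_i^2) figure is the paper's independence heuristic; on a cipher this small the approximations for one input mask are strongly correlated, so the factor reported by data_reduction is an upper bound on the real saving, which is exactly the kind of limit the abstract says the technique runs into on DES.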
cryptographic hardware and embedded systems | 2008
Andrey Bogdanov; Gregor Leander; Christof Paar; Axel Poschmann; Matthew J. B. Robshaw; Yannick Seurin
The security challenges posed by RFID-tag deployments are well-known. In response there is a rich literature on new cryptographic protocols and an on-tag hash function is often assumed by protocol designers. Yet cheap tags pose severe implementation challenges and it is far from clear that a suitable hash function even exists. In this paper we consider the options available, including constructions based around compact block ciphers. While we describe the most compact hash functions available today, our work serves to highlight the difficulties in designing lightweight hash functions and (echoing [17]) we urge caution when routinely appealing to a hash function in an RFID-tag protocol.
Archive | 2008
Matthew J. B. Robshaw; Olivier Billet
New Stream Cipher Designs: The eSTREAM Finalists (edited volume; this entry carries no abstract).
theory and application of cryptographic techniques | 1996
Lars R. Knudsen; Matthew J. B. Robshaw
By considering the role of non-linear approximations in linear cryptanalysis we obtain a generalization of Matsui's linear cryptanalytic techniques. This approach allows the cryptanalyst greater flexibility in mounting a linear cryptanalytic attack and we demonstrate the effectiveness of our non-linear techniques with some simple attacks on LOKI91. These attacks potentially allow for the recovery of seven additional bits of key information with less than 1/4 of the plaintext that is required using current linear cryptanalytic methods.
New Stream Cipher Designs | 2008
Matthew J. B. Robshaw
The origins of eSTREAM can be traced back to the 2004 RSA Data Security Conference. There, as part of the Cryptographers' Panel, Adi Shamir made some insightful comments on the state of stream ciphers. In particular, with AES [8] deployment being so widespread, Shamir wondered whether there remained a need for a stream cipher of dedicated design. As arguments against, one might observe that for most applications, the use of the AES in an appropriate stream cipher mode [9] frequently offers a perfectly adequate solution. Some also doubt our understanding of how best to design a dedicated stream cipher, a view somewhat supported by the lack of surviving stream ciphers in the NESSIE project [1]. However, as counter-arguments Shamir went on to identify two areas where a dedicated stream cipher might conceivably offer some advantage over block ciphers: (1) where exceptionally high throughput is required in software and (2) where exceptionally low resource consumption is required in hardware.
financial cryptography | 2008
Henri Gilbert; Matthew J. B. Robshaw; Yannick Seurin
The strikingly simple HB+ protocol of Juels and Weis [11] has been proposed for the authentication of low-cost RFID tags. As well as being computationally efficient, the protocol is accompanied by an elegant proof of security. After its publication, Gilbert et al. [8] demonstrated a simple man-in-the-middle attack that allowed an attacker to recover the secret authentication keys. (The attack does not contradict the proof of security since the attacker lies outside the adversarial model.) Since then a range of schemes closely related to HB+ have been proposed and these are intended to build on the security of HB+ while offering resistance to the attack of [8]. In this paper we show that many of these variants can still be attacked using the techniques of [8] and the original HB+ protocol remains the most attractive member of the HB+ family.
the cryptographers track at the rsa conference | 2007
Máire McLoone; Matthew J. B. Robshaw
When exploring solutions to some of the formidable security problems facing RFID deployment, researchers are often willing to countenance the use of a strong symmetric primitive such as the AES. At the same time it is often claimed that public key cryptography cannot be deployed on low-cost tags. In this paper we give a detailed analysis of the GPS identification scheme. We show that with regards to all three attributes of space, power, and computation time, the on-tag demands of GPS identification compare favourably to the landmark AES implementation by Feldhofer et al. Thus, assumed limits to implementing asymmetric cryptography on low-end devices may need to be re-evaluated.
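The reason GPS fits on a tag is visible in one line of the protocol: after the commitment is precomputed as a coupon, the tag's only work is the integer multiply-add y = r + s*c, with no modular reduction. The following is an added example of the coupon-based GPS exchange, not the authors' code; the prime modulus, generator and bit sizes are toy values chosen so the script runs instantly, and the sizes S_BITS, B_BITS and MARGIN follow the usual GPS rule |A| = |S| + |B| + 80 without being secure parameters here. It also shows why a coupon must never be used twice.

```python
"""GPS identification (Girault-Poupard-Stern) with precomputed coupons, as analysed for
RFID in the paper above. Added example, not the authors' code: the prime modulus, generator
and bit sizes below are toy values chosen so the script runs instantly, not secure parameters."""
import hashlib
import secrets

P = 2**127 - 1                           # toy modulus (the scheme is usually stated for an RSA modulus)
G = 3                                    # toy group element
S_BITS, B_BITS, MARGIN = 160, 32, 80     # |secret|, |challenge|, statistical margin: |A| = |S| + |B| + 80
A = 1 << (S_BITS + B_BITS + MARGIN)      # commitment exponents r are drawn from [0, A)

def commitment_hash(x):
    """Coupons store H(x) rather than x itself, which is what keeps them small on the tag."""
    return hashlib.sha256(x.to_bytes(16, "big")).digest()

def keygen():
    s = secrets.randbelow(1 << S_BITS)
    return s, pow(G, -s, P)              # public key I = g^(-s) mod P (modular inverse via pow, Python 3.8+)

def make_coupon():
    """Done off-tag (by the issuer, or in idle time): pick r, store (r, H(g^r))."""
    r = secrets.randbelow(A)
    return r, commitment_hash(pow(G, r, P))

class Tag:
    def __init__(self, s, coupons):
        self.s, self.coupons = s, list(coupons)
    def commit(self):
        self.r, h = self.coupons.pop()   # each coupon is used exactly once
        return h                          # tag -> reader
    def respond(self, c):
        return self.r + self.s * c        # the whole on-tag computation: one integer multiply-add

class Verifier:
    def __init__(self, I):
        self.I = I
    def challenge(self):
        self.c = secrets.randbelow(1 << B_BITS)   # reader -> tag
        return self.c
    def check(self, h, y):
        if not 0 <= y < A + (1 << B_BITS) * (1 << S_BITS):   # range check on the response
            return False
        x = pow(G, y, P) * pow(self.I, self.c, P) % P          # g^y * I^c = g^(r + sc) * g^(-sc) = g^r
        return commitment_hash(x) == h

def run_session(tag, verifier):
    h = tag.commit()
    c = verifier.challenge()
    y = tag.respond(c)
    return verifier.check(h, y)

def secret_from_reused_coupon(y1, c1, y2, c2):
    """Why a coupon is single-use: two responses sharing r give s = (y1 - y2) / (c1 - c2) exactly."""
    return (y1 - y2) // (c1 - c2)
```

All modular exponentiation sits on the verifier side; the tag stores a handful of (r, hash) pairs and performs one multiplication of a 160-bit secret by a 32-bit challenge plus one addition, which is the comparison against the AES implementation that the abstract draws.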
theory and application of cryptographic techniques | 2008
Henri Gilbert; Matthew J. B. Robshaw; Yannick Seurin
The innovative HB+ protocol of Juels and Weis [10] extends device authentication to low-cost RFID tags. However, despite the very simple on-tag computation there remain some practical problems with HB+, and despite an elegant proof of security against some limited active attacks, there is a simple man-in-the-middle attack due to Gilbert et al. [8]. In this paper we consider improvements to HB+ in terms of both security and practicality. We introduce a new protocol that we denote random-HB#. This proposal avoids many practical drawbacks of HB+, remains provably resistant to attacks in the model of Juels and Weis, and at the same time is provably resistant to a broader class of active attacks that includes the attack of [8]. We then describe an enhanced variant called HB# which offers practical advantages over random-HB#.
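The two HB-family abstracts above (the Financial Cryptography 2008 one on HB+ variants and this one on random-HB#) both turn on the man-in-the-middle attack cited as [8]. The following added example, not the papers' code, simulates HB+ with a tag and a reader, runs that attack (an adversary XORs one fixed bit into every challenge a of an authentication and watches whether the reader accepts, which leaks one bit of x per authentication), and then impersonates the tag with the recovered x by sending b = 0 so that y never matters. For comparison it also runs one round of random-HB#, where the secrets are matrices and the reader applies a single Hamming-weight threshold to an m-bit answer. The secret lengths, noise rate, round count and thresholds are toy values chosen so everything runs in well under a second.

```python
"""HB+ (Juels-Weis), the Gilbert-Robshaw-Sibert man-in-the-middle attack that recovers x,
and one round of random-HB#. Added example, not the papers' code: secret lengths, noise
rate, round count and acceptance threshold are toy values."""
import random

K, ETA, ROUNDS, THRESHOLD = 32, 0.1, 160, 40   # |x| = |y|, noise rate, rounds per authentication, max wrong answers

def dot(a, b):
    """Inner product over GF(2) of two equal-length bit lists."""
    return sum(p & q for p, q in zip(a, b)) & 1

def bits(rng, n):
    return [rng.getrandbits(1) for _ in range(n)]

class HBPlusTag:
    def __init__(self, x, y, rng):
        self.x, self.y, self.rng = x, y, rng
    def blinding(self):
        self.b = bits(self.rng, len(self.y))     # tag -> reader: random blinding vector b
        return self.b
    def answer(self, a):                         # tag -> reader: z = a.x xor b.y xor nu, nu ~ Bernoulli(ETA)
        noise = 1 if self.rng.random() < ETA else 0
        return dot(a, self.x) ^ dot(self.b, self.y) ^ noise

class HBPlusReader:
    def __init__(self, x, y, rng):
        self.x, self.y, self.rng = x, y, rng
    def authenticate(self, tag, flip=None):
        """ROUNDS rounds; `flip` models an active adversary XORing a fixed delta into every challenge."""
        wrong = 0
        for _ in range(ROUNDS):
            b = tag.blinding()
            a = bits(self.rng, len(self.x))      # reader -> tag: random challenge a
            delivered = [p ^ q for p, q in zip(a, flip)] if flip else a
            z = tag.answer(delivered)
            wrong += z ^ dot(a, self.x) ^ dot(b, self.y)
        return wrong <= THRESHOLD

def grs_recover_x(reader, tag):
    """Flipping bit i of every challenge adds x_i to every answer, so the run is accepted
    iff x_i = 0: about ETA*ROUNDS wrong answers when x_i = 0, about (1-ETA)*ROUNDS when x_i = 1."""
    return [0 if reader.authenticate(tag, flip=[int(j == i) for j in range(K)]) else 1
            for i in range(K)]

class CloneTag:
    """Knows only x: sends b = 0 so y drops out of z, then answers a.x without noise."""
    def __init__(self, x):
        self.x = x
    def blinding(self):
        return [0] * K
    def answer(self, a):
        return dot(a, self.x)

def hb_plus_demo(seed=1):
    """(honest tag accepted?, attack recovered x exactly?, clone built from recovered x accepted?)"""
    rng = random.Random(seed)
    x, y = bits(rng, K), bits(rng, K)
    tag, reader = HBPlusTag(x, y, rng), HBPlusReader(x, y, rng)
    honest = reader.authenticate(tag)
    recovered = grs_recover_x(reader, tag)
    return honest, recovered == x, reader.authenticate(CloneTag(recovered))

def vec_mat(v, mat):
    """Row vector (1 x k) times binary matrix (k x m) over GF(2)."""
    return [dot(v, [row[j] for row in mat]) for j in range(len(mat[0]))]

def random_hb_sharp_round(X, Y, t, rng):
    """One round of random-HB#: the secrets are kX x m and kY x m matrices, so a single
    exchange returns an m-bit answer and the reader applies one Hamming-weight threshold t."""
    b = bits(rng, len(Y))                                    # tag -> reader
    a = bits(rng, len(X))                                    # reader -> tag
    ax, by = vec_mat(a, X), vec_mat(b, Y)
    noise = [1 if rng.random() < ETA else 0 for _ in range(len(X[0]))]
    z = [p ^ q ^ n for p, q, n in zip(ax, by, noise)]        # tag -> reader
    return sum(zj ^ p ^ q for zj, p, q in zip(z, ax, by)) <= t

def hb_sharp_demo(seed=2, kx=32, ky=32, m=160, t=40):
    rng = random.Random(seed)
    X = [bits(rng, m) for _ in range(kx)]
    Y = [bits(rng, m) for _ in range(ky)]
    return random_hb_sharp_round(X, Y, t, rng)
```

The attack needs only K authentications and never touches y, which is why it sits outside the Juels-Weis model (the adversary there is passive while the honest tag talks) yet recovers enough to impersonate the tag; the random-HB# round is included only to show the protocol shape, not its security argument.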