This paper proposes a new lightweight 256-bit hash function Lesamnta-LW. The security of Lesamnta-LW is reduced to that of the underlying AES-based block cipher and it is theoretically analyzed for an important application, namely the key-prefix mode. While most of recently proposed lightweight primitives are hardware-oriented with very small footprints, our main target with Lesamnta-LW is to achieve compact and fast hashing for lightweight application on a wider variety of environments ranging from inexpensive devices to high-end severs at the 2120 security level. As for performance, our primary target CPUs are 8-bit and it is shown that, for short message hashing, Lesamnta-LW offers better tradeoffs between speed and cost on an 8-bit CPU than SHA-256.

In this paper, we propose efficient sequential AES CCM architecture for the IEEE 802.16e. In the proposed architecture, only one AES encryption core is used and the operation of the CTR and the CBC-MAC is processed concurrently within one round. With this design approach, we can design sequential AES CCM architecture having 570 Mbps@102.4 MHz throughput and 1,397 slices at a Spartan3 3s5000 device.

Due to rapid growth of RFID system applications, the security and privacy problems become more and more important to guarantee the validity of RFID systems. Without introducing proper privacy protection mechanisms, widespread deployment of RFID could raise privacy concerns to both companies and individuals. As a fundamental issue for the design and analysis of secure RFID systems, some formal RFID privacy frameworks were proposed in recent years to give the principles for evaluating the security and privacy in RFID system. However, readers can be confused with so many proposed frameworks. In this paper, we make a comparative and survey study on the proposed RFID privacy frameworks. We mainly divide the existing models into three categories, the four-oracle framework, eight-oracle framework and Universal Composability framework. We give a brief review on the existing models and describe their abilities to model the adversarial behavior in RFID systems. We then analyze relations among those existing RFID privacy models and make some comparisons among their properties.

With the evolution of the P2P research field, new problems, such as those related with information security, have arisen. It is important to provide security mechanisms to P2P systems, since it has already become one of the key issues when evaluating them. However, even though many P2P systems have been adapted to provide a security baseline to their underlying applications, more advanced capabilities are becoming necessary. Specifically, privacy preservation and anonymity are deemed essential to make the information society sustainable. Unfortunately, sometimes, it may be difficult to attain anonymity unless it is included into the system's initial design. The JXTA open protocols specification is a good example of this kind of scenario. This work studies how to provide anonymity to JXTA's architecture in a feasible manner and proposes an extension which allows deployed services to process two-way messaging without disclosing the endpoints' identities to third parties.

Constructing a secure and efficient key wrapping scheme is demanding, and the scheme based on a universal hash function and an elementary encryption mode like ECB and CBC modes is potential for a practical use. However, at SAC 2009, Gennaro and Halevi showed that a key wrapping scheme using a universal hash function and ECB mode (a HtECB scheme) is broken, and the security of a scheme based on a universal hash function and CBC mode (a HtCBC scheme) has been left as an open problem. In this paper, we first generalize classical notions of universal and uniform hash functions, and propose a total of four new notions of the keyed hash function. We then prove that HtECB and HtCBC schemes are secure key wrapping schemes if the universal hash function satisfies uniformity and our notions, where the result on the HtCBC scheme gives a partial answer to the open problem. Then we discuss a basic problem of identifying relations between various notions of a keyed hash function, and point out that a monic polynomial hash function satisfies all the new notions.

Establishment of a practical software protection method is a major issue in software distribution. There are several approaches to the issue; however, no practical, secure method for mobile phone applications has been proposed. In this paper, we propose a new software protection scheme combined with a tamper-proof device (TPD) in order to achieve computational security against illegal analysis and copying of the target program. Our scheme achieves a reasonable level of security for encoding the data and variables in a program. The program on a mobile phone deals only with encoded data that is difficult to compromise, and the TPD plays a role of decoding execution results. We implemented the proposed scheme on a 3G mobile phone and a user identification module (UIM). An analysis and copying of the protected program impose exponential computation complexities under our attack model.

Secrecy on the physical layer is receiving increased research interest due to its theoretical and practical importance. In this letter, a subcarrier allocation scheme is proposed for physical-layer security in cooperative orthogonal frequency division multiple access (OFDMA) networks that use the Amplify-and-Forward (AF) strategy. We consider the subcarrier pairing and assignment to maximize overall system rates subject to a secrecy level requirement. Monte Carlo simulations are carried out to validate our analysis.

A buffer overflow attack occurs when a program writes data outside the allocated memory in an attempt to invade a system. Approximately forty percent of all software vulnerabilities over the past several years are attributed to buffer overflow. Taint tracking is a novel technique to prevent buffer overflow. Previous studies on taint tracking ran a victim's program on an emulator to dynamically instrument the code for tracking the propagation of taint data in memory and checking whether malicious code is executed. However, the critical problem of this approach is its heavy performance overhead. Analysis of this overhead shows that 60% of the overhead is from the emulator, and the remaining 40% is from dynamic instrumentation and taint information maintenance. This article proposes a new taint-style system called Embedded TaintTracker to eliminate the overhead in the emulator and dynamic instrumentation by compressing a checking mechanism into the operating system (OS) kernel and moving the instrumentation from runtime to compilation time. Results show that the proposed system outperforms the previous work, TaintCheck, by at least 8 times on throughput degradation, and is about 17.5 times faster than TaintCheck when browsing 1 KB web pages.

An anonymous password-authenticated key exchange (PAKE) protocol is designed to provide both password-only authentication and client anonymity against a semi-honest server, who honestly follows the protocol. In INDOCRYPT2008, Yang and Zhang [26] proposed a new anonymous PAKE (NAPAKE) protocol and its threshold (D-NAPAKE) which they claimed to be secure against insider attacks. In this paper, we first show that the D-NAPAKE protocol [26] is completely insecure against insider attacks unlike their claim. Specifically, only one legitimate client can freely impersonate any subgroup of clients (the threshold t > 1) to the server. After giving a security model that captures insider attacks, we propose a threshold anonymous PAKE (called, TAP+) protocol which provides security against insider attacks. Moreover, we prove that the TAP+ protocol has semantic security of session keys against active attacks as well as insider attacks under the computational Diffie-Hellman problem, and provides client anonymity against a semi-honest server, who honestly follows the protocol. Finally, several discussions are followed: 1) We also show another threshold anonymous PAKE protocol by applying our RATIONALE to the non-threshold anonymous PAKE (VEAP) protocol [23]; and 2) We give the efficiency comparison, security consideration and implementation issue of the TAP+ protocol.

Recently, Li and Xia proposed a physical-layer security design to guarantee a low probability of interception (LPI) for asynchronous cooperative systems without relying on upper-layer data encryption. The proposed scheme utilizes diagonal unitary codes to perform different encoding in the frequency domain over subcarriers within each OFDM block to randomize the transmitted signals. To build on their idea, in this letter, a subcarrier-reference (SR) transmission scheme is proposed with deliberate signal randomization to achieve LPI in multiuser MISO-OFDMA systems. For each user, one of the allocated subcarriers is chosen by the transmitter to send reference signals, and others are chosen to send the user's information symbols. By some deliberate signal randomization, the eavesdropper cannot detect the transmitted symbols, while the authorized users can operate the system successfully without knowledge of the channels by subcarrier-reference demodulation. Extensive simulations are conducted to demonstrate the scheme's effectiveness.

Many malicious programs we encounter these days are armed with their own custom encoding methods (i.e., they are packed) to deter static binary analysis. Thus, the initial step to deal with unknown (possibly malicious) binary samples obtained from malware collecting systems ordinarily involves the unpacking step. In this paper, we focus on empirical experimental evaluations on a generic unpacking method built on a dynamic binary instrumentation (DBI) framework to figure out the applicability of the DBI-based approach. First, we present yet another method of generic binary unpacking extending a conventional unpacking heuristic. Our architecture includes managing shadow states to measure code exposure according to a simple byte state model. Among available platforms, we built an unpacking implementation on PIN DBI framework. Second, we describe evaluation experiments, conducted on wild malware collections, to discuss workability as well as limitations of our tool. Without the prior knowledge of 6029 samples in the collections, we have identified at around 64% of those were analyzable with our DBI-based generic unpacking tool which is configured to operate in fully automatic batch processing. Purging corrupted and unworkable samples in native systems, it was 72%.

Detecting spreaders, or scan sources, helps intrusion detection systems (IDS) identify potential attackers. The existing work can only detect aggressive spreaders that scan a large number of distinct destinations in a short period of time. However, stealthy spreaders may perform scanning deliberately at a low rate. We observe that these spreaders can easily evade the detection because current IDS's have serious limitations. Being lightweight, the proposed scheme can detect scan sources in high speed networking while residing in SRAM. By theoretical analysis and experiments on real Internet traffic traces, we demonstrate that the proposed scheme detects stealthy spreaders successfully.

It is important to find an efficient design-for-testability methodology that satisfies both security and testability, although there exists an inherent contradiction between security and testability for digital circuits. In our previous work, we reported a secure and testable scan design approach by using extended shift registers that are functionally equivalent but not structurally equivalent to shift registers, and showed a security level by clarifying the cardinality of those classes of shift register equivalents (SR-equivalents). However, SR-equivalents are not always secure for scan-based side-channel attacks. In this paper, we consider a scan-based differential-behavior attack and propose several classes of SR-equivalent scan circuits using dummy flip-flops in order to protect the scan-based differential-behavior attack. To show the security level of those SR-equivalent scan circuits, we introduce a differential-behavior equivalent relation and clarify the number of SR-equivalent scan circuits, the number of differential-behavior equivalent classes and the cardinality of those equivalent classes.

We analyze the security notion of information-theoretic secrecy against an adversary who can make adaptive queries to the decryption oracle, and show that it is equivalent to requiring that the encryption scheme can perfectly encrypt +1 different messages. This immediately yields a lower bound on the key length and an optimal construction, namely (+1)-wise independent permutations. This also gives an operational interpretation to the notion of decryption oracles in information-theoretic security.

This paper shows a simple methodology for shortening a ciphertext of reproducible key encapsulation mechanisms. Specifically, it transforms a key encapsulation mechanism having OW-CCCA security and reproducibility into that of IND-CCA secure in the random oracle model whose ciphertext is shorter. Various existing chosen-ciphertext secure key encapsulation mechanisms (in the standard model) are reproducible, and thus their ciphertext can be shortened by the proposed transformation. The transformed scheme requires only one additional hashing for encryption. This property enables us to implement both the original scheme and the transformed scheme into a single chip simultaneously with small gate-size overhead. Using this chip, a sender can flexibly switch schemes to encrypt a message in a message-by-message manner. Such a use of schemes is also analyzed.

In routing, we usually use OSPF with Dijkstra or RIP with Bellman-Ford, but they can only treat single metric routing problem. With multiple metrics, we would use the weighted average of the metrics or techniques from operations research, but they are not suitable for routing because they lack validity and simplicity. Here, we propose a routing algorithm to deal with the three security metrics proposed by I. A. Almerhag and M. E. Woodward, and show an example routing policy. Besides, we make a study on the constraints of the metrics and the routing policies, and come to the precondition of the proposed routing algorithm.

A safe prime p is a prime such that (p-1)/2 is also a prime. A primality test or a safe primality test is normally a combination of trial division and a probabilistic primality test. Since the number of small odd primes used in the trial division affects the performance of the combination, researchers have studied how to obtain the optimal number of small odd primes to be used in the trial division and the expected running time of the combination for primality tests. However, in the case of safe primality tests, the analysis of the combination is more difficult, and thus no such results have been given. In this paper, we present the first probabilistic analysis on the expected running time and the optimal number of small odd primes to be used in the trial division for optimizing the tests. Experimental results show that our probabilistic analysis estimates the behavior of the safe primality tests very well.

In this paper, the first extended Canetti-Krawzcyk (eCK) security model for hierarchical ID-based authenticated key exchange (AKE) that guarantee resistance to leakage of ephemeral secret keys is proposed. Moreover, an two-pass hierarchical ID-based AKE protocol secure in the proposed hierarchical ID-based eCK security model based on a hierarchical ID-based encryption is also proposed.

Existing time synchronization schemes in sensor networks were all developed to be energy-efficient, precise, and robust, but none of them were developed with security in mind. We have developed a secure, accurate and energy-efficient time synchronization protocol (SAEP). SAEP achieves accurate time synchronization service with significantly reducing the number of message exchanges. Also, it safeguards against Byzantine failure, in which nodes drop, modify, or delay time information in an attempt to disrupt the time synchronization service in multi-hop networks. SAEP takes a distributed approach where each sensor independently makes decisions based only on the information collected from multiple adjacent nodes, thus achieving a high level of resistance to various attacks while minimizing the energy cost. We investigate the misbehavior of a maliciously compromised node and analyze how SAEP can combat these attacks. In our experiment SAEP outperforms the existing time synchronization protocol in accuracy, energy consumption and it is even resilient to multiple capture attacks.

Kim and Chung previously proposed a password-based user authentication scheme to improve Yoon and Yoo's scheme. However, Kim and Chung's scheme is still vulnerable to an offline password guessing attack, an unlimited online password guessing attack, and server impersonation. We illustrate how their scheme can be compromised and then propose an improved scheme to overcome the weaknesses. Our improvement is based on the Rabin cryptosystem. We verify the correctness of our proposed scheme using the BAN logic.