Secure and Efficient Systems for Integrated Compression and Encryption (NSERC-SPG)


As cloud computing and mobile computing continue to become more widely adopted, there is an ever increasing demand for efficient transmission and storage of data. Compression is widely used in Internet-based information systems to satisfy these demands. At the same time, as our daily lives become ever more reliant upon this digital infrastructure, protecting the security and privacy of data becomes a pervasive necessity. Even when a system is built from secure cryptographic algorithms, the protection provided by these algorithms can be compromised at the system level when pre- or post-processing operations, such as compression, are used in conjunction with encryption and authentication. The two recent attacks CRIME and BREACH demonstrated that conventional techniques for combining compression and encryption are susceptible to "compression side-channel" attacks. The only effective remedy is to disable compression for SSL/TLS and HTTPS communication, which almost 90% of web sites have done. There is also growing momentum to use encryption for almost all Internet connections. The combination of these forces extracts an opportunity cost in transmission time and bandwidth consumption. This research will address these challenges by creating a new paradigm of security mechanisms for securely combining compression and encryption/authentication operations that will minimize compression side channel leakage and be optimized for efficient implementation in hardware. The research will have three thrusts: a) new security measures and algorithms that integrate compression and encryption; b) optimized hardware implementations of these algorithms; c) tools for the design, optimization, and analysis of these systems. The research results will benefit everyone from consumers using mobile phones for financial transaction to companies using cloud-computing networks for massive databases.

Research Topics

In this project, we treat encryption and authentication as one general operator, denoted as EncA. The goal of the project is to explore how EncA can be pre- or post-processed with compression where compression side channel leakage is minimized, termed as crypto-compression, and how it can be implemented in hardware with optimization in terms of power, performance, and area. The proposed research has three thrusts:

  • fundamental limits, trade-offs and algorithms that integrate compression and encryption
  • optimized hardware implementations of the algorithms
  • tools for the design, optimization, security analysis, and functional verification of these systems.

Privacy Protection and Authentication Mechanisms for RFID Systems


Radio frequency identification (RFID) is a technology for the automated identification of physical entities using radio frequency transmissions. Typically, RFID systems consist of RFID devices or so called tags, RFID readers or interrogators, and backend networks. An RFID tag is a simple and low-cost electronic device (transponder) that is attached to a physical object for wireless data transmission. It transmits data over the air in response to interrogation by an RFID reader. An RFID reader is a more powerful device (transceiver) that can queue data stored in tags. Multiple readers can then connect to a network that acts as a data processing subsystem and database. In the past ten years, RFID systems have gained popularity in many applications, such as supply chain management, library systems, e-passports, contactless cards (e.g., proximity cards, automated toll-payment transponders, and payment tokens), identification systems, and human implantation (such as medical-record indexing, and physical access control). Future applications could include smart appliances, shopping, and medication compliance monitoring. RFID is one of the most promising technologies in the field of ubiquitous and pervasive computing. Many new applications can be created by embedding an object with RFID tags. However, the rapid development of RFID systems raises serious privacy and security concerns that could prevent the benefits of RFID technology from being fully utilized.

The concerns about RFID systems arise from a) privacy concerns of users about clandestine physical tracking and inventorying of tags; b) authentication problems from counterfeit or cloned tags; and c) communication attacks: jamming, traffic analysis, spoofing, eavesdropping, relay or man-in-the-middle attacks, denial of service attacks, and side-channel attacks, all of which are easy to launch for both RFID tags and readers. Overcoming these concerns will be a significant challenge, because RFID tags do not have sufficient computational power and memory capacity to support standard cryptographic primitives.

Research Topics

  • Physical layer assisted privacy protection in RFID systems
  • Lightweight crypto engine based core security functions for FRID Security

Physical Layer Security in Wireless Networks


The physical-layer security under the information-theoretic (perfect) security models can get exponentially close to perfect secrecy in theory. However, the information-theoretic security is an average-information measure. The system can be designed and tuned for a specific level of security¡ªe.g., with very high probability a block is secure, but it may not be able to guarantee security with probability 1. So any deployment of a physical-layer security protocol in a classical system would be part of a ¡°layered security¡± solution where security is provided at a number of different layers, each with a specific goal in mind. The physical-layer security can provide an additional layer of security for wireless networks. We investigate a novel MIMO aided security scheme. By exploiting an extra dimension provided by MIMO systems for adding artificial noise to the transmission process, which let the attacker¡¯s signal be a degraded version of the legitimate receiver¡¯s signal, the physical-layer security is enhanced as a result. We also investigate a novel framework for Physical layer Assisted message Authentication (PAA) under public key infrastructure (PKI) in wireless communication networks.

Research Topics

  • Finding practical method to build the wire-tap channel model for multiple input multiple output (MIMO) and single input single output (SISO) system.
  • Developing the wire-tap channel code close to capacity.
  • Exploring to build a cross-layer framework for achieving fast and light-weighted message authentication for wireless networks in virtue of physical layer assisted message Authentication.

Securing Wireless Sensor Networks


Wireless sensor networks (WSNs) are innovative networks consisting of a large number of distributed, autonomous, low-power, low-cost, sensor nodes which cooperatively collect information through infrastructureless wireless networks, as illustrated in Figure 1. There are numerous applications for wireless sensor networks, and security is vital for many of them. However, WSNs suffer from many constraints, including low computation capability, small memory, limited energy resources, susceptibility to physical capture, and the lack of infrastructure, all of which impose unique security challenges and make innovative approaches desirable.

Figure 1: Wireless Sensor Networks

Preliminary Results

Random Key Distribution for WSNs
Key establishment is one of most important building blocks for security services. Currently random key predistribution approaches are prevalent in wireless sensor network. We design a new key predistribution protocol which combines basic random key predistribution with multi-hash chain mechanism. Comprehensive analysis shows that its security performance outweighs that of original scheme, with reasonable tradeoff of a few hash operations.

Mutual Entity Authentication in WSNs
Mutual entity authentication plays a significant role in achieving many security goals of wireless sensor networks. We developed a mutual entity authentication framework for wireless sensor networks. This framework is basically flexible combination sets of two previous elegant one-way authentication protocols---HB+ and HB#, with significant enhancements in terms of infeasibility of storage/communication requirement and extension to mutual authentication.

Node Clone Detection
Sensor nodes lack tamper-resistant hardware and are subject to the node clone attack. We introduce two approaches to detect the attack distributively. One is based on Distributed Hash Table (DHT). A Chord overlay network is built upon the sensor network, and provides the key-based routing, caching, and checking facilities for our protocol. A deterministic witness and additional memory-efficient, potential witnesses assure the good security properties. Furthermore, the mechanism of random round seeds limits the adversary's ability to conceal the clone by compromising witness nodes. The other is an innovative randomly directed exploration protocol, which does not demand any strong assumptions and is highly practical in the general sensor network applications.

Security in Ad Hoc Networks


Recently many people in the media, industry, and academia are talking about ubiquitous computing and ad hoc networking, but it seems that everybody has a different understanding of the topic. Some people associate ad hoc networks with Personal Area Networks (PANs), as for instance wireless communications among PDA's, cellular phones, and laptops using the Bluetooth protocol, whereas others might imagine military applications, such as exploring enemy territory by the use of sensor networks. The number of applications are countless.

So what are ad hoc networks? What is their infrastructure? What are their properties? What are the applications of such networks and do those applications require the implementation of any security? All these questions have not been sufficiently answered yet. Clear definitions of architecture, properties, and security requirements can still not be found in the literature. Although some applications are already implemented, the desired security properties have still not been completely achieved.


With the increasing number of applications that involve wireless communication among mobile devices, the demand for implementing security in such systems becomes inevitable. Networks that consists of mobile devices that spontaneously form a wireless network are usually referred to as ad hoc networks.

We believe that there are four main security problems that need to be dealt with in ad hoc networks:
  • the authentication of devices that wish to talk to each other
  • the secure establishment of a session key among the authenticated devices
  • the secure routing in multi-hop networks
  • the secure storage of key data in the devices

The primary focus of our research is on authentication and key establishment protocols that are applicable in ad hoc networks. The constrained devices, the lack of infrastructure, and other special properties of ad hoc networks make achieving those security properties a challenging task.

Sequences for Communication Systems

  • For details, please see the poster [PDF].

WG Stream Cipher


We propose a new synchronous stream cipher, called WG cipher. The cipher is based on WG (Welch-Gong) transformations. The WG cipher has been designed to produce keystream with guaranteed randomness properties, i.e., balance, long period, large and exact linear complexity, 3-level additive autocorrelation, and ideal 2-level multiplicative autocorrelation. It is resistant to Time/Memory/Data tradeoff attacks, algebraic attacks and correlation attacks. The cipher can be implemented with a small amount of hardware.

Figure 2: Block diagram of WG stream cipher
Figure 3: Welch Gong Transformation (WG-29)

For More Information

  • Read the full paper: Yassir Nawaz and Guang Gong, "The WG stream cipher", submitted to ECRYPT STREAM CIPHER PROJECT, [PDF]
  • Go to ECRYPT STREAM CIPHER PROJECT website at C code is also available at this site.


  • H. El-Razouk, A. Reyhani-Masoleh, and G. Gong, New Hardware Implementations of WG (29, 11) and WG-16 Stream Ciphers Using Polynomial Basis, IEEE Transactions on Computers, IEEE, 2015
  • H. El-Razouk, A. Reyhani-Masoleh, and G. Gong, New Implementations of the WG Stream Cipher, IEEE Transactions on Very Large Scale Integration (VLSI) Systems, Vol. 22, No. 9, pp. 1865-1878, IEEE, 2014
  • X. Fan, T. Wu, and G. Gong, An Efficient Stream Cipher WG-16 and its Application for Securing 4G-LTE Networks, Applied Mechanics and Materials, Vol. 490, pp. 1436-1450, Trans Tech Publ, 2014
  • K. Mandal, G. Gong, X. Fan, and M. Aagaard, Optimal Parameters for the WG Stream Cipher Family, Cryptography and Communications, Vol. 6, No. 2, pp. 117-135, Springer, 2014
  • G. Gong, M. Aagaard, and X. Fan, Resilience to Distinguishing Attacks on WG-7 Cipher and their Generalizations, Cryptography and Communications, Vol. 5, No. 4, pp. 277-289, Springer, 2013
  • X. Fan, N. Zidaric, M. Aagaard, and G. Gong, Efficient Hardware Implementation of the Stream Cipher WG-16 with Composite Field Arithmetic, Proceedings of the 3rd international workshop on Trustworthy embedded devices, pp. 21-34, ACM, 2013
  • G. Yang, and X. Fan, M. Aagaard, and G. Gong, Design Space Exploration of the Lightweight Stream Cipher WG-8 for FPGAs and ASICs, Proceedings of the Workshop on Embedded Systems Security, p. 8, ACM, 2013
  • K. Mandal, G. Gong, X. Fan, and M. Aagaard, On Selection of Optimal Parameters for the WG Stream Cipher Family, 2013 13th Canadian Workshop on Information Theory (CWIT), pp. 17-21, IEEE, 2013
  • X. Fan, K. Mandal, and G. Gong, WG-8: A Lightweight Stream Cipher for Resource-constrained Smart Devices, Quality, Reliability, Security and Robustness in Heterogeneous Networks, pp. 617-632, Springer, 2013
  • M. Aagaard, G. Gong, and R. Mota, Hardware Implementations of the WG-5 Cipher for Passive RFID Tags, 2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 29-34, IEEE, 2013
  • C. Lam, M. Aagaard, and G. Gong, Hardware Implementations of Multi-output Welch-Gong Ciphers, Technical Report, CACR 2011-01, University of Waterloo, 2011
  • Y. Luo, Q. Chai, G. Gong, and X. Lai, WG-7, A Lightweight Stream Cipher with Good Cryptographic Properties, IEEE Global Communications Conference -- GLOBECOM, pp. 1-6, 2010
  • Y. Nawaz and G. Gong, The WG Stream Cipher, ECRYPT Stream Cipher Project Report 2005, Vol. 33, 2005

Proxy Assisted Security Service (PASS)


Current authentication technologies are commonly based asymmetric encryption techniques such as digital signatures. To be able to employ these techniques requires a significant amount of computing resources, which are uncommon to many lightweight mobile devices such as cell phones and personal digital assistants (PDAs). It is therefore currently infeasible or uneconomical to implement mutual authentication services between these devices. A new protocol called “Controlled Proxy-Assisted Secure End-to-End Communication Protocol” was proposed by Professor Hung-Yu Lin to solve the problem. The goal of a Fourth Year Design Project at UW of Jimmy Choi, Kenneth Choi, Kenric Li, and Truman Ng supervised by Prof. Guang Gong, was to build a secure communication system that employs such proxy-assisted protocol as illustrated in Figure 4.

Figure 4: Mutual authentication between mobile stations using security proxies.


A new protocol called "Controlled Proxy-Assisted Secure End-to-End Communication Protocol" was proposed by Professor Hung-Yu Lin to solve the problem. This protocol removes the computing requirement that imposes on mobile devices by introducing an entity called the Security Proxy. The significance of the Security Proxy is that it has the computing resources to perform asymmetric authentication very fast. Thus the hard computatio steps are shifted from very constrained devices (the mobile stations) to a more powerful trusted server (security proxie). When mobile users want to establish a secure session, the Security Proxy performs the mutual authentication for the mobile devices and enables them to establish a session key. The session key is then used to encrypt all further communications between the mobile station for the period of one sessio nusing symmetric and thus cheap encryption schemes.


The proxy assisted protocol can be implemented in many different languages using different SDKs. In the fourth year project the students concluded to use .Net framework and Windows Networking SDK to implement the server part and to use Microsoft SQL for the database.The architecture of the components is shown in Figure 5. The implementation was successfully demonstrated on the 4th year design symposium on 2 mobile clients in 2 PDAs.

Figure 5: Architecture of PASS components.


  • H. Lin. "Controlled Proxy-assisted Secure End-to-End Communication", Technical Report, CORR 2002-31, University of Waterloo, 2002. [PS]

Gong-Harn Public-key Cryptosystem (GH-PKC) Software Implementation


With the emergence of the 3G (third-generation) networks for mobile communications, data security becomes even more important. Designing cryptosystems that meet both the power contraints and computing constraints of mobile units is very challenging. The GH-PKC reduces the size of the modulus and speeds up the computations of the same degree of security as existing cryptosystems. Our research focus is on software implementation of the GH-PKC and analysis on its performance over the existing cryptosystems.


The GH Public-key Cryptosystem (GH-PKC) was developed by G. Gong and L. Harn in 1999. This cryptosystem is based on the third-order linear feedback shift register (LFSR) sequences with a particular phase. Such a particular LSFR sequences are called a characteristic sequence. The elements of the sequences are taken from a finite field GF(q). The security of GH-PKS is based on the difficult of the solving discrete logrithm in the extension GF(q3) of GF(q).

The part of the GH Diffie-Hellman (GH-DH) key agreement protocol was published in the proceddings of ChinaCrypto'1998 and the GH-DH together with the GH-RSA type was published in the November 1999 issue of IEEE Transactions on Information Theory.

Two important features of the GH-PKC:

  • GH-PKC has the same modular size as the elliptic curve public-key system while achieving the same 1024 bit security level for q = p2 .
  • GH-PKC can be resistant to power analysis attack and timer analysis attack without increasing cost of computation.

The XTR, presented at Crypto'2000 by Lenstra and Verheul, is a special case of the special type of characteristic sequences when q = p2.

Some papers and slides on the GH-PKCS

  • S. Sin, Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis, Master's Thesis, April 2004, Waterloo, University of Waterloo, supervised by G. Gong, Thesis (Appendices are removed)
  • S. Sin, The GH-DSA, RIM-Seminar, October 2003, Slides on GH-DSA [PDF]
  • S.Sin, Gong-Harn Public-key Cryptosystems, Poster
  • G. Gong and L. Harn, A new approach for public key distribution, Proceedings of China-Crypto'98, May 1998, Chengdu, China (PS).
  • G. Gong and L. Harn, Public-key cryptosystems based on cubic finite field extensions, IEEE Trans. on Inform. Theory, vol. 45, No.7, November 1999, pp. 2601-2605 [PS, PDF]
  • Slides of the talk on the GH public-key cryptosystems at Queens University [PS], October 2000.
  • G. Gong, L. Harn and H.P. Wu, The GH public-key cryptosystems, the Proceedings of the Eighth Annual Workshop on Selected Areas in Cryptography, Toronto, August 16-18, 2001. CORR 2001-35 [PS, slides].
  • K. J. Giuliani, Generating large instances of the Gong-Harn cryptosystems, to be presented at the Conference on Cryptography and Coding, Dec. 17-19, 2001, Cirencester, UK, [PS].
  • Roy Krischer, An implementation of the Gong-Harn Diffie Hellman key agreement protocol [PS], supervised Undergraduate Research Assistant, Spring 2001, Research Project Report.