Results 1 - 10 of 16
Group Signatures: Better Efficiency and New Theoretical Aspects
In proceedings of SCN ’04, LNCS series, 2005
Cited by 35 (6 self)
A group signature scheme allows members of a group to sign messages anonymously. To counter misuse, the so-called group manager can revoke the anonymity.
MiniSec: a secure sensor network communication architecture
In Proc. of the 6th Int’l Conf. on Information Processing in Sensor Networks, 2007
Cited by 22 (1 self)
Secure sensor network communication protocols need to provide three basic properties: data secrecy, authentication, and replay protection. Secure sensor network link layer protocols such as TinySec [13] and ZigBee [28] enjoy significant attention in the community. However, TinySec achieves low energy consumption by reducing the level of security provided. In contrast, ZigBee enjoys high security, but suffers from high energy consumption. MiniSec is a secure network layer that obtains the best of both worlds: low energy consumption and high security. MiniSec has two operating modes, one tailored for single-source communication, and another tailored for multi-source broadcast communication. The latter does not require per-sender state for replay protection and thus scales to large networks. We present a publicly available implementation of MiniSec for the Telos platform, and experimental results demonstrate our low energy utilization.
A Session-Based Architecture for Internet Mobility
2003
Cited by 15 (1 self)
... decade has led to an increasingly nomadic computing lifestyle. A computer is no longer an immobile, gargantuan machine that remains in one place for the lifetime of its operation. Today's personal computing devices are portable, and Internet access is becoming ubiquitous. A well-traveled laptop user might use half a dozen different networks throughout the course of a day: a cable modem from home, wide-area wireless on the commute, wired Ethernet at the office, a Bluetooth network in the car, and a wireless, local-area network at the airport or the neighborhood coffee shop. Mobile host
Crypto for Tiny Objects
2004
Cited by 15 (1 self)
This work presents the first known implementation of elliptic curve cryptography for sensor networks, motivated by those networks' need for an efficient, secure mechanism for shared cryptographic keys' distribution and redistribution among nodes. Through instrumentation of UC Berkeley's TinyOS, this work demonstrates that secret-key cryptography is already viable on the MICA2 mote. Through analyses of another's implementation of modular exponentiation and of its own implementation of elliptic curves, this work concludes that public-key infrastructure may also be tractable in 4 kilobytes of primary memory on this 8-bit, 7.3828-MHz device.
Enabling the Long-Term Archival of Signed Documents through Time Stamping
2001
Cited by 13 (4 self)
In this paper we describe how to build a trusted reliable distributed service across administrative domains in a peer-to-peer network. The application we use to motivate our work is a public key time stamping service called Prokopius. The service provides a secure, verifiable but distributable stable archive that maintains time stamped snapshots of public keys over time. This in turn allows clients to verify time stamped documents or certificates that rely on formerly trusted public keys that are no longer in service or where the signer no longer exists. We find that such a service can time stamp the snapshots of public keys in a network of 148 nodes at the granularity of a couple of days, even in the worst case where an adversary causes the maximal amount of damage allowable within our fault model.
Can Homomorphic Encryption be Practical?
Cited by 8 (0 self)
The prospect of outsourcing an increasing amount of data storage and management to cloud services raises many new privacy concerns for individuals and businesses alike. The privacy concerns can be satisfactorily addressed if users encrypt the data they send to the cloud. If the encryption scheme is homomorphic, the cloud can still perform meaningful computations on the data, even though it is encrypted. In fact, we now know a number of constructions of fully homomorphic encryption schemes that allow arbitrary computation on encrypted data. In the last two years, solutions for fully homomorphic encryption have been proposed and improved upon, but it is hard to ignore the elephant in the room, namely efficiency: can homomorphic encryption ever be efficient enough to be practical? Certainly, it seems that all known fully homomorphic encryption schemes have a long way to go before they can be used in practice. Given this state of affairs, our contribution is two-fold. First, we exhibit a number of real-world applications, in the medical, financial, and the advertising domains, which require only that the encryption scheme is “somewhat” homomorphic. Somewhat homomorphic encryption schemes, which support a limited number of homomorphic operations, can be much faster, and more compact than fully homomorphic encryption schemes. Secondly, we show a proof-of-concept implementation of the recent somewhat homomorphic encryption scheme of Brakerski and Vaikuntanathan, whose security relies on the “ring learning with errors” (Ring LWE) problem. The system is very efficient, and has reasonably short ciphertexts. Our unoptimized implementation in Magma enjoys comparable efficiency to even optimized pairing-based schemes with the same level of security and homomorphic capacity. We also show a number of application-specific optimizations to the encryption scheme, most notably the ability to convert between different message encodings in a ciphertext.
Merkle Signatures with Virtually Unlimited Signature Capacity
Cited by 1 (1 self)
We propose GMSS, a new variant of the Merkle signature scheme. GMSS is the first Merkle-type signature scheme that allows a cryptographically unlimited (2^80) number of documents to be signed with one key pair. Compared to recent improvements of the Merkle signature scheme, GMSS reduces the signature size as well as the signature generation cost. Keywords: Merkle signatures, post-quantum cryptography, SSL.
Practical Hybrid (Hierarchical) Identity-Based Encryption Schemes Based on the Decisional Bilinear Diffie-Hellman Assumption
Cited by 1 (0 self)
At Eurocrypt 2005, Waters proposed an efficient identity-based encryption (IBE) scheme and its extension to a hierarchical IBE (HIBE). We describe a (H)IBE scheme which improves upon Waters' scheme by significantly reducing the size of the public parameters. The reduction is based on two ideas. The first idea involves partitioning n-bit identities into l-bit blocks while the second idea involves reusing public parameters over different levels of a HIBE. The basic HIBE scheme is CPA-secure and yields a (hierarchical identity-based) signature scheme. Modification of the basic HIBE scheme using ideas from the work of Boyen, Mei and Waters yields a CCA-secure hybrid HIBE scheme. Further, by appropriately using symmetric key authentication, we are able to eliminate costly pairing operations from the decryption algorithm. The protocols and the security arguments are recast in the most efficient pairing setting, i.e., the Type 3 setting. Using the asymmetric pairing setting leads to several variants of the basic protocol with associated trade-off in the ciphertext overhead and public parameter size. We also incorporate with a small improvement the probability analysis that was recently put forth by Bellare and Ristenpart to remove the need of “artificial abort” in the original security argument of Waters IBE. For 80-bit or 128-bit security levels, the variants of the (H)IBE schemes that we obtain are currently the most efficient and practical among all other schemes which achieve similar security under a static assumption such as the hardness of decisional bilinear

