Information and Communications Security

One of the central lines of cryptographic research is identifying the weakest assumptions required for the construction of secure primitives. In the context of group signatures the gap between what is known to be necessary (one-way functions) and what is known to be sufficient (trapdoor permutations) is quite large. In this paper, we provide the first step towards closing this gap by showing that the existence of secure group signature schemes implies the existence of secure public-key encryption schemes. Our result shows that the construction of secure group signature schemes based solely on the existence of one-way functions is unlikely. This is in contrast to what is known for standard signature schemes, which can be constructed from any one-way function.

The notion of concurrent signatures was recently introduced by Chen, Kudla and Paterson in their seminal paper in [5]. In concurrent signature schemes, two entities can produce two signatures that are not binding, until an extra piece of information (namely the keystone) is released by one of the parties. Upon release of the keystone, both signatures become binding to their true signers concurrently. In this paper, we extend this notion by introducing a new and stronger notion called perfect concurrent signatures. We require that although both signers are known to be trustworthy, the two signatures are still ambiguous to any third party (c.f. [5]). We provide two secure schemes to realize the new notion based on Schnorr’s signature schemes and bilinear pairing. These two constructions are essentially the same. However, as we shall show in this paper, the scheme based on bilinear pairing is more efficient than the one that is based on Schnorr’s signature scheme.

Identity-based (ID-based) cryptosystems avoid the necessity of certificates to authenticate public keys in a digital communications system. This is desirable, specially for these applications which involve a large number of public keys in each execution. For example, any computation and verification of a ring signature, where a user anonymously signs a message on behalf of a set of users including himself, requires to authenticate the public keys of all the members of the set.We use bilinear pairings to design a new ID-based ring signature scheme. We give bounds on the concrete security of our scheme in the random oracle model, under the assumption that the Computational Diffie-Hellman problem is hard to solve. Then we extend this scheme to scenarios where a subset of users anonymously sign on behalf of some access structure of different subsets.

As a value-added service to deliver important data over the Internet with guaranteed receipt for each successful delivery, certified email has been discussed for years and a number of research papers appeared in the literature. But most of them deal with the two-party scenarios, i.e., there are only one sender and one recipient. In some applications, however, the same certified message may need to be sent to a set of recipients. In ISC’02, Ferrer-Gomila et. al presented a multi-party certified email protocol [5]. It has two major features. A sender could notify multiple recipients of the same information while only those recipients who acknowledged are able to get the information. In addition, its exchange protocol is optimized, which has only three steps. In this paper, we demonstrate some flaws and weaknesses in that protocol, and propose an improved version which is robust against the identified attacks while preserving the features of the original protocol.

In order to decide on advertisement fees for web servers, Naor and Pinkas introduced (threshold) metering schemes secure against coalitions of corrupt servers and clients. They show that one should be able to detect illegal behavior of clients, i.e., one needs to verify the shares received from clients. Most metering schemes do not offer this feature. But Ogata and Kurosawa pointed out a minor flaw in the extension protocol by Naor and Pinkas providing detection of such illegal behavior and propose a correction. In this paper we extend the linear algebra approach from Nikov et al. in order to build robust unconditionally secure general metering schemes. As a tool to achieve this goal we introduce doubly-labelled matrices and an operation on such matrices. Certain properties of this operation are proven.

Electronic payment is a key building block of distributed business applications in mobile ad hoc networks (MANETs). However, existing payment systems do not fulfill the requirements imposed by the highly dynamic and decentralized nature of MANETs. Either they rely on digital coins that suffer from usability problems, or they build on cellular phone technology which is bound to the availability of a fixed infrastructure. Therefore, we propose PayFlux, as a new system for electronic payment in MANETs. It is based on the light-weight Simple Public Key Infrastructure (SPKI) that allows for the decentralized creation and delegation of authorizations. Adopting the well-known abstraction of direct debits and enhancing it with new useful features, it offers good usability and can be easily integrated into the existing banking system.

The current packet based stream authentication schemes provide effective and efficient authentication over a group of packets transmitted on erasure channels. However, by fixing the packets in transmission, any packet manipulation will cause authentication failure. In p2p content delivery network where a proxy-in-the-middle is able to store, forward, transcode and transform the stream, previous schemes are simply unapplicable. To address the problem, we propose a flexible verification scheme that relies on special stream formats (i.e. Unequal Loss Protection ULP scheme [7]). We apply the so called Unequal Loss Verification ULV scheme into MPEG-4 framework. The encoding, packing, amortizing and verifying methods are elaborated in this paper. Our analysis shows that the scheme is secure and cost effective. The scheme is indeed content aware and ensures the verification rate intuitively reflecting a meaningful stream. Further on, we describe the general method of publishing and retrieving a stream in p2p CDN.

We present a provably secure authenticated tree based key agreement protocol. The protocol is obtained by combining Boldyreva’s multi-signature with Barua et al.’s unauthenticated ternary tree based multi-party extension of Joux’s key agreement protocol. The security is in the standard model as formalized by Bresson et al.. The proof is based on the techniques used by Katz and Yung in proving the security of their key agreement protocol.

In this paper, we first model the variants of OAEP and SAEP, and establish a systematic proof technique, the comprehensive event dividing tree, and apply the technique to prove the security of the (120) variants of OAEP and SAEP. Moreover, we point out the concrete attack procedures against all insecure schemes; we insist that the security proof failure leads to some attacks. From the security consideration, we find that one of them leads to a scheme without a redundancy; the scheme is not $\mathcal{PA}$ (plaintext aware) but IND-CCA2 secure. Finally, from the comparison of the variants, we conclude that some of them are practical in terms of security tightness and short bandwidth.

Fail-stop signature (FSS) schemes are important primitives because in a fail-stop signature scheme the signer is protected against unlimited powerful adversaries as follows: Even if an adversary breaks the scheme’s underlying computational hard problem and hence forges a signature, then with overwhelming probability the signer is able to prove that a forgery has occurred (i.e. that the underlying hard problem has been broken). Although there is a practical FSS scheme based on the discrete logarithm problem, no provable secure FSS scheme is known that is based on the pure factorization problem (i.e. the assumption that integer factoring for arbitrary integers is hard). To be more concrete, the most popular factorization based FSS scheme relies on the assumption that factoring a special kind of Blum integers is intractable. All other FSS schemes related to integer factoring are based on even stronger assumptions or insecure.In this paper, we first cryptanalyze one of those schemes and show how to construct forged signatures that don’t enable the signer to prove forgery. Then we repair the scheme at the expense of a reduced message space. Finally, we develop a new provable secure scheme based on the difficulty of factoring integers of the shape p2q for primes p,q.

Software Security has received a lot of attention during the last years. It aims at preventing security problems by building software without the so-called security holes. One of the ways to do this is to apply specific patterns in software architecture. In the same way that the well-known design patterns for building well-structured software have been used, a new kind of patterns, called security patterns have emerged. The way to build secure software is still vague, but guidelines for this have already appeared in the literature. Furthermore, the key problems in building secure software have been mentioned. Finally, threat categories for a software system have been identified. Based on these facts, it would be useful to evaluate known security patterns based on how well they follow each guideline, how they encounter with possible problems in building secure software and for which of the threat categories they do take care of.

Inference attacks mean that a user infers (or tries to infer) the result of an unauthorized query execution using only authorized queries to the user. We say that a query q is secure against inference attacks by a user u if there exists no database instance for which u can infer the result of q. The security problem against inference attacks has been formalized under a model of object-oriented databases called method schemas. It is known that the technique of type inference is useful for deciding the security. However, the relationship of type inferability and decidability of the security has not been examined.This paper introduces a subclass of method schemas, called linearschemas, and presents the following results. First, type inference of linear queries is possible under linear schemas. Next, the security of type-inferable queries is undecidable under linear schemas. Moreover, type inference is impossible for queries whose security is decidable under linear schemas. These results imply that type inferability and decidability of the security problem are incomparable.

This research presents a software-based computer forensics method capable of recovering and storing digital evidence from volatile memory without corrupting the hard drive. Acquisition of volatile memory is difficult because it must be transferred onto non-volatile memory prior to disrupting power. If this data is transferred onto the hard drive of the compromised computer it could destroy critical evidence. This research will enhance investigations by allowing the inclusion of hidden processes, kernel modules, and kernel modifications present only in memory that may have otherwise been neglected. This methodology can be applied to any operating system and has been proven through implementation on Linux.

A new Workflow Management System (WFMS) model is presented, that uses a Trust Establishment framework. This new model enables creating dynamic user-role assignment where not all users are known in advance. Thus it can fit into dynamic environments where new users are added, or credentials of existing users are revoked, like on the Web. The model is composed of three distributed agents called Credentials Collector, Role Manager and Task Manager that communicate with each other. The Credentials Collector is responsible for collecting all the needed credentials in order to allow membership of a user in a role, the Role Manager is required to find a suitable user-role assignment which satisfy role assignment constraints, and the Task Manager has to find an assignment of users/roles to tasks which satisfy the workflow constraints. The agents use constraint processing to solve their respective problems, and also attempt to achieve an optimized solution.

We present a scheme to steganographically embed information in x86 program binaries. We define sets of functionally-equivalent instructions, and use a key-derived selection process to encode information in machine code by using the appropriate instructions from each set. Such a scheme can be used to watermark (or fingerprint) code, sign executables, or simply create a covert communication channel. We experimentally measure the capacity of the covert channel by determining the distribution of equivalent instructions in several popular operating system distributions. Our analysis shows that we can embed only a limited amount of information in each executable (approximately $\frac{1}{110}$ bit encoding rate), although this amount is sufficient for some of the potential applications mentioned. We conclude by discussing potential improvements to the capacity of the channel and other future work.

Content security requires authenticity given by integrity checks, authentication and non-repudiation. This can be achieved by using digital signatures. This paper presents a new semi-fragile steganographic technique for embedding digital signatures in images. This is achieved by using a novel modified Bit-Plane Complexity Segmentation (BPCS) Based Steganography scheme. Semi-fragile implies survival from limited processing, which is achieved by utilising Convolutional coding, a Forward Error Correcting (FEC) channel coding technique, in the embedding.

In a fingerprinting scheme a different set of marks is embedded in each copy of a digital object, in order to deter illegal redistribution. A group of dishonest users, called traitors, collude to create a pirate copy that hides their identities, by putting together different parts of their copies. If the sets to be embedded are the codewords of an error correcting code then efficient algorithms can be used to trace the traitors. In this paper we present a tracing algorithm, that by applying the Viterbi algorithm to the trellis representation of a cyclic traceability code, finds all possibly identifiable traitors.

We present in this paper a decentralized architecture to correlate alerts between cooperative nodes in a secure multicast infrastructure. The purpose of this architecture is to detect and prevent the use of network resources to perform coordinated attacks against third party networks. By means of a cooperative scheme based on message passing, the different nodes of this system will collaborate to detect its participation on a coordinated attack and will react to avoid it. An overview of the implementation of this architecture for GNU/Linux systems will demonstrate the practicability of the system.

Reflector attack belongs to one of the most serious types of Distributed Denial-of-Service (DDoS) attacks, which can hardly be traced by traceback techniques, since the marked information written by any routers between the attacker and the reflectors will be lost in the replied packets from the reflectors. In response to such attacks, advanced IP traceback technology must be suggested. This study proposed an improved iTrace technique that identifies DDoS traffics with Pushback based multi-hop iTrace mechanism based on authenticated packet marking information at reflector for malicious reflector source trace and cope with DDoS attack packets efficiently.

The NRL Pump protocol defines a multilevel secure component whose goal is to minimize leaks of information from high level systems to lower level systems, without degrading average time performances. We define a probabilistic model for the NRL Pump and show how a probabilistic model checker (FHP-murϕ) can be used to estimate the capacity of a probabilistic covert channel in the NRL Pump. We are able to compute the probability of a security violation as a function of time for various configurations of the system parameters (e.g. buffer sizes, moving average size, etc). Because of the model complexity, our results cannot be obtained using an analytical approach and, because of the low probabilities involved, it can be hard to obtain them using a simulator.

The commutative property of exponentiation that is necessary to model the Diffie-Hellman key exchange can lead to inefficiency when reasoning about protocols that make use of that cryptographic construct. In this paper we discuss the feasibility of approximating the commutative rule for exponentiation with a pair of rewrite rules, for which in unification-based systems, the complexity of the unification algorithm changes from at best exponential to at worst quadratic in the number of variables. We also derive and prove conditions under which the approximate model is sound with respect to the original model. Since the conditions make the protocol easier to reason about and less prone to error, they often turn out to be in line with generally accepted principles for sound protocol design.

Since the work of Coron ([Co99]) we are aware of Differential Power Analysis (DPA) as a tool used by attackers of elliptic curve cryptosystems. In 2003 Ebeid and Hasan proposed a new defense in the spirit of earlier work by Oswald/Aigner and Ha/Moon. Their algorithm produces a random representation of the key in binary signed digits. This representation translates into an addition-subtraction chain for the computation of multiplication by the key (on the elliptic curve). The security rests on the fact, that addition and subtraction are indistinguishable from a power analysis viewpoint. We introduce an attack on this new defense under the assumption that SPA is possible: The attacker has a method to detect the presence of an addition or subtraction at a particular bit position of the addition-subtraction chain, while he needs not to be able to discriminate between these. We make the embedded system execute a number N (may be as few as 100) of instances of the cryptoalgorithm with the secret key. For each bit of the key we record a statistic on the occurence of a nonzero digit at this position in the (internal) binary signed digits representation of the key. If the number N of executions is large enough, the statistic can be used to estimate the respective probability (for a nonzero digit of the random binray signed digits representation of the key at this particular position). These probabilities in turn allow to deduce the secret key.We then propose a second algorithm along the lines given by Ebeid and Hasan, which however, processes the bits in the other direction. One of us suggested that probabilistic switching between the two algorithms might provide better security. A closer analysis showed that exploiting the correlations between the power traces makes it possible to isolate a sufficient majority of executions of a particular one of the algorithms and to mount the attack.

Side channel attacks have been attracted by most implementers of cryptographic primitives. And Randomized Exponentiation Algorithm (REA) is believed to be a good countermeasure against them. This paper analyzes the security of the two well-known REAs, the Ha-Moon algorithm and the MIST algorithm. Finding the fact that the intermediate values are variable in two cases, this paper shows that Ha-Moon algorithm is not secure even when it deploys both randomized binary recording technique and branch removing technique for DPA and SPA, respectively. In addition, this paper analyzes the security of the MIST algorithm. Some adaptively chosen ciphertext attacker can lower the security deeply, which can be placed more below than Walter’s analysis.

In [HLS04a], Han et al. presented a nice overview of some side channel attacks (SCA), and some classical countermeasures. However, their proposed countermeasures against SCA are so inefficient that the efficiency of XTR with SCA countermeasures is at least 129 times slower than that of XTR without them. Thus they remained the construction of the efficient countermeasures against SCA as an open question. In this paper, we show that XTR can be also attacked by the modified refined power analysis (MRPA) and the modified zero-value attack (MZVA). To show validity of MRPA and MZVA on XTR, we give some numerical data of them.We propose a novel efficient countermeasure (XTR-RSE) against “SCAs”: SPA, Data-bit DPA, Address-bit DPA, Doubling attack, MRPA, and MZVA. We show that XTR-RSE itself without other countermeasures is secure against all “SCAs”. From our implementation results, if we compare XTR with ECC with countermeasures against “SCAs”, we think XTR is as suitable to smart-cards as ECC due to the efficiency of the proposed XTR-RSE.

The unauthorised use of mobile terminals may result in an abuse of sensitive information kept locally on the terminals or accessible over the network. Therefore, there is a need for security means capable of detecting the cases when the legitimate user of the terminal is substituted. The problem of user substitution detection is considered in the paper as a problem of classifying the behaviour of the person interacting with the terminal as originating from the user or someone else. Different aspects of behaviour are analysed by designated one-class classifiers whose classifications are subsequently combined. A modification of majority voting that takes into account some of the dependencies between individual classifiers is proposed as a scheme for combining one-class classifiers. It is hypothesised that by employing the proposed scheme, the classification accuracy may be improved as compared with the base majority voting scheme. The conducted experiments with synthetic data support this hypothesis.

NEMO (NEtworks in MOtion), currently being standardized under IETF, addresses issues such as connectivity, reachability and session continuity for nodes in a mobile network (i.e., the whole network or subnet moving from one Internet attached point to another). While the current NEMO basic proposal is based on the MobileIPv6 standard (and therefore, it is based on the security in MIPv6 as well) and relatively stable, in this paper, we study the security issues related to the NEMO basic protocol as well as its operation. After carefully analyzing various pieces of related standard protocols (for example, MIPv6 and IPsec) and their integration under the NEMO framework, we present here a list of interesting practical attacks against NEMO and their potential security damages. Finally, we examine two simple solutions to handle some of the attacks and describe their limitations.

The autonomous capabilities of Internet mobile agents are one of their great attractions, yet leave them at the mercy of ill-intending agent platforms. We have devised an infrastructural strategy that allows mobile agent users to delegate responsibility to a trusted third party for the safe management of mobile agents they deploy onto the Internet. Our infrastructural approach is based on a Mobile Agent Secure Hub (MASH) which is capable of providing a large number of security services for agent users and their deployed Internet mobile agents. For instance, the MASH can gather statistics on the track record of agent platforms in providing safe and reliable execution of agents. These publishable statistics act as a deterrent against maliciously behaving agent platforms, as some agent users would be hesitant to send their agents to platforms with unsound track records.

A mobile ad hoc network (MANET) is formed by a group of mobile wireless nodes, each of which functions as a router and agrees to forward packets for others. Many routing protocols (e.g., AODV, DSDV, etc) have been proposed for MANETs. However, most assume that nodes are trustworthy and cooperative. Thus, they are vulnerable to a variety of attacks. We propose a secure routing protocol based on DSDV, namely S-DSDV, in which a well-behaved node can successfully detect a malicious routing update with any sequence number fraud (larger or smaller) and any distance fraud (shorter, same, or longer) provided no two nodes are in collusion. We compare security properties and efficiency of S-DSDV with superSEAD. Our analysis shows that S-DSDV-R, a variation of S-DSDV with a risk window similar to that of superSEAD, offers better security than superSEAD with less network overhead.

The problem of minimizing the amount of secret information (secret bits) required for certain key management schemes is addressed. It is important to note that the secret storage minimization originates from the fact that this storage should be both read-proof and tamper-proof. The proposed minimization of the secret storage at the user’s side is based on an appropriate trade-off between the required public storage and the processing complexity. As the main components, two methods are proposed for assigning multiple roles to the same secret key bits, and both of them require only simple operations implying a high implementation efficiency. The first proposed one-way mapping is based on certain sequence comparison issues and the second one follows the model of a communication channel with erasures. Employment of a proposed mapping method in two computationally secure key management schemes for the broadcast encryption SD and LSD is considered and the modified versions of these schemes with minimized secret storage requirements are proposed. The main overheads of the original and the modified SD and LSD based schemes are compared and the advantages of the modified schemes are pointed out. Also, it is shown that the proposed secret to public storage exchange preserves the security of the original SD and LSD schemes.

In this paper, we analyze the generalized self-shrinking generator newly proposed in [8]. Some properties of this generator are described and an equivalent definition is derived, after which two attacks are developed to evaluate its security. The first attack is an improved clock-guessing attack using short keystream with the filter function (vector G) known. The complexity of this attack is O(20.694n), where n is the length of the LFSR used in the generator. This attack shows that the generalized self-shrinking generator can not be more secure than the self-shrinking generator, although much more computations may be required by it. Our second attack is a fast correlation attack with the filter function (vector G) unknown. We can restore both the initial state of the LFSR with arbitrary weight feedback polynomial and the filter function (vector G) with complexity much lower than the exhaustive search. For example, for a generator with 61-stage LFSR, given a keystream segment of 217.1 bits, the complexity is around 256, which is much lower than 2122, the complexity of the exhaustive search.

“Algebraic Cryptanalysis” against a cryptosystem often comprises finding enough relations that are generally or probabilistically valid, then solving the resultant system. The security of many schemes (most important being AES) thus depends on the difficulty of solving multivariate polynomial equations. Generically, this is NP-hard.The related methods of XL (eXtended Linearization), Gröbner Bases, and their variants (of which a large number has been proposed) form a unified approach to solving equations and thus affect our assessment and understanding of many cryptosystems.Building on prior theory, we analyze these XL variants and derive asymptotic formulas giving better security estimates under XL-related algebraic attacks; through this examination we have hopefully improved our understanding of such variants. In particular, guessing a portion of variables is a good idea for both XL and Gröbner Bases methods.

In 2002, Murphy and Robshaw introduced an extension BES of AES and argued this could compromise the security of AES. We introduce here two block-ciphers CES and Big-BES that are some extensions of the AES and BES respectively in the spirit of Hensel lifting extensions. They are defined similarly to the AES respectively BES except that every operations are performed in a ring structure including the field GF(28). We show that the AES and BES can be embedded in their extensions. More precisely, by restricting these extensions on a given subset, we obtain a fully equivalent description of the AES and BES. Furthermore, we show that these natural extensions are trivially weak by describing a cryptanalysis of them despite it leads to no consequence about the security of AES or BES. This shows that (except the nice mathematical construction) the Murphy-Robshaw extension might be pointless.

Clock control sequence reconstruction is an important phase in the cryptanalysis of irregularly clocked Linear Feedback Shift Registers(LFSRs). The methods of reconstruction proposed so far have been designed to work in the known plaintext attack scenario, i.e. without noise. We present a clock control reconstruction procedure intended to function in the ciphertext only attack scenario. The reconstruction is performed by a directed depth-first like search through the edit distance matrix. The directedness of the search is achieved by gradually increasing the permitted weight deviation from the optimal one, and by limiting it according to the noise level in the statistical model of the generator. The experimental results show that the total number of candidate clock control sequences increases moderately as the probability of noise and/or the necessary clock control sequence length increase. The attack is effective even if the noise level is relatively high and the solution is guaranteed to be found.

At Crypto 2000, the public-key system XTR was introduced by Lenstra and Verheul. This system uses an efficient and compact method to represent subgroup elements. Application of XTR in cryptographic protocols, such as Diffie-Hellman key agreement, El Gamal encryption or DSA signature, greatly reduces the computational cost without compromising security. XTR in the presence of a fault, i.e. when processing under unexpected conditions, has never been studied. This paper presents four different fault analyses and shows how an error during the XTR exponentiation can be exploited by a malicious adversary to recover a part or the totality of the secret parameter. Countermeasures are also presented to counteract fault attacks. They are very simple to implement and induce a negligible performance penalty in terms of both memory and time.

E-mail system has become one of the most important and popular Internet services. Instead of using traditional surface mail, we have the alternative of employing e-mail system which provides a reliable and efficient message delivery. However, in the electronic era, privacy, data integrity, and authentication requirements turn out to be especially unavoidable. Secure e-mail system specifications and software developments have been widely discussed in the past decade. Among which OpenPGP is a widespread and well known specification, and PGP becomes a famous implementation. But only limited security analyses on both theoretical and practical aspects about secure e-mail system has been considered previously. In this paper, new chosen ciphertext attacks against the latest version of OpenPGP are proposed with detailed analysis. Furthermore, a new vulnerability due to system version backward compatibility will be pointed out.

In this paper we propose a new strong and perfectly key-insulated signature scheme, more efficient than previous proposals and whose key length is constant and independent of the number of insulated time periods. Moreover, unlike previous schemes, it becomes forward-secure when all the existing secrets at a given time period are compromised. We also present a variant forward-secure scheme in which an adversary needs to compromise a user at a second time period before being able to compute future secret keys.

At EUROCRYPT 2004, Boneh and Boyen [5] proposed a new hierarchical identity-based (ID-based) encryption (HIBE) scheme provably selective-ID secure without random oracles. In this paper we propose a new hierarchical ID-based signature that shares the same system parameters with their hierarchical ID-based encryption scheme (BB-HIBE). BB-HIBE and our signature scheme yield a complete ID-based public key cryptosystem. To the best of the authors’ knowledge, our scheme is the first provably secure hierarchical ID-based signature scheme (HIBS) and is also the first ID-based signature scheme working with the BB-HIBE. The scheme is provably secure against existential forgery for selective-ID, adaptive chosen-message-and-identity attack (EF-sID-CMIA) in the random oracle model, and have a good exact security under adaptive chosen-message attack. As a bonus result, we extend our HIBS scheme into a new forward-secure signature scheme.

Designated verifier signatures were introduced in the middle of the 90’s by Jakobsson, Sako and Impagliazzo, and independenty patended by Chaum as private signatures. In this setting, a signature can only be verified by a unique and specific user. At Crypto’03, Desmedt suggested the problem of generalizing the designated verifier signatures. In this case, a signature should be intended to a specific set of different verifiers. In this article, we provide a formal definition of multi-designated verifiers signatures and give a rigorous treatment of the security model for such a scheme. We propose a construction based on ring signatures, which meets our definition, but does not achieve the privacy of signer’s identity property. Finally, we propose a very efficient bi-designated verifiers signature scheme based on bilinear maps, which protects the anonymity of signers.

Recently, there is an increase in the number of group communication applications which support multiple service groups of different access privileges. Traditional access control schemes for group applications assume that all the group members have the same access privilege and mostly focus on how to reduce rekeying messages upon user joining and leaving. Relatively little research effort has been spent to address security issues for group communications supporting multiple access privileges. In this paper, we propose a dynamic access control scheme for group communications which support multiple service groups with different access privileges. Our scheme allows dynamic formation of service groups and maintains forward/backward security when users switch service groups.

This paper proposes an efficient authentication scheme for multicast packets using Recovery Information in Signature (RIS) to provide source authentication. The problems of the existing schemes are as follows: TESLA requires time synchronization between the sender and the receiver, and hash-based schemes have high communication overheads due to additional hash values and require many buffers and delay for verification on receivers. Our main focus is reducing the buffer size, communication, and computation burden of the receiver. The proposed scheme in this paper is highly robust to packet loss using the recovery layer based on XOR operation. It also provides low communication overhead, low verification cost, non- repudiation of the origin, immediate verification, and robustness against DoS attack on the receiver.

In this paper we explore restricted delegation of searches on encrypted audit logs. We show how to limit the exposure of private information stored in the log during such a search and provide a technique to delegate searches on the log to an investigator. These delegated searches are limited to authorized keywords that pertain to specific time periods, and provide guarantees of completeness to the investigator. Moreover, we show that investigators can efficiently find all relevant records, and can authenticate retrieved records without interacting with the owner of the log. In addition, we provide an empirical evaluation of our techniques using encrypted logs consisting of approximately 27,000 records of IDS alerts collected over a span of a few months.

In today’s digital world digital information is ubiquitous and threats against it proliferate. Therefore, one of the most important challenges facing us is that of providing secure enforcement of rights of access to, and usage of, this information. Self-protecting information objects have significant relevance in this context. A self-protecting information object has the ability to allow us to define access rules, to manage access to its information content in accordance with these rules, to protect its contained information against unauthorized access, and to update and modify these rules with ease. This means that such an object must be able to deal with attacks by both unauthorized users and authorized users seeking unauthorized access and usage. This paper describes and analyses a model of Rights-Carrying and Self-Enforcing Information Objects (SEOs) for Digital Rights Management (DRM) for a secure information distribution system that carry with them access and usage rights and themselves enforce these rights, preserving their confidentiality and integrity. The model was originally developed as part of the distributed DRM model for an information distribution system for the net-based learning project in Norwegian schools.