Jonathan Katz

A pairwise key predistribution scheme for wireless sensor networks

To achieve security in wireless sensor networks, it is important to be able to encrypt and authenticate messages sent between sensor nodes. Before doing so, keys for performing encryption and authentication must be agreed upon by the communicating parties. Due to resource constraints, however, achieving key agreement in wireless sensor networks is nontrivial. Many key agreement schemes used in general networks, such as Diffie-Hellman and other public-key based schemes, are not suitable for wireless sensor networks due to the limited computational abilities of the sensor nodes. Predistribution of secret keys for all pairs of nodes is not viable due to the large amount of memory this requires when the network size is large.In this paper, we provide a framework in which to study the security of key predistribution schemes, propose a new key predistribution scheme which substantially improves the resilience of the network compared to previous schemes, and give an in-depth analysis of our scheme in terms of network resilience and associated overhead. Our scheme exhibits a nice threshold property: when the number of compromised nodes is less than the threshold, the probability that communications between any additional nodes are compromised is close to zero. This desirable property lowers the initial payoff of smaller-scale network breaches to an adversary, and makes it necessary for the adversary to attack a large fraction of the network before it can achieve any significant gain.

Toward secure key distribution in truly ad-hoc networks

Ad-hoc networks - and in particular wireless mobile ad-hoc networks

Chosen-Ciphertext Security from Identity-Based Encryption

have unique characteristics and constraints that make traditional cryptographic mechanisms and assumptions inappropriate. In particular it may not be warranted to assume pre-existing shared secrets between members of the network or the presence of a common PKI. Thus, the issue of key distribution in ad-hoc networks represents an important problem. Unfortunately, this issue has been largely ignored; as an example, most protocols for secure ad-hoc routing assume that key distribution has already taken place. Traditional key distribution schemes either do not apply in an ad-hoc scenario or are not efficient enough for small, resource-constrained devices. We propose to combine efficient techniques from identity-based (ID-based) and threshold cryptography to provide a mechanism that enables flexible and efficient key distribution while respecting the constraints of ad-hoc networks. We also discuss the available mechanisms and their suitability for the proposed task.

Signing a Linear Subspace: Signature Schemes for Network Coding

We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes secure against adaptive chosen-ciphertext attacks) based on any identity-based encryption (IBE) scheme. Our constructions have ramifications of both theoretical and practical interest. First, our schemes give a new paradigm for achieving CCA-security; this paradigm avoids “proofs of well-formedness” that have been shown to underlie previous constructions. Second, instantiating our construction using known IBE constructions we obtain CCA-secure encryption schemes whose performance is competitive with the most efficient CCA-secure schemes to date. Our techniques extend naturally to give an efficient method for securing IBE schemes (even hierarchical ones) against adaptive chosen-ciphertext attacks. Coupled with previous work, this gives the first efficient constructions of CCA-secure IBE schemes.

Signature Schemes with Bounded Leakage Resilience

Network coding offers increased throughput and improved robustness to random faults in completely decentralized networks. In contrast to traditional routing schemes, however, network coding requires intermediate nodes to modify data packets en route ; for this reason, standard signature schemes are inapplicable and it is a challenge to provide resilience to tampering by malicious nodes. We propose two signature schemes that can be used in conjunction with network coding to prevent malicious modification of data. Our schemes can be viewed as signing linear subspaces in the sense that a signature *** on a subspace V authenticates exactly those vectors in V . Our first scheme is (suitably) homomorphic and has constant public-key size and per-packet overhead. Our second scheme does not rely on random oracles and is based on weaker assumptions. We also prove a lower bound on the length of signatures for linear subspaces showing that our schemes are essentially optimal in this regard.

Efficiency improvements for signature schemes with tight security reductions

A leakage-resilient cryptosystem remains secure even if arbitrary, but bounded, information about the secret key (and possibly other internal state information) is leaked to an adversary. Denote the length of the secret key by n . We show: A full-fledged signature scheme tolerating leakage of n *** n *** bits of information about the secret key (for any constant *** > 0), based on general assumptions. A one-time signature scheme, based on the minimal assumption of one-way functions, tolerating leakage of

Ring Signatures: Stronger Definitions, and Constructions without Random Oracles

(\frac{1}{4}-\epsilon) \cdot n

Secure remote authentication using biometric data

bits of information about the signers entire state. A more efficient one-time signature scheme, that can be based on several specific assumptions, tolerating leakage of

On the efficiency of local decoding procedures for error-correcting codes

(\frac{1}{2}-\epsilon) \cdot n

Parallel and concurrent security of the HB and HB + protocols

bits of information about the signers entire state. The latter two constructions extend to give leakage-resilient t -time signature schemes. All the above constructions are in the standard model.