1 / 48

Evolutions and researches on group key agreement (GKA) protocols

Explore the evolution and research on group key agreement (GKA) protocols, covering topics such as GKA resistant to insider attacks, protocols for imbalanced networks, and pairing-based GKA. Discover famous problems like Fermat's Last Theorem and their relevance to cryptography. Delve into personal experiences and advancements in GKA protocols for various cryptographic systems. This comprehensive overview includes definitions, evolutions, and applications of key agreement protocols in different networking environments.

sbahe
Download Presentation

Evolutions and researches on group key agreement (GKA) protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Evolutions and researches on group key agreement (GKA) protocols Yuh-Min TsengInformation Security Lab. (ISL) Department of Mathematics NCUEE-mail: ymtseng@cc.ncue.edu.tw http://ymtseng.math.ncue.edu.tw

  2. Outline • 1. Finding Problems • 2. Definitions and evolutions of problems • 3. Research approaches and related works • 4. Problem 1: GKA protocol resistant to insider attacks • 5. Problem 2: GKA protocol for imbalanced networks • 6. Problem 3: Pairing-based (ID-based) GKA protocol • 7. Conclusions

  3. 1. Finding problems • Assigned by your advisor • Research trend for some problems or applications • Referee of manuscripts submitted to Conferences or Journals • Open / Un-solving problems (Famous problems) • Self-finding problems (Important !) • Seminars • Conferences: New • Journals: Complete • Some experts’ web-sites • Livelihood problems (To solve some practical problems) Periodical downloading papers of relatedConferences and Journals

  4. 1. Finding problems => Famous problems Pythagoras(-572 ~ -492) x2+y2=z2 , right triangle Fermat’s Little Theorem ? for all primes p and 1≦a≦p-1, ap-1≡ 1 (mod p) Fermat(1601-1665) Fermat's conjectures? Fermat’s Last Theorem ? I have obtained a perfect proof, but no space to write it ? xn+yn=zn , n>2 No positive integer solutions

  5. 1. Finding problems => Famous problems Fermat’s Little Theorem Euler Theorem Proof: a corollary of Euler’s theorem for all primes p and 1≦a≦p-1, ap-1≡ 1 (mod p) Euler(1707-1783) Wiles Proof Fermat’s Last Theorem 370 years Based on many previous theorems and conjectures xn+yn=zn , n>2 No positive integer solutions Wiles (1993) Taylor (1995, complete)

  6. 1. Finding problems => Fermat Little Theorem Public key primitiveness in Cryptography • Euler Theorem: for all aZn*, a(n)≡1 (mod n) • Euler’s Totient Function (n) = |Zn*| =the number of positive integers lessthan n and relatively prime to n • Fermat’s Little Theorem:for all primes p, 1≦a≦p-1, ap-1 ≡ 1 (mod p) • Proof: a corollary of Euler’s theorem since (p)=p-1 and gcd(a,p)=1 for 1≦a≦p-1. • Both theorems are useful in public key systems (RSA, DSA, and ElGamal)andPrimality testing.

  7. 1. Finding problems => Fermat Last Theorem One conjecture => Fermat Last Theorem • History • Fermat (n=4), Euler (n=3), Gauss (n=3, complete) • Legendre (n=5) => Legendre Symbol (Primality test) • Dirichlet (n=14), Lame (n=7), Kummer (1810 - 1893)(n<100) • ……….. • Wolfskehl (1908, Offering $100000 Marks bonus) • Taniyama-Shimura theorem/conjecture (1960): Relationships => Fermat last theorem, Elliptic Curve and modular forms • Wiles (1993, 1995):A proof ofFermat last theorem • Based on Taniyama-Shimura theorem/conjecture Elliptic Curve Cryptography (ECC, Secure and Efficient)

  8. 1. Finding problems => Fermat Last Theorem A. Wiles: Modular elliptic curves and Fermat's Last Theorem, Annals of Mathematics 141 (1995), pp. 443-551, => 1998 Fields Medal (Specific Award, 44 years old) R.Taylor and A.Wiles: Ring theoretic properties of certain Hecke algebras, Annals of Mathematics 141 (1995), pp. 553-572

  9. 1. Finding problems => Famous problems • Fermat’s anotherconjecture:Fn=22n+1 is prime • F1=5, F2=17, F3=257, F4=65537 • Error => F5=641*6700417 • Mersenne prime (1588-1648): 2p-1 is prime => p is prime • 22-1=3, 23-1=7, 25-1=31, 27-1=127 • Error => 211-1=23*89 • GIMPS: The Great Internet Mersenne Prime Search • 44 thMersenne prime (2006, September 4) • 232582757 -1 = Known large prime (9,808,358 decimal digits) • 10,000,000 decimal digits => US$100,000

  10. 1.Finding problems => Personal experiences Group key agreement protocols • Deep: Focusing on one issue deeply • Broad: Understanding related issues • Two-party key agreement protocols • Group (Conference, multi-party) key establishment • Conference key distribution protocols • Group key agreement (GKA) protocols • Resource-limited devices: Elliptic Curve • Imbalanced network (WLAN, Cellular network) • Mobile Ad Hoc networks • Sensor networks • Based on various cryptographic systems(ID-based, Pairing) Co-assistive

  11. 2. Definitions and evolutions of problems => Diffie-Hellman key exchange (1976) (1) Randomly select a,Compute Ya=ga mod p (1) Randomly select b,Compute Yb=gb mod p (2) Ya Bob Alice (2*) Yb (3*) Compute Yba=(Ya)b mod p (3) Compute Yab=(Yb)a mod p • DH-scheme provides two-party key agreement • Global parameters: (g, p) • p: a large prime, say, 1024-bit long • g: a generator for group Zp* Discrete logarithm problem K=Yab=Yba=gab mod p

  12. Group key establishment protocol allows users to construct a group key that is used to encrypt/decrypt transmitted messages among the users over an open communication channel. Categories: Group key distribution there is a chairman who is responsible for generating a common key and then securely distributing this group key to the other users. Group key agreement involves all users cooperatively constructing a group key. 2. Definitions and evolutions of problems

  13. 2. Definitions and evolutions of problems=> Categories Group key distribution Group key agreement U2 U3 U2 U3 U1 Chair/key U4 U1 key U4 …… …… Un U5 Un U5 Easy issue Challenging issue

  14. Four research approaches Concurrent Ring (1982, Ingemarsson et al.) First group key agreement Linear Ring + 1 Broadcast (many protocols) Binary Tree (many protocols) Broadcast (many protocols) 2. Definitions and evolutions of problems => Group key agreement Parallel processors

  15. First group key agreement 2. Definitions and evolutions of problems => (1)Concurrent Ring (1982, Ingemarsson et al.) x2 U2 U2 gx1x2 gx1 gx2 gx1x3 U1 U3 x1 U1 U3 gx3 x3 gx2x3 U2 gx1x2x3 gx1x2x3 gx1x2x3 U1 U3 Note: n participants 1. It requires (n-1) rounds 2. Concurrent Easy ? How to devise ?

  16. 2. Definitions and evolutions of problems=> (2) Linear Ring + 1 Broadcast ……………… U1 U2 Un-1 Broadcast Un • Concept: (many protocols, 2002) Note: n participants 1. It requires (n-1) rounds 2. Ui must sends i messages

  17. 2. Definitions and evolutions of problems=> (3)Binary Tree ggx1x2 gx3x4 ggx3x4 ggx1x2 gx3x4 gx1x2 gx3 gx4 gx1 gx2 U2 U1 U3 U4 x1 x2 x3 x4 • Concept: Button-up (many protocols, 2005) Note: n participants 1. It requires log nrounds 2. Semi-concurrent

  18. 2. Definitions and evolutions of problems=> (4)Broadcast • Burmester and Demedt (1994, 2005) Step 1 (Round 1) Ui (1≤ i ≤ n): Keeps xi secret broadcasts yi=gxi mod p Step 2 (Round 2) Ui (1≤ i ≤ n): broadcasts zi=(yi+1/ yi-1)xi mod p Step 3 Each Ui computes common key K …… U1 U1 Un Broadcast channel

  19. Burmester and Demedt (1994) Non-authenticated: requires a secure authenticated broadcast channel (2005, IPL) They provide a complete proof. Research approaches based on BD scheme Authenticated Performance Security properties 3. Research approaches and related works=> Burmester and Demedt scheme

  20. Authenticated: based on different cryptographic systems General Public-key system (RSA, DSA, or ElGamal) Password-based ID-based (Weil pairing and Elliptic curve) Performance: Number of Rounds Message size sent by each participant Computational cost required for each participant Security properties: Withstanding impersonator attacks Providing forward secrecy Resisting malicious participant (Insider) attacks (New) 3. Research approaches and related works=> Three approaches

  21. 3. Research approaches and related works => History and remarks [1]Diffie-Hellman – 1976 (Two- party) First key agreement [2] Ingemaresson - 1982 First group key agreement [3,4] BD – 1994 and 2005 Efficient and Proof Performance [5, 15] Authenticated [6,8,9,10,16-19] Transformation to authenticated [7,11] Malicious participant [12, 13, 14]

  22. 3. Research approaches and related works => History and remarks Performance [5, 15] Transformation to authenticated [7,11] Malicious participant [12, 13, 14] Authenticated [6,8,9,10,16-19] [5] Horng – 2001 Comp. Efficient [6,8] 2002, 2003 Round Efficient [7] Katz – 2003 First Transformation [12]Tang – 2005 Attack it. Insider attack [15] Jung – 2006 Dynamic case (Join/leave) [16] Abdalla – 2006 Password-based [11] Tang – 2005 Round Efficient [9, 17,18] 2004, 2005. ?????? ID-based (Pairing) [10] Tan – 2005 Batch-verification [14] Tseng – 2005 Insider attack [13] Katz – 2005 Insider attack [19] Tseng – 2007 Insider attack

  23. 3. Research approaches and related works => Related papers • [1] Diffie, W. and Hellman, M.E. (1976) New directions in cryptography. IEEE Trans. on Infom. Theory, 22, 644-654. • [2] Ingemaresson, I., Tang, T.D. and Wong, C.K. (1982) A conference key distribution system. IEEE Trans. Infom. Theory, 28, 714-720. • [3] Burmester, M. and Desmedt, Y. (1994) A secure and efficient conference key distribution system. Advances in Cryptology - Proceedings of Eurocrypt’94,Perugia, Italy, 9-12 May, LNCS 950, pp. 275-286, Springer-Verlag, Berlin. • [4] M. Burmester and Y. Desmedt (2005) A secure and scalable group key exchange system, Information Processing Letters, vol. 94, pp. 137-143, 2005. • [5] G. Horng (2001) An efficient and secure protocol for multi-party key establishment, The Computer Journal 44 (5) (2001) 463-470. • [6] W. G. Tzeng (2002) A secure fault-tolerant conference-key agreement protocol, IEEE Trans. on Computers 51 (4) (2002) 373-379. • [7] Katz, J. and Yung, M. (2003) Scalable Protocols for Authenticated Group Key Exchange. Advances in Cryptology - Proceedings of Crypto’03, Santa Barbara, CA, 17-21 August, LNCS 2729, pp. 110-125, Springer-Verlag, Berlin. • [8] Boyd, C. and Nieto, G. (2003) Round-Optimal Contributory Conference Key Agreement. Proc. Public-Key Cryptography’03, Miami, USA, 6-8 January, LNCS 2567, pp. 161-174, Springer-Verlag, Berlin.

  24. 3. Research approaches and related works => Related papers • [9] X. Yi (2004)Identity-Based Fault-Tolerant Conference Key Agreement, IEEE TRANS. ON DEPENDABLE AND SECURE COMPUTING, VOL. 1, NO. 3, pp.170-178, JULY-SEPTEMBER 2004. • [10] C. Tan and J. Teo, (2005) An Authenticated Group Key Agreement for Wireless Networks, IEEE Communications Society, WCNC 2005, pp.2100-2105. • [11] Q. Tang and C. J. Mitchell, (2005) Efficient Compilers for Authenticated Group Key Exchange, Computational Intelligence and Security: International Conference, CIS 2005, Xi'an, China, December 15-19 2005, Proceedings, Part II, Springer-Verlag LNCS 3802, Berlin (2005), pp.192-197. • [12] Q. Tang and C. J. Mitchell (2005) Security properties of two authenticated conference key agreement protocols' (pdf), in: S. Qing, W, Mao, J. Lopez, and G. Wang (eds.), Information and Communications Security: 7th International Conference, ICICS 2005, Beijing, China, December 10-13, 2005. Proceedings, Springer-Verlag LNCS 3783, Berlin (2005), pp.304-314. • [13] J. Katz, J. S. Shin (2005) Modeling Insider Attacks on Group Key Exchange Protocols. ACM Conference on Computer and Communications Security2005, pp. 180-189 . • [14] Tseng, Y.M. (2005) A robust multi-party key agreement protocol resistant to malicious participants. The Computer Journal, 48, 480-487.

  25. 3. Research approaches and related works => Related papers • [15] B. E. Jung (2006) An Efficient Group Key Agreement Protocol, IEEE communications letters, vol.10, no. 2, pp. 106-107, Feb. 2006 • [16] M. Abdalla, E. Bresson, O. Chevassut, D. Pointcheval (2006) Password-based Group Key Exchange in a Constant Number of Rounds, PKC2006, LNCS 3958, pp.427-442. • [17] K. Y. Choi, J. Y. Hwang and D. H. Lee, “Efficient ID-based Group Key Agreement with Bilinear Maps”, 2004 International Workshop on Practice and Theory in Public Key Cryptography (PKC2004). • [18]Y. Shi, G. Chen, and J. Li,” ID-Based One Round authenticated Group Key Agreement Protocol with Bilinear Pairings”, Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC’05), 2005. • [19] Y.M. Tseng, “A communication-efficient and fault-tolerant conference-key agreement protocol with forward secrecy”, Journal of Systems and Software, , 2006, Accepted and to appear. • [20]Y.M. Tseng, “A secure authenticated group key agreement protocol for resource-limited mobile devices”, The Computer Journal, Vol.50, No.1, pp. 41-52, 2007.

  26. 3. Research approaches and related works => Finding worth-to-work problems Keep cranky and thinking continuously !!! • Finding solutions: • Writing a research paper or patent • Developing application systems • Keeping a research record (Important !!) • Finding new problems => solutions • It could be a good approach/technique. • In the future, it is possible to adopt it for other applications or problems.

  27. Problem 1: Malicious participant (Insider) attack The malicious legal participant broadcasts a wrong message todisrupt the conference key establishment The proposed protocol must find who are the malicious participants Problem 2: Imbalanced wireless networks Resource-limited PDA, Smart phone, or UMD (Ultra mobile device) It is a flexible approach to shift the computational burden to the powerful node and reduce the computational cost of mobile nodes Problem 3: Pairing-based (ID-based) public-key system Practical ID-based public-key system (Elliptic Curve) 2001, New 3. Research approaches and related works => Finding worth-to-work problems

  28. 4. Problem 1: GKA protocol resistant to insider attacks • Motivation and finding a solution • All related GKA protocols based on the BD scheme suffer from insider attacks. • Some secure conferences must be held prior to a special time, such as military applications, rescue missions and emergency negotiations. • Related papers: (2005) • [14] Y.M. Tseng (2005)A robust multi-party key agreement protocol resistant to malicious participants. The Computer Journal, 48, 480-487. (2006, Wilkes Award) • [12] Q. Tang and C. J. Mitchell (2005) Security properties of two authenticated conference key agreement protocols', in: S. Qing, W, Mao, J. Lopez, and G. Wang (eds.), Information and Communications Security: 7th International Conference, ICICS 2005, Beijing, China, December 10-13, 2005. Proceedings, Springer-Verlag LNCS 3783, Berlin (2005), pp.304-314. • [13] J. Katz, J. S. Shin (2005) Modeling Insider Attacks on Group Key Exchange Protocols. ACM Conference on Computer and Communications Security2005, pp. 180-189.

  29. 4. Problem 1: GKA protocol resistant to insider attacks • Insider attacks (Malicious participants) on BD scheme Step 1 (Round 1) Ui (1≤ i ≤ n): Keeps xi secret broadcasts yi=gxi mod p Step 2 (Round 2) Ui (1≤ i ≤ n, ij): broadcasts zi=(yi+1/ yi-1)xi mod p Uj broadcastsa random value zj Step 3 Each Ui compute different key K …… U1 U1 Un Broadcast channel Who is the malicious participant ?

  30. 4. Problem 1: Solution GKA protocol resistant to insider attacks Step 1 (Round 1)Ui (1≤ i ≤ n): Keep xi secret broadcasts yi=gxi mod p Step 2 (Round 2) Step 3Ui (1≤ i ≤ n) checks and computes K Zi is computed correctly”

  31. 4. Problem 1: GKA protocol resistant to insider attacks • Security Proofs • Assumption 1: Decision Diffie-Hellman Problem • Theorem 1: The proposed GKA protocol is secure against passive attacks • Theorem 2: The proposed GKA protocol is secure against insider attacks • Discussions • Based on BD scheme, first protocolwith resisting to insider attacks • In fact, the proposed GKA protocol can be applied to other group key agreement protocolswith t-round (t>1) to withstand insider attacks. (Reviewer comments) • Expanding to authenticated (Tseng, 2007, JSS)

  32. 5. Problem 2: GKA protocol for imbalanced wireless networks • Motivation and finding a solution • Resource-limited devices: PDA, Cellular phone, or UMD (Ultra mobile device) • It is a flexible approach to shift the computational burden to the powerful node and reduce the computational cost of mobile nodes • Related papers: • Bresson, E. Chevassut, O., Essiari, A. and Pointcheval, D. (2004) Multual authentication and group key agreement for low-power mobile devices. Computer Communications, 27, 1730-1737. • Nam, J., Kim, S., and Won, D. (2005) A weakness in the Bresson-Chevassut-Essiari-Pointcheval's group key agreementscheme for low-power mobile devices. IEEE Communications Letters, 9, 429-431. • Nam, J., Kim, S., and Won, D. (2005) DDH-based group key agreementin a mobile environment. The Journal of Systems and Software, 78, 73-83. • Y.M. Tseng (2007)“A secure authenticated group key agreement protocol for resource-limited mobile devices”, The Computer Journal, Vol.50, No.1, pp. 41-52.

  33. 5. Problem 2: GKA protocol for imbalanced wireless networks • Weaknesses of Bresson et al.’s Protocol (2004) • Without forward secrecy • Without key authentication • Not a contributory key agreement • Weaknesses of Nam et al. ‘s Protocol (2005) • It provides a authenticated protocol based on the Katz-Yung transformation [7] (2003). (Time-consuming) • In this case, computational cost is expensive for mobile device • Not a contributory key agreement

  34. 5. Problem 2: GKA protocol for imbalanced wireless networks • Goal: • A real contributory key agreement protocol(Proof) • Authenticated GKA protocol • The proposed protocol must be well suited for mobile devices with limited computing capability. • Some related issues and knowledge • Give an example to prove that both Bresson et al.’s and Nam et al. ‘s protocols are not contributory key agreement. • Given a complete proof to show our proposed protocol is a real contributory key agreement. • Understanding the computing capability of mobile devices such as PDA.

  35. 5. Problem 2: GKA protocol for imbalanced wireless networks • Security Proofs • Theorem 1: It is a contributory group key agreement protocol • Theorem 2: Against passive adversary • Lemma 1, Lemma 2, and Theorem 3: Against impersonator’s attack • Theorem 4: Implicit key authentication • Theorem 5: Forward secrecy • Discussions • Comparisons: Computational cost and security properties • This is first protocol which provides the proof of contributory group key agreement • A simulation result shows that the proposed protocol is well suited for mobile devices with limited computing capability.

  36. 5. Problem 2: GKA protocol for imbalanced wireless networks • Some other possible problems and future works • Possible inherent problems of a powerful node • Communication Bottleneck • Single point fail • Trust • Lower bound of the communication cost in a contributory group key agreement for imbalanced networks.=> Optimal solution .

  37. 6. Problem 3: Pairing-based (ID-based) GKA protocol • Motivation and finding a problem • Based on Factoring problem • Shamir (1984) • ID=> Name, ymtseng@cc.ncue.edu.tw and some other information. • The motivation is to simplify certificate management • However, it is not practical. • Based onBilinear Diffie-Hellman assumption • In 2001, D. Boneh and M. Franklin presented first ID-based encryption scheme. • Afterwards, it is a important issue for cryptography research. • Question: If you focus on this topic, what knowledge should you prepare and own ?

  38. 6. Problem 3: Pairing-based (ID-based) GKA protocol • Related knowledge: • Elliptic curve • Bilinear Pairing (Weil pairing and Tate pairing) • Less books focus on this cryptographic systems • ID-based cryptographic protocols • ID-basedsignature (batch, threshold, blind, …) • ID-basedencryption (Broadcast, authenticated) • ID-basedtwo-party key agreement/authentication • Fast pairing computation • ID-based authenticatedGroup key agreement

  39. 6. Problem 3: Pairing-based (ID-based) GKA protocol • Related papers of ID-based signature/encryption • D. Boneh and M. Franklin, "Identity based encryption from the Weil pairing," Crypto 2001, LNCS 2139, pp.213--229, Springer-Verlag, 2001. • D. Boneh and M. Franklin, "Identity based encryption from the Weil pairing," SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. • D. Boneh, B. Lynn and H. Shacham, "Short signature from Weil pairing," Asiacrypt 2001, LNCS 2248, pp. 514--532, Springer-Verlag, 2001. • K. Paterson. ID-based Signatures from Pairings on Elliptic Curves. Electronics Letters, Vol. 38, No. 18, pp. 1025{1026, 2002. • F. Hess, "Efficient identity based signature schemes based on pairings," SAC 2002, LNCS 2595, pp. 310--324, Springer-Verlag, 2003. • J. C. Cha and J. H. Cheon, "An identity-based signature from gap Diffie-Hellman groups," PKC 2003, LNCS 2567, pp. 18--30, Springer-Verlag, 2003. • Yoon H. J., Cheon J. H., Kim Y. Batch verifications with ID-based signatures. Proc. ICISC‘2004, December 2–3, Seoul, Korea Berlin Springer-Verlag pp. 233–248, LNCS 3506, 2005. • N. Koblitz and A. Meneze, "Pairing-based cryptography at high security levels," Cryptography and Coding: 10th IMA International Conference, LNCS 3796, pp. 13--36, Springer-Verlag, 2005. • S. Cui, P. Duan, C. W. Chan, An efficient identity-based signature scheme with batch verifications, Proceedings of the 1st international conference on Scalable information systems , Article No. 22, May 30 - June 01, 2006

  40. 6. Problem 3: Pairing-based (ID-based) GKA protocol • Related papers of ID-based key agreement/authentication • NP Smart. An identity based authenticated key agreement protocol based on the Weil pairing. Electronics Letters, volume 38 (13): 630--632, June 2002 . • L. Chen and C. Kudla , Identity Based Authenticated Key Agreement Protocols from Pairings, 16th IEEE Computer Security Foundations Workshop (CSFW'03), 2003, p. 219 • Y. Wang. Efficient identity-based and authenticated key agreement protocol. Cryptology ePrint Archive, Report 2005/108. • G. Xie. An ID-based key agreement scheme from pairing. Cryptology ePrint Archive, Report 2005/093. • Q. Yuan and S. Li. A new efficient ID-based authenticated key agreement protocol. Cryptology ePrint Archive, Report 2005/309. • L. Chen, Z. Cheng, and N.P. Smart, Identity-based Key Agreement Protocols From Pairings, http://grouper.ieee.org/groups/1363/IBC/submissions/Chen-IBE.pdf(Good-survey)2006. • X. Yi, Identity-Based Fault-Tolerant Conference Key Agreement, IEEE TRANS. ON DEPENDABLE AND SECURE COMPUTING, VOL. 1, NO. 3, pp.170-178, JULY-SEPTEMBER 2004. • M. Das, A. Saxena, A. Gulati, and D. Phatak A novel remote user authentication scheme using bilinear pairings, Computers & Security, Volume: 25, Issue: 3, May, 2006, pp. 184-189

  41. 6. Problem 3: Pairing-based (ID-based) GKA protocol • Goal: Pairing-based (ID-based) GKA protocol • Finding some possible solutions => No concrete publication • Extra results: by surveying pairing-based systems • Reviewer of a ID-based partially blind signature (2006) • Improving performance of the Sherman et al.’s scheme (2005) • I presented that their scheme suffers from a forgery attack, reject it! • Try to propose an efficient scheme. • Until now, no concrete result. • Seminar => a two-party key agreement protocol (2006, C&S) • Finding some drawbacks • We have obtained concrete results Conferences

  42. 7. Conclusions Based on the previous knowledgeand new applications/environments Thinking other problems

  43. 7. Conclusions => Thinking other problems • Wireless environments (Resource-limited devices) • Imbalanced networks (WLAN, Cellular network) • Mobile Ad Hoc networks • Distributed architectures • No on-line certificate authority • Sensor networks • Specific Architectures (Pre-distributed secret keys, or passwords) • Energy-aware (Computation V.S. Communication)

  44. 7. Conclusions => Other Problems=> Energy consuming • Sensor networks (2005, Wander et al.) • Specific Architecture (Pre-distributed secret keys) • Energy-aware (Computation V.S. Communication) Mica2dot sensor platform, 2002, …..

  45. 7. Conclusions => Other Problems=> Energy consuming Energy cost of digital signature and key exchange computations [mJ]

  46. 7. Conclusions Research 「當你進入大廈的第一個房間,裏面很黑,伸手不見五指。你在傢俱之間跌跌撞撞,但是你會逐漸搞清楚每一件傢俱所在的位置。最後…你找到了電燈開關(Switch),打開了燈。突然…你能確切地明白你身在何處。」 ------ Wiles 打通 任、督 二脈

  47. 7. Conclusions Thanks for your participation ! Questions and Answers !

More Related