Experimental multiuser secure quantum communications

Bogdanski, Jan

January 2009

We are currently experiencing a rapid development of quantum information, a new branch of science, being an interdisciplinary of quantum physics, information theory, telecommunications, computer science, and many others. This new science branch was born in the middle of the eighties, developed rapidly during the nineties, and in the current decade has brought a technological breakthrough in creating secure quantum key distribution (QKD), quantum secret sharing, and exciting promises in diverse technological fields. Recent QKD experiments have achieved high rate QKD at 200 km distance in optical fiber. Significant QKD results have also been achieved in free-space. Due to the rapid broadband access deployment in many industrialized countries and the standing increasing transmission security treats, the natural development awaiting quantum communications, being a part of quantum information, is its migration into commercial switched telecom networks. Such a migration concerns both multiuser quantum key distribution and multiparty quantum secret sharing that have been the main goal of my PhD studies. They are also the main concern of the thesis. Our research efforts in multiuser QKD has led to a development of the five-user setup for transmissions over switched fiber networks in a star and in a tree configuration. We have achieved longer secure quantum information distances and implemented more nodes than other multi-user QKD experiments. The measurements have shown feasibility of multiuser QKD over switched fiber networks, using standard fiber telecom components. Since circular architecture networks are important parts of both intranets and the Internet, Sagnac QKD has also been a subject of our research efforts. The published experiments in this area have been very few and results were not encouraging, mainly due to the single mode fiber (SMF) birefringence. Our research has led to a development of a computer controlled birefringence compensation in Sagnac that open the door to both classical and quantum Sagnac applications. On the quantum secret sharing side, we have achieved the first quantum secret sharing experiment over telecom fiber in a five-party implementation using the "plug & play" setup and in a four-party implementation using Sagnac configuration. The setup measurements have shown feasibility and scalability of multiparty quantum communication over commercial telecom fiber networks.

Quantum key distribution

multiparty quantum secret sharing

Sagnac interferometer

“plug & play” QKD

Passive Optical Network (PON)

decoy states

quantum bit error rate

visibility

Physics

Fysik

Secret sharing approaches for secure data warehousing and on-line analysis in the cloud / Approches de partage de clés secrètes pour la sécurisation des entrepôts de données et de l’analyse en ligne dans le nuage

Attasena, Varunya

22 September 2015

Les systèmes d’information décisionnels dans le cloud Computing sont des solutions de plus en plus répandues. En effet, ces dernières offrent des capacités pour l’aide à la décision via l’élasticité des ressources pay-per-use du Cloud. Toutefois, les questions de sécurité des données demeurent une des principales préoccupations notamment lorsqu'il s’agit de traiter des données sensibles de l’entreprise. Beaucoup de questions de sécurité sont soulevées en terme de stockage, de protection, de disponibilité, d'intégrité, de sauvegarde et de récupération des données ainsi que des transferts des données dans un Cloud public. Les risques de sécurité peuvent provenir non seulement des fournisseurs de services de cloud computing mais aussi d’intrus malveillants. Les entrepôts de données dans les nuages devraient contenir des données sécurisées afin de permettre à la fois le traitement d'analyse en ligne hautement protégé et efficacement rafraîchi. Et ceci à plus faibles coûts de stockage et d'accès avec le modèle de paiement à la demande. Dans cette thèse, nous proposons deux nouvelles approches pour la sécurisation des entrepôts de données dans les nuages basées respectivement sur le partage vérifiable de clé secrète (bpVSS) et le partage vérifiable et flexible de clé secrète (fVSS). L’objectif du partage de clé cryptée et la distribution des données auprès de plusieurs fournisseurs du cloud permet de garantir la confidentialité et la disponibilité des données. bpVSS et fVSS abordent cinq lacunes des approches existantes traitant de partage de clés secrètes. Tout d'abord, ils permettent le traitement de l’analyse en ligne. Deuxièmement, ils garantissent l'intégrité des données à l'aide de deux signatures interne et externe. Troisièmement, ils aident les utilisateurs à minimiser le coût de l’entreposage du cloud en limitant le volume global de données cryptées. Sachant que fVSS fait la répartition des volumes des données cryptées en fonction des tarifs des fournisseurs. Quatrièmement, fVSS améliore la sécurité basée sur le partage de clé secrète en imposant une nouvelle contrainte : aucun groupe de fournisseurs de service ne peut contenir suffisamment de volume de données cryptées pour reconstruire ou casser le secret. Et cinquièmement, fVSS permet l'actualisation de l'entrepôt de données, même si certains fournisseurs de services sont défaillants. Pour évaluer l'efficacité de bpVSS et fVSS, nous étudions théoriquement les facteurs qui influent sur nos approches en matière de sécurité, de complexité et de coût financier dans le modèle de paiement à la demande. Nous validons également expérimentalement la pertinence de nos approches avec le Benchmark schéma en étoile afin de démontrer son efficacité par rapport aux méthodes existantes. / Cloud business intelligence is an increasingly popular solution to deliver decision support capabilities via elastic, pay-per-use resources. However, data security issues are one of the top concerns when dealing with sensitive data. Many security issues are raised by data storage in a public cloud, including data privacy, data availability, data integrity, data backup and recovery, and data transfer safety. Moreover, security risks may come from both cloud service providers and intruders, while cloud data warehouses should be both highly protected and effectively refreshed and analyzed through on-line analysis processing. Hence, users seek secure data warehouses at the lowest possible storage and access costs within the pay-as-you-go paradigm.In this thesis, we propose two novel approaches for securing cloud data warehouses by base-p verifiable secret sharing (bpVSS) and flexible verifiable secret sharing (fVSS), respectively. Secret sharing encrypts and distributes data over several cloud service providers, thus enforcing data privacy and availability. bpVSS and fVSS address five shortcomings in existing secret sharing-based approaches. First, they allow on-line analysis processing. Second, they enforce data integrity with the help of both inner and outer signatures. Third, they help users minimize the cost of cloud warehousing by limiting global share volume. Moreover, fVSS balances the load among service providers with respect to their pricing policies. Fourth, fVSS improves secret sharing security by imposing a new constraint: no cloud service provide group can hold enough shares to reconstruct or break the secret. Five, fVSS allows refreshing the data warehouse even when some service providers fail. To evaluate bpVSS' and fVSS' efficiency, we theoretically study the factors that impact our approaches with respect to security, complexity and monetary cost in the pay-as-you-go paradigm. Moreover, we also validate the relevance of our approaches experimentally with the Star Schema Benchmark and demonstrate its superiority to related, existing methods.

Entrepôts de données

Analyse en ligne (OLAP)

Infonuagique

Partage de clés secrètes

Confidentialité des données

Disponibilité des données

Intégrité des données

Data Warehouses

On-line analysis processing (OLAP)

Cloud computing

Secret sharing

Data privacy

Data availability

Data integrity

以智能合約實現分散式電子投票與投標系統 / Distributed E-Voting and E-Bidding Systems Based on Smart Contract

蕭人和, Hsiao, Jen-Ho

Unknown Date

區塊鏈有著不可否認性、可追溯性以及共識性等特點，所有的交易內容都會完整的被記錄在區塊鏈上，基於上述幾項特性，我們利用區塊鏈來記錄公開資訊，將私密資料經由分散式秘密共享後再加密存放於智能合約中。其中，智能合約是一個能將交易狀態和交易狀態內嵌於區塊鏈上的應用，透過智能合約作為媒介，我們能夠將加密後的私密資料完整的存放於區塊鏈上，最後經由區塊鏈網路上的節點驗證後，達到資料正確性驗證的目的。 本研究分析現有的電子投票以及電子投標等應用的系統架構後，發現兩者皆存在著可信賴的第三方進行開票及開標的角色，且驗證流程繁瑣，無法提供一個便利性的投票與投標流程。此外，上述兩種應用皆須滿足機密性、不可否認性、匿名性以及可驗證性等安全性質，若能結合區塊鏈與智能合約於上述應用中，將可提升資料的可驗證性以及降低成本的負擔，對參與應用的人而言也能達到公開透明的需求。 因此，本文提出一個分散式架構下的電子投票與投標機制，結合區塊鏈以及智能合約的優點與技術，讓所有參與投票的選民、投標的廠商共同參與驗證與計算，並加強參與者的匿名性、資料傳輸的隱私性、開票與開標階段資料的可信賴性以及可驗證性。 / With the rise of blockchain technology, the core concept of decentralization has gradually drawn attention. In this context, the main objective of this study is to realize more convenient and secure electronic applications with the use of blockchain technology. This research is aimed to design a distributed e-voting and e-bidding system. The core idea is to combine the blockchain technology with secret sharing scheme and homomorphic encryption in order to realize the distributed e-voting and e-bidding application without a trusted third party. The system allows voters to participate in opening phase. It provides a public and transparent process while protecting the anonymity of voter’s and vendor’s identity, the privacy of data transmission and verifiability of data during the opening phase.

區塊鏈

秘密共享

電子投票

同態加密

智能合約

分散式

Blockchain

Secret-sharing

E-voting

Homomorphic

Smart contract

Distributed

Paillier encryption

SurvSec Security Architecture for Reliable Surveillance WSN Recovery from Base Station Failure

Megahed, Mohamed Helmy Mostafa

30 May 2014

Surveillance wireless sensor networks (WSNs) are highly vulnerable to the failure of the base station (BS) because attackers can easily render the network useless for relatively long periods of time by only destroying the BS. The time and effort needed to destroy the BS is much less than that needed to destroy the numerous sensing nodes. Previous works have tackled BS failure by deploying a mobile BS or by using multiple BSs, which requires extra cost. Moreover, despite using the best electronic countermeasures, intrusion tolerance systems and anti-traffic analysis strategies to protect the BSs, an adversary can still destroy them. The new BS cannot trust the deployed sensor nodes. Also, previous works lack both the procedures to ensure network reliability and security during BS failure such as storing then sending reports concerning security threats against nodes to the new BS and the procedures to verify the trustworthiness of the deployed sensing nodes. Otherwise, a new WSN must be re-deployed which involves a high cost and requires time for the deployment and setup of the new WSN. In this thesis, we address the problem of reliable recovery from a BS failure by proposing a new security architecture called Surveillance Security (SurvSec). SurvSec continuously monitors the network for security threats and stores data related to node security, detects and authenticates the new BS, and recovers the stored data at the new BS. SurvSec includes encryption for security-related information using an efficient dynamic secret sharing algorithm, where previous work has high computations for dynamic secret sharing. SurvSec includes compromised nodes detection protocol against collaborative work of attackers working at the same time where previous works have been inefficient against collaborative work of attackers working at the same time. SurvSec includes a key management scheme for homogenous WSN, where previous works assume heterogeneous WSN using High-end Sensor Nodes (HSN) which are the best target for the attackers. SurvSec includes efficient encryption architecture against quantum computers with a low time delay for encryption and decryption, where previous works have had high time delay to encrypt and decrypt large data size, where AES-256 has 14 rounds and high delay. SurvSec consists of five components, which are: 1. A Hierarchical Data Storage and Data Recovery System. 2. Security for the Stored Data using a new dynamic secret sharing algorithm. 3. A Compromised-Nodes Detection Algorithm at the first stage. 4. A Hybrid and Dynamic Key Management scheme for homogenous network. 5. Powerful Encryption Architecture for post-quantum computers with low time delay. In this thesis, we introduce six new contributions which are the followings: 1. The development of the new security architecture called Surveillance Security (SurvSec) based on distributed Security Managers (SMs) to enable distributed network security and distributed secure storage. 2. The design of a new dynamic secret sharing algorithm to secure the stored data by using distributed users tables. 3. A new algorithm to detect compromised nodes at the first stage, when a group of attackers capture many legitimate nodes after the base station destruction. This algorithm is designed to be resistant against a group of attackers working at the same time to compromise many legitimate nodes during the base station failure. 4. A hybrid and dynamic key management scheme for homogenous network which is called certificates shared verification key management. 5. A new encryption architecture which is called the spread spectrum encryption architecture SSEA to resist quantum-computers attacks. 6. Hardware implementation of reliable network recovery from BS failure. The description of the new security architecture SurvSec components is done followed by a simulation and analytical study of the proposed solutions to show its performance.

Surveillance Wireless Sensor Network

Security manager (SM)

Backup security manager (BKSM)

Network trustworthiness

Efficient dynamic secret sharing

Distributed users tables (DUT)

Node compromise attack

Hybrid key management

Dynamic key management

Homogenous network

High end Sensor Nodes (HSNs)

Network scalability

Network connectivity

Unpredictability principal

PRNG

Resistant to quantum computer

SurvSec Security Architecture for Reliable Surveillance WSN Recovery from Base Station Failure

Megahed, Mohamed Helmy Mostafa

January 2014

Surveillance wireless sensor networks (WSNs) are highly vulnerable to the failure of the base station (BS) because attackers can easily render the network useless for relatively long periods of time by only destroying the BS. The time and effort needed to destroy the BS is much less than that needed to destroy the numerous sensing nodes. Previous works have tackled BS failure by deploying a mobile BS or by using multiple BSs, which requires extra cost. Moreover, despite using the best electronic countermeasures, intrusion tolerance systems and anti-traffic analysis strategies to protect the BSs, an adversary can still destroy them. The new BS cannot trust the deployed sensor nodes. Also, previous works lack both the procedures to ensure network reliability and security during BS failure such as storing then sending reports concerning security threats against nodes to the new BS and the procedures to verify the trustworthiness of the deployed sensing nodes. Otherwise, a new WSN must be re-deployed which involves a high cost and requires time for the deployment and setup of the new WSN. In this thesis, we address the problem of reliable recovery from a BS failure by proposing a new security architecture called Surveillance Security (SurvSec). SurvSec continuously monitors the network for security threats and stores data related to node security, detects and authenticates the new BS, and recovers the stored data at the new BS. SurvSec includes encryption for security-related information using an efficient dynamic secret sharing algorithm, where previous work has high computations for dynamic secret sharing. SurvSec includes compromised nodes detection protocol against collaborative work of attackers working at the same time where previous works have been inefficient against collaborative work of attackers working at the same time. SurvSec includes a key management scheme for homogenous WSN, where previous works assume heterogeneous WSN using High-end Sensor Nodes (HSN) which are the best target for the attackers. SurvSec includes efficient encryption architecture against quantum computers with a low time delay for encryption and decryption, where previous works have had high time delay to encrypt and decrypt large data size, where AES-256 has 14 rounds and high delay. SurvSec consists of five components, which are: 1. A Hierarchical Data Storage and Data Recovery System. 2. Security for the Stored Data using a new dynamic secret sharing algorithm. 3. A Compromised-Nodes Detection Algorithm at the first stage. 4. A Hybrid and Dynamic Key Management scheme for homogenous network. 5. Powerful Encryption Architecture for post-quantum computers with low time delay. In this thesis, we introduce six new contributions which are the followings: 1. The development of the new security architecture called Surveillance Security (SurvSec) based on distributed Security Managers (SMs) to enable distributed network security and distributed secure storage. 2. The design of a new dynamic secret sharing algorithm to secure the stored data by using distributed users tables. 3. A new algorithm to detect compromised nodes at the first stage, when a group of attackers capture many legitimate nodes after the base station destruction. This algorithm is designed to be resistant against a group of attackers working at the same time to compromise many legitimate nodes during the base station failure. 4. A hybrid and dynamic key management scheme for homogenous network which is called certificates shared verification key management. 5. A new encryption architecture which is called the spread spectrum encryption architecture SSEA to resist quantum-computers attacks. 6. Hardware implementation of reliable network recovery from BS failure. The description of the new security architecture SurvSec components is done followed by a simulation and analytical study of the proposed solutions to show its performance.

Surveillance Wireless Sensor Network

Security manager (SM)

Backup security manager (BKSM)

Network trustworthiness

Efficient dynamic secret sharing

Distributed users tables (DUT)

Node compromise attack

Hybrid key management

Dynamic key management

Homogenous network

High end Sensor Nodes (HSNs)

Network scalability

Network connectivity

Unpredictability principal

PRNG

Resistant to quantum computer