Search Results (243)

Marine scientific observation missions operate over disrupted, high-loss links and must keep heterogeneous sensor, image, and log data confidential and verifiable under fragmented, out-of-order delivery. This paper proposes an end-to-end encryption–verification co-design that integrates HMR integrity structuring with EMR hybrid encapsulation. By externalizing block boundaries and maintaining a minimal receiver-side verification state, the framework supports block-level integrity/provenance verification and selective recovery without continuous sessions, enabling multi-hop and intermittent connectivity. Experiments on a synthetic multimodal ocean dataset show reduced storage/encapsulation overhead (10.4% vs. 12.8% for SHA-256 + RSA + AES), lower hashing latency (6.8 ms vs. 12.5 ms), and 80.1 ms end-to-end encryption–decryption latency (21.2% lower than RSA + AES). Under fragmentation, verification latency scales near-linearly with block count (R² = 0.998) while throughput drops only slightly (11.8 → 11.3 KB/ms). With 100 KB blocks, transmission latency stays below 1.024 s in extreme channels and around 0.08–0.10 s in typical ranges, with expected retransmissions < 0.25. On Raspberry Pi 4, runtime slowdown remains stable at ~3.40× versus a PC baseline, supporting deployability on resource-constrained nodes. Full article

Unmanned Aerial Vehicles (UAVs) are increasingly integrated into Internet of Things (IoT) ecosystems for applications such as surveillance, disaster response, environmental monitoring, and logistics. These missions demand reliable and secure communication between UAVs and cloud platforms for command, control, and data storage. However, UAV communication channels are highly vulnerable to eavesdropping, spoofing, and man-in-the-middle attacks due to their wireless and often long-range nature. Traditional cryptographic schemes either impose excessive computational overhead on resource-constrained UAVs or lack sufficient robustness for cloud-level security. To address this challenge, we propose a dual-layer encryption architecture that balances lightweight efficiency with strong cryptographic guarantees. Unlike prior dual-layer approaches, the proposed framework introduces a context-aware adaptive lightweight layer for UAV-to-gateway communication and a hybrid post-quantum layer for gateway-to-cloud security, enabling dynamic cipher selection, energy-aware key scheduling, and quantum-resilient key establishment. In the first layer, UAV-to-gateway communication employs a lightweight symmetric encryption scheme optimized for low latency and minimal energy consumption. In the second layer, gateway-to-cloud communication uses post-quantum asymmetric encryption to ensure resilience against emerging quantum threats. The architecture is further reinforced with optional multi-path hardening and blockchain-assisted key lifecycle management to enhance scalability and tamper-proof auditability. Experimental evaluation using a UAV testbed and cloud integration shows that the proposed framework achieves 99.85% confidentiality preservation, reduces computational overhead on UAVs by 42%, and improves end-to-end latency by 35% compared to conventional single-layer encryption schemes. These results confirm that the proposed adaptive and hybridized dual-layer design provides a scalable, secure, and resource-aware solution for UAV-to-cloud communication, offering both present-day practicality and future-proof cryptographic resilience. Full article

Accredited laboratories participating in Proficiency Testing (PT) and Interlaboratory Comparison (ILC) typically submit measurement results (and associated uncertainties) to an organizer for performance evaluation using statistics such as the z-score and the En value. This requirement can undermine confidentiality when the disclosed plaintext values reveal commercially sensitive methods or client-related information. This paper proposes a secure-by-design PT/ILC workflow based on fully homomorphic encryption (FHE), enabling the required scoring computations to be executed directly on ciphertexts. Using the CKKS scheme (Microsoft SEAL), the organizer distributes encrypted assigned values and a public/evaluation key set; each participant locally encrypts pre-processed measurement data, evaluates encrypted z-score and En value, and returns only encrypted performance metrics. The organizer decrypts the metrics without receiving the ciphertexts of participants’ raw measurement values. We quantify feasibility via execution time, run-to-run variability across fresh key generations (coefficient of variation), and relative calculation error versus plaintext scoring. On commodity hardware, end-to-end score computation takes 1 to 8 s, the coefficient of variation can be reduced below 1e⁻¹⁰, and the relative error remains below 1e⁻⁶, indicating practical deployability and numerical stability for PT/ILC decision-making. Given that PT/ILC reporting cycles are typically on the order of days to weeks, a per-participant computation time of seconds is operationally negligible, while the observed coefficient of variation and relative error indicate that the CKKS approximation and key-dependent variability are far below typical decision thresholds used for pass/fail classification. Full article

Dynamic network conditions in precision agriculture motivate a scalable, privacypreserving federated learning architecture that tightly integrates ground-based edge intelligence with a space-assisted hierarchical aggregation layer. In Phase 1, heterogeneous tractors act as intelligent farm nodes that train local models, form capability- and task-aware clusters, and employ Network Quality Index (NQI)-driven scheduling, similarity-based checkpointing, and compressed transmissions to cope with highly variable 3G/4G/5G connectivity. In Phase 2, cluster drivers synchronize with Low Earth Orbit (LEO) and Geostationary Earth Orbit (GEO) satellites that perform regional and global aggregation using staleness- and fairness-aware weighting, while end-to-end Salsa20 + MAC encryption preserves the confidentiality and integrity of all model updates. Across two representative tasks—nutrient prediction and crop health assessment—our full hierarchical system matches or exceeds centralized performance (e.g., AUC 0.92 vs. 0.91 for crop health) while reducing uplink traffic by ∼90% relative to vanilla FedAvg and cutting the communication energy proxy by more than 4×. The proposed fairness-aware GEO aggregation substantially narrows regional performance gaps (standard deviation of AUC across regions reduced from 0.058 to 0.017) and delivers the largest gains in low-connectivity areas (AUC 0.74 → 0.88). These results demonstrate that coupling on-farm intelligence with multi-orbit federated aggregation enables near-centralized model quality, strong privacy guarantees, and communication efficiency suitable for large-scale, connectivity-challenged agricultural deployments. Full article

Secure and auditable data sharing in large-scale Internet of Things (IoT) environments remains a significant challenge due to weak trust coordination, limited scalability, and susceptibility to emerging quantum attacks. This study introduces a hybrid blockchain-based framework that integrates post-quantum cryptography with intelligent anomaly detection to ensure end-to-end data integrity and resilience. The proposed system utilizes Hyperledger Fabric for permissioned device lifecycle management and Ethereum for public auditability of encrypted telemetry, thereby providing both private control and transparent verification. Device identities are established using quantum-entropy-seeded credentials and safeguarded with lattice-based encryption to withstand quantum adversaries. A convolutional long short-term memory (CNN–LSTM) model continuously monitors device behavior, facilitating real-time trust scoring and autonomous revocation via smart contract triggers. Experimental results demonstrate 97.4% anomaly detection accuracy and a 0.968 F1-score, supporting up to 1000 transactions per second with cross-chain latency below 6 s. These findings indicate that the proposed architecture delivers scalable, quantum-resilient, and computationally efficient data sharing suitable for mission-critical IoT deployments. Full article

The proliferation of Internet of Things (IoT) deployments demands Authentication and Key Agreement (AKA) protocols that scale from one initiator to many devices while preserving strong security guarantees on constrained hardware. Prior lightweight one-to-many designs often rely on a network-wide secret, reuse a single group session key across devices, or omit Perfect Forward Secrecy (PFS), leaving systems vulnerable to compromise and traffic exposure. To this end, we present in this paper a lightweight protocol, named Lightweight One-To-many User-to-Sensors Authentication and Key Agreement (LOTUS-AKA), that achieves mutual authentication, PFS, and per-sensor key isolation while keeping devices free of public-key costs. The user and gateway perform an ephemeral elliptic-curve Diffie–Hellman exchange to derive a short-lived group key, from which independent per-sensor session keys are expanded via Hashed Message Authentication Code HMAC-based Key Derivation Function (HKDF). Each sensor receives its key through a compact Authenticated Encryption with associated data (AEAD) wrap under its long-term secret; sensors perform only hashing and AEAD, with no elliptic-curve operations. The login path uses an augmented Password-Authenticated Key Exchange (PAKE) to eliminate offline password guessing in the smart-card theft setting, and a stateless cookie gates expensive work to mitigate denial-of-service. We provide a game-based security argument and a symbolic verification model, and we report microbenchmarks on Cortex-M–class platforms showing reduced device computation and linear low-constant communication overhead with the number of sensors. The design offers a practical path to secure, scalable multi-sensor sessions in resource-constrained IoT. Full article

Industrial Internet of Things (IIoT) deployments increasingly rely on low-cost microcontrollers and single-board computers to stream operational telemetry for monitoring, control, and predictive maintenance, yet the canonical “TLS-to-broker” model does not protect message content from a compromised or curious MQTT broker. This study therefore designs and implements a practical, application-layer end-to-end (E2E) encryption pipeline spanning an ESP32 data client (C++/mbedTLS), an untrusted MQTT broker, and a Raspberry Pi gateway (Python/PyCryptodome) using AES-256-GCM with Additional Authenticated Data (AAD). Sensor measurements are serialized as compact JSON, encrypted and authenticated on the ESP32, framed into a binary record, Base64-encoded for MQTT payload carriage, and verified/decrypted only at the gateway. Experiments on ESP32-WROOM-32 and Raspberry Pi 4 show an average ESP32 packet-preparation latency of 41.754 ms (JSON 1.0 ms; AES-GCM 29.5 ms; Base64 11.2 ms), robust rejection of ciphertext tampering and unauthorized devices via MAC verification and whitelist checks, and 99.72% decrypt-and-store success over a one-hour run (718/720 messages). These results indicate that commodity IIoT hardware can support practical and replicable E2E confidentiality and integrity without sacrificing operational throughput, while eliminating the MQTT broker as a de facto man-in-the-middle. Full article

Instant messaging (IM) applications are ubiquitous, and while end-to-end encryption protects message content, traffic metadata remains observable. This paper proposes a traffic correlation framework for IM call services under a passive ISP-level threat model to infer communication parties from encrypted traffic. The framework extracts and matches metadata from sustained, bidirectional call flows and jointly analyzes endpoint identifiability, shared server connectivity, symmetry in call duration and traffic volume, and service type indicators to derive correlation artifacts for matching. The framework is instantiated and evaluated on WhatsApp, Facebook Messenger, and Snapchat across diverse user behavior scenarios and commonly deployed network settings. Experimental results show that the method reliably links caller and callee flows, revealing edges in users’ social graphs without decrypting any packets. Under typical data retention regimes, these findings indicate that metadata-based correlation provides a practical basis for deanonymization and represents a persistent privacy risk for users of IM calling. Full article

The rapid proliferation of Electric Vehicle (EV) infrastructures has led to the massive generation of high-frequency streaming data uploaded to cloud platforms for real-time analysis, while such data supports intelligent energy management and behavioral analytics, it also encapsulates sensitive user information, the disclosure or misuse of which can lead to significant privacy and security threats. This work addresses these challenges by developing a secure and scalable scheme for protecting and verifying streaming data during storage and collaborative analysis. The proposed scheme ensures end-to-end confidentiality, forward security, and integrity verification while supporting efficient encrypted aggregation and fine-grained, time-based authorization. It introduces a lightweight mechanism that hierarchically organizes cryptographic keys and ciphertexts over time, enabling privacy-preserving queries without decrypting individual data points. Building on this foundation, an electric vehicle key management and query system is further designed to integrate the proposed encryption and verification scheme into practical V2X environments. The system supports privacy-preserving data sharing, verifiable statistical analytics, and flexible access control across heterogeneous cloud and edge infrastructures. Analytical and experimental evidence show that the designed system attains rigorous security guarantees alongside excellent efficiency and scalability, rendering it ideal for large-scale electric vehicle data protection and analysis tasks. Full article

This article addresses the lack of low-cost, secure image-transmission solutions for IoT systems in remote environments. The design and implementation of a complete LoRa-based transmission system using ESP32 microcontrollers and Ebyte E220 modules, featuring AES-CBC encryption, HMAC integrity protection, and a custom retransmission protocol, are presented. The system achieves 100% packet delivery ratio (PDR) for 20 kB images over distances exceeding 2 km under line-of-sight conditions, with functional transmission up to 4.1 km. Image transmission time ranges from 35 s (0.1 m) to 110 s (600 m), while energy consumption increases from 4.95 mWh to 15.18 mWh. Critically, encryption imposes less than 1% overhead on total energy consumption. Unlike prior work focusing on isolated components, this article provides a complete, deployable architecture combining (i) low-cost hardware (<USD 50 total), (ii) long-range LoRa communication, (iii) custom reliability mechanisms for fragmenting 20 kB images into 100 packets, and (iv) end-to-end cryptographic protection, all evaluated experimentally across multi-kilometer distances. These findings demonstrate that secure long-range image transmission using commodity hardware is feasible and scalable for smart home and industrial monitoring applications. Full article

Advancements in Non-Terrestrial Network (NTN) technology facilitate ubiquitous network access for users, whereas satellite-based Quantum Key Distribution (QKD) offers a viable solution for long-distance quantum key exchange in scenarios lacking terrestrial network infrastructure. This study explores the feasibility and practical utility of integrating NTN technology with satellite-based QKD and proposes a novel quantum-enhanced security framework for next-generation space–terrestrial networks. We have developed and deployed the first-of-its-kind 5G-enabled (fifth generation mobile communication) NTN prototype system leveraging satellite-based QKD key encryption. This system comprises a quantum satellite system, a communication satellite system, a 5G network infrastructure, and end-to-end encryption/decryption modules, aiming to validate the feasibility and usability of the proposed quantum-encrypted NTN security framework. Comprehensive tests and performance evaluations were carried out on the testbed constructed based on this prototype system, which collected critical Quality of Experience (QoE) metrics, including Round-Trip Time (RTT) and jitter, during user-plane ping measurements. Experimental results demonstrate that the integration of quantum encryption capabilities incurs an RTT overhead of 5 ms (0.75%), a necessary trade-off for systems incorporating supplementary quantum-encrypted transmission. Concurrently, the deployment of Virtual Private Network (VPN) infrastructure mitigates network jitter by 50%. These results hold critical theoretical and practical implications for the development of next-generation NTN security frameworks enabled by satellite-based QKD. Full article

With the rapid development of the Internet of Medical Things (IoMT), the data generated and collected by various sensors and medical devices are gradually increasing. How to realize flexible, efficient, and secure data sharing while ensuring data confidentiality and patient privacy has become a critical research challenge. The traditional Public Key Infrastructure (PKI) must deal with the complicated certificate management problem. An identity-based cryptosystem has the inherent key-escrow risk. These concerns make them unsuitable for resource-constrained and dynamic IoMT environments. To address it, this paper introduces a cloud data sharing protocol for IoMT using a Certificateless Proxy Re-encryption (CL-PRE) scheme that integrates an efficient access-list-based user revocation mechanism. In our system, a patient’s data can be encrypted and securely stored in a semi-trusted third party like the cloud server. When the patient wants to grant the access to designated users, e.g., doctors or medical institutions, a delegated proxy server will re-encrypt the ciphertext to a new one, which is decryptable by the designators. The proxy server also learns nothing during the re-encryption process, so as to maintain the end-to-end confidentiality. As for the security, the authors formally prove that the proposed CL-PRE mechanism for IoMT achieves Type-I and Type-II indistinguishability against adaptive chosen-identity and chosen-ciphertext attacks (IND-PrID-CCA) under the Decisional Bilinear Diffie–Hellman (DBDH) assumption. Moreover, the functional and computational comparisons with previous studies reveal the qualitative advantage of simultaneously achieving certificateless properties and user revocation, and the quantitative advantage of an optimized encryption cost (requiring only one bilinear pairing and two scalar multiplications), making it a theoretically efficient solution for resource-constrained IoMT devices. Full article

One-Time Passwords (OTPs) are a core component of multi-factor authentication in banking, e-commerce, and digital platforms. However, conventional delivery channels such as SMS and email are increasingly vulnerable to SIM-swap fraud, phishing, spoofing, and session hijacking. This study proposes an end-to-end mobile authentication architecture that integrates a permissioned Hyperledger Fabric blockchain for tamper-evident identity management, an AI-driven risk engine for behavioral and SIM-swap anomaly detection, Zero-Knowledge Proofs (ZKPs) for privacy-preserving verification, and geolocation-bound OTP validation for contextual assurance. Hyperledger Fabric is selected for its permissioned governance, configurable endorsement policies, and deterministic chaincode execution, which together support regulatory compliance and high throughput without the overhead of cryptocurrency. The system is implemented as a set of modular microservices that combine encrypted off-chain storage with on-chain hash references and smart-contract–enforced policies for geofencing and privacy protection. Experimental results show sub-0.5 s total verification latency (including ZKP overhead), approximately 850 transactions per second throughput under an OR-endorsement policy, and an F1-score of 0.88 for SIM-swap detection. Collectively, these findings demonstrate a scalable, privacy-centric, and interoperable solution that strengthens OTP-based authentication while preserving user confidentiality, operational transparency, and regulatory compliance across mobile network operators. Full article

Machine learning (ML) offers significant potential for disease prediction, clinical decision support, and medical data classification, but its reliance on sensitive patient data raises privacy and security concerns, particularly under strict healthcare regulations. Traditional encryption methods require data to be decrypted prior to computation, such as in ML workflows, thereby introducing risks of exposure and undermining data confidentiality. Homomorphic Encryption (HE) addresses this challenge by enabling computations directly on encrypted data, ensuring end-to-end privacy. This paper explores the integration of the Cheon-Kim-Kim-Song (CKKS) HE scheme into the inference phase of medical tabular data classification. We evaluate the performance of Logistic Regression (LR), Support Vector Machine (SVM), and a lightweight multilayer perceptron (MLP) under HE-based inference, and compare their classification accuracy, computational overhead, and latency against plaintext counterparts. Additionally, we propose two hybrid models (LR-MLP and SVM-MLP) to accelerate training convergence and enhance inference performance. Experimental results demonstrate that while HE-based inference introduces moderate computational cost and data transmission overheads, it maintains accuracy comparable to plaintext inference. These outcomes affirm the practical feasibility of HE for privacy-preserving machine learning in healthcare, while also highlighting key implementation trade-offs. Furthermore, the findings support the advancement of secure AI systems and promote the adoption of cryptographic techniques in digital health and other privacy-critical fields. Full article

This paper presents a federated learning (FL) architecture tailored for anomaly detection in wire arc additive manufacturing (WAAM) that preserves data privacy while enabling secure and distributed model training across heterogeneous process units. WAAM’s inherent process complexity, characterized by high-dimensional and asynchronous sensor streams, including current, voltage, travel speed, and visual bead profiles, necessitates a decentralized learning paradigm capable of handling non-identical client distributions without raw data pooling. To this end, the proposed framework integrates reversible data hiding in the encrypted domain (RDHE) for the secure embedding of sensor-derived features into weld images, enabling confidential parameter transmission and tamper-evident federation. Each client node employs a domain-specific long short-term memory (LSTM)-based classifier trained on locally curated time-series or vision-derived features, with model updates embedded and transmitted securely to a central aggregator. Three FL strategies, FedAvg, FedProx, and FedPer, are systematically evaluated against four robust aggregation techniques, including KRUM, Multi KRUM, and Trimmed Mean, across 100 communication rounds using eight non-independent and identically distributed (non-IID) WAAM clients. Experimental results reveal that FedPer coupled with Trimmed Mean delivers the optimal configuration, achieving maximum F1-score (0.912), area under the curve (AUC) (0.939), and client-wise generalization stability under both geometric and temporal noise. The proposed approach demonstrates near-lossless RDHE encoding (PSNR > 90 dB) and robust convergence across adversarial conditions. By embedding encrypted intelligence within weld imagery and tailoring FL to WAAM-specific signal variability, this study introduces a scalable, secure, and generalizable framework for process monitoring. These findings establish a baseline for federated anomaly detection in metal additive manufacturing, with implications for deploying privacy-preserving intelligence across smart manufacturing (SM) networks. The federated pipeline is backbone-agnostic. We instantiate LSTM clients because the sequences are short (five steps) and edge compute is limited in WAAM. The same pipeline can host Transformer/TCN encoders for longer horizons without changing the FL or security flow. Full article