Search Results (282)

Modern power grids are increasingly vulnerable to strategic malicious attacks that can trigger large-scale cascading failures. Existing multi-step Markov game formulations often struggle to align with the instantaneous nature of cascading dynamics, potentially introducing estimation bias in multi-agent learning. To address this issue, we formulate the attack–defense interaction as a stage-wise zero-sum matrix game, enabling direct approximation of the underlying payoff structure without temporal credit assignment. Based on this formulation, we propose a Siamese Relational Nash Double Deep Q-Network (SR-Nash-DDQN), which incorporates a structured relational pooling mechanism to capture high-dimensional strategic dependencies. The framework further integrates physics-driven counterfactual experience replay for improved sample efficiency and adopts a two-timescale learning scheme to stabilize adversarial training. Extensive evaluations on the IEEE 9-bus, 39-bus, and 118-bus systems demonstrate that the proposed method consistently approximates Nash equilibria and maintains strategic diversity across independent trials. Moreover, zero-shot generalization across 100 unseen operating conditions shows that the learned policy effectively improves the security lower bound and reduces worst-case damage under severe uncertainties. Full article

Autonomous vehicle (AV) networks require secure and efficient data processing under strict latency and resource constraints. This paper proposes a secure, lightweight edge-centric framework, SLEVA-AV, for Internet of Things (IoT)-enabled autonomous vehicle communication. The framework integrates multi-modal sensor data processing, lightweight key management, multi-stage encryption, and integrity verification within a unified pipeline. A key derivation function (KDF) is employed to generate session keys using contextual parameters, enabling efficient re-keying during vehicular mobility without repeated handshake overhead. The encryption process combines PRESENT, SPECK, and lightweight encryption algorithm (LEA) ciphers to enhance cryptographic strength, while SHA-256 ensures data integrity. The proposed system is implemented using a CARLA-based simulation environment and validated through CrypTool 2-based cryptographic analysis. Performance evaluation over 10,000 samples demonstrates low latency (0.039–0.794 s), reduced energy consumption (0.0196–0.0589 J), and negligible key management overhead. Comparative analysis with recent state-of-the-art approaches shows improved scalability and efficiency. Security validation through attack simulations demonstrates resistance against brute-force ($2^{336}$ key space), differential ($2^{-185}$), replay, and tampering attacks, achieving 100% detection accuracy. The results indicate that the proposed framework strikes a balanced trade-off among security strength, computational efficiency, and real-time performance, and it is suitable for deployment in IoT environments with high mobility and dynamic edge connectivity. Full article

Sleep disorders, such as insomnia, obstructive sleep apnea (OSA), narcolepsy, REM sleep behavior disorder, and circadian rhythm disturbances, represent a rapidly expanding global health burden that is strongly associated with cardiovascular, metabolic, neurological, and psychiatric diseases. Advancements in wearable sensing technologies and Internet of Medical Things (IoMT) infrastructures have expanded the possibilities for continuous, home-based sleep assessment beyond conventional polysomnography laboratories. These Sleep Health Internet of Things (S-HIoT) systems combine multimodal physiological sensing (EEG, ECG, SpO₂, respiratory effort and actigraphy) with wireless communication and cloud-based analytics for automated sleep-stage classification and disorder detection. Nonetheless, the digitization of sleep medicine brings about significant cybersecurity concerns. The constant transmission of sensitive biomedical information makes S-HIoT networks open to anomalous traffic flows, signal manipulation, replay attacks, spoofing, and data integrity violation. Existing studies mostly focus on analyzing physiological signals and network intrusion detection independently, resulting in a systemic vulnerability of cyber–physical sleep monitoring ecosystems. With the aim of addressing this empirical deficiency, this review integrates emerging advances (2022–2026) in the AI-assisted categorization of sleep phases and IoMT anomaly detector designs on the finer analysis of CNN, LSTM/BiLSTM, Transformer-based systems, and a component part of federated schemes and the lightweight, edge-deployable intruder assessor models available. The aim of this study is to uncover a gap in the literature: integrated architectures to trade off audiences of faithfulness of physiological modeling with communication-layer security. To counter it, we present a single framework to include CNN-based spatial feature extraction, Bidirectional Long Short-Term Memory (BiLSTM)-based temporal models and Random Forest-based ensemble classification using a dual task-learning approach. We propose a multi-objective optimization framework to jointly optimize the performance of sleep-stage prediction and that of network anomaly detection. Performance on publicly available datasets (Sleep-EDF and CICIoMT2024) confirms that hybrid integration can be tailored to achieve high accuracy [99.8% sleep staging; 98.6% anomaly detection] whilst being characterized by low inference latency (<45 ms), which is promising for feasibility in real-time deployment in view of targeting edge devices. This work presents a comprehensive framework for developing secure, intelligent, and clinically robust digital sleep health ecosystems by bridging chronobiological signal modeling with cybersecurity mechanisms. Furthermore, it highlights future research directions, including explainable AI, federated secure learning, adversarial robustness, and energy-aware edge optimization. Full article

In the current context, classic software licensing and protection mechanisms based exclusively on host application checks can be circumvented by patching, emulation and replay attacks in user-controlled environments. This paper presents an adaptive hardware key implemented on the ESP32-S3 platform, which externalizes sensitive decisions and cryptographic operations from the host application to a dedicated device. The solution combines a device-anchored root of trust (secure boot and flash memory encryption), a PKI-verifiable identity (Public Key Infrastructure X.509 certificate and digital signatures as proof of ownership), hierarchical key derivation to avoid static secrets and the establishment of an authenticated encrypted session for all essential data exchanges. User access is conditioned by three-factor authentication (PIN—Personal Identification Number, TOTP—Time based One Time Password and USB physical presence) and a “code-in-dongle” mechanism, in which the important logic runs on the device and the application receives tokens with limited duration. Experimental validation demonstrates correct provisioning, secure session establishment, negative brute-force testing, as well as lifecycle support via signed OTA (Over-The-Air) with anti-rollback and encrypted backup/recovery. Build reports indicate a balanced flash distribution and available DIRAM (Data/Instruction RAM) margin, while IRAM (Instruction RAM) saturation (99.99%) reflects a normal architectural behavior of the ESP32-S3 unified memory model rather than a capacity constraint. Full article

Ensuring data security and privacy has emerged as a serious concern in the realm of blood supply chain. This is mainly because of sensitivity of donor information, the involvement of multiple stakeholders, and the need for transparent traceability. This paper proposes a novel privacy-preserving, permissioned blockchain framework for blood supply chain management that integrates Hyperledger Fabric, the InterPlanetary File System (IPFS), and a Zero-Knowledge Proof (ZKP)-based authentication protocol. The framework introduces a Pseudonymous Role-Bound Zero-Knowledge Authentication (PRZKA) mechanism that enables donors to authenticate and authorize access to their medical data without revealing their real identities. Context-specific pseudonyms derived through cryptographic hash-to-curve operations ensure unlinkability across different healthcare interactions, while Schnorr-style challenge–response proofs prevent replay attacks and credential misuse. Sensitive donor information is protected using Fabric Private Data Collections, whereas encrypted medical records are stored off-chain in IPFS, with only secure content identifiers recorded on the blockchain. Smart contracts enforce fine-grained, consent-aware access control policies and maintain immutable audit logs of all access events. The proposed system architecture combines an off-chain ZKP gateway with on-chain authorization logic to minimize blockchain overhead while preserving strong security guarantees. Furthermore, a performance evaluation framework is defined, including metrics, workload scenarios, and system configurations, to support future empirical validation. Security analysis indicates that the proposed framework enhances privacy, prevents identity linkage, and enables auditable, consent-driven data sharing compared with existing blockchain-based healthcare solutions. Full article

The rapid proliferation of the Internet of Things (IoT) leaves terminal devices vulnerable to considerable security challenges, notably the absence of robust yet efficient identity authentication mechanisms. Traditional certificate-based approaches incur substantial management overhead and storage expenditure, whereas Identity-Based Cryptography poses inherent key escrow risks. To tackle these challenges, this paper proposes a PUF and SM2-based certificateless identity authentication mechanism that integrates SM2 Certificateless Public Key Cryptography (a Chinese national cryptographic standard) with Physical Unclonable Functions (PUFs). Initially, the proposed solution utilizes PUF technology to derive a unique hardware-generated “fingerprint” from an IoT device, which functions as a root key to generate a partial user private key. This approach essentially binds the terminal’s identity to its physical hardware, thereby effectively mitigating physical cloning attacks against nodes. Moreover, through the adoption of a Certificateless Public Key Cryptography (CLPKC) framework, the complete user private key is jointly generated by a semi-trusted Key Generation Centre (KGC) and the terminal device itself. The comprehensive security analysis proves that the proposed scheme is provably secure under the random oracle model, capable of resisting various common attacks such as physical cloning, man-in-the-middle, and replay attacks. Performance evaluation confirms that the implemented PUF + SM2 certificateless mechanism significantly reduces the size of user public key identifiers to within 64 bytes, offering a substantial advantage over the 1–2 KB certificates typically required in conventional PKI/CA systems, thereby enhancing efficiency in storage and communication. Full article

Smart vehicles integrated with the Internet of Things (IoT) provide rich data for traffic management, safety, and liability services; however, existing blockchain-enabled vehicular architectures still struggle with consensus scalability, heavy centralized validation, limited interaction-based corroboration, incomplete attack coverage, and rapid ledger growth. In particular, many schemes either optimize single-layer consensus or embed detailed reputation information into every transaction, while pushing most validation to central servers. This leads to bottlenecks under dense traffic and leaves replay, Sybil-assisted 51% attacks on roadside units (RSUs), and man-in-the-middle tampering only partially addressed. In this context, this paper proposes a novel hierarchical blockchain for vehicular IoT (HBV-IoT) model to address the above challenges. An independent transaction for periodic vehicle status reporting and an interaction-based transaction for corroborating data between vehicles in proximity are presented. Three smart contracts are designed to automate the validation and processing of transactions, and to identify compromised or malicious vehicles within the HBV-IoT network. Algorithms for distributed consensus to accept transactions into the blockchain and for vehicle reputation management to enforce edge-level filtering and down-weighting of malicious nodes are implemented. Simulation results demonstrate significant improvements compared to conventional vehicular blockchain approaches, with performance gains validated by 95% confidence intervals. The model supports practical applications, including real-time traffic monitoring, automated e-challan issuance, intelligent insurance claim processing, and blockchain-based vehicle registration. Full article

Having long served as the backbone of automotive communication, the Controller Area Network utilizes error handling mechanisms under the ISO 11898 standard for communication reliability. However, these legacy error types do not explicitly distinguish between simple electrical noise and malicious intent. To address this structural limitation, we propose a sixth error type as a specialized protocol extension considering cybersecurity along with an error frame designed to notify other controllers and the driver of cybersecurity attacks. By defining a specific detection logic capable of identifying impersonation and replay attacks and introducing a specialized frame structure, this study enables the data link layer to take immediate defensive action without complex cryptographic overhead. Through FPGA based prototyping and Vector CANoe testing, we demonstrated that this mechanism successfully invalidates malicious attempts while preserving compatibility with the existing CAN error-handling mechanism. This research argues that cybersecurity can no longer be treated as an add-on but should be embedded within the protocol itself. Our findings provide a technical foundation for the next evolution of the ISO 11898 standard and toward security integrated CAN communication. Full article

In this study, a hybrid multi-layer scheme for reversible color image encryption is proposed, ensuring lossless reconstruction and strong cryptographic security concurrently. This method consists of three main stages. First, session-specific keys are generated using HKDF-SHA256 along with a timestamp-based mechanism to prevent replay attacks and support dynamic key management. Second, a four-layer confusion–diffusion structure is applied. It uses Gram–Schmidt orthogonal matrices, integer-based PWLCM chaotic mapping, the Hill cipher, and dynamically created S-Boxes. These operations rely on integer modular arithmetic ${\mathbb{Z}}_{256}$ and Q16.16 fixed-point precision. Finally, ChaCha20 stream encryption with HMAC-SHA256 authentication is used to secure data transmission in distributed environments. Experimental tests conducted on standard images show strong cryptographic performance, including near-ideal entropy (7.9993 bits), a significant avalanche effect ($NPCR 99.6\%$, $UACI 33.4\%$), and very low pixel correlation. The method achieves perfect lossless reconstruction and provides an effective key space $\ge 2^{128}$. These results confirm the suitability of the proposed scheme for secure image protection in applications requiring bit-exact recovery, such as medical imaging, digital forensics, and satellite communications. Full article

As a higher-layer protocol over a controller area network (CAN) or CAN with a flexible data-rate bus, Society of Automotive Engineers (SAE) J1939 has been widely adopted in commercial vehicles. Although it supports advanced diagnostics, complex data transmission, and network management in harsh environments, SAE J1939 lacks native authentication mechanisms. Consequently, in-vehicle communication remains vulnerable to replay, spoofing, and injection attacks. In practice, deploying a Security-designated Electronic Control Unit (SeCU) is often deemed necessary to provide robust authentication, as generating and distributing session keys is essential. However, this introduces a single point of failure and renders the SeCU a high-value target for attackers. To address these issues, we propose J1939-ADBE, an authentication and key-distribution scheme that operates without a centralized SeCU. The scheme is built on Authenticated Distributed Broadcast Encryption (ADBE), a tightly integrated construction that augments distributed broadcast encryption with publicly verifiable sender authentication in a shared bilinear setting. By leveraging ADBE, we eliminate the requirement for a SeCU while achieving the desired security goals. Using the Tamarin Prover, we formally verify in the Dolev–Yao model that J1939-ADBE satisfies injective agreement, session secrecy, known-key security, and forward secrecy. Furthermore, the broadcast nature of ADBE reduces the communication cost of key distribution from $\mathcal{O}\left(n\right)$ to $\mathcal{O}\left(\right|\mathcal{G}\left|\right)$, where n denotes the number of Electronic Control Units (ECUs) and $\left|\mathcal{G}\right|$ denotes the number of ECU logical groups. Experimental results show that our proposal is practical for authentication within SAE J1939 networks. Full article

The Internet of Drones (IoD) has emerged as a critical extension of the Internet of Things, enabling unmanned aerial vehicles to support diverse applications, including precision agriculture, logistics, disaster monitoring, and security surveillance. Despite its rapid growth, securing IoD communications remains a significant challenge due to the open wireless environment, high drone mobility, and strict computational and energy constraints. Existing authentication mechanisms either rely on computationally expensive cryptographic operations or remain validated only at the protocol or simulation level, leaving a critical gap in practical, hardware-validated solutions suitable for resource-constrained drone platforms. This gap motivates the need for a lightweight, privacy-preserving authentication scheme that is both theoretically sound and experimentally deployable on real hardware. To address this, we propose a Physically Unclonable Functions (PUF)-assisted lightweight authentication scheme for IoD environments that binds cryptographic keys to each drone’s intrinsic hardware characteristics via PUFs. The scheme employs dynamically generated pseudo-identities to conceal permanent drone identities and prevent tracking, while authentication and key agreement are achieved using efficient symmetric cryptographic primitives, including SHA-256 for key derivation and updates, AES-256 for secure communication, and lightweight XOR operations to minimize overhead. Forward secrecy is ensured through rolling key updates, and periodic renewal of PUF challenges enhances resistance to replay and modeling attacks. To validate practicality, both software-based and hardware-based implementations were developed and evaluated. The software evaluation demonstrates a low communication overhead of 708.5 bytes and an average computation time of 18.87 ms. The hardware implementation on a Nexys A7-100T FPGA operates at 100 MHz with only 12.49% LUT utilization and low dynamic power consumption of approximately 182.5 mW. These results confirm that the proposed framework achieves an effective balance between security, privacy, and efficiency. The significance of this work lies in providing a fully hardware-validated, PUF-based authentication framework specifically tailored to the real-world constraints of IoD environments, offering a practical foundation for securing next-generation drone networks. Full article

LoRaWAN’s role in global maritime logistics has allowed for efficient monitoring of ships and cargo, but it also comes with critical cybersecurity vulnerabilities. Experimental validation of three attack vectors—replay attacks, narrowband jamming and metadata inference—is conducted using a reproducible digital-twin LoRaWAN dataset reflecting Rotterdam port-like operational patterns (N = 20,000 baseline transmissions). Using controlled simulations and Kolmogorov–Smirnov statistical analysis, we show that: (1) replay attacks are feasible under Activation by Personalization (ABP) configurations lacking enforced frame-counter validation and exhibit no univariate separation from legitimate traffic under Kolmogorov–Smirnov analysis (p > 0.46 for all evaluated radio features); (2) narrowband jamming leads to significant SNR degradation (p = 2.36 × 10⁻⁵) on targeted channels without inducing broad distributional anomalies across other radio features; and (3) metadata-only analysis supports elevated metadata-based re-identification susceptibility (median $R_d=0.834$), indicating high predictability under passive observation which can reveal operationally relevant signals even when AES-128 is employed. Our proposed layered mitigation framework consists of mandatory Over-the-Air Activation (OTAA), cryptographic key rotation, channel diversity incorporating Adaptive Data Rate (ADR), gateway hardening, and protocol-level enforcement considerations, customized for maritime LPWAN scenarios. We provide experiment-backed evidence and actionable recommendations to connect academic LPWAN security research to that of industrial maritime practice. Full article

This study presents ZK-EHR, a decentralized access control framework designed to enable secure and privacy-preserving sharing of encrypted electronic health records across institutional boundaries. Unlike existing blockchain-based EHR access control systems that expose user identities on-chain or lack cryptographic privacy guarantees, ZK-EHR decouples authorization from identity disclosure by integrating zk-SNARK-based proofs with blockchain smart contracts to verify policy compliance without revealing user roles, affiliations, or credentials. The framework employs three differentiated actor roles—Patient (Data Owner), Doctor (Care Provider), and Researcher (Authorized Analyst)—with distinct policy-driven access workflows, a custom Groth16 zero-knowledge circuit for role-based constraint enforcement, and a modular architecture combining on-chain verification with off-chain encrypted storage via IPFS. Concrete design proposals for access revocation and replay attack prevention are introduced to address operational security requirements. The system was evaluated under multiple operational and adversarial scenarios. Experimental results indicate consistent on-chain verification latency (approximately 390 ms), reliable rejection of tampered submissions, and per-verification gas consumption of 216,631 gas. A comparative analysis against representative baseline systems demonstrates that ZK-EHR uniquely combines identity anonymity, on-chain cryptographic policy enforcement, and auditable encrypted record retrieval. These findings establish the feasibility of zk-SNARK-based access control for decentralized, verifiable, and privacy-aware EHR management. Full article

Future 6G-enabled smart hospital infrastructures will support latency-critical medical operations such as robotic surgery, autonomous monitoring, and real-time clinical decision systems, which require communication mechanisms that ensure both ultra-low latency and long-term cryptographic security. Existing security solutions either rely on classical cryptographic protocols that are vulnerable to quantum attacks or deploy isolated post-quantum primitives without providing a unified framework for secure real-time medical command transmission. This research presents a latency-aware, multi-layered post-quantum security architecture for 6G-enabled smart hospital environments. The proposed framework establishes an end-to-end secure command transmission pipeline that integrates hardware-rooted device authentication, post-quantum key establishment, hybrid payload protection, dynamic access enforcement, and tamper-evident auditing within a coherent system design. In contrast to existing approaches that focus on individual security mechanisms, the architecture introduces a structured integration of Kyber-based key encapsulation and Dilithium digital signatures with hybrid AES-based encryption and legacy-compatible key transport, while Physical Unclonable Function authentication provides hardware-bound device identity verification. Zero Trust access control, metadata-driven anomaly detection, and blockchain-style audit logging provide continuous verification and traceability, while threshold cryptography distributes cryptographic authority to eliminate single points of compromise. The proposed architecture is evaluated using a discrete-event simulation framework representing adversarial conditions in realistic 6G medical communication scenarios, including replay attacks, payload manipulation, and key corruption attempts. Experimental results demonstrate improved security and operational efficiency, achieving a 48% reduction in detection latency, a 68% reduction in false-positive anomaly detection rate, and a 39% improvement in end-to-end round-trip latency compared to conventional RSA-AES-based architectures. These results demonstrate that the proposed framework provides a practical and scalable approach for achieving post-quantum secure and low-latency command transmission in next-generation 6G smart hospital systems. Full article

Secure cross-domain UAV authentication is challenging because identity verification alone is insufficient to guarantee safe operation. In many UAV applications, it is equally critical to verify that a UAV is currently located within an authorized geographic region. Existing approaches often expose precise GPS coordinates, rely on static identifiers that enable tracking, or fail to guarantee the freshness and authenticity of location evidence. These weaknesses allow replay, location spoofing, and trajectory inference attacks, especially in multi-domain environments. To address these limitations, we propose PrivLocAuth, a zero-knowledge-based cross-domain UAV authentication protocol that enforces geofence restrictions without revealing actual locations. In PrivLocAuth, UAVs encode their current coordinates into fresh Pedersen commitments, which are attested by the home Local Domain Server (LDS) using short-lived Schnorr signatures. Based on these attested commitments, UAVs generate Bulletproof range proofs to demonstrate compliance with cross-domain server-defined geofences. This design ensures that UAVs operate within authorized airspace while preserving strong location privacy. PrivLocAuth further incorporates a lightweight elliptic curve cryptography (ECC) and Schnorr signature-based credential framework that enables unlinkable authentication across-domains, preventing session correlation and identity tracking. Formal security analysis demonstrates resistance to impersonation, replay, geofence-bypass, and linkage attacks. Experimental evaluation shows low computational latency and minimal communication overhead, confirming the protocol’s suitability for resource-constrained UAV platforms operating in dynamic cross-domain environments. Full article