Multifunctional and Multidimensional Secure Data Aggregation Scheme in WSNs

Download as pdf or txt
Download as pdf or txt
You are on page 1of 12

IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO.

4, FEBRUARY 15, 2022 2657

Multifunctional and Multidimensional Secure Data


Aggregation Scheme in WSNs
Cong Peng , Min Luo , Pandi Vijayakumar , Debiao He , Member, IEEE, Omar Said , and Amr Tolba

Abstract—In wireless sensor networks (WSNs), data aggre- dimensions, our scheme is superior to the existing schemes in
gation (DA) has become one of the most practical techniques terms of computation and communication costs.
to reduce processing delay and improve energy efficiency. To
support intelligent applications, sensor nodes need to report Index Terms—Chinese remainder theorem, homomorphic
heterogeneous and diverse data, which induce the demand for encryption, secure data aggregation, wireless sensor networks
multidimensional DA and multifunctional data analysis. To solve (WSNs).
the current security problems and functional requirements,
we propose a multifunctional and multidimensional secure DA I. I NTRODUCTION
scheme to strike the balance between data availability and pri- ITH the rapid proliferation of wireless sensor networks
vacy. First, we design a Chinese remainder theorem conversion
method with the counter to encode multidimensional data into
large integers, which can be operated by linear homomorphic
W (WSNs), a large amount of heterogeneous data have
been collected by sensor nodes and consumed by various intel-
encryption schemes. Then, we introduce a multifunctional data ligent services [1], [2]. As shown in Fig. 1, the Internet of
analysis method supporting diversified aggregation functions, Things (IoT) technology stack consists of three tiers: 1) sen-
including linear, polynomial, and continuous functions. Moreover, sor nodes; 2) gateways; and 3) data analytic center. The sensor
we demonstrate that the proposed scheme can achieve confiden-
tiality, integrity, authentication, and resistance against false data node, equipped with limited resources, acts as the data pro-
injection attacks. The experimental results show that the sup- ducer to collect raw data and report these data via wireless
ported max dimension of one ciphertext in our scheme is at networks. The data analytic center, owned powerful compu-
least twice that of existing schemes. Thus, in scenarios with high tational ability, acts as the data consumer to analyze these data
and provide intelligent services. The gateway is an important
Manuscript received December 31, 2020; revised March 1, 2021 and
April 5, 2021; accepted May 3, 2021. Date of publication May 6, 2021; middleman element that acts as a bridge to connect sensor
date of current version February 4, 2022. This work was supported in nodes and the center. Nowadays, the gateway has become more
part by the Taif University Researchers Supporting Project, Taif University, intelligent to support additional functionality. Specifically, the
Taif, Saudi Arabia, under Grant TURSP-2020/60; in part by the Major
Scientific and Technological Innovation Project of Shandong Province gateway can acts as an aggregator to preprocess raw data and
under Grant 2020CXGC010115; in part by the National Natural Science upload the aggregated data to the center.
Foundation of China under Grant 61972294 and Grant 61932016; in part Data aggregation (DA) has become one of the most practi-
by the Blockchain Core Technology Strategic Research Program of the
Ministry of Education of China under Grant 2020KJ010301; in part by cal techniques to reduce processing delay and improve energy
the Special Project on Science and Technology Program of Hubei Province efficiency. However, DA at gateways may suffer from some
under Grant 2020AEA013; in part by the Natural Science Foundation of potential risks on data security and user privacy [3]. First, it is
Hubei Province under Grant 2020CFA052; and in part by the Wuhan
Municipal Science and Technology Project under Grant 2020010601012187. easily for adversaries to carry out attacks (e.g., eavesdropping,
(Corresponding author: Min Luo.) injection, and tampering) through wireless networks to infringe
Cong Peng is with the School of Cyber Science and Engineering and the data confidentiality and integrity. Second, it is able for adver-
School of Mathematics and Statistics, Wuhan University, Wuhan 430072,
China, and also with the Cyberspace Security Research Center, Peng Cheng saries to corrupt the gateway for stealing all nodes’ raw data.
Laboratory, Shenzhen 518000, China (e-mail: [email protected]). Third, it is possible that sensor nodes may send false data and
Min Luo is with the School of Cyber Science and Engineering, Wuhan affect the accuracy of DA due to some malfunctions or attacks.
University, Wuhan 430072, China, and also with the Shandong Provincial Key
Laboratory of Computer Networks, Qilu University of Technology (Shandong It is becoming common practice to implement data encryption
Academy of Sciences), Jinan 250014, China (e-mail: [email protected]). so as to prevent malicious attacks. But, traditional encryption
Pandi Vijayakumar is with the Department of Computer Science and techniques cannot strike the balance between data availabil-
Engineering, University College of Engineering Tindivanam, Tindivanam
604001, India (e-mail: [email protected]). ity and data privacy since ciphertexts are difficult to support
Debiao He is with the School of Cyber Science and Engineering, Wuhan aggregation operations (e.g., add, sum, and average) [4].
University, Wuhan 430072, China (e-mail: [email protected]). To solve the above problems, researchers have consid-
Omar Said is with the Department of Information Technology, College of
Computers and Information Technology, Taif University, Taif 21944, Saudi ered to utilize some special cryptographic primitives (e.g.,
Arabia, and also with the Mathematics and Computer Science Department, homomorphic encryption and aggregate signature) to con-
Faculty of Science, Menoufia University, Shebin El-Kom 32511, Egypt struct privacy-preserving DA schemes [5]–[15] for single-
(e-mail: [email protected]).
Amr Tolba is with the Computer Science Department, Community dimensional data aggregation. But, in the real-world scenario,
College, King Saud University, Riyadh 11437, Saudi Arabia, and also a sensor node usually collects different types of data (e.g.,
with the Mathematics and Computer Science Department, Faculty of temperature, humidity, and wind direction in atmospheric
Science, Menoufia University, Shebin El-Kom 32511, Egypt (e-mail:
[email protected]). monitoring). When uploading data to the gateway, the node
Digital Object Identifier 10.1109/JIOT.2021.3077866 will package all types of data into a single message packet
2327-4662 © 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: South Asian University. Downloaded on February 12,2024 at 17:23:40 UTC from IEEE Xplore. Restrictions apply.
2658 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 4, FEBRUARY 15, 2022

aggregation functions. The main contributions are listed as


follows.
1) We design a new CRT conversion method with counter
to remove strict limits on the input domain and reduce
data redundancy of ciphertexts.
2) We construct an efficient multifunctional and
multidimensional secure DA scheme based on the
linear homomorphic encryption scheme and the digital
signature scheme, called MMDA, and demonstrate its
security, in terms of the confidentiality, authentication,
integrity, and resistance against false data injection
attacks.
3) We illustrate an data analysis method to support multiple
aggregation functions, including linear functions, poly-
Fig. 1. System model. nomial functions, and continuous functions.
4) The performance results show that the max dimension of
one ciphertext in our scheme is at least twice that of the
and submit it as a report. It is not a wise choice to use existing schemes. Thus, in scenarios with high dimen-
single-dimensional privacy-preserving DA schemes to guaran- sions (such as 20), our scheme is superior to the existing
tee the security of multidimensional data, because it will result schemes in terms of computation and communication
in a lot of ciphertext data redundancy and increase communica- costs.
tion costs. Therefore, how to realize efficient multidimensional Organizations: The remainder of this article is as follows.
secure DA becomes a significant issue for researchers. In Sections II and III, the extant literature and related crypto-
Subsequently, many privacy-preserving schemes [16]–[30] graphic primitives are reviewed, respectively. In Section IV,
suitable for multidimensional data aggregation have been the system model, attacker model, problem statement, and
proposed. The core idea is to construct a conversion mech- design goal are discussed. In Section V, our proposed DA
anism between multidimensional data and large integers, and scheme is presented. The secure analysis and performance
then use linear homomorphic encryption to realize encrypted evaluation are given in Sections VI and VII, respectively.
data aggregation. The superincreasing sequence or the Chinese Finally, Section VIII concludes this article.
remainder theorem (CRT) are two typical conversion meth-
ods used in existing works. But both of them cannot solve
the data overflow problems, so that existing schemes have to II. R ELATED W ORKS
impose strict limits on the input domain of each dimension for In this section, we mainly discuss related works of
aggregation accuracy. This will open a door for the malicious multidimensional DA schemes in WSNs and some typically
attacker to disturb the DA results, as it can instruct a com- application areas, such as IoT [32] and smart grid [33].
promised sensor node to encrypt and transmit an out-of-range The comparison of different multidimensional secure DA
data (such as very large monitoring values). Thus, it is a major schemes [16]–[30] is given in Table I.
challenge to to remove these strict limits and resist on false Lin et al. [16] integrated the superincreasing sequence and
data attacks. perturbation techniques to design a novel multidimensional
In practice, the gateway needs to support various aggrega- privacy-preserving DA scheme for wireless sensor networks.
tion functions [31], including lower order statistics (e.g., sum, However, the neighbor sensor node shares its private key to
average, variance, and standard deviation), higher order statis- the aggregator node such that the privacy of aggregated data
tics (e.g., skewness and kurtosis), and other functions (e.g., is vulnerable to disclosure. Lu et al. [17] selected a super-
max/min and histogram). For example, the data center can increasing sequence of large primes and combined it with
use the summation, mean, variance, and other indicators to Paillier encryption [34] to present an efficient and privacy-
analyze the distribution of sensed data. However, most secure preserving aggregation scheme (EPPA) in smart grid. Besides,
DA schemes only support summation-based statistical results they adopted the multigenerator pattern to accelerate the
since the underlying homomorphic encryption only supports multidimensional data encryption process.
the modulus addition operation. Thus, multifunctional secure Jia et al. [18] utilized secure multiparty computation tech-
DA is another major problem to be solved. niques to construct a human-factor-aware privacy-preserving
Contributions: This article aims to solve the above aggregation scheme, in which multidimensional data are
three requirements simultaneously, that is, data privacy encrypted by a randomness Vandermonde matrix and some
preserving, multidimensional DA, and multifunction data anal- secret keys. However, this scheme is insecure since secret
ysis. Compared with existing schemes, we attempt to enhance keys can be revealed when different nodes reported the same
the security of data aggregation, such as resisting false data multidimensional data. Liu et al. [19] proposed an anony-
attacks from nodes. Also, we attempt to improve the effi- mous multidimensional DA scheme based on bilinear pairing
ciency and functionality of data aggregation, by reducing cryptography, in which reported data are aggregated in plain-
the data redundancy of ciphertexts and providing diversified text form to support addition and nonaddition functions.

Authorized licensed use limited to: South Asian University. Downloaded on February 12,2024 at 17:23:40 UTC from IEEE Xplore. Restrictions apply.
PENG et al.: MULTIFUNCTIONAL AND MULTIDIMENSIONAL SECURE DATA AGGREGATION SCHEME IN WSNs 2659

TABLE I
C OMPARISON OF D IFFERENT M ULTIDIMENSIONAL S ECURE DA S CHEMES

TABLE II
S UMMARY OF N OTATIONS single-dimensional aggregation of the sum of multiple data
actually.
In summary, there are two main problems with those
schemes: 1) cross-dimensional interference or data overflow.
The conversion method of integer vectors does not have an
overflow protection design so that the data results of one
dimension will interfere with other dimensions once they
exceed the limit (see Section IV-C) and 2) supporting few
aggregation functions. All these above schemes are designed
for linear aggregation functions, which are difficult to meet
the requirements in practical use.

III. P RELIMINARIES
A. Notations
For any positive integer N, we write ZN to denote the set
Lu et al. [20] proposed a two-subset DA scheme, which used {0, 1, . . . , N − 1} while Z∗N = {1, . . . , N − 1}. We use x to
the fractional-order group to encrypt different dimensional denote the vector {x1 , x2 , . . . , xt }, where xi is the ith element
data. Subsequently, Li et al. [26] and Wang et al. [29] designed of x. lcm(a, b) refers to the least common multiple of two
an improved multisubset DA scheme using the superincreasing integers a and b. Some notations are listed in Table II.
sequence and multiple fractional-order groups, respectively.
Sui et al. [21] designed a robust and efficient secure aggre- B. Chinese Remainder Theorem
gation scheme that uses ElGamal encryption [35] and the Theorem 1 (Chinese Remainder Theorem): Let
hash-based message authentication code to protect data confi- φ1 , φ2 , . . . , φβ be β integers, which are pairwise co-
dentiality, integrity, and authentication. However, the ElGamal prime, i.e., gcd(φi , φj ) = 1 for all 1 ≤ i = j ≤ β. For any
encryption scheme supporting homomorphic operations needs β-dimensional integer vector a = {a1 , a2 , . . . , aβ } satisfying
to solve the discrete logarithm problem during decryption. 0 ≤ ai < φi for all 1 ≤ i ≤ β, there exists a unique integer A
So, the scheme only supports small range data aggrega- in Z satisfying A = ai mod φi for all i = 1, 2, . . . , β, and
tion. This limited data range is also a problem in other two the integer A can be computed as
schemes [24], [28]. A = a1 1 + a2 2 + · · · + aβ β , mod  (1)
Shen et al. [22] utilized Horner’s rule to encode and β
decode the integer vector and presented a multidimensional where  = i=1 φi and i = /φi · ((/φi )−1 mod φi ) for
DA scheme with Paillier encryption [34] and BLS short signa- all 1 ≤ i ≤ β.
ture [36]. Pan et al. [23], [25] proposed two multidimensional Obviously, the CRT provides an efficient transformation
DA schemes. The first scheme [23] utilized the blind fac- method CRT(·), which converts an integer vector a into a
tor, generated by the shared key between a trusted author- large integer A = CRT(a) to perform addition or mul-
ity and the nodes, to encrypt each message. The second tiplication operations. Assuming a = {a1 , a2 , . . . , aβ } and
scheme [25] used Paillier encryption and the CRT con- b = {b1 , b2 , . . . , bβ }, we have
version method to encrypt multidimensional data without a 
CRT(a) + CRT(b)  = ai + bi , mod φi
trusted third party. Recently, Mohammadali and Haghighi [30] (2)
CRT(a) × CRT(b)  = ai × bi , mod φi .
proposed a homomorphic privacy-preserving DA scheme with
multidimensional and fault tolerance, which only achieved the So, CRT provides a natural approach to process vector data.

Authorized licensed use limited to: South Asian University. Downloaded on February 12,2024 at 17:23:40 UTC from IEEE Xplore. Restrictions apply.
2660 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 4, FEBRUARY 15, 2022

C. Linear Homomorphic Encryption 1) N: Each sensor node Ni is equipped with various


Homomorphic encryption is a special encryption method, sensors and meters to precept and collect real-time
which can ensure that some ciphertext operations and plaintext heterogeneous data from the surrounding environment
operations remain homomorphic. For example, additive homo- or device state. Then, Ni encrypts multidimensional data
morphic encryption makes the homomorphic addition of two at once and reports ciphertexts periodically to GW.
ciphertext homomorphic equals to the sum of their correspond- 2) GW: Acting as a mediator and aggregator, each gate-
ing plaintexts. Generally, the linear homomorphic encryption way GW is responsible for providing communication
consists of five schemes. relay to Ni and AC, while implementing localized DA
1) (pk, sk) → HKGen(κ): Taking a security parameter κ to reduce communication overhead between itself and
as input, the key generation algorithm generates a secret AC. GW provides a variety of DA functions (such as
key sk and a public key pk. sum, mean, and variance) and only sends aggregated
2) ci → HEnc(pk, mi ): Taking a public key pk and a mes- ciphertexts to AC.
sage mi as inputs, the encryption algorithm generates a 3) AC: The analytic center AC has powerful computing
ciphertext ci of mi . power to process and analyze the information uploaded
3) mi → HDec(sk, ci ): Taking a secret key sk and a cipher- by gateways. Similarly, it can also perform ciphertext
text ci as inputs, the decryption algorithm extracts the aggregation function.
plaintext mi hidden in ci . Without loss of generality, we assume that each gateway
4) ck → HAdd(ci , cj ): Taking two ciphertexts ci and aggregates β-dimensional data reported by α nodes at a time
cj as inputs, the homomorphic addition algorithm cal- slot. For brevity, since the aggregation pattern of AC is con-
culates a new ciphertext ck , where HDec(sk, ck ) = sistent with GW, we do not consider its aggregation scenario
HDec(sk, ci ) + HDec(sk, cj ). in this article.
5) ck → HMul(mi , cj ): Taking a plaintext mi and a
ciphertext cj as inputs, the homomorphic scalar multipli- B. Attacker Model
cation algorithm calculates a new ciphertext ck , where From the security perspective, we consider AC and GW as
HDec(sk, ck ) = mi ∗ HDec(sk, cj ). semihonest roles that strictly follow protocol processes but are
Namely, linear homomorphism enables ciphertexts to per- also curious about some privacy information. More accurately,
form linear function operations. In our scheme, we utilize the AC is far away from nodes and cannot directly decrypt the
Paillier encryption scheme [34] to provide the homomorphic ciphertext reported by nodes. Meanwhile, GW cannot obtain
encryption function. any decrypted data from AC.
Assume that adversary A has the following attack
D. Digital Signature capabilities.
1) A can eavesdrop on all communications between nodes,
Digital signature can realize the authentication and integrity
gateways, and the analytic center for stealing transmitted
protection of data source. Generally, the digital scheme con-
data.
sists of three algorithms.
2) A can corrupt the gateway to steal all data reported by
1) (pk, sk) ← SigKGen(κ): Taking a security parameter κ
nodes.
as input, the key generation algorithm generates a secret
3) A can corrupt the node or the gateway to inject false
key sk and a public key pk.
data to compromise the accuracy of results.
2) σ ← Sig(sk, m): Taking a secret key sk and a message
m as inputs, the signature generation algorithm generates
a signature σ of m. C. Problem Statement
3) 1/0 ← Vrf(pk, m, σ ): Taking a public key pk and a Considering homomorphic encryption on multidimensional
message-signature pair (m, σ ) as inputs, the signature data, a straightforward method is encrypting data in each
verification algorithm checks the validity of the signature dimension independently with a ciphertext vector as out-
and returns 1 if valid or 0 otherwise. put. However, computation and communication overhead will
Due to the Schnorr signature [37] having a short signature increase linearly with the dimension. Moreover, the plaintext
size and the batch verification method, we utilize it to provide space of the existing linear homomorphic encryption schemes
the digital signature function in our scheme. is much larger than the range space of the data in practical
applications. If a ciphertext contains only one data, it will
lead to significant data redundancy. The other two ways are
IV. S YSTEM D ESIGN as follows.
A. System Model Using Superincreasing Sequence: Suppose
{ψ1 , ψ2 , . . . , ψβ } is a superincreasing sequence of inte-
In our system model, we focus on how to securely aggregate i−1
multidimensional data to obtain various linear function results gers satisfying j=1 ψj · j < ψi for all i = 1, 2, . . . , β, the

and provide privacy-preserving data analysis. There are three integer vector a can be converted into A = i=1 ai ψi where
roles participated in our scheme: 1) a set of sensor nodes i is the upper bound of ai . Obviously, the limitation of this
{N1 , N2 , . . . , Nα }; 2) the gateway GW; and 3) the analytic approach is that the results of addition and multiplication for
center AC, as shown in Fig. 1. each dimension must be within the range [0, i ]. Otherwise,

Authorized licensed use limited to: South Asian University. Downloaded on February 12,2024 at 17:23:40 UTC from IEEE Xplore. Restrictions apply.
PENG et al.: MULTIFUNCTIONAL AND MULTIDIMENSIONAL SECURE DATA AGGREGATION SCHEME IN WSNs 2661

Algorithm 1 Convert an Integer Vector Into a Large Integer needs calculate some function values for the uploaded
Input: An integer vector a = {a1 , . . . , aβ } and the parameters data, such as sin(x), cos(x), ex , etc.
ppCRT .
Output: A large integer A in ZN .
1: A ← 0 V. M ULTIFUNCTIONAL AND M ULTIDIMENSIONAL
2: for i = 1 to β do S ECURE DATA AGGREGATION S CHEME
3: A ← A + ai · i mod N In this section, we first introduce a new CRT-based conver-
4: end for
5: return A
sion method with a counter, and then describe details of the
proposed scheme and illustrate its multifunctionality.

A. CRT-Based Conversion Method With Counter


there will cause overflow problems affecting the correctness
of the results. To solve the overflow and modulus conversion problem, we
Using CRT: Suppose {φ1 , φ2 , . . . , φβ } are primes, the inte- discuss some properties between the modulus N and .
ger vector a can be converted into the A = CRT(a). This Theorem 2: Let N and  be two integers, φi be a prime
approach solves the overflow problem for each dimension factor of , and the difference = N −  is not divisible
because the results of additions and multiplications are always by φi . For any integer A in the interval [0, φi ·N−1], if knowing
in Zφi . Another serious problem is that linear homomorphic the remainders of A modulo N and φi , i.e., a = A mod N and
encryption (Paillier encryption or ElGamal encryption) pro- ai = A mod φi , then A can be computed as A = s · N + a,
vides addition or scalar multiplication operations on ZN , not where s = −1 · (ai − a) mod φi .
operations on Z . For this reason, many schemes restrict the Proof: Without loss of generality, A can be written in the
operation result of the converted integer to be less than N. form A = s · N + a (0 ≤ s < φi ). Then, we have
In practice, however, a malicious adversary can inject some
A = s · N + a = s · ( + ) + a = s ·  + (s · + a)
large converted integers (although less than N) to make the
final results greater than N. ⇒ A=s· + a = ai mod φi . (3)

Obviously, has an inverse −1 in Zφi , i.e., · −1 = 1


D. Design Goal mod φi . s is less than the prime φi , and s can be uniquely
Our goal is to design a multifunctional and solved by the formula s = −1 · (ai − a) mod φi .
multidimensional secure DA scheme. The following properties When  is properly selected, if knowing the remainder of
should be achieved. a larger integer A modulo N and the remainder of A modulo a
1) Security: The proposed scheme should protect data prime φi , the integer A can be recovered according to the above
confidentiality, integrity, and authentication. It is nec- Theorem 2. Based on this feature, we construct a counter each
essary to prevent nodes’ data or aggregated data from time encoding the integer vector. After a finite number of oper-
being leaked to the adversary, and prevent illegal or ations, we can restore the original integer according to the
false messages from being participated in aggregation value of the final counter. The specific methods are described
operations. as follows.
2) Efficient: The proposed scheme should achieve high Parameter Selection: Given the dimension β and the
efficient of computation and communication. On the modulus N, choose β + 1 primes {φ0 , φ1 , . . . , φβ } such

one hand, it is necessary to avoid using computation- that = N − i=0 φi is not divisible by φ0 . Compute

intensive cryptographic primitives (e.g., bilinear pairing  = i=0 φi and i = /φi · ((/φi )−1 mod φi ) for all
operations) for design. On the other hand, it is nec- i = 0, 1, . . . , β. The published parameters are ppCRT =
essary to take advantage of aggregators to minimize {β, N, , −1 , φ0 , . . . , φβ , 0 , . . . , β }.
communication overhead. Convert an Integer Vector Into a Large Integer (V2I):
3) Multidimensional: The proposed scheme should support Similar to the traditional CRT conversion method, we use
the node to report various collected data in one commu- the CRT solution equation (1) to construct the larger integer,
nication interaction. Specifically, nodes can package and denote as A = V2I(a), as shown in Algorithm 1. The differ-
upload each type of data individually, but this pattern is ence is that we use β+1 primes to transform the β-dimensional
very inefficient. The designed scheme needs to be able integer vector, and fix the input integer of the first dimension
to package multidimensional data in a single communi- to be one, i.e., a0 = 1. The setting here is to make it easier
cation packet without interfering with subsequent data to match the number of subsequent linear operations.
analysis. Convert a Large Integer Into an Integer Vector (I2V): If the
4) Multifunctional: The proposed scheme should support linear operation result A is greater than N, the CRT reduction
various data analysis functions. In general, the aggre- from A will not be accurate. To recover the integer vector cor-
gation function makes it easy to calculate the sum and rectly, we need to derive the integer A before modulus N from
average of reported data. However, the statistical analy- A. Based on Theorem 2, we can calculate s and A as shown
sis in the actual scenario will require more measurement in Algorithm 2, and then get the remainders ai = A mod φi
indicators, such as quadratic mean, harmonic mean, vari- of different dimensions as output. Denote the j-dimensional
ance, and standard deviation. More complicated, AC output as aj = I2Vj (A, ctr).

Authorized licensed use limited to: South Asian University. Downloaded on February 12,2024 at 17:23:40 UTC from IEEE Xplore. Restrictions apply.
2662 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 4, FEBRUARY 15, 2022

Algorithm 2 Convert a Large Integer Into an Integer Vector Algorithm 3 Data Generation (Operations on Ni )
Input: A large integer A in ZN , the counter ctr and the parameters Input: β integers {mi,1 , mi,2 , . . . , mi,β } and the parameters pp.
ppCRT . Output: The reported ciphertext {Ci , σi }.
Output: An integer vector a = {a1 , . . . , aβ }. 1: Set mi ← {mi,1 , mi,2 , . . . , mi,β }
1: A0 ← A mod φ0 2: Mi ← V2I(mi )
2: s ← −1 · (ctr − A0 ) mod φ0 3: Ci ← HEnc(pk, Mi )
3: A ← s · N + A mod  4: σi ← Sig(ski , Ci )
4: for i = 1 to β do 5: return {Ci , σi }
5: ai = A mod φi
6: end for
7: return a  = {a1 , . . . , aβ } Algorithm 4 DA (Operations on GW)
Input: α integer vectors {C1 , C2 , . . . , Cα }, α signatures
{σ1 , σ2 , . . . , σα }, the weightings {w1 , w2 , . . . , wα }, the
parameters pp.
Consider the scenario of linear aggregation of α integer Output: The aggregated ciphertext {C, σ }.
vectors {m1 , m2 , . . . , mα }, {M1 , M2 , . . . , Mα } are the encoding 1: for i = 1 to α do
2: d ← Vrf(pki , Ci , σi )
larger integers, i.e., Mi = V2I(mi ) for i = 1, 2, . . . , α. Let the 3: if σi is invalid then
linear aggregation function be f (x1 , x2 , . . . , xα ) = αi=1 wi ·xi . 4: reject Ci and exit with error
Then, as long as the sum of weightings αi=1 wi is less than 5: end if
φ0 , the property 6: end for
7: C ← 0
  8: for i = 1 to α do
f m1,j , m2,j , . . . , mα,j , mod φj
 α
9: Ci ← HMul(wi , Ci )
 10: C ← HAdd(C, Ci )
= I2Vj f (M1 , M2 , . . . , Mα ), wi (4) 11: end for
i=1 12: σ ← Sig(skGW , C)
13: return {C, σ }
holds on each dimension since the final calculation result
f (M1 , M2 , . . . , Mα ) is less than φ0 ·N. In homomorphic encryp-
tion pattern, the plaintext data hidden in each ciphertext is
guaranteed to be less than N. Therefore, the core of overflow 2) Data Generation: To report β data {mi,1 , mi,2 , . . . , mi,β }
prevention lies in controlling the weight of linear operation, simultaneously, the node Ni follows the steps below to
so that the sum is less than the predetermined prime. generate the reported ciphertext, as shown in Algorithm 3.
1) Step 1: Ni arranges the data {mi,1 , mi,2 , . . . , mi,β } into
a vector mi in the predetermined order and encodes the
B. Details of the Proposed Scheme vector to a large integer Mi = V2I(mi ).
In this part, we give the framework description of our 2) Step 2: Ni encrypts Mi as Ci = HEnc(pk, Mi ).
scheme (as shown in Fig. 2) and instantiate it with the Paillier Specifically, Ni randomly picks an integer ri in Z∗N and
encryption scheme [34] and the Schnorr signature scheme [37]. computes Ci = (1 + N · Mi ) · gri mod N 2 .
The specific description is as follows. 3) Step 3: Ni signs the ciphertext Ci to obtain the sig-
1) System Initialization: Given a security parameter κ and a nature σi = Sig(ski , Ci ). Specifically, Ni randomly
dimension β, the analytic center AC initializes the parameters picks an integer ki in Z∗q , computes Ki = gk2i ,
of linear homomorphic encryption, digital signature, and CRT- hi = H(pki , Ki , Ci ), and si = ki − hi · ski , and sets
based conversion method with the counter, and publishes the σi = (hi , si ).
parameters pp = {ppLHE , ppSig , ppCRT }. Then, Ni sends the reported ciphertext {Ci , σi } to GW.
1) Step 1: AC randomly selects two strong primes u and v, 3) Data Aggregation: After receiving α reported cipher-
computes N = uv and λ = lcm(u−1, v−1), and chooses texts {C1 , σ1 , C2 , σ2 , . . . , Cα , σα }, GW follows the steps
an element g1 in ZN 2 satisfying gλ1 = 1 mod N 2 . Then, below to aggregate  the reported data with a linear function
AC sets the public parameter of linear homomorphic f (x1 , x2 , . . . , xα ) = αi=1 wi · xi , as shown in Algorithm 4.
encryption as ppLHE = pk where the public key pk = 1) Step 1: GW verifies the validity of all signatures
{N, g1 } and keeps the private key sk = λ. {σ1 , σ2 , . . . , σα }. Specifically, GW computes Ki = gs2i ·
2) Step 2: AC takes the modulus N and the dimension β pkihi , checks whether hi equals to H(pki , Ki , Ci ), and
as inputs to select parameters ppCRT , as described in aborts if the check fails.
Section V-A. 2) Step 2: GW calculates the linear function of encrypted
3) Step 3: AC chooses a cyclic group G of a prime order data, i.e., C = [w1 ]C1 ⊕ [w2 ]C2 ⊕ · · · ⊕ [wα ]Cα .
q and a generator g2 of G. Also, AC chooses a hash Specifically, GW first sets C to be zero, and com-
function H : {0, 1}∗ → Z∗q . AC sets the public parameter putes the homomorphic scalar multiplication result Ci =
of digital signature as ppSig = {G, q, g2 , H}. HMul(wi , Ci ) and the homomorphic addition result C =
Moreover, each node Ni generates its own signature key HAdd(C, Ci ) for each i = 1, 2, . . . , α.
pair (pki = gsk 2 , ski ) and registers pki to its parent gateway
i
3) Step 3: GW uses its private key skGW to sign C and
GW. Also, GW generates the signature key pair (pkGW = obtain the signature σ = Sig(skGW , C). Specifically,
sk
g2 GW , skGW ) and registers pkGW to AC. GW randomly picks an integer k in Z∗q , computes K= gk2 ,

Authorized licensed use limited to: South Asian University. Downloaded on February 12,2024 at 17:23:40 UTC from IEEE Xplore. Restrictions apply.
PENG et al.: MULTIFUNCTIONAL AND MULTIDIMENSIONAL SECURE DATA AGGREGATION SCHEME IN WSNs 2663

Fig. 2. Design architecture of the proposed scheme.

Algorithm 5 Data Reading (Operations on AC) according to the properties of linear homomorphic encryption
Input: The aggregated ciphertext (C, σ ), the parameters pp. scheme, we have
Output: An integer vector z = {z1 , . . . , zβ }.
1: d ← Vrf(pkGW , C, σ ) α

2: if σ is invalid then M = wi · Mi , mod N
3: reject C and exit with error i=1
4: end if  α α
5: M ← HDec(sk, C)
 
 ⇒ I2Vj M, wi = wi · Mi , mod φj , 1 ≤ j ≤ β
6: {z1 , z2 , . . . , zβ } ← I2V(M, α i=1 wi )
7: return z = {z1 , z2 , . . . , zβ } as the aggregated plaintext  i=1 i=1

⇒ zj = f m1,j , m2,j , . . . , mα,j , mod φj , 1 ≤ j ≤ β. (5)

Based on Theorem 2, the condition αi=1 wi < φ0 needs to
h = H(pkGW , K, C) and s = k − h · skGW , and sets be satisfied for the aggregation function to be correct. This
σ = (h, s). condition can be easily satisfied since the weightings wi (1 ≤
Then, GW sends the aggregated ciphertext {C, σ } and the i ≤ α) are controlled by GW. Thus, the correctness of DA
counter αi=1 wi to AC. can be guaranteed.
4) Data Reading and Analysis: On  receiving the aggre-
gated ciphertext (C, σ ) and the counter αi=1 wi , AC follows C. Multifunctional Aggregation
the steps below to extract the aggregated data, as shown in In this section, we will show how to implement the proposed
Algorithm 5. scheme to achieve multiple data analysis functions.
1) Step 1: AC verifies the validity of the signature σ . 1) Raw Data Mapping to Available Integer: First, we dis-
Specifically, AC computes K = gs2 · pkGW h , checks
cuss the representation of actual measurements. The input
whether h equals to H(pkGW , K , C), and aborts if the vectors in the above design scheme must be integers, but the
check fails. data detected in a real IoT environment are floats generally.
2) Step 2: AC uses the private key sk to decrypt C and Suppose that xi = {xi,1 , xi,2 , . . .} are the raw data detected by
obtain M = HDec(sk, C). Specifically, AC computes the node Ni and each raw data xi,j belongs to the real domain,
M = ((Cλ mod N 2 ) − 1)/(N · λ) mod N. i.e., xi,j ∈ [LBj , UBj ], where LBj and UBj are the lower and
3) Step 3: AC decodes M to extract the  aggregated plain- upper bounds on the jth dimension, respectively.
text z = {z1 , z2 , . . . , zβ } = I2V(M, αi=1 wi ). Obviously, xi,j cannot be directly converted by CRT meth-
After obtaining the integer vector z, AC can process sub- ods, and we need a linear function R2I(·) to map the raw
sequent data analysis of various functions, which will be data to the integer space. The most common solution is,
discussed in Section V-C. R2I(xi,j ) = (xi,j − LBj )/ACj where ACj is the accuracy on jth
Correctness: First, the correctness of the signature is easy dimension. Its inverse function is I2R(mi,j ) = mi,j · ACj + LBj .
to verify, that is, Ki = gs2i · pkihi = gs2i +hi ·ski = gk2i = Ki . Then, For example, the effective range of sea surface temperature is

Authorized licensed use limited to: South Asian University. Downloaded on February 12,2024 at 17:23:40 UTC from IEEE Xplore. Restrictions apply.
2664 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 4, FEBRUARY 15, 2022

[6, 32] °C and the accuracy is 0.01 °C. Assuming the raw data Algorithm 6 Multifunctional Data Analysis
xi,j = 13.72 °C, the converted data are mi,j = R2I(xi,j ) = 772. Input: The vectors mi = {mi,j , m1i,j , m2i,j , m3i,j , · · · }(1 ≤ i ≤ α), the
2) Multifunctional Supporting: Next, we list a few typical counter α and the parameters pp.
instances to illustrate the multifunctionality of our scheme. To Output: Various function results.
support multifunctionality, the following two mechanisms are 1: Encrypt mi to obtain (Ci , σi ) following Algorithm 3
2: Aggregate {C1 , C2 , . . . , Cα } to  obtain C following Algorithm 4
available.
3: Decrypt C to obtain α m , α 1 , α m2 , α m3 ,
i,j
1) The node can pack {xi,j , xi,j 2 , x3 , . . .} into one reported i=1 i=1 mi,j i=1 i,j i=1 i,j
i,j · · · , following Algorithm 5
ciphertext to support polynomial functions. 4: CNT = α
2) The gateway can  compute several linear  aggregation 5: SUM ← α i=1 mi,j
functions {f1 (x) = αi=1 wi1 ·xi , f2 (x) = αi=1 wi2 ·xi , . . .} 6: MEAN ← SUM/CNT

on the same α reported ciphertexts x. 7: QMEAN ← 2
i=1 mi,j /CNT
Obviously, if the above mechanisms are used, the dimen- α
8: HMEAN ← CNT/ i=1 m1
i,j
sion of raw data in each ciphertext will decrease, while the 9: VAR ← QMEAN 2 − MEAN 2

supported aggregation functions will be much richer. 10: STD ← VAR
For brevity, denote the integer vector as m̄j =  1 α 1 α
11: EXP ← CNT + α 2
i=1 mi,j + 2 i=1 mi,j + · · · + t
t
i=1 mi,j
{m1,j , m2,j , . . . , mα,j } where mi,j is an integer mapped by 12: return SUM, MEAN, VAR, STD, EXP
R2I(xi,j ). As shown in Algorithm 6, the following three types
of functions can be supported by our scheme.
1) Type-1 (Linear Functions Supported by 1-D Data):
Naturally, the proposed scheme can support various such as sin(x), cos(x), ex , and ln(x), can be approxi-
linear functions with 1-D inputs, such as follows. mated by algebraic polynomials, such as linear approx-

a) Linear Weighted Sum: WSUM(m̄j ) = αi=1 wi ·mi,j imation and quadratic approximation using Taylor’s
where the weighting wi is added by the aggregation formula [38]. But it is worth noting that the accuracy
process. of the approximation needs
 to be preset in advance. For

example, let Fj (m̄j ) = αi=1 emi,j ; here, e is Euler’s num-
b) Arithmetic α Mean: MEAN(m̄j ) = [( i=1 mi,j )/α]
where i=1 mi,j is decrypted by AC. ber. According to Taylor’s expansion, ex ≈ 1 + x +
c) Quadratic Mean: QMEAN(m̄j ) = (1/2!)x2 +(1/3!)x3 +· · · . Thus,
Fj (m̄j ) canbe computed
α by the results, like αi=1 mi,j , αi=1 m2i,j , αi=1 m3i,j , . . .,
[( i=1 mi,j )/α], where mi,j is encrypted
2 2
 with the corresponding Taylor’s series. In addition,
by Ni and αi=1 m2i,j is decrypted by AC. nodes can also take emi,j as input to provide richer
d) Harmonic Mean: HMEAN(m̄j ) = analysis functions for AC.
α/ αi=1 (1/m  i,j ), where (1/m i,j ) is encrypted In a word, in terms of the analysis function provided
by Ni and αi=1 (1/mi,j ) is decrypted by AC. by AC, our scheme has a very strong supporting capacity.
2) Type-2 (Polynomial Functions Supported by Multiple- The limitation of the scheme is that the sum of weight-
Dimensional Data): Suppose AC wants to get the ings at each gateway aggregation should be less than a
aggregated results of polynomial functions, i.e., predetermined prime φ0 . A simple solution is that we can
α α
    select the larger prime (maybe larger than 264 ) to prevent
Fj m̄j = wi,1 · mi,j + wi,2 · m2i,j this problem. Since φ0 is public, GW can also control this
i=1 i=1 problem.
α

+ ··· + wi,s · msi,j . (6)
i=1
VI. S ECURITY A NALYSIS
If {mi,j , m2i,j , . . . , msi,j } are packed in one reported cipher- In this section, we analyze the security of the proposed
text by Ni , GW can aggregate α reported  ciphertexts scheme. As we discussed in Section IV-B, the powerful adver-
α
to obtainthe encrypted i=1 wi,1 · mi,j , i=1 wi,2 · sary A can eavesdrop on the communication channel between
α
mi,j , . . . , i=1 wi,s · mi,j and upload these ciphertexts to
2 s
Ni , GW, and AC.
AC. Then, AC can calculate the final result by decrypt- Confidentiality: The ith node’s reported data
ing these uploaded ciphertexts. For example, AC can xi = {xi,1 , xi,2 , . . . , xi,β } are formed as Mi =
compute the variance of m̄j as V2I(mi,1 , mi,2 , . . . , mi,β ), where mi,j = R2Ij (xi,j ) for
   2  2
VAR m̄j = QMEAN m̄j − MEAN m̄j j = 1, 2, . . . , β. Then, Ci = HEnc(pk, Mi ) is a valid cipher-
α 2 α 2 text of the linear homomorphic cryptosystem. Specifically,
i=1 mi,j i=1 mi,j Ci = (1 + N · Mi ) · gri mod N 2 is a Paillier cipher-
= − (7)
α α2 text. Since the Paillier encryption scheme is semantic
α α
where i=1 mi,j and i=1 m2i,j can be decrypted from secure against chosen plaintext attacks [34], the adver-
the aggregated ciphertext. Similarly, the standard devia- sary A cannot distinguish the ciphertext between two
tion can be calculated as STD(m̄j ) = VAR(m̄j ). known plaintexts. Although xi may be low entropy,
3) Type-3 (Continuous Functions Supported by Polynomial A cannot find the correct plaintext by exhaustive
Approximation): Mathematically, continuous functions, attacks.

Authorized licensed use limited to: South Asian University. Downloaded on February 12,2024 at 17:23:40 UTC from IEEE Xplore. Restrictions apply.
PENG et al.: MULTIFUNCTIONAL AND MULTIDIMENSIONAL SECURE DATA AGGREGATION SCHEME IN WSNs 2665

TABLE III
From the gateway’s perspective, GW can obtain the cipher- E XECUTION T IME OF BASIC O PERATIONS W ITH 80-B ITS
texts {C1 , C2 , . . . , Cα } and C. Similarly, these ciphertexts are S ECURITY L EVEL ( MS )
encrypted by a semantic secure homomorphic encryption. The
honest-but-curious gateway has no ability to extract the hid-
den context in ciphertexts. Moreover, if some sensor nodes
are compromised and their reported data are revealed, the
adversary A (or the gateway) also cannot extract the reported
data from safety nodes or the aggregated data in C. Since the
only decryption key is held by AC, nobody could decrypt the
ciphertext except AC.
Authentication and Integrity: In the proposed scheme, the
ciphertexts transmitted in the channel are signed by the sender, the Paillier encryption scheme, the length of two basic primes
i.e., the node or the gateway. So, as long as the signature (u, v) is 512 bits and the length of the modulus N is 1024 bits.
scheme is existential unforgeability against chosen message For the elliptic curve group (denoted as G), the prime of the
attacks, the validity of signatures can guarantee the authen- basic field is selected as a 160 bits prime and the length of
tication and integrity of ciphertexts. The security of Schnorr elements in G is 320 bits.
signature had been discussed in [37]. It concluded that the
Schnorr signature is existential unforgeable against chosen A. Computation Costs
message attacks in the random oracle model under the discrete To implement those compared schemes, we utilize the
logarithm assumption. So, the authentication and integrity of well-known Relic library [39] to provide basic cryptographic
reported data and aggregated data can be achieved. primitives. The experiments are performed on a Laptop with
Resistance on Impersonation and Injection Attack: First, the Window 10 OS, Intel Core i7-8850U 2.00 GHz and 8-GB
adversary cannot impersonate a node to send a message to the RAM. Table III lists the execution time of basic operations.
gateway, because the gateway must authenticate the data each Since some operations, e.g., addition in ZN 2 , are considered
time it receives. Obviously, the adversary cannot cheat the negligible compared with exponentiation in ZN 2 and point
gateway since it cannot obtain the private key. However, the multiplication in G. But, we do not ignore multiplication in
adversary can compromise some nodes. If this attack happens, ZN 2 since the number of times it appears increases as the num-
the adversary can control these nodes to send false data to ber of nodes increases. Note that when comparing, we will not
the gateway. For example, the false data can exceed the range compare the computation costs of the signature part, because
limits of the scheme (e.g., several hundred degrees Fahrenheit). some schemes only support homomorphic data aggregation.
Then, two situations may happen as follows. Moreover, the Schnorr signature used in our scheme is only
1) jth-dimensional data mi,j are out of the jth range j . an instance, which can be replaced by other secure signature
Actually, the results of jth-dimensional data are always schemes.
in Zψj , no matter how many additions have been exe- 1) Computation Cost of Sensor Nodes: Denote the dimen-
cuted. sion of sensor node’s reported data as β. In our scheme, the
2) The converted integer Mi is larger than the modulus . sensor node requires β + β/31 exponentiation operations
According to the homomorphic operation, the decrypted and β multiplication operation in ZN 2 , where a 32-bits prime
data are less than N. That is, even if the data before ψ0 is used for counting. Hence, the total computation cost
encryption are greater than N, the decryption process in our scheme is (β + β/31)Ten2 + βTmn2 ≈ 0.437β +
performs modular N operations on the original result. 0.435(β/31) ms. In scheme [17], the sensor node requires
In our assumption, aggregated data can be correctly β + β/16 exponentiation operations in ZN 2 , where the lim-
restored as long as the counter is less than the prime ψ0 . ited ranges are 64-bits primes. Hence, the total computation
At this point, the gateway is easy to control because the cost in [17] is (β + β/16)Ten2 ≈ 0.435β + 0.435β/16 ms.
sum of the weights used equals to the counter. Therefore, In scheme [26], the sensor node requires 2β + β/10,
the problem of large number overflow can be effectively where the result of each dimension requires 96 bits length
solved. space to prevent overflow. Hence, the total computation cost
Therefore, our scheme has a good fault-tolerance mechanism in [17] is (2β + β/10)Ten2 ≈ 0.87β + 0.435β/10 ms. In
to resist impersonation and injection attack. scheme [28], the sensor node requires 3 · β/2 point multi-
plication in G. Hence, the total computation cost in [17] is
(3 · β/2)Tpm ≈ 0.282β/2 ms.
VII. P ERFORMANCE E VALUATION As shown in Fig. 3, we can see that our scheme is faster than
In this section, we measure the performance of our scheme other schemes based on Paillier encryption with the increase of
in terms of computation costs and communication costs. The dimension. However, compared to the ElGammal encryption
performance results are compared with previous schemes, i.e., scheme, our scheme is much slower.
Lu et al.’s scheme EPPA [17], Li et al.’s scheme PPMA [26], 2) Computation Cost of the Gateway: Denote the num-
and Ming et al.’s scheme P2 MDA [28]. ber of sensor nodes’ reported data as α. In our scheme, the
To be fair, we set the security level to 80 bits and select gateway requires (α − 1) · β/31 multiplication operation in
the corresponding parameters to initialize those schemes. For ZN 2 . In scheme [17], the gateway requires (α − 1) · β/16

Authorized licensed use limited to: South Asian University. Downloaded on February 12,2024 at 17:23:40 UTC from IEEE Xplore. Restrictions apply.
2666 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 4, FEBRUARY 15, 2022

Fig. 3. Comparison of computation costs comparison at sensor nodes. Fig. 5. Comparison of computation costs at the gateway when β = 30.

TABLE IV
C OMPUTATIONS C OSTS OF D IFFERENT E NTITIES ( MS )

Fig. 6. Comparison of communication costs with different dimensions.

In general, our scheme is most advantageous at higher


dimensions, because we make full use of the plaintext space of
the encryption scheme. Compared with the ElGammal encryp-
tion scheme, our scheme is slower in the data generation
process, but does not have the problem of solving discrete log-
arithms. Once the data are out of limited bounds, the discrete
Fig. 4. Comparison of computation costs at the gateway when β = 16. logarithm problem is difficult to solve.

B. Communication Costs
multiplication operation in ZN 2 . In scheme [26], the gateway First, we consider the size of node’s reported ciphertexts.
requires (α − 1) · β/10 multiplication operation in ZN 2 . In Obviously, the communication costs between Ni and GW are
scheme [28], the gateway requires (α−1)·β/2 point addition related to the dimension. So, the node sends a β/31|ZN 2 |
in G. The total computation costs of the gateway are listed in bits ciphertext to the gateway in our scheme, which should
Table IV. Two different dimensions are selected to measure be β/16|ZN 2 | bits and β/10|ZN 2 | bits in EPPA [17]
the computing time of the gateway, as shown in the Figs. 4 and PPMA [26], respectively. In P2MDA [28], it becomes
and 5. From these two figures, our scheme is more suitable β|G| bits. Based on this conclusion, we show the commu-
for scenarios with larger dimensions. nication overhead at different dimensions in Fig. 6. At the
3) Computation Cost of the Analytic Center: For the ana- gateway, the length of the aggregated ciphertext is the same
lytic center, the computation costs are directly related to the as the ciphertext uploaded by the node. Therefore, the com-
number of ciphertexts after aggregation. As analyzed in the munication cost between the gateway and the center is the
previous paragraphs, the center requires β/31 exponentia- same as the communication cost between the gateway and
tion operation in ZN 2 in our scheme, while the center requires nodes.
β/16 and β/10 exponentiation operation in ZN 2 in other As shown in Fig. 6, the ciphertext length increases the slow-
two schemes [17], [26], respectively. The center requires est with the increase of dimension in our scheme. This further
β/2 point multiplication in G in scheme [28]. illustrates the very low data redundancy of our scheme.

Authorized licensed use limited to: South Asian University. Downloaded on February 12,2024 at 17:23:40 UTC from IEEE Xplore. Restrictions apply.
PENG et al.: MULTIFUNCTIONAL AND MULTIDIMENSIONAL SECURE DATA AGGREGATION SCHEME IN WSNs 2667

VIII. C ONCLUSION [20] R. Lu, K. Alharbi, X. Lin, and C. Huang, “A novel privacy-preserving
set aggregation scheme for smart grid communications,” in Proc. IEEE
In this article, we presented a new multifunctional and Global Commun. Conf. (GLOBECOM), San Diego, CA, USA, 2015,
multidimensional secure DA scheme for WSNs. On the one pp. 1–6.
[21] Z. Sui, M. Niedermeier, and H. de Meer, “RESA: A robust and efficient
hand, we explained theoretically how to improve the efficiency secure aggregation scheme in smart grids,” in Proc. Int. Conf. Crit. Inf.
of our scheme by reducing the data redundancy in cipher- Infrastruct. Security, 2015, pp. 171–182.
texts. On the other hand, through experimental analysis, we [22] H. Shen, M. Zhang, and J. Shen, “Efficient privacy-preserving cube-
data aggregation scheme for smart grids,” IEEE Trans. Inf. Forensics
demonstrated that our scheme has the optimal computation Security, vol. 12, pp. 1369–1381, 2017.
and communication costs when the data dimension is higher. [23] B. Pan, P. Zeng, and K.-K. R. Choo, “A new multidimensional and
fault-tolerable data aggregation scheme for privacy-preserving smart grid
Therefore, the proposed scheme is more suitable for applica- communications,” in Proc. Int. Conf. Appl. Techn. Cyber Security Intell.,
tions in WSNs. As future work, we want to further reduce the 2017, pp. 206–219.
[24] O. R. M. Boudia, S. M. Senouci, and M. Feham, “Elliptic curve-based
computation and communication costs of nodes by using the secure multidimensional aggregation for smart grid communications,”
homomorphic signcryption mechanism. Also, we may try to IEEE Sens. J., vol. 17, no. 23, pp. 7750–7757, Dec. 2017.
use the zero-knowledge proof to prove that the counter in the [25] B. Pan, P. Zeng, and K.-K. R. Choo, “An efficient data aggregation
scheme in privacy-preserving smart grid communications with a high
ciphertext meets the requirements of the scheme. practicability,” in Proc. Conf. Complex Intell. Softw. Intensive Syst.,
2017, pp. 677–688.
[26] S. Li, K. Xue, Q. Yang, and P. Hong, “Ppma: Privacy-preserving mul-
R EFERENCES tisubset data aggregation in smart grid,” IEEE Trans. Ind. Informat.,
[1] L. Zhao and X. Dong, “An Industrial Internet of Things feature selection vol. 14, no. 2, pp. 462–471, Feb. 2018.
method based on potential entropy evaluation criteria,” IEEE Access, [27] B. Lang, J. Wang, and Z. Cao, “Multidimensional data tight aggregation
vol. 6, pp. 4608–4617, 2018. and fine-grained access control in smart grid,” J. Inf. Security Appl.,
[2] M. Shu, D. Yuan, C. Zhang, Y. Wang, and C. Chen, “A MAC protocol vol. 40, pp. 156–165, Jun. 2018.
for medical monitoring applications of wireless body area networks,” [28] Y. Ming, X. Zhang, and X. Shen, “Efficient privacy-preserving multi-
Sensors, vol. 15, no. 6, pp. 12906–12931, 2015. dimensional data aggregation scheme in smart grid,” IEEE Access, vol. 7,
[3] X. Liu, J. Yu, F. Li, W. Lv, Y. Wang, and X. Cheng, “Data aggregation pp. 32907–32921, 2019.
in wireless sensor networks: From the perspective of security,” IEEE [29] X. Wang, Y. Liu, and K. Choo, “Fault-tolerant multisubset aggrega-
Internet Things J., vol. 7, no. 7, pp. 6495–6513, Jul. 2020. tion scheme for smart grid,” IEEE Trans. Ind. Informat., vol. 17, no. 6,
[4] R. Li, C. Sturtivant, J. Yu, and X. Cheng, “A novel secure and efficient pp. 4065–4072, Jun. 2021.
data aggregation scheme for IoT,” IEEE Internet Things J., vol. 6, no. 2, [30] A. Mohammadali and M. S. Haghighi, “A privacy-preserving homomor-
pp. 1551–1560, Apr. 2019. phic scheme with multiple dimensions and fault tolerance for metering
[5] W. He, X. Liu, H. Nguyen, K. Nahrstedt, and T. Abdelzaher, “PDA: data aggregation in smart grid,” IEEE Trans. Smart Grid, early access,
Privacy-preserving data aggregation in wireless sensor networks,” in Jan. 5, 2021, doi: 10.1109/TSG.2021.3049222.
Proc. IEEE INFOCOM 26th Int. Conf. Comput. Commun., Anchorage, [31] P. Zhang, J. Wang, K. Guo, F. Wu, and G. Min, “Multi-functional secure
AK, USA, 2007, pp. 2045–2053. data aggregation schemes for WSNs,” Ad Hoc Netw., vol. 69, pp. 86–99,
[6] T. Feng, C. Wang, W. Zhang, and L. Ruan, “Confidentiality protection Feb. 2018.
for distributed sensor data aggregation,” in Proc. IEEE INFOCOM 27th [32] Z. Guan et al., “APPA: An anonymous and privacy preserving data
Conf. Comput. Commun., Phoenix, AZ, USA, 2008, pp. 56–60. aggregation scheme for fog-enhanced IoT,” J. Netw. Comput. Appl.,
[7] C.-X. Liu, Y. Liu, Z.-J. Zhang, and Z.-Y. Cheng, “High energy-efficient vol. 125, pp. 82–92, Jan. 2019.
and privacy-preserving secure data aggregation for wireless sensor [33] L. Zhu et al., “Privacy-preserving authentication and data aggregation for
networks,” Int. J. Commun. Syst., vol. 26, no. 3, pp. 380–394, 2013. fog-based smart grid,” IEEE Commun. Mag., vol. 57, no. 6, pp. 80–85,
[8] F. Li, B. Luo, and P. Liu, “Secure information aggregation for smart grids Jun. 2019.
using homomorphic encryption,” in Proc. 1st IEEE Int. Conf. Smart Grid [34] P. Paillier, “Public-key cryptosystems based on composite degree resid-
Commun., Gaithersburg, MD, USA, 2010, pp. 327–332. uosity classes,” in Proc. Int. Conf. Theory Appl. Cryptograph. Techn.,
[9] J. Lee, K. Kapitanova, and S. H. Son, “The price of security in wireless 1999, pp. 223–238.
sensor networks,” Comput. Netw., vol. 54, no. 17, pp. 2967–2978, 2010. [35] T. ElGamal, “A public key cryptosystem and a signature scheme based
[10] K. Alharbi and X. Lin, “LPDA: A lightweight privacy-preserving on discrete logarithms,” IEEE Trans. Inf. Theory, vol. 31, no. 4,
data aggregation scheme for smart grid,” in Proc. Int. Conf. Wireless pp. 469–472, Jul. 1985.
Commun. Signal Process. (WCSP), Huangshan, China, 2012, pp. 1–6. [36] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the weil
[11] B. Sun, X. Shan, K. Wu, and Y. Xiao, “Anomaly detection based secure pairing,” J. Cryptol., vol. 17, no. 4, pp. 297–319, 2004.
in-network aggregation for wireless sensor networks,” IEEE Syst. J., [37] C.-P. Schnorr, “Efficient identification and signatures for smart cards,”
vol. 7, no. 1, pp. 13–25, Mar. 2013. in Proc. Conf.. Theory Appl. Cryptol., 1989, pp. 239–252.
[12] S. Roy, M. Conti, S. Setia, and S. Jajodia, “Secure data aggregation in [38] P. Benigno and M. Woodford, “Linear-quadratic approximation of
wireless sensor networks,” IEEE Trans. Inf. Forensics Security, vol. 7, optimal policy problems,” J. Econ. Theory, vol. 147, no. 1, pp. 1–42,
pp. 1040–1052, 2012. 2012.
[13] C. Li, R. Lu, H. Li, L. Chen, and J. Chen, “PDA: A privacy-preserving [39] D. F. Aranha, C. P. L. Gouvêa, T. Markmann, R. S. Wahby, and K. Liao.
dual-functional aggregation scheme for smart grid communications,” RELIC Is an Efficient Library for Cryptography. Accessed: Dec. 7, 2020.
Security Commun. Netw., vol. 8, no. 15, pp. 2494–2506, 2015. [Online]. Available: https://github.com/relic-toolkit/relic
[14] H. Bao and L. Chen, “A lightweight privacy-preserving scheme with
data integrity for smart grid communications,” Concurrency Comput.
Pract. Exp., vol. 28, no. 4, pp. 1094–1110, 2016.
[15] Y. Liu, W. Guo, C.-I. Fan, L. Chang, and C. Cheng, “A practical privacy-
preserving data aggregation (3PDA) scheme for smart grid,” IEEE Trans.
Ind. Informat., vol. 15, no. 3, pp. 1767–1774, Mar. 2019.
[16] X. Lin, R. Lu, and X. Shen, “MDPA: Multidimensional privacy-
preserving aggregation scheme for wireless sensor networks,” Wireless
Commun. Mobile Comput., vol. 10, no. 6, pp. 843–856, 2010. Cong Peng received the M.S. degree in applied
[17] R. Lu, X. Liang, X. Li, X. Lin, and X. Shen, “EPPA: An effi- mathematics from Wuhan University, Wuhan, China,
cient and privacy-preserving aggregation scheme for secure smart grid in 2013, where he is currently pursuing the Ph.D.
communications,” IEEE Trans. Parallel Distrib. Syst., vol. 23, no. 9, degree in applied mathematics.
pp. 1621–1631, Sep. 2012. He is with the School of Cyber Science and
[18] W. Jia, H. Zhu, Z. Cao, X. Dong, and C. Xiao, “Human-factor-aware Engineering, Wuhan University and also with the
privacy-preserving aggregation in smart grid,” IEEE Syst. J., vol. 8, no. 2,
Cyberspace Security Research Center, Peng Cheng
pp. 598–607, Jun. 2014.
Laboratory, Shenzhen, China. His major research
[19] X. Liu, Y. Zhang, B. Wang, and H. Wang, “An anonymous data aggre-
gation scheme for smart grid systems,” Security Commun. Netw., vol. 7, interests include elliptic curves, cryptography, and
no. 3, pp. 602–610, 2014. information security.

Authorized licensed use limited to: South Asian University. Downloaded on February 12,2024 at 17:23:40 UTC from IEEE Xplore. Restrictions apply.
2668 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 4, FEBRUARY 15, 2022

Min Luo received the Ph.D. degree in computer Omar Said received the Ph.D. degree from
science from Wuhan University, Wuhan, China, in Menoufia University, Shibin el Kom, Egypt, in
2003. 2005.
He is currently an Associate Professor with the He is currently an Associate Professor with the
School of Cyber Science and Engineering, Wuhan Department of Information Technology, College
University. He is with the Shandong Provincial Key of Computers and Information Technology, Taif
Laboratory of Computer Networks, Qilu University University, Taif, Saudi Arabia. In addition, he is
of Technology (Shandong Academy of Sciences), an Associate Professor with the Faculty of Science,
Jinan, China. His research interests mainly include Menoufia University. He has authored many arti-
applied cryptography and blockchain technology. cles at international journals and conferences. His
research areas are Internet of Things, network man-
agement, Internet protocols, routing, multimedia communication, QoS, and
wireless communication.

Pandi Vijayakumar received the B.E. degree in


computer science and engineering from Madurai
Kamaraj University, Madurai, India, in 2002, the
M.E. degree in computer science and engineer-
ing from the Karunya Institute of Technology,
Coimbatore, India, in 2005, and the Ph.D. degree
in computer science and engineering from Anna
University Chennai, Chennai, India, in 2013.
He is the Former Dean and presently work-
ing as an Assistant Professor with the Department
of Computer Science and Engineering, University
College of Engineering Tindivanam, Tindivanam, India, which is a constituent
college of Anna University Chennai. He has produced four Ph.D. candi-
dates successfully. His current research interests include key management in
network security, VANET security, and multicasting in computer networks.

Debiao He (Member, IEEE) received the Ph.D.


degree in applied mathematics from the School
of Mathematics and Statistics, Wuhan University, Amr Tolba received the M.Sc. and Ph.D.
Wuhan, China, in 2009. degrees from the Mathematics and Computer
He is currently a Professor with the School of Science Department, Faculty of Science, Menoufia
Cyber Science and Engineering, Wuhan University. University, Shibin el Kom, Egypt, in 2002 and 2006,
His main research interests include cryptogra- respectively.
phy and information security, in particular, cryp- He is currently an Associate Professor with the
tographic protocols. He has published over 150 Faculty of Science, Menoufia University. He is cur-
research papers in refereed international journals rently on leave from Menoufia University to the
and conferences, such as the IEEE T RANSACTIONS Computer Science Department, Community College,
ON D EPENDABLE AND S ECURE C OMPUTING , IEEE T RANSACTIONS ON King Saud University, Riyadh, Saudi Arabia. He has
I NFORMATION S ECURITY AND F ORENSIC, and Usenix Security Symposium. authored/coauthored over 85 scientific papers in top-
His work has been cited more than 7000 times at Google Scholar. ranked (ISI) international journals and conference proceedings. His main
Prof. He is the recipient of the 2018 IEEE Sysems Journal Best Paper research interests include socially aware networks, vehicular ad hoc networks,
Award and the 2019 IET Information Security Best Paper Award. He is with Internet of Things, intelligent systems, big data, recommender systems, and
the editorial board of several international journals, such as the Journal of cloud computing.
Information Security and Applications, Frontiers of Computer Science, and Dr. Tolba serves as a technical program committee member of several
Human-Centric Computing and Information Sciences. conferences.

Authorized licensed use limited to: South Asian University. Downloaded on February 12,2024 at 17:23:40 UTC from IEEE Xplore. Restrictions apply.

You might also like