Multifunctional and Multidimensional Secure Data Aggregation Scheme in WSNs
Abstract—In wireless sensor networks (WSNs), data aggregation (DA) has become one of the most practical techniques to reduce processing delay and improve energy efficiency. To support intelligent applications, sensor nodes need to report heterogeneous and diverse data, which induces the demand for multidimensional DA and multifunctional data analysis. To solve the current security problems and functional requirements, we propose a multifunctional and multidimensional secure DA scheme to strike the balance between data availability and privacy. First, we design a Chinese remainder theorem conversion method with a counter to encode multidimensional data into large integers, which can be operated on by linear homomorphic encryption schemes. Then, we introduce a multifunctional data analysis method supporting diversified aggregation functions, including linear, polynomial, and continuous functions. Moreover, we demonstrate that the proposed scheme can achieve confidentiality, integrity, authentication, and resistance against false data injection attacks. The experimental results show that the supported max dimension of one ciphertext in our scheme is at least twice that of existing schemes. Thus, in scenarios with high dimensions, our scheme is superior to the existing schemes in terms of computation and communication costs.

Index Terms—Chinese remainder theorem, homomorphic encryption, secure data aggregation, wireless sensor networks (WSNs).

I. INTRODUCTION

With the rapid proliferation of wireless sensor networks (WSNs), a large amount of heterogeneous data have been collected by sensor nodes and consumed by various intelligent services [1], [2]. As shown in Fig. 1, the Internet of Things (IoT) technology stack consists of three tiers: 1) sensor nodes; 2) gateways; and 3) data analytic center. The sensor node, equipped with limited resources, acts as the data producer to collect raw data and report these data via wireless networks. The data analytic center, owning powerful computational ability, acts as the data consumer to analyze these data and provide intelligent services. The gateway is an important middleman element that acts as a bridge to connect sensor nodes and the center. Nowadays, the gateway has become more intelligent to support additional functionality. Specifically, the gateway can act as an aggregator to preprocess raw data and upload the aggregated data to the center.

Data aggregation (DA) has become one of the most practical techniques to reduce processing delay and improve energy efficiency. However, DA at gateways may suffer from some potential risks on data security and user privacy [3]. First, it is easy for adversaries to carry out attacks (e.g., eavesdropping, injection, and tampering) through wireless networks to infringe data confidentiality and integrity. Second, adversaries are able to corrupt the gateway to steal all nodes' raw data. Third, it is possible that sensor nodes may send false data and affect the accuracy of DA due to some malfunctions or attacks. It is becoming common practice to implement data encryption so as to prevent malicious attacks. But, traditional encryption techniques cannot strike the balance between data availability and data privacy since ciphertexts can hardly support aggregation operations (e.g., add, sum, and average) [4].

To solve the above problems, researchers have considered utilizing some special cryptographic primitives (e.g., homomorphic encryption and aggregate signature) to construct privacy-preserving DA schemes [5]–[15] for single-dimensional data aggregation. But, in the real-world scenario, a sensor node usually collects different types of data (e.g., temperature, humidity, and wind direction in atmospheric monitoring). When uploading data to the gateway, the node will package all types of data into a single message packet

Manuscript received December 31, 2020; revised March 1, 2021 and April 5, 2021; accepted May 3, 2021. Date of publication May 6, 2021; date of current version February 4, 2022. This work was supported in part by the Taif University Researchers Supporting Project, Taif University, Taif, Saudi Arabia, under Grant TURSP-2020/60; in part by the Major Scientific and Technological Innovation Project of Shandong Province under Grant 2020CXGC010115; in part by the National Natural Science Foundation of China under Grant 61972294 and Grant 61932016; in part by the Blockchain Core Technology Strategic Research Program of the Ministry of Education of China under Grant 2020KJ010301; in part by the Special Project on Science and Technology Program of Hubei Province under Grant 2020AEA013; in part by the Natural Science Foundation of Hubei Province under Grant 2020CFA052; and in part by the Wuhan Municipal Science and Technology Project under Grant 2020010601012187. (Corresponding author: Min Luo.)
Cong Peng is with the School of Cyber Science and Engineering and the School of Mathematics and Statistics, Wuhan University, Wuhan 430072, China, and also with the Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen 518000, China (e-mail: [email protected]).
Min Luo is with the School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China, and also with the Shandong Provincial Key Laboratory of Computer Networks, Qilu University of Technology (Shandong Academy of Sciences), Jinan 250014, China (e-mail: [email protected]).
Pandi Vijayakumar is with the Department of Computer Science and Engineering, University College of Engineering Tindivanam, Tindivanam 604001, India (e-mail: [email protected]).
Debiao He is with the School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China (e-mail: [email protected]).
Omar Said is with the Department of Information Technology, College of Computers and Information Technology, Taif University, Taif 21944, Saudi Arabia, and also with the Mathematics and Computer Science Department, Faculty of Science, Menoufia University, Shebin El-Kom 32511, Egypt (e-mail: [email protected]).
Amr Tolba is with the Computer Science Department, Community College, King Saud University, Riyadh 11437, Saudi Arabia, and also with the Mathematics and Computer Science Department, Faculty of Science, Menoufia University, Shebin El-Kom 32511, Egypt (e-mail: [email protected]).
Digital Object Identifier 10.1109/JIOT.2021.3077866
2327-4662 © 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: South Asian University. Downloaded on February 12,2024 at 17:23:40 UTC from IEEE Xplore. Restrictions apply.
2658 IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 4, FEBRUARY 15, 2022
PENG et al.: MULTIFUNCTIONAL AND MULTIDIMENSIONAL SECURE DATA AGGREGATION SCHEME IN WSNs 2659
TABLE I
COMPARISON OF DIFFERENT MULTIDIMENSIONAL SECURE DA SCHEMES

TABLE II
SUMMARY OF NOTATIONS

Lu et al. [20] proposed a two-subset DA scheme, which used the fractional-order group to encrypt different dimensional data. Subsequently, Li et al. [26] and Wang et al. [29] designed an improved multisubset DA scheme using the superincreasing sequence and multiple fractional-order groups, respectively. Sui et al. [21] designed a robust and efficient secure aggregation scheme that uses ElGamal encryption [35] and the hash-based message authentication code to protect data confidentiality, integrity, and authentication. However, the ElGamal encryption scheme supporting homomorphic operations needs to solve the discrete logarithm problem during decryption. So, the scheme only supports small range data aggregation. This limited data range is also a problem in the other two schemes [24], [28].

Shen et al. [22] utilized Horner's rule to encode and decode the integer vector and presented a multidimensional DA scheme with Paillier encryption [34] and BLS short signature [36]. Pan et al. [23], [25] proposed two multidimensional DA schemes. The first scheme [23] utilized the blind factor, generated by the shared key between a trusted authority and the nodes, to encrypt each message. The second scheme [25] used Paillier encryption and the CRT conversion method to encrypt multidimensional data without a trusted third party. Recently, Mohammadali and Haghighi [30] proposed a homomorphic privacy-preserving DA scheme with multidimensional and fault tolerance, which actually only achieved the single-dimensional aggregation of the sum of multiple data.

In summary, there are two main problems with those schemes: 1) cross-dimensional interference or data overflow. The conversion method of integer vectors does not have an overflow protection design, so the data results of one dimension will interfere with other dimensions once they exceed the limit (see Section IV-C); and 2) supporting few aggregation functions. All the above schemes are designed for linear aggregation functions, which can hardly meet the requirements in practical use.

III. PRELIMINARIES

A. Notations

For any positive integer N, we write Z_N to denote the set {0, 1, ..., N − 1} while Z*_N = {1, ..., N − 1}. We use x to denote the vector {x_1, x_2, ..., x_t}, where x_i is the ith element of x. lcm(a, b) refers to the least common multiple of two integers a and b. Some notations are listed in Table II.

B. Chinese Remainder Theorem

Theorem 1 (Chinese Remainder Theorem): Let φ_1, φ_2, ..., φ_β be β integers, which are pairwise coprime, i.e., gcd(φ_i, φ_j) = 1 for all 1 ≤ i ≠ j ≤ β. For any β-dimensional integer vector a = {a_1, a_2, ..., a_β} satisfying 0 ≤ a_i < φ_i for all 1 ≤ i ≤ β, there exists a unique integer A in Z_Φ satisfying A = a_i mod φ_i for all i = 1, 2, ..., β, and the integer A can be computed as

A = a_1 Φ_1 + a_2 Φ_2 + ··· + a_β Φ_β mod Φ   (1)

where Φ = Π_{i=1}^{β} φ_i and Φ_i = (Φ/φ_i) · ((Φ/φ_i)^{-1} mod φ_i) for all 1 ≤ i ≤ β.

Obviously, the CRT provides an efficient transformation method CRT(·), which converts an integer vector a into a large integer A = CRT(a) to perform addition or multiplication operations. Assuming a = {a_1, a_2, ..., a_β} and b = {b_1, b_2, ..., b_β}, we have

CRT(a) + CRT(b) = a_i + b_i mod φ_i
CRT(a) × CRT(b) = a_i × b_i mod φ_i.   (2)

So, CRT provides a natural approach to process vector data.
Algorithm 1 Convert an Integer Vector Into a Large Integer
Input: An integer vector a = {a_1, ..., a_β} and the parameters pp_CRT.
Output: A large integer A in Z_N.
1: A ← 0
2: for i = 1 to β do
3: A ← A + a_i · Φ_i mod N
4: end for
5: return A

needs to calculate some function values for the uploaded data, such as sin(x), cos(x), e^x, etc.

V. MULTIFUNCTIONAL AND MULTIDIMENSIONAL SECURE DATA AGGREGATION SCHEME

In this section, we first introduce a new CRT-based conversion method with a counter, and then describe the details of the proposed scheme and illustrate its multifunctionality.
Algorithm 2 Convert a Large Integer Into an Integer Vector
Input: A large integer A in Z_N, the counter ctr and the parameters pp_CRT.
Output: An integer vector a = {a_1, ..., a_β}.
1: A_0 ← A mod φ_0
2: s ← N^{-1} · (ctr − A_0) mod φ_0
3: A ← s · N + A mod Φ
4: for i = 1 to β do
5: a_i ← A mod φ_i
6: end for
7: return a = {a_1, ..., a_β}

Consider the scenario of linear aggregation of α integer vectors {m_1, m_2, ..., m_α}; {M_1, M_2, ..., M_α} are the encoded larger integers, i.e., M_i = V2I(m_i) for i = 1, 2, ..., α. Let the linear aggregation function be f(x_1, x_2, ..., x_α) = Σ_{i=1}^{α} w_i · x_i. Then, as long as the sum of weightings Σ_{i=1}^{α} w_i is less than φ_0, the property

f(m_{1,j}, m_{2,j}, ..., m_{α,j}) mod φ_j = I2V_j( f(M_1, M_2, ..., M_α), Σ_{i=1}^{α} w_i )   (4)

holds on each dimension since the final calculation result f(M_1, M_2, ..., M_α) is less than φ_0 · N. In the homomorphic encryption pattern, the plaintext data hidden in each ciphertext are guaranteed to be less than N. Therefore, the core of overflow prevention lies in controlling the weights of the linear operation, so that their sum is less than the predetermined prime.

B. Details of the Proposed Scheme

In this part, we give the framework description of our scheme (as shown in Fig. 2) and instantiate it with the Paillier encryption scheme [34] and the Schnorr signature scheme [37]. The specific description is as follows.

1) System Initialization: Given a security parameter κ and a dimension β, the analytic center AC initializes the parameters of linear homomorphic encryption, digital signature, and the CRT-based conversion method with the counter, and publishes the parameters pp = {pp_LHE, pp_Sig, pp_CRT}.
1) Step 1: AC randomly selects two strong primes u and v, computes N = uv and λ = lcm(u − 1, v − 1), and chooses an element g_1 in Z_{N²} satisfying g_1^λ = 1 mod N². Then, AC sets the public parameter of linear homomorphic encryption as pp_LHE = pk where the public key pk = {N, g_1} and keeps the private key sk = λ.
2) Step 2: AC takes the modulus N and the dimension β as inputs to select the parameters pp_CRT, as described in Section V-A.
3) Step 3: AC chooses a cyclic group G of a prime order q and a generator g_2 of G. Also, AC chooses a hash function H : {0, 1}* → Z*_q. AC sets the public parameter of digital signature as pp_Sig = {G, q, g_2, H}.
Moreover, each node N_i generates its own signature key pair (pk_i = g_2^{sk_i}, sk_i) and registers pk_i to its parent gateway GW. Also, GW generates the signature key pair (pk_GW = g_2^{sk_GW}, sk_GW) and registers pk_GW to AC.

Algorithm 3 Data Generation (Operations on N_i)
Input: β integers {m_{i,1}, m_{i,2}, ..., m_{i,β}} and the parameters pp.
Output: The reported ciphertext {C_i, σ_i}.
1: Set m_i ← {m_{i,1}, m_{i,2}, ..., m_{i,β}}
2: M_i ← V2I(m_i)
3: C_i ← HEnc(pk, M_i)
4: σ_i ← Sig(sk_i, C_i)
5: return {C_i, σ_i}

Algorithm 4 DA (Operations on GW)
Input: α integer vectors {C_1, C_2, ..., C_α}, α signatures {σ_1, σ_2, ..., σ_α}, the weightings {w_1, w_2, ..., w_α}, the parameters pp.
Output: The aggregated ciphertext {C, σ}.
1: for i = 1 to α do
2: d ← Vrf(pk_i, C_i, σ_i)
3: if σ_i is invalid then
4: reject C_i and exit with error
5: end if
6: end for
7: C ← 0
8: for i = 1 to α do
9: C_i ← HMul(w_i, C_i)
10: C ← HAdd(C, C_i)
11: end for
12: σ ← Sig(sk_GW, C)
13: return {C, σ}

2) Data Generation: To report β data {m_{i,1}, m_{i,2}, ..., m_{i,β}} simultaneously, the node N_i follows the steps below to generate the reported ciphertext, as shown in Algorithm 3.
1) Step 1: N_i arranges the data {m_{i,1}, m_{i,2}, ..., m_{i,β}} into a vector m_i in the predetermined order and encodes the vector to a large integer M_i = V2I(m_i).
2) Step 2: N_i encrypts M_i as C_i = HEnc(pk, M_i). Specifically, N_i randomly picks an integer r_i in Z*_N and computes C_i = (1 + N · M_i) · g_1^{r_i} mod N².
3) Step 3: N_i signs the ciphertext C_i to obtain the signature σ_i = Sig(sk_i, C_i). Specifically, N_i randomly picks an integer k_i in Z*_q, computes K_i = g_2^{k_i}, h_i = H(pk_i, K_i, C_i), and s_i = k_i − h_i · sk_i, and sets σ_i = (h_i, s_i).
Then, N_i sends the reported ciphertext {C_i, σ_i} to GW.

3) Data Aggregation: After receiving α reported ciphertexts {C_1, σ_1, C_2, σ_2, ..., C_α, σ_α}, GW follows the steps below to aggregate the reported data with a linear function f(x_1, x_2, ..., x_α) = Σ_{i=1}^{α} w_i · x_i, as shown in Algorithm 4.
1) Step 1: GW verifies the validity of all signatures {σ_1, σ_2, ..., σ_α}. Specifically, GW computes K'_i = g_2^{s_i} · pk_i^{h_i}, checks whether h_i equals H(pk_i, K'_i, C_i), and aborts if the check fails.
2) Step 2: GW calculates the linear function of the encrypted data, i.e., C = [w_1]C_1 ⊕ [w_2]C_2 ⊕ ··· ⊕ [w_α]C_α. Specifically, GW first sets C to be zero, and computes the homomorphic scalar multiplication result C_i = HMul(w_i, C_i) and the homomorphic addition result C = HAdd(C, C_i) for each i = 1, 2, ..., α.
3) Step 3: GW uses its private key sk_GW to sign C and obtain the signature σ = Sig(sk_GW, C). Specifically, GW randomly picks an integer k in Z*_q, computes K = g_2^k,
h = H(pk_GW, K, C) and s = k − h · sk_GW, and sets σ = (h, s).
Then, GW sends the aggregated ciphertext {C, σ} and the counter Σ_{i=1}^{α} w_i to AC.

Algorithm 5 Data Reading (Operations on AC)
Input: The aggregated ciphertext (C, σ), the parameters pp.
Output: An integer vector z = {z_1, ..., z_β}.
1: d ← Vrf(pk_GW, C, σ)
2: if σ is invalid then
3: reject C and exit with error
4: end if
5: M ← HDec(sk, C)
6: {z_1, z_2, ..., z_β} ← I2V(M, Σ_{i=1}^{α} w_i)
7: return z = {z_1, z_2, ..., z_β} as the aggregated plaintext

4) Data Reading and Analysis: On receiving the aggregated ciphertext (C, σ) and the counter Σ_{i=1}^{α} w_i, AC follows the steps below to extract the aggregated data, as shown in Algorithm 5.
1) Step 1: AC verifies the validity of the signature σ. Specifically, AC computes K' = g_2^s · pk_GW^h, checks whether h equals H(pk_GW, K', C), and aborts if the check fails.
2) Step 2: AC uses the private key sk to decrypt C and obtain M = HDec(sk, C). Specifically, AC computes M = ((C^λ mod N²) − 1)/(N · λ) mod N.
3) Step 3: AC decodes M to extract the aggregated plaintext z = {z_1, z_2, ..., z_β} = I2V(M, Σ_{i=1}^{α} w_i).
After obtaining the integer vector z, AC can process subsequent data analysis of various functions, which will be discussed in Section V-C.

Correctness: First, the correctness of the signature is easy to verify, that is, K'_i = g_2^{s_i} · pk_i^{h_i} = g_2^{s_i + h_i · sk_i} = g_2^{k_i} = K_i. Then, according to the properties of the linear homomorphic encryption scheme, we have

M = Σ_{i=1}^{α} w_i · M_i mod N
⇒ I2V_j(M, Σ_{i=1}^{α} w_i) = Σ_{i=1}^{α} w_i · M_i mod φ_j, 1 ≤ j ≤ β
⇒ z_j = f(m_{1,j}, m_{2,j}, ..., m_{α,j}) mod φ_j, 1 ≤ j ≤ β.   (5)

Based on Theorem 2, the condition Σ_{i=1}^{α} w_i < φ_0 needs to be satisfied for the aggregation function to be correct. This condition can be easily satisfied since the weightings w_i (1 ≤ i ≤ α) are controlled by GW. Thus, the correctness of DA can be guaranteed.

C. Multifunctional Aggregation

In this section, we will show how to implement the proposed scheme to achieve multiple data analysis functions.

1) Raw Data Mapping to Available Integer: First, we discuss the representation of actual measurements. The input vectors in the above design scheme must be integers, but the data detected in a real IoT environment are generally floats. Suppose that x_i = {x_{i,1}, x_{i,2}, ...} are the raw data detected by the node N_i and each raw datum x_{i,j} belongs to the real domain, i.e., x_{i,j} ∈ [LB_j, UB_j], where LB_j and UB_j are the lower and upper bounds on the jth dimension, respectively. Obviously, x_{i,j} cannot be directly converted by CRT methods, and we need a linear function R2I(·) to map the raw data to the integer space. The most common solution is R2I(x_{i,j}) = (x_{i,j} − LB_j)/AC_j where AC_j is the accuracy on the jth dimension. Its inverse function is I2R(m_{i,j}) = m_{i,j} · AC_j + LB_j. For example, the effective range of sea surface temperature is
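To make the counter mechanism of Algorithms 1, 2, 4 and 5 concrete, here is an added Python walk-through (not the authors' code) that encodes two-dimensional readings with the CRT-with-counter method, aggregates them under a toy Paillier instantiation of the kind described in Step 1 (g_1 = h^N so that g_1^λ = 1 mod N²), and decodes with the counter Σ w_i. The primes, readings and weights are constructed for illustration and far too small for real use; signatures are omitted, and it is assumed that V2I encodes the counter slot of every fresh vector as 1, which is what makes the aggregate congruent to Σ w_i modulo φ_0.

```python
"""Toy end-to-end run of the CRT-with-counter encoding (Algorithms 1-2) and the
Paillier-based weighted aggregation (Algorithms 3-5); signatures are omitted.
All parameters are constructed for illustration and far too small for real use."""
from math import gcd
import secrets

# pp_CRT (constructed): PHI[0] is the counter prime phi_0, PHI[1:] hold the data
# dimensions.  Their product Phi must stay below the Paillier modulus N so that
# an encoded M_i = V2I(m_i) is never reduced mod N.
PHI = [97, 997, 1009]

def crt_params(phi):
    """Theorem 1: return (Phi, [Phi_0, ..., Phi_beta])."""
    big = 1
    for p in phi:
        big *= p
    coef = [(big // p) * pow(big // p, -1, p) for p in phi]
    return big, coef

def v2i(m, phi=PHI):
    """Algorithm 1 plus the counter slot (assumption): A = 1 mod phi_0, A = m_j mod phi_j."""
    big, coef = crt_params(phi)
    acc = coef[0]                                # counter component is 1
    for mj, cj, pj in zip(m, coef[1:], phi[1:]):
        assert 0 <= mj < pj, "reading outside its range Z_{phi_j}"
        acc += mj * cj
    return acc % big

def i2v(a, ctr, n, phi=PHI):
    """Algorithm 2: the counter recovers s = floor(T / N), where T = sum(w_i * M_i)
    is the true integer result and a = T mod N is what Paillier decrypts to."""
    big, _ = crt_params(phi)
    a0 = a % phi[0]
    s = (pow(n, -1, phi[0]) * (ctr - a0)) % phi[0]
    t = (s * n + a) % big
    return [t % pj for pj in phi[1:]]            # each dimension lives in Z_{phi_j}

def paillier_keygen(u=10007, v=10009, h=2):
    """Step 1 with fixed toy primes; g_1 = h^N mod N^2 satisfies g_1^lambda = 1 mod N^2."""
    n = u * v
    lam = (u - 1) * (v - 1) // gcd(u - 1, v - 1)   # lcm(u-1, v-1)
    return (n, pow(h, n, n * n)), lam

def henc(pk, m):
    """C = (1 + N*M) * g_1^r mod N^2 with r in Z*_N."""
    n, g1 = pk
    r = secrets.randbelow(n - 1) + 1
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return ((1 + n * m) * pow(g1, r, n * n)) % (n * n)

def hdec(pk, lam, c):
    """M = ((C^lambda mod N^2) - 1) / (N * lambda) mod N; the division by lambda
    is a multiplication by its inverse mod N."""
    n, _ = pk
    l_val = (pow(c, lam, n * n) - 1) // n        # equals lambda * M mod N
    return (l_val * pow(lam, -1, n)) % n

def hmul(pk, w, c):
    return pow(c, w, pk[0] ** 2)                 # [w]C

def hadd(pk, c1, c2):
    return (c1 * c2) % (pk[0] ** 2)              # C1 (+) C2

def aggregate(pk, cts, weights, phi=PHI):
    """Algorithm 4 without the signature checks.  sum(w) < phi_0 is the overflow
    guard of the scheme: it keeps T below phi_0 * N, so it is enforced here."""
    if sum(weights) >= phi[0]:
        raise ValueError("sum of weightings must be less than phi_0")
    c = 1                                        # ciphertext of 0 (identity)
    for w, ci in zip(weights, cts):
        c = hadd(pk, c, hmul(pk, w, ci))
    return c, sum(weights)                       # ciphertext and counter for AC

def run_demo(vectors, weights):
    """Nodes encode+encrypt, GW aggregates, AC decrypts and decodes (Algorithm 5)."""
    pk, lam = paillier_keygen()
    cts = [henc(pk, v2i(m)) for m in vectors]
    c, ctr = aggregate(pk, cts, weights)
    return i2v(hdec(pk, lam, c), ctr, pk[0])

SAMPLE_VECTORS = [(772, 500), (100, 100), (20, 10)]   # constructed 2-D readings
SAMPLE_WEIGHTS = [1, 2, 3]                            # sum 6 < phi_0 = 97

if __name__ == "__main__":
    # dimension 1: 772 + 200 + 60 = 1032 wraps to 35 inside Z_997 only;
    # dimension 2: 500 + 200 + 30 = 730 is untouched.
    print(run_demo(SAMPLE_VECTORS, SAMPLE_WEIGHTS))   # [35, 730]
```

The wrap of dimension 1 stays inside its own φ_1 and does not disturb dimension 2, which is the cross-dimensional interference the scheme is designed to prevent.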
[6, 32] °C and the accuracy is 0.01 °C. Assuming the raw datum x_{i,j} = 13.72 °C, the converted datum is m_{i,j} = R2I(x_{i,j}) = 772.

2) Multifunctional Supporting: Next, we list a few typical instances to illustrate the multifunctionality of our scheme. To support multifunctionality, the following two mechanisms are available.
1) The node can pack {x_{i,j}, x_{i,j}², x_{i,j}³, ...} into one reported ciphertext to support polynomial functions.
2) The gateway can compute several linear aggregation functions {f_1(x) = Σ_{i=1}^{α} w_{i1} · x_i, f_2(x) = Σ_{i=1}^{α} w_{i2} · x_i, ...} on the same α reported ciphertexts x.
Obviously, if the above mechanisms are used, the dimension of raw data in each ciphertext will decrease, while the supported aggregation functions will be much richer.

For brevity, denote the integer vector as m̄_j = {m_{1,j}, m_{2,j}, ..., m_{α,j}} where m_{i,j} is an integer mapped by R2I(x_{i,j}). As shown in Algorithm 6, the following three types of functions can be supported by our scheme.

Algorithm 6 Multifunctional Data Analysis
Input: The vectors m_i = {m_{i,j}, m_{i,j}^{-1}, m_{i,j}², m_{i,j}³, ···} (1 ≤ i ≤ α), the counter α and the parameters pp.
Output: Various function results.
1: Encrypt m_i to obtain (C_i, σ_i) following Algorithm 3
2: Aggregate {C_1, C_2, ..., C_α} to obtain C following Algorithm 4
3: Decrypt C to obtain Σ_{i=1}^{α} m_{i,j}, Σ_{i=1}^{α} 1/m_{i,j}, Σ_{i=1}^{α} m_{i,j}², Σ_{i=1}^{α} m_{i,j}³, ···, following Algorithm 5
4: CNT = α
5: SUM ← Σ_{i=1}^{α} m_{i,j}
6: MEAN ← SUM/CNT
7: QMEAN ← √(Σ_{i=1}^{α} m_{i,j}² / CNT)
8: HMEAN ← CNT / Σ_{i=1}^{α} (1/m_{i,j})
9: VAR ← QMEAN² − MEAN²
10: STD ← √VAR
11: EXP ← CNT + Σ_{i=1}^{α} m_{i,j} + (1/2!) Σ_{i=1}^{α} m_{i,j}² + ··· + (1/t!) Σ_{i=1}^{α} m_{i,j}^t
12: return SUM, MEAN, VAR, STD, EXP

1) Type-1 (Linear Functions Supported by 1-D Data): Naturally, the proposed scheme can support various linear functions with 1-D inputs, such as the following.
a) Linear Weighted Sum: WSUM(m̄_j) = Σ_{i=1}^{α} w_i · m_{i,j} where the weighting w_i is added by the aggregation process.
b) Arithmetic Mean: MEAN(m̄_j) = (Σ_{i=1}^{α} m_{i,j})/α where Σ_{i=1}^{α} m_{i,j} is decrypted by AC.
c) Quadratic Mean: QMEAN(m̄_j) = √((Σ_{i=1}^{α} m_{i,j}²)/α), where m_{i,j}² is encrypted by N_i and Σ_{i=1}^{α} m_{i,j}² is decrypted by AC.
d) Harmonic Mean: HMEAN(m̄_j) = α / Σ_{i=1}^{α} (1/m_{i,j}), where (1/m_{i,j}) is encrypted by N_i and Σ_{i=1}^{α} (1/m_{i,j}) is decrypted by AC.
2) Type-2 (Polynomial Functions Supported by Multiple-Dimensional Data): Suppose AC wants to get the aggregated results of polynomial functions, i.e.,

F_j(m̄_j) = Σ_{i=1}^{α} w_{i,1} · m_{i,j} + Σ_{i=1}^{α} w_{i,2} · m_{i,j}² + ··· + Σ_{i=1}^{α} w_{i,s} · m_{i,j}^s.   (6)

If {m_{i,j}, m_{i,j}², ..., m_{i,j}^s} are packed in one reported ciphertext by N_i, GW can aggregate α reported ciphertexts to obtain the encrypted Σ_{i=1}^{α} w_{i,1} · m_{i,j}, Σ_{i=1}^{α} w_{i,2} · m_{i,j}², ..., Σ_{i=1}^{α} w_{i,s} · m_{i,j}^s and upload these ciphertexts to AC. Then, AC can calculate the final result by decrypting these uploaded ciphertexts. For example, AC can compute the variance of m̄_j as

VAR(m̄_j) = QMEAN(m̄_j)² − MEAN(m̄_j)² = (Σ_{i=1}^{α} m_{i,j}²)/α − (Σ_{i=1}^{α} m_{i,j})²/α²   (7)

where Σ_{i=1}^{α} m_{i,j} and Σ_{i=1}^{α} m_{i,j}² can be decrypted from the aggregated ciphertext. Similarly, the standard deviation can be calculated as STD(m̄_j) = √VAR(m̄_j).
3) Type-3 (Continuous Functions Supported by Polynomial Approximation): Mathematically, continuous functions, such as sin(x), cos(x), e^x, and ln(x), can be approximated by algebraic polynomials, such as linear approximation and quadratic approximation using Taylor's formula [38]. But it is worth noting that the accuracy of the approximation needs to be preset in advance. For example, let F_j(m̄_j) = Σ_{i=1}^{α} e^{m_{i,j}}; here, e is Euler's number. According to Taylor's expansion, e^x ≈ 1 + x + (1/2!)x² + (1/3!)x³ + ···. Thus, F_j(m̄_j) can be computed from the results, like Σ_{i=1}^{α} m_{i,j}, Σ_{i=1}^{α} m_{i,j}², Σ_{i=1}^{α} m_{i,j}³, ..., with the corresponding Taylor series. In addition, nodes can also take e^{m_{i,j}} as input to provide richer analysis functions for AC.

In a word, in terms of the analysis functions provided by AC, our scheme has a very strong supporting capacity. The limitation of the scheme is that the sum of weightings at each gateway aggregation should be less than a predetermined prime φ_0. A simple solution is that we can select a larger prime (maybe larger than 2^64) to prevent this problem. Since φ_0 is public, GW can also control this problem.

VI. SECURITY ANALYSIS

In this section, we analyze the security of the proposed scheme. As we discussed in Section IV-B, the powerful adversary A can eavesdrop on the communication channel between N_i, GW, and AC.

Confidentiality: The ith node's reported data x_i = {x_{i,1}, x_{i,2}, ..., x_{i,β}} are formed as M_i = V2I(m_{i,1}, m_{i,2}, ..., m_{i,β}), where m_{i,j} = R2I_j(x_{i,j}) for j = 1, 2, ..., β. Then, C_i = HEnc(pk, M_i) is a valid ciphertext of the linear homomorphic cryptosystem. Specifically, C_i = (1 + N · M_i) · g_1^{r_i} mod N² is a Paillier ciphertext. Since the Paillier encryption scheme is semantically secure against chosen plaintext attacks [34], the adversary A cannot distinguish the ciphertext between two known plaintexts. Although x_i may be of low entropy, A cannot find the correct plaintext by exhaustive attacks.
From the gateway's perspective, GW can obtain the ciphertexts {C_1, C_2, ..., C_α} and C. Similarly, these ciphertexts are encrypted by a semantically secure homomorphic encryption. The honest-but-curious gateway has no ability to extract the hidden content in ciphertexts. Moreover, if some sensor nodes are compromised and their reported data are revealed, the adversary A (or the gateway) still cannot extract the reported data of uncompromised nodes or the aggregated data in C. Since the only decryption key is held by AC, nobody could decrypt the ciphertext except AC.

Authentication and Integrity: In the proposed scheme, the ciphertexts transmitted in the channel are signed by the sender, i.e., the node or the gateway. So, as long as the signature scheme is existentially unforgeable against chosen message attacks, the validity of signatures can guarantee the authentication and integrity of ciphertexts. The security of the Schnorr signature has been discussed in [37]. It concluded that the Schnorr signature is existentially unforgeable against chosen message attacks in the random oracle model under the discrete logarithm assumption. So, the authentication and integrity of reported data and aggregated data can be achieved.

Resistance on Impersonation and Injection Attack: First, the adversary cannot impersonate a node to send a message to the gateway, because the gateway must authenticate the data each time it receives them. Obviously, the adversary cannot cheat the gateway since it cannot obtain the private key. However, the adversary can compromise some nodes. If this attack happens, the adversary can control these nodes to send false data to the gateway. For example, the false data can exceed the range limits of the scheme (e.g., several hundred degrees Fahrenheit). Then, two situations may happen as follows.
1) The jth-dimensional data m_{i,j} are out of the jth range Z_{ψ_j}. Actually, the results of jth-dimensional data are always in Z_{ψ_j}, no matter how many additions have been executed.
2) The converted integer M_i is larger than the CRT modulus Φ. According to the homomorphic operation, the decrypted data are less than N. That is, even if the data before encryption are greater than N, the decryption process performs modular N operations on the original result. In our assumption, aggregated data can be correctly restored as long as the counter is less than the prime ψ_0. At this point, the gateway is easy to control because the sum of the weights used equals the counter. Therefore, the problem of large number overflow can be effectively solved.
Therefore, our scheme has a good fault-tolerance mechanism to resist impersonation and injection attacks.

VII. PERFORMANCE EVALUATION

In this section, we measure the performance of our scheme in terms of computation costs and communication costs. The performance results are compared with previous schemes, i.e., Lu et al.'s scheme EPPA [17], Li et al.'s scheme PPMA [26], and Ming et al.'s scheme P2MDA [28].

To be fair, we set the security level to 80 bits and select the corresponding parameters to initialize those schemes. For the Paillier encryption scheme, the length of the two basic primes (u, v) is 512 bits and the length of the modulus N is 1024 bits. For the elliptic curve group (denoted as G), the prime of the basic field is selected as a 160-bit prime and the length of elements in G is 320 bits.

TABLE III
EXECUTION TIME OF BASIC OPERATIONS WITH 80-BITS SECURITY LEVEL (MS)

A. Computation Costs

To implement those compared schemes, we utilize the well-known Relic library [39] to provide basic cryptographic primitives. The experiments are performed on a laptop with Windows 10 OS, Intel Core i7-8850U 2.00 GHz and 8-GB RAM. Table III lists the execution time of basic operations. Some operations, e.g., addition in Z_{N²}, are considered negligible compared with exponentiation in Z_{N²} and point multiplication in G. But, we do not ignore multiplication in Z_{N²} since the number of times it appears increases as the number of nodes increases. Note that when comparing, we will not compare the computation costs of the signature part, because some schemes only support homomorphic data aggregation. Moreover, the Schnorr signature used in our scheme is only an instance, which can be replaced by other secure signature schemes.

1) Computation Cost of Sensor Nodes: Denote the dimension of a sensor node's reported data as β. In our scheme, the sensor node requires β + β/31 exponentiation operations and β multiplication operations in Z_{N²}, where a 32-bit prime ψ_0 is used for counting. Hence, the total computation cost in our scheme is (β + β/31)T_en2 + βT_mn2 ≈ 0.437β + 0.435(β/31) ms. In scheme [17], the sensor node requires β + β/16 exponentiation operations in Z_{N²}, where the limited ranges are 64-bit primes. Hence, the total computation cost in [17] is (β + β/16)T_en2 ≈ 0.435β + 0.435β/16 ms. In scheme [26], the sensor node requires 2β + β/10, where the result of each dimension requires 96 bits of space to prevent overflow. Hence, the total computation cost in [17] is (2β + β/10)T_en2 ≈ 0.87β + 0.435β/10 ms. In scheme [28], the sensor node requires 3 · β/2 point multiplications in G. Hence, the total computation cost in [17] is (3 · β/2)T_pm ≈ 0.282β/2 ms.

As shown in Fig. 3, we can see that our scheme is faster than other schemes based on Paillier encryption with the increase of dimension. However, compared to the ElGamal encryption scheme, our scheme is much slower.

2) Computation Cost of the Gateway: Denote the number of sensor nodes' reported data as α. In our scheme, the gateway requires (α − 1) · β/31 multiplication operations in Z_{N²}. In scheme [17], the gateway requires (α − 1) · β/16
Fig. 3. Comparison of computation costs comparison at sensor nodes. Fig. 5. Comparison of computation costs at the gateway when β = 30.
TABLE IV
C OMPUTATIONS C OSTS OF D IFFERENT E NTITIES ( MS )
B. Communication Costs
multiplication operation in ZN 2 . In scheme [26], the gateway First, we consider the size of node’s reported ciphertexts.
requires (α − 1) · β/10 multiplication operation in ZN 2 . In Obviously, the communication costs between Ni and GW are
scheme [28], the gateway requires (α−1)·β/2 point addition related to the dimension. So, the node sends a β/31|ZN 2 |
in G. The total computation costs of the gateway are listed in bits ciphertext to the gateway in our scheme, which should
Table IV. Two different dimensions are selected to measure be β/16|ZN 2 | bits and β/10|ZN 2 | bits in EPPA [17]
the computing time of the gateway, as shown in the Figs. 4 and PPMA [26], respectively. In P2MDA [28], it becomes
and 5. From these two figures, our scheme is more suitable β|G| bits. Based on this conclusion, we show the commu-
for scenarios with larger dimensions. nication overhead at different dimensions in Fig. 6. At the
3) Computation Cost of the Analytic Center: For the ana- gateway, the length of the aggregated ciphertext is the same
lytic center, the computation costs are directly related to the as the ciphertext uploaded by the node. Therefore, the com-
number of ciphertexts after aggregation. As analyzed in the munication cost between the gateway and the center is the
previous paragraphs, the center requires β/31 exponentia- same as the communication cost between the gateway and
tion operation in ZN 2 in our scheme, while the center requires nodes.
β/16 and β/10 exponentiation operation in ZN 2 in other As shown in Fig. 6, the ciphertext length increases the slow-
two schemes [17], [26], respectively. The center requires est with the increase of dimension in our scheme. This further
β/2 point multiplication in G in scheme [28]. illustrates the very low data redundancy of our scheme.
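As an added illustration (not code from the paper), the following Python models the three-tier flow whose operation counts are tallied above: each sensor node packs its β readings into ⌈β/k⌉ Paillier ciphertexts, the gateway aggregates a position by multiplying ciphertexts in Z_{N^2} (the (α − 1) multiplications counted in Section VII, needing no key), and the analytic center decrypts once per aggregated ciphertext and unpacks the per-dimension sums. Fixed-width bit slots stand in for the paper's CRT-with-counter conversion, which this excerpt does not reproduce; the 96-bit slot width is the per-dimension space quoted for PPMA [26], and with a 1024-bit N it gives the 10 dimensions per ciphertext used above (the toy 512-bit key below packs 5). The bound in max_nodes is the overflow condition the counter mechanism exists to control: α summands of value_bits bits each must not carry into the neighbouring slot. The seeded key generation, slot layout, and readings are constructed for the example.

```python
import math
import random

# Added example, not the paper's scheme: fixed-width slots replace its CRT conversion,
# and the seeded toy key is for repeatability only (never generate real keys this way).


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with rng-chosen bases; adequate for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def paillier_keygen(n_bits=512, seed=1):
    """Toy Paillier key pair; g = N + 1, so L(g^lambda mod N^2) = lambda mod N."""
    rng = random.Random(seed)
    while True:
        p, q = _gen_prime(n_bits // 2, rng), _gen_prime(n_bits // 2, rng)
        if p != q and math.gcd(p * q, (p - 1) * (q - 1)) == 1:
            break
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    mu = pow((pow(n + 1, lam, n * n) - 1) // n, -1, n)
    return n, (n, lam, mu)


def encrypt(n, m, rng):
    n2 = n * n
    r = rng.randrange(1, n)
    while math.gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return (pow(n + 1, m, n2) * pow(r, n, n2)) % n2


def decrypt(sk, c):
    n, lam, mu = sk
    return ((pow(c, lam, n * n) - 1) // n * mu) % n


def slots_per_ciphertext(n, slot_bits):
    """Dimensions per ciphertext: the packed integer must stay below N, so use |N| - 1 bits."""
    return (n.bit_length() - 1) // slot_bits


def max_nodes(slot_bits, value_bits):
    """Largest alpha with alpha * (2^value_bits - 1) < 2^slot_bits, i.e. no carry into the next slot."""
    return ((1 << slot_bits) - 1) // ((1 << value_bits) - 1)


def pack(values, slot_bits):
    m = 0
    for i, v in enumerate(values):
        m |= v << (i * slot_bits)
    return m


def unpack(m, slot_bits, count):
    mask = (1 << slot_bits) - 1
    return [(m >> (i * slot_bits)) & mask for i in range(count)]


def node_report(n, readings, slot_bits, rng):
    """Sensor node: beta readings become ceil(beta / k) ciphertexts of k slots each."""
    k = slots_per_ciphertext(n, slot_bits)
    return [encrypt(n, pack(readings[i:i + k], slot_bits), rng)
            for i in range(0, len(readings), k)]


def gateway_aggregate(n, reports):
    """Gateway: (alpha - 1) multiplications in Z_{N^2} per ciphertext position, no key needed."""
    n2 = n * n
    agg = list(reports[0])
    for rep in reports[1:]:
        for j, c in enumerate(rep):
            agg[j] = (agg[j] * c) % n2
    return agg


def center_open(sk, agg, slot_bits, beta):
    """Analytic center: one decryption per aggregated ciphertext, then unpack the sums."""
    k = slots_per_ciphertext(sk[0], slot_bits)
    sums = []
    for j, c in enumerate(agg):
        sums.extend(unpack(decrypt(sk, c), slot_bits, min(k, beta - j * k)))
    return sums


def demo(alpha=4, beta=12, slot_bits=96, value_bits=32, seed=1):
    """Returns (sums correct?, ciphertexts per node, slots per ciphertext) on constructed readings."""
    if alpha > max_nodes(slot_bits, value_bits):
        raise ValueError("slot too narrow for this many nodes: a per-dimension sum would overflow")
    n, sk = paillier_keygen(512, seed)
    rng = random.Random(seed + 1)
    readings = [[(i + 1) * (d + 1) for d in range(beta)] for i in range(alpha)]  # constructed
    reports = [node_report(n, r, slot_bits, rng) for r in readings]
    sums = center_open(sk, gateway_aggregate(n, reports), slot_bits, beta)
    return sums == [sum(col) for col in zip(*readings)], len(reports[0]), slots_per_ciphertext(n, slot_bits)
```

Calling demo() runs all three tiers; the ciphertext count it returns is the ⌈β/k⌉ term behind the β/10, β/16 and β/31 factors in the cost tables, and raising the slot width or shrinking value_bits trades dimensions per ciphertext against the number of nodes that can be summed before a slot overflows.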
VIII. CONCLUSION

In this article, we presented a new multifunctional and multidimensional secure DA scheme for WSNs. On the one hand, we explained theoretically how to improve the efficiency of our scheme by reducing the data redundancy in ciphertexts. On the other hand, through experimental analysis, we demonstrated that our scheme has the lowest computation cost at the gateway and the analytic center and the lowest communication cost among the compared schemes when the data dimension is high; the sensor-node cost, however, remains above that of the ElGamal-based P2MDA [28]. Therefore, the proposed scheme is well suited to WSN applications with many data dimensions. As future work, we want to further reduce the computation and communication costs of nodes by using a homomorphic signcryption mechanism. Also, we may try to use a zero-knowledge proof to show that the counter in the ciphertext meets the requirements of the scheme.

REFERENCES

[1] L. Zhao and X. Dong, "An Industrial Internet of Things feature selection method based on potential entropy evaluation criteria," IEEE Access, vol. 6, pp. 4608–4617, 2018.
[2] M. Shu, D. Yuan, C. Zhang, Y. Wang, and C. Chen, "A MAC protocol for medical monitoring applications of wireless body area networks," Sensors, vol. 15, no. 6, pp. 12906–12931, 2015.
[3] X. Liu, J. Yu, F. Li, W. Lv, Y. Wang, and X. Cheng, "Data aggregation in wireless sensor networks: From the perspective of security," IEEE Internet Things J., vol. 7, no. 7, pp. 6495–6513, Jul. 2020.
[4] R. Li, C. Sturtivant, J. Yu, and X. Cheng, "A novel secure and efficient data aggregation scheme for IoT," IEEE Internet Things J., vol. 6, no. 2, pp. 1551–1560, Apr. 2019.
[5] W. He, X. Liu, H. Nguyen, K. Nahrstedt, and T. Abdelzaher, "PDA: Privacy-preserving data aggregation in wireless sensor networks," in Proc. IEEE INFOCOM 26th Int. Conf. Comput. Commun., Anchorage, AK, USA, 2007, pp. 2045–2053.
[6] T. Feng, C. Wang, W. Zhang, and L. Ruan, "Confidentiality protection for distributed sensor data aggregation," in Proc. IEEE INFOCOM 27th Conf. Comput. Commun., Phoenix, AZ, USA, 2008, pp. 56–60.
[7] C.-X. Liu, Y. Liu, Z.-J. Zhang, and Z.-Y. Cheng, "High energy-efficient and privacy-preserving secure data aggregation for wireless sensor networks," Int. J. Commun. Syst., vol. 26, no. 3, pp. 380–394, 2013.
[8] F. Li, B. Luo, and P. Liu, "Secure information aggregation for smart grids using homomorphic encryption," in Proc. 1st IEEE Int. Conf. Smart Grid Commun., Gaithersburg, MD, USA, 2010, pp. 327–332.
[9] J. Lee, K. Kapitanova, and S. H. Son, "The price of security in wireless sensor networks," Comput. Netw., vol. 54, no. 17, pp. 2967–2978, 2010.
[10] K. Alharbi and X. Lin, "LPDA: A lightweight privacy-preserving data aggregation scheme for smart grid," in Proc. Int. Conf. Wireless Commun. Signal Process. (WCSP), Huangshan, China, 2012, pp. 1–6.
[11] B. Sun, X. Shan, K. Wu, and Y. Xiao, "Anomaly detection based secure in-network aggregation for wireless sensor networks," IEEE Syst. J., vol. 7, no. 1, pp. 13–25, Mar. 2013.
[12] S. Roy, M. Conti, S. Setia, and S. Jajodia, "Secure data aggregation in wireless sensor networks," IEEE Trans. Inf. Forensics Security, vol. 7, pp. 1040–1052, 2012.
[13] C. Li, R. Lu, H. Li, L. Chen, and J. Chen, "PDA: A privacy-preserving dual-functional aggregation scheme for smart grid communications," Security Commun. Netw., vol. 8, no. 15, pp. 2494–2506, 2015.
[14] H. Bao and L. Chen, "A lightweight privacy-preserving scheme with data integrity for smart grid communications," Concurrency Comput. Pract. Exp., vol. 28, no. 4, pp. 1094–1110, 2016.
[15] Y. Liu, W. Guo, C.-I. Fan, L. Chang, and C. Cheng, "A practical privacy-preserving data aggregation (3PDA) scheme for smart grid," IEEE Trans. Ind. Informat., vol. 15, no. 3, pp. 1767–1774, Mar. 2019.
[16] X. Lin, R. Lu, and X. Shen, "MDPA: Multidimensional privacy-preserving aggregation scheme for wireless sensor networks," Wireless Commun. Mobile Comput., vol. 10, no. 6, pp. 843–856, 2010.
[17] R. Lu, X. Liang, X. Li, X. Lin, and X. Shen, "EPPA: An efficient and privacy-preserving aggregation scheme for secure smart grid communications," IEEE Trans. Parallel Distrib. Syst., vol. 23, no. 9, pp. 1621–1631, Sep. 2012.
[18] W. Jia, H. Zhu, Z. Cao, X. Dong, and C. Xiao, "Human-factor-aware privacy-preserving aggregation in smart grid," IEEE Syst. J., vol. 8, no. 2, pp. 598–607, Jun. 2014.
[19] X. Liu, Y. Zhang, B. Wang, and H. Wang, "An anonymous data aggregation scheme for smart grid systems," Security Commun. Netw., vol. 7, no. 3, pp. 602–610, 2014.
[20] R. Lu, K. Alharbi, X. Lin, and C. Huang, "A novel privacy-preserving set aggregation scheme for smart grid communications," in Proc. IEEE Global Commun. Conf. (GLOBECOM), San Diego, CA, USA, 2015, pp. 1–6.
[21] Z. Sui, M. Niedermeier, and H. de Meer, "RESA: A robust and efficient secure aggregation scheme in smart grids," in Proc. Int. Conf. Crit. Inf. Infrastruct. Security, 2015, pp. 171–182.
[22] H. Shen, M. Zhang, and J. Shen, "Efficient privacy-preserving cube-data aggregation scheme for smart grids," IEEE Trans. Inf. Forensics Security, vol. 12, pp. 1369–1381, 2017.
[23] B. Pan, P. Zeng, and K.-K. R. Choo, "A new multidimensional and fault-tolerable data aggregation scheme for privacy-preserving smart grid communications," in Proc. Int. Conf. Appl. Techn. Cyber Security Intell., 2017, pp. 206–219.
[24] O. R. M. Boudia, S. M. Senouci, and M. Feham, "Elliptic curve-based secure multidimensional aggregation for smart grid communications," IEEE Sens. J., vol. 17, no. 23, pp. 7750–7757, Dec. 2017.
[25] B. Pan, P. Zeng, and K.-K. R. Choo, "An efficient data aggregation scheme in privacy-preserving smart grid communications with a high practicability," in Proc. Conf. Complex Intell. Softw. Intensive Syst., 2017, pp. 677–688.
[26] S. Li, K. Xue, Q. Yang, and P. Hong, "PPMA: Privacy-preserving multisubset data aggregation in smart grid," IEEE Trans. Ind. Informat., vol. 14, no. 2, pp. 462–471, Feb. 2018.
[27] B. Lang, J. Wang, and Z. Cao, "Multidimensional data tight aggregation and fine-grained access control in smart grid," J. Inf. Security Appl., vol. 40, pp. 156–165, Jun. 2018.
[28] Y. Ming, X. Zhang, and X. Shen, "Efficient privacy-preserving multidimensional data aggregation scheme in smart grid," IEEE Access, vol. 7, pp. 32907–32921, 2019.
[29] X. Wang, Y. Liu, and K. Choo, "Fault-tolerant multisubset aggregation scheme for smart grid," IEEE Trans. Ind. Informat., vol. 17, no. 6, pp. 4065–4072, Jun. 2021.
[30] A. Mohammadali and M. S. Haghighi, "A privacy-preserving homomorphic scheme with multiple dimensions and fault tolerance for metering data aggregation in smart grid," IEEE Trans. Smart Grid, early access, Jan. 5, 2021, doi: 10.1109/TSG.2021.3049222.
[31] P. Zhang, J. Wang, K. Guo, F. Wu, and G. Min, "Multi-functional secure data aggregation schemes for WSNs," Ad Hoc Netw., vol. 69, pp. 86–99, Feb. 2018.
[32] Z. Guan et al., "APPA: An anonymous and privacy preserving data aggregation scheme for fog-enhanced IoT," J. Netw. Comput. Appl., vol. 125, pp. 82–92, Jan. 2019.
[33] L. Zhu et al., "Privacy-preserving authentication and data aggregation for fog-based smart grid," IEEE Commun. Mag., vol. 57, no. 6, pp. 80–85, Jun. 2019.
[34] P. Paillier, "Public-key cryptosystems based on composite degree residuosity classes," in Proc. Int. Conf. Theory Appl. Cryptograph. Techn., 1999, pp. 223–238.
[35] T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," IEEE Trans. Inf. Theory, vol. 31, no. 4, pp. 469–472, Jul. 1985.
[36] D. Boneh, B. Lynn, and H. Shacham, "Short signatures from the Weil pairing," J. Cryptol., vol. 17, no. 4, pp. 297–319, 2004.
[37] C.-P. Schnorr, "Efficient identification and signatures for smart cards," in Proc. Conf. Theory Appl. Cryptol., 1989, pp. 239–252.
[38] P. Benigno and M. Woodford, "Linear-quadratic approximation of optimal policy problems," J. Econ. Theory, vol. 147, no. 1, pp. 1–42, 2012.
[39] D. F. Aranha, C. P. L. Gouvêa, T. Markmann, R. S. Wahby, and K. Liao. RELIC Is an Efficient Library for Cryptography. Accessed: Dec. 7, 2020. [Online]. Available: https://github.com/relic-toolkit/relic

Cong Peng received the M.S. degree in applied mathematics from Wuhan University, Wuhan, China, in 2013, where he is currently pursuing the Ph.D. degree in applied mathematics.
He is with the School of Cyber Science and Engineering, Wuhan University, and also with the Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen, China. His major research interests include elliptic curves, cryptography, and information security.
Min Luo received the Ph.D. degree in computer science from Wuhan University, Wuhan, China, in 2003.
He is currently an Associate Professor with the School of Cyber Science and Engineering, Wuhan University. He is with the Shandong Provincial Key Laboratory of Computer Networks, Qilu University of Technology (Shandong Academy of Sciences), Jinan, China. His research interests mainly include applied cryptography and blockchain technology.

Omar Said received the Ph.D. degree from Menoufia University, Shibin el Kom, Egypt, in 2005.
He is currently an Associate Professor with the Department of Information Technology, College of Computers and Information Technology, Taif University, Taif, Saudi Arabia. In addition, he is an Associate Professor with the Faculty of Science, Menoufia University. He has authored many articles in international journals and conferences. His research areas are Internet of Things, network management, Internet protocols, routing, multimedia communication, QoS, and wireless communication.