Sage Journals: Discover world-class research

Abstract

With the distributed sensors that are deployed to monitor the urban environment in smart cities, the sensed data are overwhelming and beyond the scope of the wireless sensor networks (WSNs) capability. Due to the communication range limits of the sensors, most of these data will be outsourced and stored on some untrusted servers. Thus, how to maintain the data confidentiality and integrity, as well as source authentication and data query privacy of the outsourced data, is a challenging problem. In this paper, we propose a secure searchable encryption scheme, named SSE, for urban sensing and querying to address the problem. Specifically, our SSE constructs a secure hidden vector encryption-(HVE-) based rang query predicate. The sensed data can be stored on an untrusted server in encrypted form. A requester can obtain the correct ciphertexts when his authorized range query matches the HVE-based encryption predicate. With the help of the base station, the ciphertexts can be decrypted and data integrity can be verified; then, the requester can obtain the correct original data. Security analysis demonstrates that; in the SSE, only the authorized requesters can obtain the query results, while the data confidentiality and integrity and source authentication are also preserved.

1. Introduction

Nowadays, with the continuous expansion of urban populations, there are increasing needs in many aspects related to urban living, such as environment monitoring, and public safety supervision [1]. Especially, a city can be defined as “smart” when modern information and communication infrastructures (ICI) communication can automatically control the urban living in a secure means. Wireless sensor networks (WSNs) increasingly become viable solutions to urban sensing and querying for smart cities. Widely distributed sensors monitor the urban environment in real time and collect data for intelligent decision making by multi-hop wireless transmission, as shown in Figure 1, which can facilitate various services and improve the quality of urban living [2]. However, deploying sensors without security in mind has often proved to be dangerous in hostile environments [3]. Especially, when there is terrorism, the detection of suspicious activities should be reported to the proper authorities in a secure approach.

Figure 1

The conceptional model of wireless sensor network.

In the worst case scenario, a single corrupted message can lead to the ICI systems in a total tizzy. For example, if a fake traffic accident information is broadcasted in rush hours, the ICI systems maybe make some misleading decisions to the drivers; thus, traffic jams will be caused in that city. This kind of fake data injection attacks not only prevent the authorities from collecting correct messages but also exhaust the energy of the forwarders [4]. Consequently, it is essential to prevent the malicious node from impersonating good nodes for spreading misleading information intentionally. Hence, sensitive monitoring data should be transmitted in encrypted form to achieve data confidentiality, integrity, and authentication between communicating parties. Furthermore, with the distributed sensors, the data collections are going to be several millions a day. In order to save energy and relieve the burden of data storage and maintenance [5], data outsourcing is the best way to let sensors store their sensed data on some untrusted servers (cloud or third party provided servers) in encrypted form and execute computation and queries using server's computational capabilities. In addition, universal data access with independent geographical locations, avoidance of capital expenditure on hardware, software, and personnel maintenances will make the smart city's ICI system more reliable and efficient.

Naturally, storing data in encrypted form on untrusted server can maintain data confidentiality for the stored data, as long as a secret key corresponding to a certain encryption is not given out to untrusted servers [6]. However, if these data are needed later for matters such as: calculation, analysis, or for intelligent decision-making, searchers (e.g., decision maker) are endowed with the task of querying these data, which can help them to gain organization-wide situational awareness. In this case, querying encrypted data is a major logistic problem. The server is anticipated to be able to evaluate various query predicates against the data without having to decrypt it [7]. Especially, when the query conditions are composed of many conjunctive range requirements (e.g., date ranges and geographic regions, etc.), rang query over encrypted data is much more difficult.

In this paper, we propose a secure searchable encryption scheme (SSE) for urban sensing and querying. The SSE addresses the data confidentiality, integrity, and source authentication by using a secure hidden vector encryption-(HVE-) based range query predicate. The main contributions of this paper are twofold. (i)

Firstly, we propose a secure HVE-base range query predicate. Specifically, a sensor node encrypts its data by using the shared key with the $BS$ . Then, it hides the searchable attributes and the ciphertext into the HVE-base range query predicate. Only when the two vectors associated with the encryption attributes and range query are component-wise equal, the ciphertext can be recovered.

(ii)

Secondly, we analyze the security strengths of the SSE. The analysis results demonstrate that, compared with existing schemes, the SSE is the only one which can achieve data confidentiality and integrity, as well as source authentication and data query privacy.

The remainder of this paper is organized as follows. In Section 2, we discuss the related works. In Section 3, we introduce our system model and security requirements. Then, in Section 4, we review some preliminaries. In Section 5, we construct a secure HVE-based range query predicate. In Section 6, we present our SSE scheme, followed by its security analysis in Section 7. Finally, we conclude this paper in Section 8.

2. Related Works

2.1. Security in Sensor Network

Security in sensor network has been widely studied. Many security proposals for WSNs have focused on efficient key management in WSNs. Some are based on the symmetric cryptosystems. For instance, Perrig et al. [8] propose SPINS, a suite of efficient symmetric key-based security building blocks. Eschenauer and Gligor [9] look at random key predistribution schemes, which open the way to a large number of follow-up works [10]. Zhu et al. [11] proposed LEAP, a rather efficient scheme based on local distribution of secret keys among neighboring nodes. These strategies, however, do not provide perfect resilience, as after a certain percentage of nodes have been compromised, the whole network can be compromised as well. Others have employed public key cryptography (PKC) to adjust conventional algorithms (e.g., RSA [12]) to sensor nodes or to employ more efficient techniques (e.g., NTRU [3], ECC [13]) in this resource constrained environment. However, they all use interactive protocols and therefore nodes are required to exchange messages to agree on keys. Moreover, they are not suitable for data outsourcing and data query. He and Li schedule the sequence of query processing to achieve the optimized overall energy efficiency by fully utilizing the implications among sensor networks [14]. It also cannot be applied to query over encrypted data.

2.2. Range Query over Encrypted Data

The problem of range query over encrypted data is a hot issue in both cryptography and database communities [6, 15–17]. There are essentially four categories of solutions that have been developed for range queries. One general approach is to ensure that order amongst plaintext data is preserved in the ciphertext domain by using order-preserving encryption-based (OPE) techniques [15]. This allows direct translation of range predicates from the original domain to the domain of the ciphertext. As discussed in [18], the coupling distribution of plaintext and ciphertext domains might be exploited by attackers to guess the scope of the corresponding plaintext for a ciphertext. Another bucketization-based (Buck) technique [6] is to use distributional properties of the dataset to partition and index them for efficient querying while trying to keep the information disclosure to a minimum. Queries are evaluated in an approximate manner where the returned set of records may contain some false positives. These records will expose unrelated data's confidentiality and increase the computational and communication overhead of the system.

Thirdly, those that use some specialized data structure for range query evaluation while trying to preserve notions of semantic security of the encrypted data [17], such as B+tree [19]. In order to hide the access patterns, they run fake queries. In addition, they buffer the first few levels of the tree on the client side. Finally, they shuffle from time to time. The last approach is using a specialized type of predicate encryption, the HVE-based approach [20], where two vectors over attributes are associated with a ciphertext and a token, respectively. Under predicate translator, the ciphertext matches the token if and only if the two vectors are component-wise equal. Although most of the existing range query approaches can maintain part of the data confidentiality, all of them are not secure enough to keep the untrusted server from peering the original data when the requester's query is successful. Therefore, the goal of this paper is to propose a secure range query predicate to support data confidentiality and integrity, as well as source authentication and data query privacy.

3. System Model and Security Requirements

In this section, we formalize the system model and identify the security requirements and our design goals.

3.1. System Model

In this paper, we consider a large-scale WSNs consisting of a database server (DB), a base station ( $BS$ ), some cluster heads (CHs), and numerous sensor nodes (SNs) which are grouped into clusters. The clusters can be formed based on various criteria such as capabilities, location, and communication range [21]. Each CH controls a cluster and is responsible for assigning public group information and distributing some command to its cluster members. Each CH is assumed to be reachable to all sensors in its cluster, either directly or by multihop. We also assume that each node is innocent before deployment and cannot be compromised during the first several minutes after deployment since compromising a node takes some time. The system model is depicted in Figure 2. We require that the sensed data from each SN can be stored in a DB by its corresponding CH. Due to the large distances between cluster and the DB, communication from SN to DB can only be performed via CH. This assumption is generally true, since the communication range of each SN is limited. The DB can be cloud servers or other local third party servers; they are honest but curious; sometimes it is untrusted.

Figure 2

System model of SSE.

All the SNs encrypt their data by using the shared keys with the $BS$ and hide their searchable attributes by using the HVE-based encryption predicate. When a requester S got an authorized query tokens from the $BS$ , he can get the corresponding corrected querying results from DB. Next, with the help of the $BS$ , S can decrypt and authenticate the original data. Thus, the $BS$ is trustable.

3.2. Security Requirements

We identify the security requirements for our SSE. In our security model, the $BS$ operates as a trusted authority (TA). The sensors $ℕ = {N_{1}, N_{2}, \dots, N_{v}}$ are honest as well. However, there exists an adversary 𝒜 in the system to eavesdrop and invade the database on DB to steal the individual SN's reports. In addition, 𝒜 can also launch some active attacks to threaten the data confidentiality and integrity. Therefore, in order to prevent 𝒜 from learning the SNs' data and to detect 𝒜's malicious actions, the following security requirements should be satisfied in range query applications for smart cities. (i)

Data Confidentiality. Sensed data should not be disclosed by unauthorized parties and it is the most important issue in mission critical applications. Moreover, in many applications, SNs transmit highly sensitive data, for example, terrorism supervision data, and therefore it is extremely important to build secure channels between SNs and the authorities. The standard approach for keeping sensitive data secret is to encrypt the data with a secret key that only intended authorized receivers possess, hence achieving confidentiality.

(ii)

Data Integrity. A malicious node may just corrupt messages to prevent network from functioning properly. Thus, sensitive data needs to be protected from being altered. Message authentication code (MAC) is a widely used approach to guarantee that the message being transferred is never corrupted. Therefore, data integrity can be achieved.

(iii)

Source Authentication. Since wireless sensor networks use a shared wireless medium, without source authentication, an adversary could masquerade a node, thus gaining unauthorized access to resource and sensitive information and interfering with the operation of other nodes. Moreover, a compromised node may send data to its CH under several fake identities so that the decision-making is misled.

(iv)

Data Query Privacy. Since SN's sensed data are stored on the untrusted DB in an encrypted form, generally, the server cannot know the original data. In this case, when a requester's query vectors in the query tokens match the encryption vectors, the original data can be exposed to the DB. This is also the security vulnerability of the data privacy. Therefore, double encryption is needed to ensure data privacy when range query succeeds.

4. Preliminaries

In this section, we will briefly describe the basic definition and properties of bilinear pairings, polynomial-based key predistribution, and HVE-based comparison query predicate.

4.1. Bilinear Pairing

Bilinear pairing is an important cryptographic primitive [22]. Let $𝔾_{1}$ and $𝔾_{2}$ be two cyclic multiplication groups of prime order q. Let a and b be elements of $Z_{q}^{*}$ . We assume that the discrete logarithm problem (DLP) in both $𝔾_{1}$ and $𝔾_{2}$ is hard. g is a generator of $𝔾_{1}$ . A bilinear pairing is a map $e : 𝔾_{1} \times 𝔾_{1} \to 𝔾_{2}$ with the following properties: (1)

bilinear: $e (g^{a}, h^{b}) = e (g, h)^{a b}$ for any $(g, h) \in 𝔾_{1}^{2}$ ;

(2)

nondegenerate: $e (g, h) \neq 1_{𝔾_{2}}$ whenever $g, h \neq 1_{𝔾_{1}}$ ;

(3)

computable: there is an efficient algorithm to compute $e (g, h) \in 𝔾_{2}$ for all $(g, h) \in 𝔾_{1}^{2}$ .

Definition 1.

A bilinear parameter generator $𝒢 e n$ is a probabilistic algorithm that takes a security parameter κ as input and outputs a 5-tuple $(q, g, 𝔾_{1}, 𝔾_{2}, e)$ .

4.2. Polynomial-Based Key Predistribution

In this section, we briefly review the polynomial-based key predistribution approach [23]. To predistribute shared keys, the TA randomly generates a bivariate t-degree polynomial $h (x, y) = \sum_{i, j = 0}^{t} ‍ a_{i j} x_{i} y_{j}$ over a finite field $F_{q}$ , where q is a large prime number. The polynomial has the property of $h (x, y) = h (y, x)$ . For example, if two sensor nodes i and j need to establish a shared symmetric key, the KDC computes a polynomial share of $h (x, y)$ , that is, $h (i, y)$ to the node i. Then, node i can compute the common key $h (i, j)$ by evaluating $h (i, y)$ at point j, and node j can compute the shared symmetric key $h (j, i) = h (i, j)$ by evaluating $h (j, y)$ at point i.

4.3. HVE-Based Comparison Query Predicate

HVE [16] is a type of predicate encryption where two vectors over attributes are associated with a ciphertext and a token, respectively. The ciphertext matches the token if and only if the two vectors are component-wise equal. There are two character sets $\sum ‍$ and $\sum_{*} ‍ = \sum ‍ \cup {*}$ in the setting of HVE. Here, $\sum ‍$ is an arbitrary set of attributes. We assume $\sum ‍ = ℤ_{q}$ ; * is a special symbol denoting a wildcard component, which means that the component related to * is not involved with any attribute. HVE mainly consists of four phases: key generation, data encryption, token generation, and data query.

In key generation phase, a TA distributes the public/private key pair $(PK, SK)$ to a receiver.

Then, in the data encryption phase, a SN chooses a vector $x = (x_{1}, \dots, x_{l}) \in {\sum ‍}^{l}$ to characterize its data. If we map the ith component $x_{i} \in x$ to a number of its domain $j \in {1, \dots, n}$ as in [20], the value of $x_{i}$ is one of the number in set ${1, \dots, n}$ . The SN builds an encryption vector $σ (x) = (σ_{i, j}) \in {0,1}^{n l}$ for $x = (x_{1}, \dots, x_{l}) \in {1, \dots, n}^{l}$ , as follows:

\begin{matrix} σ_{i, j} = {\begin{cases} 1, & if x_{i} \geq j, \\ 0, & otherwise, \end{cases} \end{matrix}

(1)

where

i \in {1, \dots, l}

and

j \in {1, \dots, n}

. For example,

l = 3

n = 5

and let

x = (1,3, 2)

. Thus,

x = (x_{1}, \dots, x_{l}) \in {1, \dots, n}^{l} = {1,2, 3,4, 5}^{3}

and the corresponding encryption vector

σ (x) = (10000, 11100,11000)

. Then, SN's data m should be encrypted into a ciphertext

C T

under the encryption vector

σ (x)

and the receiver's public key.

Next, in the token generation phase, the requester chooses a vector $w = (w_{1}, \dots, w_{l}) \in (\sum_{*} ‍)^{l}$ to represent his query bound and builds a query vector $σ^{*} (w) = (σ_{i, j}^{*}) \in {0,1, *}^{n l}$ for $w = (w_{1}, \dots, w_{l}) \in {1, \dots, n}^{l}$ as follows:

\begin{matrix} σ_{i, j}^{*} = {\begin{cases} 1, & if w_{i} = j, \\ *, & otherwise . \end{cases} \end{matrix}

(2)

Similarly, we assume that

l = 3

n = 5

, and

w = (w_{1}, \dots, w_{l}) \in {1, \dots, n}^{l} = {1,2, 3,4, 5}^{3}

. For example, if the receiver's query condition is

P = (x_{1} \geq 1) \land (x_{2} \geq 3) \land (x_{3} \geq 1)

; that is,

w = (1,3, 1)

. Thus, the query vector

σ^{*} (w) = (1 * * * *, * * 1 * *, 1 * * * *)

. Note that, the number of the elements in

σ^{*} (w)

n l

. Based on the query vector

σ^{*} (w)

, a query token

T_{P}

is generated. The receiver sends

T_{P}

to the server.

In the data query phase, let $s (σ^{*} (w))$ denote the set of all indexes k which satisfies $σ_{k}^{*} \neq *$ , where $k \in {1, \dots, n l}$ . Let $P_{σ^{*} (w)} (σ (x))$ be the following comparison predicate:

\begin{matrix} P_{σ^{*} (w)} (σ (x)) = {\begin{cases} 1, & if \forall i \in s (σ^{*} (w)), σ^{*} (w_{i}) = σ (x_{i}), \\ 0, & otherwise . \end{cases} \end{matrix}

(3)

Finally, the server can disclose the data m if the comparison predicate

P_{σ^{*} (w)} (σ (x)) = 1

5. Construction of Secure HVE-Based Range Query Encryption Predicate

In this section, we modified the HVE scheme in [7] to support data query privacy. To protect the original data from exposing to the untrusted server even when the range query succeeds, double encryption is needed. Firstly, sensed data m can be encrypted into a ciphertext C by using its shared secret key with the $BS$ . Then, to enable range query on the untrusted DB, the ciphertext C can be encrypted into a searchable cipher $C T$ by using the HVE-based range query encryption predicate. Consequently, the DB can only get the ciphertext C when the requester's query tokes match the encryption vectors. Finally, the requester can get the original data with the help of the $BS$ .

Three entities: sender, server, and requester are involved in this section. It mainly consists of the following five phases: key generation phase, data encryption phase, token generation phase, data query phase, and data decryption phase. (1)

In key generation phase, a TA also distributes the public/private key pair $(PK, SK)$ to a receiver. We extend the comparison predicate to support range query predicate. Specifically, we can achieve the opposite semantics of the above comparison query in (1), that is, $x_{i} \leq j$ , by constituting the vectors $σ (x)$ in a reverse manner as follows:

\begin{matrix} σ_{i, j} = {\begin{cases} 1, & if x_{i} \leq j, \\ 0, & otherwise . \end{cases} \end{matrix}

(4)

Thus, the encryption predicate can support range queries, such as

a \leq x_{i} \leq b

(2)

In the data encryption phase, the SN should define two encryption vectors: $σ_{g} (x)$ and $σ_{s} (x)$ according to (1) and (4) when $x_{i} \geq j$ and $x_{i} \leq j$ , respectively. The receiver can get the correct data if and only if both conditions $x_{i} \geq a$ and $x_{i} \leq b$ hold. Suppose that, if the encrypted data in HVE is M, the SN $N_{i} \in ℕ$ should encrypt M into a ciphertext C. Then, $N_{i}$ split C into different parts by using secret sharing: randomly chooses a polynomial $f (x) = α_{0} + α_{1} x + \dots + α_{t} x^{t - 1}$ , where $α_{0} = C$ and $α_{i}$ are randomly coefficients. In our scheme, C only needs to be divided into two directions of the range query; thus, $t = 2$ . Then, $N_{i}$ chooses two random integers $ξ, π$ and computes two data shares $f (ξ)$ and $f (π)$ ; that is, C is divided into two parts: $f_{0} = f (ξ)$ and $f_{1} = f (π)$ . $N_{i}$ encrypts $f_{0}$ and $f_{1}$ under vectors $σ_{g} (x)$ and $σ_{s} (x)$ , respectively. For example, if we assume $l = 3$ , $n = 5$ , and $x = (2,3, 4)$ , $f_{0}$ is encrypted under the vector $σ_{g} (x) = (11000,11100,11110)$ , as shown in Table 1. $N_{i}$ outputs $C T_{0}$ . Also, $f_{1}$ is encrypted under the vector $σ_{s} (x) = (01111,00111,00011)$ , as shown in Table 2. Similarly, $N_{i}$ outputs $C T_{1}$ . Thus, ciphertext C is encrypted into ciphertexts $C T_{0}$ and $C T_{1}$ .

(3)

In the token generation phase, the requester's range query is defined with two vectors: $σ_{g}^{*} (w)$ and $σ_{s}^{*} (w)$ when $x_{i} = a$ and $x_{i} = b$ , respectively. Let $s (σ_{g}^{*} (w))$ be the set of all indexes k which satisfies $σ_{g}^{*} (w_{k}) \neq *$ , and let $s (σ_{s}^{*} (w))$ be the sets of all indexes $k^{'}$ which satisfies $σ_{s}^{*} (w_{k^{'}}) \neq *$ . Here, $k, k^{'} \in (1, \dots, n l)$ . Finally, in the data query phase, the server checks two comparison predicates $P_{σ_{g}^{*} (w)} (σ_{g} (x))$ and $P_{σ_{s}^{*} (w)} (σ_{s} (x))$ , which are generated according to (4). The server can obtain $f_{0}$ if $σ_{g} (x_{k})$ and $σ_{g}^{*} (w_{k})$ are equal for all $k \in s (σ^{*} (w_{g}))$ ; that is, $P_{σ_{g}^{*} (w)} (σ_{g} (x)) = 1$ . Similarly, the server can obtain $f_{1}$ if $σ_{s} (x_{k^{'}})$ and $σ_{s}^{*} (w_{k^{'}})$ are equal for all $k^{'} \in s (σ_{s}^{*} (w))$ ; that is, $P_{σ_{s}^{*} (w)} (σ_{s} (x)) = 1$ . The range query predicate can be denoted as follows:

\begin{array}{l} P_{(σ_{g}^{*} (w), σ_{s}^{*} (w))} (σ_{g} (x), σ_{s} (x)) \\ = {\begin{cases} 1, & if P_{σ_{g}^{*} (w)} (σ_{g} (x)) = 1, P_{σ_{s}^{*} (w)} (σ_{s} (x)) = 1, \\ 0, & otherwise . \end{cases} \end{array}

(5)

For instance, a range query

P = (2 \leq x_{1} \leq 3) \land (2 \leq x_{2} \leq 4) \land (3 \leq x_{3} \leq 5)

can be divided into two parts:

P_{g} = (x_{1} \geq 2) \land (x_{2} \geq 2) \land (x_{3} \geq 3)

and

P_{s} = (x_{1} \leq 3) \land (x_{2} \leq 4) \land (x_{3} \leq 5)

. Thus,

w_{g} = (2,2, 3)

w_{s} = (3,4, 5)

. Two query tokens

T_{P g}

and

T_{P s}

are computed under the vectors

σ_{g}^{*} (w) = (* 1 * * *, * 1 * * *, * * 1 * *)

and

σ_{s}^{*} (w) = (* * 1 * *, * * * 1 *, * * * * 1)

, respectively.

(4)

In the data query phase, when the query tokens $T_{P g}$ and $T_{P s}$ are deposited to the DB. As shown in Table 1, if the corresponding position of vectors $σ_{g} (x)$ and $σ_{g}^{*} (w)$ are equal for all $k \in s (σ_{g}^{*} (w))$ , the ciphered $f_{0}$ can be recovered by using $C T_{0}$ and $T_{P g}$ . Similarly, as shown in Table 2, if the corresponding position of vectors $σ_{s} (x)$ and $σ_{s}^{*} (w)$ are equal for all $k^{'} \in s (σ_{s}^{*} (w))$ , $f_{1}$ will be recovered by using $C T_{1}$ and $T_{P s}$ . Then, the ciphertext C can be computed from $f_{0}$ and $f_{1}$ when $P_{(σ_{g}^{*} (w), σ_{s}^{*} (w))} (σ_{g} (x), σ_{s} (x)) = 1$ .

(5)

In the data decryption phase, with the help of the $BS$ , the ciphertext C can be decrypted. Finally, the $BS$ distributes the data M to the requester in a secure channel.

Table 1

The larger condition vectors.

$σ_{g} (x)$	j					$σ_{g}^{*} (w)$	j
$σ_{g} (x)$	1	2	3	4	5	$σ_{g}^{*} (w)$	1	2	3	4	5
$σ_{g} (x_{1})$	1	1	0	0	0	$σ_{g}^{*} (w_{1})$	*	1	*	*	*
$σ_{g} (x_{2})$	1	1	1	0	0	$σ_{g}^{*} (w_{2})$	*	1	*	*	*
$σ_{g} (x_{3})$	1	1	1	1	0	$σ_{g}^{*} (w_{3})$	*	*	1	*	*

Table 2

The less condition vectors.

$σ_{s} (x)$	j					$σ_{s}^{*} (w)$	j
$σ_{s} (x)$	1	2	3	4	5	$σ_{s}^{*} (w)$	1	2	3	4	5
$σ_{s} (x_{1})$	0	1	1	1	1	$σ_{s}^{*} (w_{1})$	*	*	1	*	*
$σ_{s} (x_{2})$	0	0	1	1	1	$σ_{s}^{*} (w_{2})$	*	*	*	1	*
$σ_{s} (x_{3})$	0	0	0	1	1	$σ_{s}^{*} (w_{3})$	*	*	*	*	1

6. Proposed SSE Scheme

In this section, we describe the details of our SSE scheme. There are also five phases: key generation phase, data encryption phase, token generation phase, data query phase, and data decryption and verification phase.

6.1. Key Generation Phase

For our scheme, we assume that there is a TA (actually is the $BS$ ) which can bootstrap the whole system. Specifically, in this system initialization phase, the TA generates a bivariate t-degree polynomial $h (x, y) = \sum_{i, j = 0}^{t} ‍ α_{i j} x_{i} y_{j}$ . TA computes two polynomial share: $h (x, BS)$ for $BS$ itself and $h (i, y)$ for the node $N_{i}$ . $h (N_{i}, y)$ will be preloaded in the S's memory. A symmetric encryption algorithm $Enc (\cdot)$ is used to encrypt the data $m_{i}$ , for example, AES. Given the security parameter $1^{k}$ , the TA first generates $(q, g, 𝔾_{1}, 𝔾_{2}, e)$ by running $𝒢 e n (1^{k})$ . TA selects some random elements $g, g_{1}, g_{2}, (h_{1}, u_{1}, ψ_{1}), \dots$ , $(h_{n l}, u_{n l}, ψ_{n l}) \in 𝔾_{1}$ . It also picks random numbers $y_{1}, y_{2}, v_{1}, \dots, v_{n l}$ , $t_{1}, \dots, t_{n l} \in ℤ_{p}$ . Then, it computes $Y_{1} = g^{y_{1}}, Y_{2} = g^{y_{2}}, v_{k} = g^{v_{k}} \in 𝔾_{1}$ for $(k = 1, \dots, n l)$ . In addition, it computes $A = e (g_{1}, Y_{1}) \cdot e (g_{2}, Y_{2}) \in 𝔾_{2}$ . Then, TA distributes the public/private key pair $(PK, SK)$ to the $BS$ as follows:

\begin{matrix} PK = (g, Y_{1}, Y_{2}, (h_{1}, u_{1}, ψ_{1}, V_{1}, T_{1}), \dots, (h_{n l}, u_{n l}, ψ_{l}, V_{n l}, T_{n l})) \\ SK = (g_{1}, g_{2}, y_{1}, y_{2}, v_{1}, \dots, v_{n l}, t_{1}, \dots, t_{n l}) . \end{matrix}

(6)

6.2. Data Encryption Phase

If $N_{i} (1 \leq i \leq n)$ wants to report a data $m_{i}$ to the $BS$ , each data has l searchable attributes; $N_{i}$ chooses a vector $x_{i} = (x_{i 1}, \dots, x_{i l}) \in \sum_{}^{l}$ to characterize its data $m_{i}$ in different dimensions. $N_{i}$ computes a message authentication code (MAC) for $m_{i}$ by using its secret key with the $BS$ as follows: $N_{i}$ inputs $BS$ 's identity into its polynomial share $h (N_{i}, y)$ and obtains a shared secret key $k_{i} = h (N_{i}, BS)$ with the $BS$ . $N_{i}$ encrypts his data $m_{i}$ by using $k_{i}$ as $C_{i} = E n_{k_{i}} (m_{i})$ . Then, the $BS$ computes an ${MAC}_{i} = H {MAC}_{k_{i}} (m_{i})$ for authenticating data $m_{i}$ 's integrity. Also, $N_{i}$ computes another ${MAC}_{i}^{'} = H {MAC}_{k_{i}} (N_{i})$ to authenticate his identity $N_{i}$ .

In order to support range query “ $a_{j} \leq x_{i j} \leq b_{j}$ ” $(1 \leq j \leq l)$ , $C_{i}$ should be divided into two parts as we described in Section 5. Only when both conditions “ $x_{i j} \geq a_{j}$ ” and “ $x_{i j} \leq b_{j}$ ” are satisfied, $C_{i}$ can be recovered. Therefore, the $N_{i}$ divides each $C_{i}$ into two parts: $f_{i 0}$ and $f_{i 1}$ . $f_{i 0}$ is encrypted by using the encryption vector $σ_{g} (x_{i})$ ; $f_{i 1}$ is encrypted by using the encryption vector $σ_{s} (x_{i})$ . Thus, the $BS$ can recover $C_{i}$ only when both encryption vectors are satisfied with the corresponding query vectors in the range query tokens. The encryption details are as follows: (1)

$N_{i}$ maps $x_{i}$ to an encryption vector $σ_{g} (x_{i})$ as (1). It selects two random numbers $r_{i 1}, r_{i 2} \in Z_{p}$ , and computes some tags for the partial data $f_{i 0}$ by using the mapped vector $σ_{g} (x_{i})$ as

\begin{array}{l} C_{i 10} = Y_{1}^{r_{i 1}}, C_{i 20} = Y_{2}^{r_{i 2}}, \\ C_{i 3,10} = {(h_{1} u_{1}^{σ_{g} (x_{i 1})})}^{r_{1}} V_{1}^{r_{i 2}}, \\ \dots, \\ C_{i 3, n l 0} = {(h_{n l} u_{n l}^{σ_{g} (x_{i n l})})}^{r_{i 1}} V_{n l}^{r_{i 2}}, \\ C_{i 4,10} = ψ_{1}^{r_{i 1}} T_{1}^{r_{i 2}}, \\ \dots, \\ C_{i 4, n l 0} = ψ_{n l}^{r_{i 1}} T_{n l}^{r_{i 2}}, \\ C_{i 50} = g^{r_{i 2}}, \\ C_{i 60} = A^{r_{i 1}} C . \end{array}

(7)

Let

C T_{i 0} = (C_{i 10}, C_{i 20}, C_{i 3,10}, \dots, C_{i 3, n l 0}, C_{i 4,10}, \dots, C_{i 4, n l 0}, C_{i 50}, C_{i 60})

. Similarly,

N_{i}

maps

x_{i}

to an encryption vector

σ_{s} (x_{i})

as (4).

N_{i}

can encrypt the partial data

m_{i 1}

into ciphertext

C T_{i 1}

by using the encryption vector

σ_{s} (x_{i})

. Then,

N_{i}

deposits

C T_{i 0}

and

C T_{i 1}

to its cluster head

{CH}_{i}

\begin{matrix} N_{i} ⟶ {CH}_{i} : {N_{i}, C T_{i 0}, C T_{i 1}, t s_{i}, {MAC}_{i}, {MAC}_{i}^{'}} . \end{matrix}

(8)

(2)

The CH also adds the cluster number $c l_{i}$ to the ciphertexts and transmits them to the $BS$

\begin{matrix} {CH}_{i} ⟶ DB : {N_{i}, C T_{i 0}, C T_{i 1}, t s_{i}, {MAC}_{i}, {MAC}_{i}^{'}, c l_{i}} . \end{matrix}

(9)

6.3. Token Generation Phase

In this phase, firstly, the $BS$ will authenticate the requester S's identity by using any identity-based mechanism [24]. Then, if S is a valid data user, the $BS$ will help requester to transfer its range query into query tokens. If the range query is $P = (a_{1} \leq x_{1} \leq b_{1}) \land (a_{2} \leq x_{2} \leq b_{2}) \dots \land (a_{l} \leq x_{l} \leq b_{l})$ . For each querying interval

\begin{matrix} S ⟶ BS : {P} . \end{matrix}

(10)

Then,

BS

divides P into two parts:

P_{g} = (x_{1} \geq a_{1}) \land (x_{2} \geq a_{2}) \dots \land (x_{l} \geq a_{l})

and

P_{s} = (x_{1} \leq b_{1}) \land (x_{2} \leq b_{2}) \dots \land (x_{1} \leq b_{l})

. Let

w_{g} = (a_{1}, \dots, a_{l})

and

w_{s} = (b_{1}, \dots, b_{l})

The $BS$ generates a predicate vector $σ_{g}^{*} (w) \in (\sum_{*} ‍)^{n l}$ to represent $P_{g}$ . The wildcard * in the vector $σ_{g}^{*} (w)$ means that he does not care about the attributes related to *. Let $s (σ_{g}^{*} (w))$ be the set of all indexes k such that $σ_{g}^{*} (w) \neq *$ . Then, a token $T_{P g}$ will be computed under the vector $σ_{g}^{*} (w)$ as follows. (1)

Select a random $α, β \in Z_{p}$ and generate $λ_{j}, k_{j}, γ_{j}, τ_{j} \in Z_{p}$ such that $λ_{j} y_{1} + ψ_{j} y_{2} = α$ , $γ_{j} y_{1} + τ_{j} y_{2} = β$ for all $j \in s (σ_{g}^{*} (w))$ .

(2)

Compute the token $T_{P g}$ as

\begin{array}{l} K_{u 10} = g_{1} \prod_{k \in s (σ^{*} (w_{g}))} ‍ {(h_{k} u_{k}^{σ^{*} (w_{g k})})}^{λ_{k}} ψ_{k}^{γ_{k}}, \\ K_{u 20} = g_{2} \prod_{k \in s (σ^{*} (w_{g}))} ‍ {(h_{k} u_{k}^{σ^{*} (w_{g k})})}^{φ_{k}} ψ_{k}^{τ_{k}}, \\ K_{u 30} = g^{α}, \\ K_{u 40} = g^{β}, \\ K_{u 50} = g^{- \sum_{k \in s (σ^{*} (w_{g}))}^{} (v_{k} α + t_{k} β)} . \end{array}

(11)

Let

T_{P g} = (K_{u 10}, K_{u 20}, K_{u 30}, K_{u 40}, K_{u 50})

. In the same way,

BS

can generate the

T_{P s}

for partial query

P_{s}

. Then, the

BS

gets query tokens

T_{P g}

and

T_{P s}

and sends them to the requester S

\begin{matrix} BS ⟶ S : T_{P g}, T_{P s} . \end{matrix}

(12)

6.4. Data Query Phase

In this phase, S deposits its range query tokens to the DB to query their required data. After finish receiving the query tokens from S, the DB searches its database to find if there is a data ciphertext which matches S's query. For each data ciphertext, the DB checks that

\begin{matrix} f_{i 0} = \frac{D_{1} \cdot D_{2} \cdot e (K_{u 50}, C_{u 50})}{e (K_{u 10}, C_{u 10}) \cdot e (K_{u 20}, C_{u 20})}, \end{matrix}

(13)

where

D_{1} = e (K_{u 30}, \prod_{k \in s (σ_{g}^{*} (w))} ‍ C_{u 30, k})

and

D_{2} = e (K_{u 40}, \prod_{k \in s (σ_{g}^{*} (w))} ‍ C_{u 40, k})

. If for all

k \in s (σ_{g}^{*} (w))

σ_{g}^{*} (w_{k})

and

σ_{g} (x_{i k})

are equal,

f_{i 0}

will be recovered. Similarly,

f_{i 1}

will be recovered when

σ_{s}^{*} (w_{k})

and

σ_{s} (x_{i k})

are equal at the corresponding position. Then, the

BS

can derive the coefficients of

f (x)

by interpolation and hence calculate the secret

C_{i} = Σ_{v = 1}^{t} f_{i v} L_{v} (0)

, where

L_{v} (0)

is the Lagrange coefficient such as

\begin{matrix} L_{v} (x) = \frac{\prod_{j \neq v}^{} (x - x_{j})}{\prod_{j \neq v}^{} (x_{v} - x_{j})} . \end{matrix}

(14)

Thus, the DB can recover $C_{i}$ by using $f_{i 0}$ and $f_{i 1}$ and Lagrange coefficient. Then, DB distributes these data to S

\begin{matrix} DB ⟶ S : (C_{i}, {MAC}_{i}, {MAC}_{i}^{'}, N_{i}), (C_{i^{'}}, \dots, N_{i^{'}}) \dots . \end{matrix}

(15)

6.5. Data Decryption and Verification

Note that, there are more than one query results which match and the range query tokens. When S received the query results from DB, it will send them to the $BS$ for decryption and verification

\begin{matrix} S ⟶ BS : (C_{i}, {MAC}_{i}, {MAC}_{i}^{'}, N_{i}), (C_{i^{'}}, \dots, N_{i^{'}}) \dots . \end{matrix}

(16)

The

BS

recovers original data from the ciphertexts by using its shared secret key

k_{i}

with S. The

BS

inputs data owner's identity

N_{i}

into its polynomial share

f (x, BS)

and obtains its shared key

k_{i} = f (N_{i}, BS)

with the

N_{i}

\begin{matrix} BS : m_{i} = {Dec}_{k_{i}} (C_{i}), \dots . \end{matrix}

(17)

Dec (\cdot)

is the symmetric decryption algorithm corresponding to the opposite operation of

Enc (\cdot)

Then, the $BS$ computes a new MAC as ${MAC}_{1} = H {MAC}_{k_{i}} (m_{i})$ by using the recovered $m_{i}$ and $k_{i}$ . The $BS$ checks whether ${MAC}_{1} = {MAC}_{i}$ . If so, the data verification succeeds, which means that the recovered $m_{i}$ is the original data; otherwise, the verification fails and $m_{i}$ can be discarded. Next, the $BS$ computes another MAC by using the received identity as ${MAC}_{2} = H {MAC}_{k_{i}} (N_{i})$ . If ${MAC}_{2} = {MAC}_{i}^{'}$ , the identity verification succeeds, which means that $N_{i}$ is the original valid sender; otherwise, nothing will be returned. If all the verifications are successful, the $BS$ distributes the correct query results to the requester in a secure channel as

\begin{matrix} BS ⟶ S : {(m_{i}, N_{i}), \dots} . \end{matrix}

(18)

As a result, the requester obtains the original data.

7. Security Analysis

In this section, we analyze the security properties of the proposed SSE scheme. In particular, following the security requirements discussed earlier, our analysis will focus on how the proposed SSE scheme can achieve the data confidentiality, data integrity, source authentication, and data query privacy. (i)

The SN's data confidentiality is preserved in the proposed SSE scheme. In the SSE, each SN's data $m_{i}$ is encrypted by using the HVE-based encryption vectors $σ_{g} (x)$ and $σ_{s} (x)$ . Anyone, including the cluster head CH and DB who does not know the $BS$ 's secret key and query tokens can not recover $C_{i}$ and $m_{i}$ from the ciphertexts $C T_{i 0}$ and $C T_{i 1}$ . Thus, the data confidentiality is preserved in the SSE.

(ii)

The SN's data integrity is preserved in the proposed SSE scheme. In the SSE, each SN's data packet is followed by an MAC. The MAC is generated by using the shared secret key $k_{i}$ between the SN and the $BS$ . If any intermediate node, including the CH, forges or modifies the MAC, its malicious behavior can be detected during the data verification phase. The reason is that they have little knowledge of the secret keys $k_{i}$ and $m_{i}$ . Any modification will fail in the verification. Therefore, the data integrity is preserved in the SSE.

(iii)

The source authentication is preserved in the proposed SSE scheme. In the SSE, except the data authentication message, ${MAC}_{i}^{'}$ is followed with the data packet, and another identity authentication message ${MAC}_{i}^{'}$ is also attached. After data verification, the $BS$ also will check the source authentication by verifying if ${MAC}_{i}^{'} = {MAC}_{2}^{} = H {MAC}_{k_{i}} (N_{i})$ to authenticate sender's identity $N_{i}$ . Similarly, any impersonation and modification will fail in the source authentication. By this means, the source authentication is preserved in the SSE.

(iv)

The data query privacy is achieved in the proposed SSE scheme. In the SSE, when the query vectors in the query tokens match the HVE-base encryption vectors, the original data will not expose to the DB. The reason is that the secret keys needed for data decryption phase is kept secret. As described in the key generation phase, the polynomial share $h (i, y)$ for each node $N_{i}$ is preloaded in $N_{i}$ 's memory. Only the $BS$ and $N_{i}$ can correctly generate the secret key $k_{i} = h (N_{i}, BS) = h (BS, N_{i})$ . Anyone who does not get the polynomial share $h (i, y)$ or $h (x, BS)$ cannot compute the key $k_{i}$ . As a result, even if the adversary 𝒜 can get the data ciphertext and MAC message by eavesdropping, it also can not obtain any information about $k_{i}$ and $m_{i}$ . As a result, the data query privacy is preserved in the SSE.

Compared with the original OPE-based scheme [15], Buck-based scheme [6], and the original HVE-based scheme [20], as shown in Table 3, our SSE is the only one which can achieve all of the data confidentiality and intergrity, source authentication, and data query privacy. Furthermore, our SSE has no false positive results when querying the DB, which makes it more secure and efficient than the Buck-based scheme [6].

Table 3

Comparison of security properties.

Properties	SSE	OPE [15]	Buket [6]	HVE [20]
Confidentiality	Yes	partial	partial	Yes
Data integrity	Yes	No	No	No
Source authentication	Yes	No	No	No
Data query privacy	Yes	No	partial	partial
False positive	No	No	Yes	No

8. Conclusion

In this paper, we propose a secure searchable encryption scheme, named SSE, for urban sensing and querying to address the data security, source authentication, and range query problems of the sensed data in smart cities. The SSE allows the sensed data to be stored on a untrusted server in encrypted form. An authorized requester can obtain the correct ciphertexts when his authorized range query matches the HVE-based encryption predicate. With the help of the base station, the data integrity and source authentication can be verified. Security analysis demonstrates that the SSE can achieve data confidentiality and integrity, source authentication, and data query privacy. For our future work, we intend to enhance our SSE to support fine-grained search with logical operations.

Footnotes

Acknowledgments

This work is supported by the National Natural Science Foundation of China under Grant nos. 61073189, 61272437, and 61202369, Innovation Program of Shanghai Municipal Education Commission nos. 13ZZ131 and 14YZ129, the Foundation Key Project of Shanghai Science and Technology Committee no. 12JC1404500, and the Project of Shanghai Science and Technology Committee no. 12510500700.

References

Bartoli

Hernández-Serrano

Soriano

Dohler

Kountouris

Barthel

Security and privacy in your smart city

Proceedings of the Barcelona Smart Cities Congress

December 2011

Chen

Towards smart city: M2M communications with software agent intelligence

Multimedia Tools and Applications 2013 67 1 167 178

2-s2.0-84857135283

10.1007/s11042-012-1013-4

Wen

Yin

Wang

Chen

A ntru based key generation and data transmission scheme for sensor networks

Journal of Computational Information Systems 2012 8 6 2417 2424

Yuen

Xiang

A tag encoding scheme against pollution attack to linear network coding

IEEE Transactions on Parallel and Distributed Systems 2013

10.1109/TPDS.2013.24

Wang

Ren

Lou

Privacy-preserving public auditing for data storage security in cloud computing

Proceedings of the IEEE International Conference on Computer Communications (INFOCOM '10)

March 2010

1 9

2-s2.0-77953295132

10.1109/INFCOM.2010.5462173

Hore

Mehrotra

Canim

Kantarcioglu

Secure multidimensional range queries over outsourced data

The VLDB Journal 2012 21 3 333 358

2-s2.0-79961111714

10.1007/s00778-011-0245-7

Parikh

P. P.

Kanabar

M. G.

Sidhu

T. S.

Opportunities and challenges of wireless communication technologies for smart grid applications

Proceedings of the IEEE Power and Energy Society General Meeting (PES '10)

July 2010

1 7

2-s2.0-78649673610

10.1109/PES.2010.5589988

Perrig

Szewczyk

Tygar

J. D.

Wen

Culler

D. E.

SPINS: security protocols for sensor networks

Wireless Networks 2002 8 5 521 534

2-s2.0-0036738266

10.1023/A:1016598314198

Eschenauer

Gligor

V. D.

A key-management scheme for distributed sensor networks

Proceedings of the 9th ACM Conference on Computer and Communications Security

November 2002

ACM

41 47

2-s2.0-0038341106

10.

Hwang

Kim

Revisiting random key pre-distribution schemes for wireless sensor networks

Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN '04)

October 2004

ACM

43 52

2-s2.0-14844335004

11.

Zhu

Setia

Jajodia

LEAP: efficient security mechanisms for large-scale distributed sensor networks

Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03)

October 2003

ACM

62 72

2-s2.0-10044284351

12.

Gura

Patel

Wander

Eberle

Shantz

S. C.

Comparing elliptic curve cryptography and RSA on 8-bit CPUs

Cryptographic Hardware and Embedded Systems—CHES 2004 2004 3156

Berlin, Germany

Springer

119 132

2-s2.0-35048818581

13.

Malan

D. J.

Welsh

Smith

M. D.

A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography

Proceedings of the 1st Annual IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks (SECON '04)

October 2004

IEEE

71 80

2-s2.0-20344381294

14.

Cose: a query-centric framework of collaborative heterogeneous sensor networks

IEEE Transactions on Parallel and Distributed Systems 2012 23 9 1681 1693

15.

Boldyreva

Chenette

O'Neill

Order-preserving encryption revisited: improved security analysis and alternative solutions

Advances in Cryptology—CRYPTO 2011 2011 6841

Berlin, Germany

Springer

578 595

2-s2.0-80052002672

10.1007/978-3-642-22792-9_33

16.

Boneh

Waters

Conjunctive, subset, and range queries on encrypted data

Theory of Cryptography 2007 4392

Berlin, Germany

Springer

535 554

2-s2.0-38049045519

17.

Shi

Bethencourt

Chan

T.-H. H.

Song

Perrig

Multi-dimensional range query over encrypted data

Proceedings of the IEEE Symposium on Security and Privacy (SP '07)

May 2007

350 364

2-s2.0-34548774576

10.1109/SP.2007.29

18.

Agrawal

Kiernan

Srikant

Order preserving encryption for numeric data

Proceedings of the ACM International Conference on Management of Data (SIGMOD '04)

June 2004

563 574

2-s2.0-3142716056

19.

de Capitani di Vimercati

Foresti

Paraboschi

Pelosi

Samarati

Efficient and private access to outsourced data

Proceedings of the 31st International Conference on Distributed Computing Systems (ICDCS '11)

July 2011

Springer

710 719

2-s2.0-80051865953

10.1109/ICDCS.2011.37

20.

Park

J. H.

Efficient hidden vector encryption for conjunctive queries on encrypted data

IEEE Transactions on Knowledge and Data Engineering 2011 23 10 1483 1497

2-s2.0-80051794695

10.1109/TKDE.2010.206

21.

Wen

Chen

K.-F.

Zheng

Y.-F.

Reliable pairwise key-updating scheme for sensor networks

Journal of Software 2007 18 5 1232 1245

2-s2.0-34347263038

10.1360/jos181232

22.

Boneh

Franklin

Identity-based encryption from the weil pairing

Advances in Cryptology—CRYPTO 2001 2001 2139

Berlin, Germany

Springer

213 229

23.

Blundo

de Santis

Herzberg

Kutten

Vaccaro

Yung

Perfectly secure key distribution for dynamic conferences

Advances in Cryptology—CRYPTO’ 92 1993 740

Berlin, Germany

Springer

471 486

24.

Zhang

Lin

P.-H.

Shen

An efficient identity-based batch verification scheme for vehicular sensor networks

Proceedings of the 27th IEEE Communications Society Conference on Computer Communications (INFOCOM '08)

April 2008

IEEE

246 250

2-s2.0-51449098979

10.1109/INFOCOM.2007.58

SSE: A Secure Searchable Encryption Scheme for Urban Sensing and Querying

Abstract

1. Introduction

2. Related Works

2.1. Security in Sensor Network

2.2. Range Query over Encrypted Data

3. System Model and Security Requirements

3.1. System Model

3.2. Security Requirements

4. Preliminaries

4.1. Bilinear Pairing

Definition 1.

4.2. Polynomial-Based Key Predistribution

4.3. HVE-Based Comparison Query Predicate

5. Construction of Secure HVE-Based Range Query Encryption Predicate

6. Proposed SSE Scheme

6.1. Key Generation Phase

6.2. Data Encryption Phase

6.3. Token Generation Phase

6.4. Data Query Phase

6.5. Data Decryption and Verification

7. Security Analysis

8. Conclusion

Footnotes

Acknowledgments

References