Sage Journals: Discover world-class research

Abstract

Wireless sensor networks (WSNs) are composed of sensor nodes with limited energy which is difficult to replenish. In-network data aggregation is the main solution to minimize energy consumption and maximize network lifetime by reducing communication overhead. However, performing data aggregation while preserving data confidentiality and integrity is challenging, because adversaries can eavesdrop and modify the aggregation results easily by compromised aggregation nodes. In this paper, we propose an efficient confidentiality and integrity preserving aggregation protocol (ECIPAP) based on homomorphic encryption and result-checking mechanism. We also implement ECIPAP on SimpleWSN nodes running TinyOS. Security and performance analysis show that our protocol is quite efficient while persevering both aggregation confidentiality and integrity.

1. Introduction

Wireless sensor networks consist of a large number of sensor nodes which can be deployed to sense, transmit, and process the data collected from the environment in many applications such as battlefield surveillance, health care monitoring, and traffic regulation. The environment data will be transmitted to the base station (BS) hop by hop. Sensor nodes have limited energy storage and their computational ability is not so powerful as base station. We cannot supply energy to the nodes at all times because they are usually deployed in the areas humans hardly reach. If some key nodes cannot work as we supposed, the whole network will break down. The energy of the node is mainly spent on data transmission. On TelosB nodes, sending and receiving one bit data cost 0.72 μJ and 0.81 μJ which are more than 600 times than 1.2 nJ cost on processing one instruction by processor [1]. Therefore, how to reduce communication overhead is the key issue to prolong the life of wireless sensor networks [2, 3].

Other than transmitting data directly to the base station, wireless sensor nodes can perform aggregation operations, such as SUM and AVERAGE, on aggregation nodes. Through this approach, the communication overhead will be reduced largely. An aggregation tree should be built before data aggregation. The topology can be tree-based or cluster-based depending on the applications. Then the sensors need to collect environment data from the monitoring area and transmit the data to the bases station hop by hop. When the intermediate nodes receive the data from their child nodes, they aggregate them using aggregation functions.

Sensor nodes should be deployed in the hostile areas in some applications, such as battlefield surveillance and target tracking. If these data was leaked to the enemies, it would bring heavy losses. The adversaries can contact the physical nodes easily and they can tamper the original sensing data so that the base station will receive the false aggregation results. If the base station cannot receive the true data, it will make wrong decisions. Some other attacks also affect the aggregation process like denial of service (DoS) or data selective forwarding. General data aggregation protocols do not consider these attacks, so they are useless in military applications. Designing a data aggregation protocol should take security into consideration. All above, secure data aggregation mandates three security factors.

1.1. Data Confidentiality

The original sensing data and the intermediate aggregation results should not be disclosed to the unauthorized parties during the transmission process.

1.2. Data Integrity

If the original sensing data or the intermediate aggregation results were tampered by the adversaries or modified due to the poor quality of communications, the base station can detect the changes from final aggregation results.

1.3. Data Freshness

Sensing data received by the base station should represent the very recent state of the environment. If the aggregation values are too old, base station should discard such results.

Researchers have proposed many data aggregation protocols which can provide some secure protections. Most protocols can only provide confidentiality protection [4, 5] or integrity protection [6, 7]. Some protocols claim that they can protect both data confidentiality and data integrity, but some problems still exist. Data must be transmitted in some special forms if data integrity needs to be protected. But data form may be changed when some encryption algorithms are used to protect data confidentiality. They are contradictory in a way. Designing a data aggregation protocol which can provide both data confidentiality and data integrity is a challenge.

In this paper, we propose an efficient confidentiality and integrity preserving aggregation protocol (ECIPAP) in wireless sensor networks motivated by protocols SIES [8] and SHIA [9]. Our scheme is based on a lightweight homomorphic encryption which is energy efficient. Through the result-checking phase, every node in the wireless sensor network can verify if its data was added to the final aggregation results. We use a random number dissemination mechanism to update the keys stored in sensor nodes so as to guarantee the data freshness against replay attacks. This protocol also uses μTESLA [10] to broadcast authenticated queries along with the random numbers. We implement our protocol on TelosB physical nodes. Through the results of the experiment and the theoretic analysis, we will show the practicability and high efficiency of our protocol.

The paper is organized as follows. In Section 2, we introduce the related work in this research area. Section 3 explains the system model in our protocol. Section 4 describes our protocol in detail. Section 5 analyses the security, experiment, and performance of ECIPAP. We conclude this paper in Section 6.

2. Related Work

Hu and Evan proposed the first integrity-preserving hierarchy data aggregation protocol in 2003 [11]. The main idea of this protocol is delayed aggregation and delayed authentication. Girao et al. proposed an aggregation scheme that can guarantee the end-to-end data confidentiality using symmetric key based homomorphic encryption [12]. After that, a series of secure data aggregation protocols have been proposed. Existing protocols, which claim that they can protect both data confidentiality and data integrity, have some potential risks. Generally, we can think that both confidentiality and integrity preserving protocols should satisfy the following conditions. (i)

The encrypted sensing data should only be decrypted at the base station but not on the intermediate nodes thus to implement end-to-end confidentiality.

(ii)

If the adversaries tamper the sensing data, base station can verify the data integrity through checking the final aggregation results.

(iii)

The energy consumption should be reasonable because of the limited energy in each node.

The protocols proposed in [13–16] use pair keys to encrypt the data transmitted between two nodes based on the existing integrity-preserving data aggregation protocols. These protocols achieve hop by hop confidentiality but not end-to-end confidentiality. Based on a confidentiality protection mechanism, paper [17] provides data integrity protection through using a global key $k^{(r)}$ and a key $k^{(r)'}$ shared with the base station to compute the authenticated message $m_{i} k^{(r)} + k^{(r)'}$ of message $m_{i}$ . This protocol is not secure if an adversary compromises a node and gets the global key $k^{(r)}$ , using which the adversary can forge message as wished. Protocol in [18] uses EC-ElGamal to achieve confidentiality protection. It also uses a global key k and the node's private key $z_{i}$ to compute the signature of message $m_{i}$ . However, through compromising a sensor node the adversary can get k which can be used to tamper the cipher and compute the corresponding signature. Paper [19] proposed a protocol that can protect the data confidentiality. Meanwhile, this protocol also can protect the aggregation data sent by cluster header from being tampered. But adversary can compromise a node and get the public key of the cluster; then the aggregation data can be tampered freely.

Chan et al. presented a provable secure tree-based in-network data aggregation protocol named SHIA [9]. Without assuming a particular data structure, SHIA can detect any manipulation of the in-network aggregation. SHIA has three phases: query dissemination phase, aggregation-commit phase, and result-checking phase. After the queries were broadcast to the whole network, sensor nodes send their environment data and commitment upward. In the result-checking phase, associated off-path values would be passed down to the aggregation tree. Through this way, sensor nodes can verify if their data was indeed added to the final aggregation results. After node i is convinced, it will send an authentication message $MAC (K_{i}, N ∥ OK)$ , where $OK$ is a unique identifier and $K_{i}$ is the key shared with base station, to base station hop by hop. The intermediate nodes perform XOR on these authentication messages and the final result received by base station is $MAC (K_{1}, N ∥ OK) \oplus \dots \oplus MAC (K_{n}, N ∥ OK)$ . Base station computes this message itself and compares it with the authentication message received. If two messages match, base station accepts the aggregation result. Otherwise, the result will be ignored. Although this protocol can protect data integrity, the data confidentiality is not guaranteed.

Combining homomorphic encryption and secret sharing, Papadopoulos et al. proposed a secure data aggregation protocol SIES which can protect both data confidentiality and data integrity [8]. In this protocol, each sensor node has a secret message ${ss}_{i}$ , a global key K, and a private key $k_{i}$ shared with base station. After the environment data $v_{i}$ was sensed from monitoring area, each sensor node generates a message $m_{i} = v_{i} ∥ {ss}_{i}$ . Sensor nodes use homomorphic encryption to encrypt $m_{i}$ and send them to their parent nodes. The parent nodes can perform aggregation functions on the encrypted data directly. When the final aggregation result is received by the base station, it will be decrypted and divided into two parts: environment data V and secret $SS$ . Base station computes the $SS$ itself and compares it with the secret received. This protocol also has a problem that if the data $v_{i}$ of the message $m_{i}$ was tampered by adversaries, base station cannot detect such changes.

Our protocol improves SIES [8] by using result-checking mechanism motivated by SHIA [9] to protect data integrity instead of secret sharing. We also use homomorphic encryption to allow intermediate nodes perform aggregation directly so as to achieve end-to-end data confidentiality. When the final aggregating result was sent to the base station, the result-checking process will detect whether all the data is added to the final aggregation result.

3. System Model

Different secure data aggregation protocols support different aggregation functions. The security protection abilities are also various and the adversaries can launch a variety of attacks. This section gives the general problem definition, network assumption, and attack model in detail.

3.1. Network Assumption

We assume that an aggregation tree is already set up in the deployment phase. If not ready, TAG [20] can be used to build such tree-based networks. In our protocol, base station BS has unlimited energy and computing ability. BS can broadcast query messages to the whole network using authenticated method μTESLA [10]. In the aggregation tree, there are two types of nodes, leaf nodes and the intermediate nodes. Leaf nodes only sense environment data and encrypt them, while intermediate nodes not only sense environment data but also aggregate their child nodes' data. The distance between two nodes is about 10 m and nodes can only communicate with its child nodes or parent nodes.

Each sensor node has a unique ID and an initial key $k_{i}$ . We further assume that sensor nodes can perform symmetric additively homomorphic encryption and collision-resistant hash function.

3.2. Problem Definition

In our protocol, we use an efficient symmetric additively homomorphic encryption algorithm. A key distribution mechanism is also used to generate the keys in each sensor node.

3.2.1. Homomorphic Encryption

As shown in Algorithm 1, M is a large integer. Let $m (m \in [0, M])$ be the message that needs to be encrypted, and $k (k \in [0, M])$ is the initial key stored in every node before deployment. Parameter r is the random number sent by base station and H is the hash function.

Algorithm 1: Homomorphic encryption algorithm.

(i) Key Generation:

Round key $k_{r} = H (k, r)$ mod M

(ii) Encryption:

Ciphertext $c = Enc (m, k_{r}, M)$

$= (m + k_{r})$ mod M

(iii) Decryption:

$m =$ $Dec (c, k_{r}, M) = (c - k_{r})$ mod M

(iv) Addition:

$c_{i} = Enc (m_{i}, k_{i, r}, M)$

$c_{j} = Enc (m_{j}, k_{j, r}, M)$

$c = (c_{i} + c_{j})$ mod M

$m_{i} + m_{j} = Dec (c_{i} + c_{j}, k_{i, r} + k_{j, r}, M)$

3.2.2. Message Format

The message m sent by sensor node has a fixed format which is a data tuple:

\begin{matrix} 〈 count, value, \bar{value}, MAC 〉, \end{matrix}

(1)

where count is the number of the sensor nodes in the subtree. If a sensor node is the leaf node, then

count = 1

. Parament value is the environment data and it has lower bound

V_{\min}

and upper bound

V_{\max}

. We also add

\bar{value} = V_{\max} - value

to this data tuple.

MAC

can be computed as follows:

\begin{matrix} MAC = H (count ∥ value ∥ \bar{value} ∥ {ID}_{i}), \end{matrix}

(2)

where

{ID}_{i}

is node's unique ID.

3.2.3. Aggregation Function

An intermediate node i has n child nodes $s_{1}, s_{2}, \dots, s_{n}$ . Let $v_{1}, v_{2}, \dots, v_{n}$ be the data sensed by these child nodes from the monitory area. We define aggregation function $F_{agg}$ that can be performed on intermediate nodes as shown in Algorithm 2.

Algorithm 2: Aggregation functions.

(i) Count Function:

$F_{count} = \sum_{i = 1}^{n} ‍ m_{i} \cdot count$

(ii) Sum Function:

$F_{sum} = 〈 \sum_{i = 1}^{n} ‍ m_{i} \cdot value, \sum_{i = 1}^{n} ‍ m_{i} \cdot \bar{value} 〉$

(iii) Average Function:

$F_{average} = 〈 \frac{\sum_{i = 1}^{n} ‍ m_{i} \cdot value}{\sum_{i = 1}^{n} ‍ m_{i} \cdot count}, \frac{\sum_{i = 1}^{n} ‍ m_{i} \cdot \bar{value}}{\sum_{i = 1}^{n} ‍ m_{i} \cdot count} 〉$

(iv) MAC Aggregation:

$F_{MAC} = ⨁_{i = 1}^{n} m_{i} \cdot MAC$

3.3. Attack Model

The most threatening attack against data aggregation in wireless sensor networks is node compromising launched by the adversaries. Through this attack, adversaries can obtain the keys of the nodes. After that, they can use fake messages to disturb the final aggregation results. Such stealthy attacks [12] can make base station accept the false aggregation results without being detected. We assume that the adversaries can compromise a fraction of sensor nodes in the network.

Denial-of-service attack is out of our consideration, because this type of attack can be detected easily by the base station when the network works improperly.

4. ECIPAP

We improve SIES [8] by using result-checking mechanism instead of secret sharing. Then we propose an efficient confidentiality and integrity preserving aggregation protocol (ECIPAP). The homomorphic encryption used in our protocol can guarantee end-to-end data confidentiality. Our protocol has three phases: query dissemination phase, data aggregation phase, and result-checking phase.

4.1. Network Deployment

Before the sensor nodes were deployed in the monitory area, each sensor node shared a private key $k_{i}$ , a large integer M, and a unique ${ID}_{i}$ with the base station. The symmetric additively homomorphic encryption algorithm and hash function SHA-1 are also preset. When the aggregation process begins, we assume that the aggregation tree is already set up. We can use TAG [20] to form an aggregation tree.

4.2. Query Dissemination Phase

In each aggregation round, base station $BS$ chooses a random number r and the query message such as COUNT, SUM, and AVERAGE. Due to its powerful communication ability, it can broadcast this query message to the whole network along with the random number r. When the nodes receive the query messages, they store them in the RAMs and start the data aggregation phase.

4.3. Data Aggregation Phase

Sensor node collects environment data $value \in [V_{\min}, V_{\max}]$ such as temperature and sets $\bar{value} = V_{\max} - v$ , $count = 1$ . Next it generates the temporary keys $k_{i, r}$ , $k_{i, r}^{'}$ , and $k_{i, r}^{′′}$ :

\begin{matrix} k_{i, r} = H (k_{i}, r) \mod M, \\ k_{i, r}^{'} = H (k_{i}, r + 1) \mod M, \\ k_{i, r}^{′′} = H (k_{i}, r + 2) \mod M . \end{matrix}

(3)

Then it encrypts these data as follows:

\begin{matrix} c_{count, i} = Enc (count, k_{i, r}, M), \\ c_{value, i} = Enc (value, k_{i, r}^{'}, M), \\ c_{\bar{value}, i} = Enc (\bar{value}, k_{i, r}^{′′}, M) . \end{matrix}

(4)

The reason why we use different keys to encrypt count, value, and $\bar{value}$ will be shown latter. Sensor nodes can compute message authentication code as follows:

\begin{matrix} {MAC}_{i} = H (c_{count, i} ∥ c_{value, i} ∥ c_{\bar{value}, i} ∥ {ID}_{i}) . \end{matrix}

(5)

The data tuple can be created now as

\begin{matrix} u_{i} = 〈 c_{count, i}, c_{value, i}, c_{\bar{value}, i}, {MAC}_{i} 〉 . \end{matrix}

(6)

When the nodes prepare the data tuples ready, they send them to their parent nodes. We show the aggregation process in Figure 1. There are $N = 10$ nodes in the network and node F has two child nodes I and J. When node F receives the data tuples $u_{i}$ and $u_{j}$ sent by node I and node J, it aggregates them with the data tuple $u_{f}$ created by itself: $U_{f} = F_{agg} (u_{i}, u_{j}, u_{f})$ . Node F sends this intermediate aggregation result to its parent node C. The final aggregation result will be transmitted to the base station BS at last. BS can decrypt this aggregation result as follows:

\begin{matrix} {count}_{agg} = Dec (U_{a} \cdot count, \sum_{i = 1}^{n} k_{i, r}, M), \\ {value}_{agg} = Dec (U_{a} \cdot value, \sum_{i = 1}^{n} k_{i, r}^{'}, M), \\ {\bar{value}}_{agg} = Dec (U_{a} \cdot \bar{value}, \sum_{i = 1}^{n} k_{i, r}^{′′}, M) . \end{matrix}

(7)

The base station BS can also get the MAC_agg:

\begin{matrix} {MAC}_{agg} = ⨁_{i = 1}^{n} m_{i} \cdot MAC . \end{matrix}

(8)

Figure 1

Data aggregation phase in ECIPAP.

4.4. Result-Checking Phase

When the final aggregation result is received, base station broadcasts the aggregated data tuple down to the whole network using authenticated method. To enable result checking, each sensor node will send a checking message to its child node. We can regard the result checking as a reverse process of data aggregation. We show this in Figure 2. Base station sends the final data tuple $U_{a}^{'}$ to node A. Then node A can remove the data sent by nodes B, C, and D from $U_{a}^{'}$ . We define the reverse computational operation as ⊖. For example, we can get data tuple created by node A as $u_{a}^{'} = U_{a}^{'} ⊖ u_{b} ⊖ U_{c} ⊖ u_{d}$ . Through comparing $u_{a}^{'}$ with the data tuple $u_{a}$ created by node A, node A can verify if its data was added to the final aggregation result.

Figure 2

Result-checking phase in ECIPAP.

Every sensor node can verify if its own data was added to the aggregation data by comparing its own data to the data sent by parent nodes. If the result passes the verification, then every sensor node prepares an authentication message $MAC (k_{i} ∥ r ∥ OK)$ and sends it to the base station hop by hop. If verification is failed, $MAC (k_{i} ∥ r ∥ NO)$ will be sent. When the intermediate sensor nodes receive these authentication messages, they aggregate them using MAC Aggregation Function. The base station also can calculate this authentication message with its own data stored before network deployment. So comparing these two authentication messages can verify if all the sensing data is added to the final aggregation result. If the authentication message passes the verification, then base station accepts this aggregation result. Otherwise, base station just ignores it.

5. Analysis

5.1. Security Analysis

Adversaries can compromise a fraction of sensor nodes in the wireless sensor network. When a sensor node is compromised, its private information such as encryption keys will be leaked. Adversaries can sniff confidential data sent by the sensor nodes. They can launch stealthy attack to make the base station accept false data without being detected.

We assume the adversaries can eavesdrop messages sent between sensor nodes and they already know the range of sensing data. If we use the same key to encrypt both value and $\bar{value}$ , the adversaries can get the original sensing data through algebraic operation, such as ${value}_{i} = (c_{value, i} - c_{\bar{value}, i} + V_{\max}) / 2$ . Because we use different keys $k_{i, r}$ , $k_{i, r}^{'}$ , and $k_{i, r}^{′′}$ to encrypt count, value, and $\bar{value}$ in ECIPAP, data confidentiality can be protected.

Authors in [9] define the direct data injection and optimally secure as follows.

5.1.1. Direct Data Injection

A direct data injection attack occurs when an adversary modifies the data readings reported by the nodes under its direct control, under the constraint that only legal readings in [ $V_{\min}$ , $V_{\max}$ ] are reported.

5.1.2. Optimally Secure

An aggregation algorithm is optimally secure if, by tampering with the aggregation process, an adversary is unable to induce the base station to accept any aggregation result which is not already achievable by direct data injection.

The message format in our protocol is the same as the message format $〈$ vount, value, complement, commitment $〉$ used in SHIA [9]. Adversaries can compromise some nodes and set all their readings to $V_{\min}$ or $V_{\max}$ so that the final aggregation result is in the range [ $μ V_{\min}$ , $μ V_{\max}$ ] where μ is the number of malicious nodes. Obviously, any aggregation result between these two bounds can be achieved by direct data injection. Hence, our ECIPAP is optimally secure.

5.2. Experiment Analysis

We have implemented ECIPAP using SimpleWSN experimental platform to sense average temperature in lab. Characteristics of SimpleWSN nodes are shown in Table 1.

Table 1

Characteristics of simpleWSN nodes.

CPU 8-bit	8 MHz
Storage	10 Kbytes RAM
Storage	48 Kbytes FLASH
Communication	2.4 GHz
Bandwidth	250 Kbps
Operating system	TinyOS 2.1

The temperature data DataNum sensed by SimpleWSN nodes are 16-bit hexadecimal integers. We can use the following formula to transform such data to readable Celsius degree:

\begin{matrix} Temperature (C) = \frac{((DataNum / 4096) * 1.5 - 0.98)}{0.00355} . \end{matrix}

(9)

Table 2 describes the parameters used in our experiment. We use sensor nodes to form an aggregation tree whose root is a powerful PC.

Table 2

Parameters used in experiment.

N	5	Total node number
r	$[1, 2^{16} - 1]$	Random number
$k_{i, r}, k_{i, r}^{'}, k_{i, r}^{''}$	$[0, 2^{32} - 1]$	Encryption keys
count	$[0, 2^{8} - 1]$	Aggregating count
value	$[0, 2^{16} - 1]$	Aggregating value
$\bar{value}$	$[0, 2^{16} - 1]$	$V_{\max}$ − $value$
${MAC}_{i}$	160 bit	SHA-1 output
M	$2^{32}$	Large integer
$V_{\min}$	1000	Lower bound
$V_{\max}$	4000	Upper bound
$OK/NO$	1/0	Identifaction
t	1000 ms	Query period

Table 3 shows the data received by base station before decryption. The data in $count$ , $value$ , and $\bar{value}$ columns are encrypted. We know this environment data is larger than the upper bound $V_{\max}$ , so we cannot get any useful information from such messages.

Table 3

Encrypted aggregation results received by $BS$ .

count	value	$\bar{value}$	MAC
8A 9D A4 86	20 25 79 BE	16 09 0C C5	21 B9 95 E0 86 36 3D 1E F5 9C 06 12 70 BE B1 53 05 AE 81 D4
08 EF 90 17	04 98 E7 85	61 03 3E 1B	76 4A 9B 43 A9 74 5D CB 70 30 D5 D9 43 6E E9 93 29 1D 1B 2C
B9 84 48 53	25 0E 1A AE	6E AD 98 D8	DA 31 9E CA F6 04 A5 1F 21 4C 80 77 CF 75 E7 2B 9C 5A EB 65
A1 1E 78 01	02 A8 59 FD	AA 50 50 0E	35 E2 76 0A 08 EE DB 1E 80 D5 44 77 4A 78 8A 59 CE D9 A8 2F
E0 B1 ED 95	1F 13 C7 A4	B8 53 B3 3E	1B 49 94 BE B3 A0 0F B3 7D 27 56 33 77 11 B8 BE 48 87 34 4F
0D 15 51 8D	04 16 05 14	C8 66 EF C8	1E A4 2C 8B 99 1B 70 E2 BD C1 4C 6F 1B A5 84 34 0C 50 31 7A
36 A5 79 3F	0C CF 54 28	A4 21 21 74	EC 51 67 47 9E CA 90 FA 64 DF 80 25 19 C1 10 01 45 F7 9A 14

Then, we use the keys shared between sensor nodes and base station to decrypt the aggregation results and show them in Table 4. The total number of nodes used is 5 and the average temperature is about 23.2 degrees Celsius. Base station broadcasts query messages every 1000 million seconds. Our experiment shows the practicability and high efficiency of ECIPAP.

Table 4

The original environment data received by $BS$ after decryption.

count	value	$\bar{value}$	MAC
00 00 00 05	00 00 0B 55	00 00 15 77	74 21 49 83 DA ED D4 83 97 21 FA E7 AD 88 9F 58 FC C9 78 AA
00 00 00 05	00 00 0B 54	00 00 15 79	9C A6 75 EF 33 0C 88 9A 90 93 57 C4 73 12 F0 D0 52 6D 39 CE
00 00 00 05	00 00 0B 55	00 00 15 77	F1 37 76 9A 0F 43 66 CA 86 B0 92 34 CC 9A 75 50 25 E4 93 1C
00 00 00 05	00 00 0B 56	00 00 15 72	86 37 5C B3 CB EB C3 B6 2C 92 72 56 B7 46 A9 7C CD 76 6E 00
00 00 00 05	00 00 0B 55	00 00 15 75	DE B3 93 F6 98 E6 D1 E8 D9 D6 35 73 DD D1 34 B5 62 D7 8A A8
00 00 00 05	00 00 0B 55	00 00 15 76	5C AF 15 67 B6 28 5E F6 2F 5A A1 06 89 09 E3 D2 B6 CC C5 06
00 00 00 05	00 00 0B 55	00 00 15 75	98 1D 7E 47 B2 49 B0 96 DE B7 F1 BD EA 00 E0 39 6B AE CB E5

5.3. Performance Analysis

We give a theoretical analysis of the performance in this section. Through comparing the communication overhead between ECIPAP, SHIA, and SIES, we show that ECIPAP not only protect both data integrity and data confidentiality but also reduce the communication overhead in result-checking phase.

We assume every intermediate node in the network has d child nodes and the height of the aggregation tree is h. The length of the data tuple sent by sensor nodes in ECIPAP, SHIA, and SIES are $| m |$ , $| m^{'} |$ and $| m^{′′} |$ . The length of the authentication messages, sent by sensor nodes in result-checking phase, are $| MAC |$ and $| {MAC}^{'} |$ in ECIPAP and SHIA. The number of nodes in the whole network is $\sum_{i = 1}^{h} ‍ d^{i}$ . So we can get the communication overhead of ECIPAP, SHIA, and SIES in Table 5.

Table 5

Communication overhead of ECIPAP, SHIA, and SIES.

	ECIPAP	SHIA	SIES
Edge congestion	$\| m \|$	$h \times (d - 1) \times \| m^{'} \|$	$\| m^{''} \|$
Node congestion	$d \times \| m \|$	$d \times h \times (d - 1) \times \| m^{'} \|$	$d \times \| m^{''} \|$
Data aggregation	$\sum_{i = 1}^{h} ‍ d^{i} \times \| m \|$	$\sum_{i = 1}^{h} ‍ d^{i} \times \| m^{'} \|$	$\sum_{i = 1}^{h} ‍ d^{i} \times \| m^{''} \|$
Authentication	$\sum_{i = 1}^{h} ‍ d^{i} \times \| m \|$	$\sum_{i = 1}^{h} ‍ d^{i} \times (d - 1) \times i \times \| m^{'} \|$	—
MAC transmission	$\sum_{i = 1}^{h} ‍ d^{i} \times \| MAC \|$	$\sum_{i = 1}^{h} ‍ d^{i} \times \| {MAC}^{'} \|$	—

In ECIPAP, we use 4-byte integers to present encrypted count, value, and $\bar{value}$ . Hash function SHA-1 outputs a 160-bit value. So we know $| m | = 256 bit$ and $| MAC | = 160 bit$ . Message length and MAC length in SHIA are the same as ECIPAP, so we can set $| m^{'} | = 256 bit$ and $| {MAC}^{'} | = 160 bit$ . The length of message in SIES is also $256 bit$ . The communication overhead in SHIA is mostly spent in authentication process. Our protocol can reduce such overhead largely as we present in Figure 3.

Figure 3

Communication overhead in authentication process when node degree $d = 3$ .

The total communication overhead reduces by 79% comparing with SHIA when $h = 6$ and $d = 3$ , shown in Figure 4. As the height of aggregation tree increases, the advantages of ECIPAP are more obvious. ECIPAP improves the secure ability of SIES with small communication overhead increase. Our protocol can work more efficiently in the applications where data should be transmitted along multihops.

Figure 4

Total communication overhead in ECIPAP, SHIA, and SIES when node degree $d = 3$ .

6. Conclusion

It is difficult to design an aggregation protocol to protect both data confidentiality and data integrity in wireless sensor networks. Existing protocols which claim to achieve this goal still have some problems. In this paper, we improve SIES by using result-checking mechanism instead of secret sharing. We also use homomorphic encryption algorithm to protect data end-to-end confidentiality. We concentrate on the communication overhead cost in the result-checking phase and propose an efficient confidentiality and integrity preserving aggregation protocol (ECIPAP). We implement our protocol on physical nodes running TinyOS. Through this experiment and theoretical analysis, we show the practicability and high efficiency of ECIPAP.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This paper is supported by National Natural Science Foundation of China (no. 61272512, no. 61003262, and no. 61300177), Program for New Century Excellent Talents in University (NCET-12-0047), and Beijing Natural Science Foundation (no. 4121001, no. 4132054).

References

Groat

M. M.

W. B.

Forrest

KIPDA: k-indistinguishable privacy-preserving data aggregation in wireless sensor networks

Proceedings of the 30th IEEE International Conference on Computer Communications (INFOCOM '11)

April 2011

Shanghai, China

2024 2032

2-s2.0-79960854358

10.1109/INFCOM.2011.5935010

Liu

Y. H.

Iso-map: energy-efficient contour mapping in wireless sensor networks

IEEE Transactions on Knowledge and Data Engineering 2010 22 5 699 710

2-s2.0-77949914437

10.1109/TKDE.2009.157

Yick

Mukherjee

Ghosal

Wireless sensor network survey

Computer Networks 2008 52 12 2292 2330

2-s2.0-46449122114

10.1016/j.comnet.2008.04.002

Feng

Wang

Zhang

Ruan

Confidentiality protection for distributed sensor data aggregation

Proceedings of the 27th IEEE International Conference onComputer Communications (INFOCOM '08)

2008

Phoenix, Ariz, USA

68 76

10.1109/INFOCOM.2008.20

Mykletun

Girao

Westhoff

Public key based cryptoschemes for data concealment in wireless sensor networks

Proceedings of the 41th IEEE International Conference on Communications (ICC '06)

July 2006

Istanbul, Turkey

2288 2295

2-s2.0-42549159545

10.1109/ICC.2006.255111

Manulis

Schwenk

Security model and framework for information aggregation in sensor networks

ACM Transactions on Sensor Networks 2009 5 2 1 28

2-s2.0-65849441512

10.1145/1498915.1498919

Cheng

Xiong

Secure continuous aggregation via sampling-based verification in wireless sensor networks

Proceedings of the 30th IEEE International Conference on Computer Communications (INFOCOM '11)

2011

Shanghai, China

1763 1771

10.1109/INFCOM.2011.5934974

Papadopoulos

Kiayias

Papadias

Exact in-network aggregation with integrity and confidentiality

IEEE Transactions on Knowledge and Data Engineering 2012 24 10 1760 1773

10.1109/TKDE.2012.64

Chan

Perrig

Song

Secure hierarchical in-network aggregation in sensor networks

Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06)

November 2006

Alexandria, Va, USA

278 287

2-s2.0-33845747795

10.1145/1180405.1180440

10.

Perrig

Szewczyk

Wen

Tygar

J. D.

Culler

D. E.

SPINS: security protocols for sensor networks

Wireless Networks 2002 8 5 521 534

2-s2.0-0036738266

10.1023/A:1016598314198

11.

Evan

Secure aggregation for wireless networks

2003

Proceedings of the IEEE Symposium on Applications and the Internet Workshops (SAINT '03)

Orlando, Fla, USA

384 391

12.

Girao

Westhoff

Schneider

CDA: concealed data aggregation for reverse multicast traffic in wireless sensor networks

Proceedings of the 40th IEEE International Conference on Communications (ICC '05)

May 2005

Seoul, Republic of Korea

3044 3049

2-s2.0-24144459865

10.1109/ICC.2005.1494953

13.

Pawan

Anish

Efficient secure aggregation in sensor networks

Proceedings of the 11st International Conference on High-Performance Computing (HiPC '04)

2004

40 49

14.

Blaß

E.-O.

Wilke

Zitterbart

Relaxed authenticity for data aggregation in wireless sensor networks

Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm '08)

September 2008

Istanbul, Turkey

1 10

2-s2.0-70249099630

10.1145/1460877.1460883

15.

Ozdemir

Çam

Integration of false data detection with data aggregation and confidential transmission in wireless sensor networks

IEEE/ACM Transactions on Networking 2010 18 3 736 749

2-s2.0-77953685106

10.1109/TNET.2009.2032910

16.

Hung

M. S.

Chen

C.-H.

P.-C.

A lightweight secure data aggregation protocol for wireless sensor networks

Proceedings of the International Conference on Parallel Processing Workshops (ICPPW '11)

September 2011

Taipei, Taiwan

101 107

2-s2.0-80155190252

10.1109/ICPPW.2011.24

17.

Castelluccia

Chan

A. C.-F.

Mykletun

Tsudik

Efficient and provably secure aggregation of encrypted data in wireless sensor networks

ACM Transactions on Sensor Networks 2009 5 3 1 36

2-s2.0-67651030465

10.1145/1525856.1525858

18.

Albath

Madria

Secure hierarchical data aggregation in wireless sensor networks

Proceedings of the IEEE Wireless Communications and Networking Conference (WCNC '09)

April 2009

Budapest, Hungary

1 6

2-s2.0-70349179495

10.1109/WCNC.2009.4917960

19.

Ozdemir

Xiao

Integrity protecting hierarchical concealed data aggregation for wireless sensor networks

Computer Networks 2011 55 8 1735 1746

2-s2.0-79955780885

10.1016/j.comnet.2011.01.006

20.

Madden

Franklin

J. M.

Hellerstein

TAG: a tiny aggregation service for adhoc sensor networks

Proceedings of the 5th Annual Symposium on Operating Systems Design and Implementation (OSDI '02)

2002

Boston, Mass, USA

131 146

	ECIPAP	SHIA	SIES
Edge congestion	$\| m \|$	$h \times (d - 1) \times \| m^{'} \|$	$\| m^{''} \|$
Node congestion	$d \times \| m \|$	$d \times h \times (d - 1) \times \| m^{'} \|$	$d \times \| m^{''} \|$
Data aggregation	$\sum_{i = 1}^{h} ‍ d^{i} \times \| m \|$	$\sum_{i = 1}^{h} ‍ d^{i} \times \| m^{'} \|$	$\sum_{i = 1}^{h} ‍ d^{i} \times \| m^{''} \|$
Authentication	$\sum_{i = 1}^{h} ‍ d^{i} \times \| m \|$	$\sum_{i = 1}^{h} ‍ d^{i} \times (d - 1) \times i \times \| m^{'} \|$	—
MAC transmission	$\sum_{i = 1}^{h} ‍ d^{i} \times \| MAC \|$	$\sum_{i = 1}^{h} ‍ d^{i} \times \| {MAC}^{'} \|$	—