Sage Journals: Discover world-class research

Abstract

Many miraculous ideas have been proposed to deal with the privacy-preserving time-series data aggregation problem in pervasive computing applications, such as mobile cloud computing. The main challenge consists in computing the global statistics of individual inputs that are protected by some confidentiality mechanism. However, those works either suffer from collusive attack or require time-consuming initialization at every aggregation request. In this paper, we proposed an efficient aggregation protocol which tolerates up to k passive adversaries that do not try to tamper the computation. The proposed protocol does not require a trusted key dealer and needs only one initialization during the whole time-series data aggregation. We formally analyzed the security of our protocol and results showed that the protocol is secure if the Computational Diffie-Hellman (CDH) problem is intractable. Furthermore, the implementation showed that the proposed protocol can be efficient for the time-series data aggregation.

1. Introduction

The security and privacy issue in pervasive computing applications, such as mobile cloud computing, crowd sourcing, and smart metering, has long been a hot research topic in the field of applied cryptography. An adversary may infringe customers' privacy in pervasive computing environment since they are “smart” enough to record one's preferences or habits. For example, smart meters report consumption for users at high frequency (e.g., once per minute) and in real time. This level of monitoring can reveal much private information about users' habits and subject the users to many loathsome outcomes [1, 2], for example, whether they often watch TV (discriminating pricing of health insurance), or even stealthy surveillance in general [3]. For another example, mobile users report their locations, speeds, and mobility to a GPS service provider at real time. The aggregated data, for instance, the number of users at each region during each time period, can be mined for congestion patterns on the roads [4, 5]. However, the individual information above needs to be protected in the privacy consideration.

In this paper, we focus on the privacy-preserving aggregation problem of time-series data without a trusted third party. We use a new additive homomorphic encryption as the cryptographic primitive to handle this aggregation problem. Jung et al. had pointed out that the trusted or semitrusted key issuers could be a security hole since the security of those schemes relies on the assumption that keys are disclosed to authorized participants only [6]. Therefore, the proposed scheme is not initialized by requesting keys from trusted or semitrusted key issuers via secure channel. Meanwhile, we do not require that participants be able to communicate with their neighbors via wireless communication channel. This requirement is expensive and somewhat difficult to actualize in large area situations, so we simply assume that each participant only has a bidirectional communication channel with the aggregator. Besides the aforementioned drawbacks, a large number of aggregation protocols are proposed under the weak security assumption that all the participants are semitrusted and do not collude with the aggregator. To sum up, the goal of this paper is to design a privacy-preserving time-series data aggregation protocol which is robust against up to k colluding passive adversaries that do not try to tamper the computation.

The main contributions of this paper are as follows. (1) We propose a privacy-preserving time-series data aggregation protocol without trusted central key issuer and it only needs one initialization for the participants to acquire their encryption keys. (2) Security and complexity analyses of the proposed protocol are given and the proposed protocol is shown to be efficient and scalable and also it is proved to tolerate up to k colluding passive adversaries. (3) A method which allows the participant and aggregator to verify any individual input or the accumulation of inputs is proposed and the performance evaluations are given in this paper.

The remainder of this paper is structured as follows. The related work is detailed in Section 2. We present the system model and necessary background in Section 3. Subsequently, the construction of our scheme is described in Section 4 and, thereafter, security analysis is in Section 5. The complexity analysis and performance evaluation are reported in Section 6. Section 7 presents the conclusions of this research.

2. Related Work

Many papers have been done in the fields of privacy-preserving data aggregation for many application scenarios. We present the most relevant work to our contribution in this paper. A Paillier's encryption scheme based privacy-enhancing protocol was proposed by Li et al. [10]. Subsequently, Li and Luo introduced the use of homomorphic signature allowing verification to confirm that the data aggregation was correct in [11]. Garcia and Jacobs proposed an aggregation scheme for secure communication with smart meters [12], where a combination of Paillier's additive homomorphic encryption and additive secret sharing has been used. Danezis et. al. [13] proposed an aggregation scheme based on secret-sharing and secure multiparty computation techniques. Shi et al. [14] proposed a Diffie-Hellman based encryption scheme where participants periodically upload encrypted values to an aggregator, and the aggregator computes the sum of those values without learning anything else. It uses brute-force search or Pollard's lambda method to find the exact sum. This kind of brute-force decryption limits its usage restricted to small plaintext spaces due to the hardness of the discrete logarithm problem. Joye and Libert [15] proposed a solution to efficiently decrypt the sum based on the idea of splitting the exponent. Leontiadis et al. [16] introduced a secure protocol for aggregation of time-series data that is based on Joye's scheme [15] and the requirements for key updates and for the trusted dealer are eliminated. The main idea of it is to introduce a semitrusted collector which plays the role of an intermediary between the users and the aggregator.

Recently, Li et al. [8] introduced an efficient protocol to obtain the sum aggregate, which employs an additive homomorphic encryption to support large plaintext space. But this scheme relies on trusted key dealers that distribute the keys via secure channel. Mármol et al. [7] proposed a protocol in which each participant adds its key to its measurement and sends the result to the aggregator, but their scheme needs a previous aggregation before getting the exact sum. In [9], Borges and Muhlhauser proposed an efficient privacy-preserving protocol for smart metering systems based on Paillier's scheme. However, they assume smart meters in the neighborhood communicate with a collector through a wireless mesh network and the collector further communicates with the central management facility through wired communication in the initial setup. Their scheme has the common problem that it will fail if the collector device colludes with the aggregator. Jung et al. [6] presented an advanced protocol which tolerates up to k passive adversaries that did not try to tamper the computation without secure channel. Their protocol needs to initialize for every round of aggregation, so both the communication and computation overheads are too extravagant in time-series data aggregation. Table 1 summarizes our protocol with major related protocols in the literatures. Besides, there are also several works [17–22] on privacy-preserving aggregation of time-series data. Some of them leverage the differential privacy [23] in various ways to achieve privacy as well as collusion (or fault) tolerance. Our scheme can also achieve differentially privacy by simply adding the noises that follow diluted geometric distribution to each meter's data [14].

Table 1

Comparison between the proposed protocols and related aggregation protocols.

	No trusted key dealer	No previous aggregation	Collusion-tolerable	No neighborhood communication	Setup once for all
Mármol et al. [7]	√	×	√	×	×
Li et al. [8]	×	√	√	√	√
Jung et al. [6]	√	√	√	√	×
EPPP4SMS [9]	√	√	×	×	√
Our scheme	√	√	√	√	√

In our scheme, the trusted key dealer in [8, 18, 21] is removed because of the aforementioned security loophole. Unlike [8, 17], we assume insecure channels between most participants, while the secure channels are established based on public key encryption among a small fraction of participants in the same subgroup, which enabled us to implement the proposed scheme in the real cloud environments easily. In this paper, we also take into consideration a small fraction of the participants colluding with the curious aggregator as [6, 17] do. Our scheme is also based on the hardness of the discrete logarithm problem like [14], and we employ an efficient method to calculate the sum instead of employing brute-force manner in decryption.

3. System Model

3.1. Problem Definition and Threat Model

Assume that there are N participants with equivalent number of IDs ${1,2, \dots, N}$ in the system considered in this paper and there is an aggregator that wants to get the sum aggregate of N participants periodically. In this paper, the aggregator may be the service supplier or the cloud. The system is shown in Figure 1. At a time stamp t, each participant i produces a privately known data point $x_{i} (t$ ) from ℤ. The privacy-preserving data aggregation problem is to compute the sum of $x_{i} (t)$ by the aggregator while preserving the data privacy; that is, the objective of the aggregator is to compute the following polynomial without knowing the value of $x_{i} (t)$ :

\begin{matrix} S U M (x (t)) = \sum_{i = 1}^{N} x_{i} (t), \end{matrix}

(1)

where vector

x (t) = (x_{1} (t), x_{2} (t), \dots, x_{N} (t))

. Here, we assume that the final result SUM

(x (t))

is positive and bounded from above by a large prime number p.

Figure 1

The system model.

We assume that participants have a bidirectional communication channel with the aggregator like [17]. The participants are not connected to each other directly, but they can exchange encrypted messages among themselves via the aggregator or intermediate routers. Similar to [6], the communication channels in the system are insecure. Anyone can easily eavesdrop them and/or intercept the data being transferred. In this paper, the aggregator is untrusted so that a curious aggregator may try to compromise someone's private information through the aggregation protocol. A small fraction of the participants may collude with the aggregator, say at most k participants. Similar to [14], we assume that the system has a priori estimate over the upper bound of k. Participants will in general hide the information they have before reporting it to the aggregator. To assist the curious aggregator, however, colluders may deviate from the protocol by providing their own information in the clear to the aggregator. We further assume the participants and aggregator may be passively adversarial; that is, they will not falsify the computation, but they may try to manipulate their calculation to infer others' private information.

3.2. Security Model

To address the challenges of insecure communication channel, we assume that the following CDH problem is computationally intractable; that is, any Probabilistic Polynomial Time Adversary has negligible chance to solve the following problem.

Definition 1 (CDH problem in G).

The Computational Diffie-Hellman problem in a multiplicative group G with generator g is defined as follows: given only $g, g^{a}, g^{b} \in G$ , where $a, b \in Z$ , compute $g^{a b}$ without knowing a or b.

According to [6], we define the security of our proposed scheme as follows.

Definition 2 (CDH-security in G).

We say our privacy-preserving sum calculation is CDH-secure in G if any Probabilistic Polynomial Time Adversary (PPTA) that cannot solve the CDH problem with nonnegligible chance has negligible chance to infer any honest participant's private value in G; that is, any PPTA's probability to solve the CDH problem ε satisfies $ε < |1 / p (κ)|$ for any polynomial $p (\cdot)$ , where κ is the order of group G defined in the CDH problem.

Informally, we opine that our calculation is CDH-secure in G if illegally inferring an honest participant's private value during our calculation is at least as hard as CDH problem in G.

3.3. Some Definitions

Group G is selected as follows. Two large prime numbers p and q are chosen such that $p = k_{c} q + 1$ , where $k_{c}$ is an integer. Then the q-order cyclic multiplicative group G is defined as $〈 g 〉$ , where the generator g is selected with a random number $r \in Z_{p}$ as

\begin{matrix} g = r^{p (p - 1) / q} \mod p^{2} s.t. g \neq 1 \mod p^{2} . \end{matrix}

(2)

In this system, the aggregator intends to compute the sum

\sum_{i = 1}^{n} x_{i} (t)

without knowing any individual

x_{i} (t)

. For simplicity, we index the aggregator with number 0. In our scheme, the aggregator has the capability

k_{0,1}

and

k_{0,2}

to decrypt the encrypted sum. Nevertheless, each participant i has also its permanent private key

k_{i, 1}

and time-dependent private key

k_{i, 2}

to encrypt its data. Like [9], we define the encryption function Enc as

\begin{matrix} Z_{p^{2}} \times G \times G ⟶ Z_{p^{2}}, \\ E n c_{i} (m, h, g) ⟼ (1 + m p) \cdot h^{k_{i, 1}} \cdot g^{k_{i, 2}} \mod p^{2} . \end{matrix}

(3)

Here, h is nonce over

Z_{p^{2}}

and

k_{i, 1}, k_{i, 2}

are nonces over

Z_{p}^{*}

. We can assume the existence of a secure hash function H and define

h = H (t)

H : Z \to G

, where t is the timestamp. The time-dependent private key

k_{i, 2}

is defined on the base of a pseudorandom function (PRF) family

F = {f_{k} : Z \to Z_{q}}_{k \in G}

with the seed k, and we set

k_{i, 2} = f_{k} (t) - f_{k^{'}} (t)

, where

f_{k}, f_{k^{'}} \in F

. Note that the timestamp t cannot be repeated, so the hash function and the nonce

k_{i, 2}

ensure that previous encrypted data points will not be correlated to obtain information.

Subsequently we introduce the decryption mechanism behind the encryption function. Obviously, the Enc function defined here is an additive homomorphic encryption; that is,

\begin{matrix} {E n c}_{i} (m_{1}, h, g) E n c_{j} (m_{2}, h, g) = E n c_{i + j} (m_{1} + m_{2}, h^{'}, g) \mod p^{2} . \end{matrix}

(4)

Given the family of encryption functions from (3), each participant i encrypts its data $x_{i} (t)$ and gets $E n c_{i} (x_{i} (t), h, g)$ . Then participant i sends $E n c_{i} (x_{i} (t), h, g)$ to the aggregator. To decrypt the consolidated summation, the aggregator needs to multiply all encrypted data computing:

\begin{matrix} \prod_{i = 1}^{N} E n c (x_{i} (t), h, g) = (1 + p \sum_{i = 1}^{N} x_{i} (t)) H {(t)}^{\sum_{i = 1}^{N} k_{i, 1}} g^{\sum_{i = 1}^{N} k_{i, 2}} \mod p^{2} . \end{matrix}

(5)

If the aggregator has capability $k_{0,1}$ and $k_{0,2}$ , s.t. $k_{0, j} + \sum_{i = 1}^{N} ‍ k_{i, j} = 0, j = 1,2$ , then the aggregator only needs to compute

\begin{matrix} \frac{(H {(t)}^{k_{0,2}} \cdot g {(t)}^{k_{0,2}} \cdot \prod_{i = 1}^{n} E n c (x_{i} (t), h, g) - 1) \mod p^{2}}{p} \end{matrix}

(6)

to get the decryption sum

\sum_{i = 1}^{N} x_{i} (t)

because

H (t)

and g are cancelled when

H (t)^{k_{0,1}}

and

g (t)^{k_{0,2}}

are multiplied to the encryption result. The detailed construction of our aggregation scheme will be shown in the next section.

4. Our Construction

Jung and Li's scheme [6] includes an advanced protocol which tolerates up to k passive adversaries that do not try to tamper the computation. But the communication and computation overheads are large for participant since it needs to exchange $k + 1$ rounds of messages and to compute its private encryption key every time when a new sum is desired. In this section, we propose a secure key assignment protocol to initialize our scheme and to distribute secret keys among the participants and the aggregator. Even though the communication and computation overheads might be large in our initial setup, our aggregation scheme can perform effectively after setup for only one encryption and one communication with the aggregator in the following aggregations. Before detailing the description of our solution, we first give a brief overview of Jung and Li's scheme.

4.1. Jung and Li's Scheme

(i) Setup. The participant i picks a secret number $r_{i} \in Z_{p}$ and calculates a public parameter $Y_{i} = g^{r_{i}}$ . Then, each participant i shares $Y_{i}$ with participants $i - k$ , $i + 1$ , and $i + 2$ . After a round of exchanges, the participant $i + 1$ computes $Y_{i = 1}^{'} = (g^{r_{i + k + 1}} / g^{r_{i - 1}})^{r_{i + 1}}$ and sends $Y_{i + 1}^{'}$ to $i + 2$ . After the second round of exchanges, the participant $i + 2$ computes $Y_{i + 2}^{'} = (Y_{i + 1}^{'})^{r_{i + 2}}$ and sends it to participant $i + 3$ . In general, when there are k colluding adversaries, it needs $k + 1$ rounds of exchanges such that i gets its randomizer $R_{i} = (g^{r_{i + k + 1}} / g^{r_{i - 1}})^{r_{i + k} r_{i + k - 1} \dots r_{i + 1} r_{i}}$ $\mod p$ .

(ii) Encrypt. Every participant i calculates $C_{i} = (1 + x_{i} (t) p) \cdot R_{i} \mod p^{2}$ . Then, it sends $C_{i}$ to the aggregator.

(iii) Sum. After receiving the ciphertexts from all of the participants, the aggregator calculates $\prod_{i = 1}^{N} ‍ C_{i} (t) \mod p^{2} = (1 + p \sum_{i = 1}^{N} ‍ x_{i} (t)) \mod p^{2}$ . And the aggregator calculates $(C (t) - 1) / p = \sum_{i = 1}^{N} ‍ x_{i} (t)$ to recover the final sum.

It is obvious that the randomizer $R_{i}$ should change at every timestamp t, so Jung and Li's scheme has to set up for every aggregation request. The successive time-consuming setup phase makes the above scheme inapplicable for the aggregation of time-series data.

4.2. Protocol Description

Similarly, our scheme of privacy-preserving sum calculation for time-series data has the three phases: Setup, Encrypt, and Sum.

4.2.1. Setup

(A) Phase 1. In our construction, the aggregator needs to get the capability $k_{0,1} = - \sum_{i = 1}^{N} ‍ k_{i, 1}$ such that $H (t)$ in the encrypted sum can be cancelled in decryption. Here we propose a secure and privacy-preventing sum aggregation protocol without trusted key dealers based on Shamir's secret sharing [24] and Diffie-Hellman key agreement protocol. As is assumed previously, the number of compromised nodes is at most k; thus we divide all N participants into a series of subgroups that contains at least $k + 2$ participants firstly. For simplicity, we set $n \geq k + 2$ . Here we consider the naïve division that every subgroup has n participants and the participant with identity number i belongs to the $[i / n]$ th subgroup (the participants in the first subgroup can be reused if there are no enough participants in the last subgroup). We assume the participant i has an auxiliary identity number $m_{i} \in [n]$ in its subgroup; that is, the participants will get an auxiliary identity number $m_{i}$ from 1 to n according to its identity number i in proper order.

At first, every participant and the aggregator choose a private number to set up the secure channel based on Diffie-Hellman key agreement protocol. Take participants in the mth subgroup as the example. Here each participant i has an auxiliary identity number $m_{i} \in [n]$ in this subgroup. At first, each participant i chooses a random number $r_{i} \in Z_{q}$ computing its public parameter $g_{i} = g^{r_{i}}$ and sends $g_{i}$ to the aggregator. After receiving messages from participants, the aggregator uses its privately known number $r_{0}$ to compute $s_{0, i} = g_{i}^{r_{0}} = g^{r_{0} r_{i}}$ and sends its public parameter $g_{0} = g^{r_{0}}$ and all the other $g_{j}$ $(i \neq j)$ to each participant i; here participant j is also in the mth subgroup. After that each participant i computes $s_{i, 0} = g_{0}^{r_{i}} = g^{r_{0} r_{i}}$ and all $s_{i, j} = g_{j}^{r_{i}} = g^{r_{j} r_{i}} (i \neq j)$ . Thus, all the participants in the mth subgroup and the aggregator share a private session key with each other in the above way.

After the session keys in the subgroup are established, each participant i chooses a private number $p_{i}$ and generates a random polynomial $w_{i}$ over $Z_{q}^{*}$ of order $n - 1$ , such that $w_{i} (0) = p_{i}$ . Then each participant i computes the share of participant j which belongs to the same subgroup as $w_{i, m_{j}} = w_{i} (m_{j})$ for $m_{j} \in [n]$ . Then, each participant i stores share $w_{i, m_{i}}$ itself and all the other shares $w_{i, m_{j}}$ $(m_{j} = 1,2, 3, \dots, m_{i} - 1, m_{i} + 1, \dots, n)$ are sent to the aggregator after being encrypted with the symmetric cryptography (e.g., AES in this paper and we use $A E S (w_{i, m_{j}})$ to denote the ciphertext of $w_{i, m_{j}}$ under AES cryptography with symmetric key derived from $s_{i, j})$ . Then the aggregator distributes the encrypted $A E S (w_{j, m_{i}})$ to participant i. After participant i gets all the encrypted shares $w_{j, m_{i}} (i \neq j)$ from participant j via the aggregator, it decrypts the messages with corresponding symmetric keys and computes the sum $W_{i} = \sum_{j} ‍ w_{j, m_{i}}$ , where participant j is in the mth subgroup. After that participant i encrypts $W_{i}$ as $A E S (W_{i})$ with the secret key derived from $s_{i, 0}$ . Finally, the aggregator collects and decrypts the messages from the entire N participants, computes the sum $W_{s} = \sum_{m_{j} = s} ‍ W_{j}$ for $s = 1,2, \dots, n$ , interpolates $n - 1$ -order polynomial $\sum_{i = 1}^{N} w_{i}$ , and gets the sum $\sum_{i = 1}^{N} ‍ p_{i} = \sum_{i = 1}^{N} ‍ w_{i} (0)$ . Thus participant i's permanent private key $k_{i, 1}$ is selected as $p_{i}$ , and the aggregator's first capability $k_{0,1}$ is equal to $- \sum_{i} ‍ p_{i} \mod q$ .

Here we do not use the method that participant i slices its private number $p_{i}$ into n pieces and sends the corresponding pieces to its subgroup mates in ciphertext, since the aggregator may use exhaustive search to find the unknown small pieces when k participants in this subgroup collude with him.

(B) Phase 2. The capability $k_{0,2}$ is established in a simple way. As mentioned above, each participant $i (i = 1,2, \dots, N)$ has chosen a privately known number $r_{i}$ and its public parameter $g_{i} = g^{r_{i}}$ has been sent to the aggregator. Then, the aggregator distributes $g_{i - 1}$ and $g_{i + 1}$ (here $g_{N + 1} = g_{0}$ ) to participant i and participant i computes $s_{i, i - 1} = g_{i - 1}^{r_{i}}$ and $s_{i, i + 1} = g_{i + 1}^{r_{i}}$ . Note that the process has been done partially in Phase 1 in each subgroup; therefore the aggregator only needs to distributes one message $g_{i - 1}$ or $g_{i + 1}$ to participant i if i and $i - 1$ (or $i + 1$ ) belong to different subgroups. Thus, the time-dependent private key $k_{i, 2}$ for participant i is

\begin{matrix} k_{i, 2} = f_{k} (t) - f_{k^{'}} (t) = f_{s_{i, i - 1}} (t) - f_{s_{i, i + 1}} (t) . \end{matrix}

(7)

Similarly, the aggregator's second capability

k_{0,2} = f_{s_{0, N}} (t) - f_{s_{0,1}} (t)

4.2.2. Encrypt

The participants do not need to repeat the exchanges to get new random numbers to encrypt their data after setup, so our protocol is more communication and computation efficient than Jung and Li's scheme. For a queried timestamp t, each participant i calculates $1 + x_{i} (t) p$ firstly. Then, it multiplies the secret parameters $H (t)^{p_{i}}$ and $g^{f_{s_{i - 1}} (t) - f_{s_{i + 1}} (t)}$ with $1 + x_{i} (t) p$ to get the ciphertext $C_{i} (t) \in Z_{p^{2}}$ :

\begin{matrix} C_{i} (t) = (1 + x_{i} (t) p) \cdot H {(t)}^{p_{i}} \cdot g^{f_{s_{i, i - 1}} (t) - f_{s_{i, i + 1}} (t)} \mod p^{2} . \end{matrix}

(8)

Note that a small fraction of participants (reused participants) will be divided into two subgroups; thus it has two permanent private keys $p_{i}$ and $p_{i}^{'}$ . In order to get the right sum, these reused participants should compute the ciphertext $C_{i}^{'} (t) \in Z_{p^{2}}$ as

\begin{matrix} C_{i}^{'} (t) = (1 + x_{i} (t) p) \cdot H {(t)}^{p_{i} + p_{i}^{'}} \cdot g^{f_{s_{i, i - 1}} (t) - f_{s_{i, i + 1}} (t)} \mod p^{2} . \end{matrix}

(9)

We will omit

p_{i}^{'}

in the following by adding

p_{i}^{'}

p_{i}

; that is,

p_{i} \leftarrow p_{i} + p_{i}^{'}

. After all, the participants send their ciphertexts to the aggregator. In addition, the Encrypt scheme can be efficiently encrypted “on-the-fly.” Namely, exponentiations

H (t)^{p_{i}} \mod p^{2}

and

g^{f_{s_{i, i - 1}} (t) - f_{s_{i, i + 1}} (t)} \mod p^{2}

can be precomputed in such a way that when the plaintext

x_{i} (t)

is known, the participant only has to compute a modular multiplication to get

C_{i} (t)

4.2.3. Sum

The aggregator, after receiving the ciphertexts $C_{i} (t)$ from all participants, calculates $C (t) \in Z_{p^{2}}$ as

\begin{matrix} C (t) = H {(t)}^{k_{0,1}} \cdot g^{k_{0,2}} \cdot \prod_{i = 1}^{N} C_{i} (t) \mod p^{2} = \prod_{i = 1}^{N} (1 + x_{i} (t) p) \cdot H {(t)}^{p_{i}} \cdot g^{f_{s_{i, i - 1}} (t) - f_{s_{i, i + 1}} (t)} \mod p^{2} = (1 + p \sum_{i = 1}^{N} x_{i} (t)) \cdot H {(t)}^{k_{0,1} + \sum_{i = 1}^{N} p_{i}} \cdot g^{f_{s_{0, N}} (t) - f_{s_{0,1}} (t) + f_{s_{1,0}} (t) - f_{s_{N, 0}} (t)} \mod p^{2} = (1 + p \sum_{i = 1}^{N} x_{i} (t)) \mod p^{2} (Here p > \sum_{i = 1}^{N} x_{i} (t)) . \end{matrix}

(10)

Then, the aggregator calculates

(C (t) - 1) / p = \sum_{i = 1}^{N} ‍ x_{i} (t)

to recover the final sum.

4.2.4. Leaving of Existing Participant

Suppose that participant i decides to leave the network with effect at timestamp t. The aggregator should assign a reused participant $i^{'}$ to hold the auxiliary identity number $m_{i}$ in the corresponding subgroup at timestamp t. Then the aggregator sends $g_{i}$ and the public parameters of all the other $n - 1$ members in that subgroup to participant $i^{'}$ and vice versa. Therefore, the secure session keys are established among participant i, $i^{'}$ , and all the other $n - 1$ members of that subgroup. Each participant j (including participant $i^{'}$ ) in that subgroup generates a random number $r_{m_{j}} \in Z_{q}^{*}$ and sends its encryption to participant i. Participant i uses respective session key to decrypt the received key $r_{m_{j}}$ and generates the equality using the received key and its permanent key randomly as $p_{i} + \sum_{m_{j} = 1}^{n} r_{m_{j}} = \sum_{m_{j} = 1}^{n} p_{m_{j}}^{i} \mod q$ and then sends $p_{m_{j}}^{i}$ encrypted under the shared symmetric key. So, the reused participant $i^{'}$ updates $p_{i^{'}}$ as $p_{i^{'}} - r_{m_{i}} \mod q$ and sets the reused permanent key $p_{i^{'}}^{'} = p_{m_{i}}^{i}$ . The other member j of that subgroup updates its permanent private key by adding the previous one to the received number and subtracting its random number $r_{m_{j}}$ soon afterwards; that is, $p_{j} \leftarrow (p_{j} + p_{m_{j}}^{i} - r_{m_{j}}) \mod q$ . To deal with the time-dependent private key, participant i should do nothing but the aggregator distributes the public parameters $g_{i - 1}$ and $g_{i + 1}$ to participant $i + 1$ and participant $i - 1$ correspondingly. When participants $i - 1$ and $i + 1$ receive $g_{i + 1}$ or $g_{i - 1}$ , they correspondingly compute $s_{i - 1, i + 1} = g_{i + 1}^{r_{i - 1}}$ and $s_{i + 1, i - 1} = g_{i - 1}^{r_{i + 1}}$ . So their time-dependent private keys are denoted as $k_{i - 1,2} = f_{s_{i - 1, i - 2}} (t) - f_{s_{i - 1, i + 1}} (t)$ and $k_{i + 1,2} = f_{s_{i - 1, i - 2}} (t) - f_{s_{i - 1, i + 2}} (t)$ .

4.2.5. Joining of New Participant

Assume that a participant, say i, joins just before time slot t and participants $i - 1$ and $i + 1$ hold their time-dependent private keys as $k_{i - 1,2} = f_{s_{i - 1, i - 2}} (t) - f_{s_{i - 1, i + 1}} (t)$ and $k_{i + 1,2} = f_{s_{i - 1, i - 2}} (t) - f_{s_{i - 1, i + 2}} (t)$ . Participant i has to share a session key $s_{i, 0}$ with the aggregator using Diffie-Hellman key agreement protocol at first. Then the aggregator should assign participant i an auxiliary identity number $m_{i}$ which holds by a reused participant j previously in the corresponding subgroup. The aggregator sends $g_{i}$ and $g_{j}$ to participants j and i, correspondingly. Hence, participants i and j share a secure session key by raising the message to the power of its private number. Then, participant j sends its reused permanent private key $p_{j}^{'}$ encrypted under the shared symmetric key to participant i. Participant i will get $p_{j}^{'}$ by decrypting the message of j. Then the aggregator sends $g_{i}$ to all the other $n - 1$ members within that subgroup and vice versa to establish the secure session key among i and all the others in that subgroup. Participant i slices $p_{j}^{'} = \sum_{m_{j} = 1}^{n} p_{m_{j}}^{i} \mod q$ randomly and each participant j in this subgroup generates a random number $r_{m_{j}}$ simultaneously. Then participant i sends the slice $p_{m_{j}}^{i} (m_{j} \neq m_{i})$ encrypted under the shared symmetric key between participants i and j to participant j and $r_{m_{j}}$ is sent to participant i in encryption as aforementioned. After decrypting the message $r_{m_{j}}$ , participant i gets its permanent private key $p_{i} = p_{m_{i}}^{i} + \sum_{m_{j} = 1, j \neq i}^{n} r_{m_{j}} \mod q$ . Then, participant j in this subgroup updates its permanent private key as $p_{j} + p_{m_{j}}^{i} - r_{m_{j}} \mod q$ . To reassign the time-dependent private key, the aggregator distributes $g_{i - 1}$ and $g_{i + 1}$ to participant i and $g_{i}$ to participant $i + 1$ and $i - 1$ . By the way mentioned earlier, participants $i - 1$ , i, and $i + 1$ get their time-dependent private key as $f_{s_{i - 1, i - 2}} (t) - f_{s_{i - 1, i}} (t)$ , $f_{s_{i, i - 1}} (t) - f_{s_{i, i + 1}} (t)$ , and $f_{s_{i + 1, i}} (t) - f_{s_{i + 1, i + 2}} (t)$ , correspondingly.

5. Protocol Analysis

When p is chosen large enough to hold the inequality $p > \sum_{i = 1}^{N} ‍ x_{i} (t)$ , the correctness of the proposed scheme is proven in Section 4.2.3. In this section, we present the property of verification which can be used by the participants and the aggregator. The analyses of privacy and security about our aggregation scheme are also presented.

5.1. Verification Properties

If a participant did not send its data or sent an invalid message, the aggregator cannot read consolidated summation, that is, the exact sum. Obviously, neighboring participants and participants in the same subgroup can cooperate to disclose the key of the damaged participant. But this can result in the privacy disclosure of the damaged one. A better solution is to generate new keys for nondamaged participants. As the benefits of our subgroup method, the aggregator can know the exact sum of one subgroup's permanent private keys. Therefore, only n participants need to change their permanent private keys and two participants need to regenerate their time-dependent private keys.

The aggregator can ask for verification when the sum is different from the expected. If the aggregator asks for verification to identify that something is wrong, a participant i can reveal its proof of the timestamp t without disclosing its actual reading. To perform verification over a sent encrypted value $C_{i}$ of participant i, the aggregator sends a request to i, and then the participant might send $R_{i} (t) = (1 + x_{i} (t) p) \cdot H (t)^{p_{i}} \mod p^{2}$ and $V_{i} (t) = g^{f_{s_{i, i - 1}} (t) - f_{s_{i, i + 1}} (t)} \mod p^{2}$ to the aggregator. Therefore, the sent encrypted value can be verified by $C_{i} (t) ? = R_{i} (t) \cdot V_{i} (t) \mod p^{2}$ . Note that the accumulation of participant's inputs during the time period from $t_{0}$ to $t_{0} + d$ (e.g., one day) can be verified in the following way. The aggregator computes $O C_{i} (t) = \prod_{t = t_{0}}^{t_{0} + d} ‍ C_{i} (t) \mod p^{2}$ by multiplying all the $d + 1$ encrypted inputs and participant i sends the sum $O R_{i} (t) = \prod_{t = t_{0}}^{t_{0} + d} ‍ x_{i} (t)$ and the product $O V_{i} (t) = \prod_{t = t_{0}}^{t_{0} + d} ‍ H (t)^{p_{i}} g^{f_{s_{i, i - 1}} (t) - f_{s_{i, i + 1}} (t)} \mod p^{2}$ to the aggregator. If $O C_{i} (t) = (1 + O R_{i} (t) \cdot p) \cdot O V_{i} (t) \mod p^{2}$ , then the participant proves the accumulation result is correct. The later verification property can be used to invoice the billing information in many realistic applications, such as smart grids.

5.2. Security Analysis

Since our aggregator scheme includes three steps: Setup, Encrypt, and Sum, and the Setup is the foundation of our construction, we will give the security proof of Setup at first.

Theorem 3.

Our Phase 1 of Setup in the aggregation scheme is CDH-secure in G.

Proof.

The symmetric cryptography AES is used in our Setup phase as well as Shamir's secret sharing scheme and Diffie-Hellman key agreement protocol. As mentioned in [25], a 128-bit AES key demands a DH key size of 3072 bits for equivalent security. Thus, the security level mainly depends on the DH key agreement protocol. In a nutshell, we show that any PPTA that has significant chance to infer private values in our Setup phase has nonnegligible advantage to solve the CDH problem, which is a contradiction to our security assumption that CDH problem is intractable.

Since the communication channel is insecure, any adversary has the same view unless it can collude with some adversarial participants. In the worst case, the aggregator can collude with $n - 2$ adversarial participants in one subgroup and at least participants i and j are uncompromised. If the aggregator wants to infer the permanent private key $p_{i}$ of participant i, it has to get $w_{i, m_{j}}$ and $w_{i, m_{i}}$ , because even if the aggregator gets another $n - 2$ shares of i, it cannot reconstruct the $n - 1$ -order polynomial $w_{i}$ to get $p_{i}$ . If all the symmetric session keys are gotten by the aggregator, it can recover $w_{i, m_{j}}$ by decrypting the corresponding message and $w_{i, m_{i}}$ by subtracting $\sum_{k} ‍ w_{k, m_{i}} (k \neq i)$ from $W_{i}$ . When the aggregator gets all the n shares of participant i, it interpolates $n - 1$ -order polynomial $w_{i}$ to calculate $p_{i} = w_{i} (0)$ . Note that any PPTA is only given $g_{i} = g^{r_{i}}$ and $g_{j} = g^{r_{j}}$ from the insecure communication channel, so a PPTA has to solve the CDH problem in G to get the unknown symmetric session keys. However, this is exactly the CDH problem, which is assumed to be intractable. That is, inferring permanent private key during Setup is at least as hard as a CDH problem in G for any Probabilistic Polynomial Time Adversary.

The time-dependent private key in Phase 2 of Setup is aimed not only at enhancing the security but also at reducing the probability that aggregator can get the sum of one subgroup. Without the time-dependent private key, it is easy for aggregator to compute the sum of one subgroup. As Enc is constructed, aggregator can get the sum of a subgroup only if the first and the last participants in its neighboring subgroups are colluded with the aggregator with a probability of $(n - 2) (n - 3) / N^{2}$ . The time-dependent private key can confuse the outside adversaries but will fail in collusion attacks. The security of our scheme mainly depends on the permanent private key. Then we will give the security proof of the proposed aggregation process.

Theorem 4.

Our proposed aggregation protocol is CDH-secure in G.

Proof.

To infer $x_{i} (t)$ given $C_{i} (t) = (1 + x_{i} (t) p) \cdot H (t)^{p_{i}} \cdot g^{f_{s_{i, i - 1}} (t) - f_{s_{i, i + 1}} (t)} \mod p^{2}$ , any adversary has to solve the secret randomizer $H (t)^{p_{i}} \cdot g^{f_{s_{i, i - 1}} (t) - f_{s_{i, i + 1}} (t)} \mod p^{2}$ . In the worst case, the participants $i - 1$ and $i + 1$ collude with the aggregator and there are also another $n - 4$ participants which are compromised. Thus, the aggregator knows the participant $i^{'} s$ time-dependent private key $f_{s_{i, i - 1}} (t) - f_{s_{i, i + 1}} (t)$ . It has been shown that inferring permanent private key during Setup is at least as hard as a CDH problem in G for any PPTA; thus the aggregator has to solve the secret randomizer $H (t)^{p_{i}} \mod p^{2}$ . Denote $H (t) = g^{h}$ ; the aggregator has to compute the discrete logarithms to get h and $h p_{i}$ . Assume that there is a PPTA that can solve the discrete logarithm problems, so it also solves the CDH problem defined in our group G. However, the CDH problem is intractable; therefore the adversary has a negligible advantage to solve the secret randomizer $H (t)^{p_{i}} \mod p^{2}$ . That is, inferring private values during the aggregation scheme is at least as hard as a CDH problem in G for any PPTA.

Theorem 5.

Our proposed aggregation protocol is aggregator obliviousness; that is, a party without the aggregator capability learns nothing.

Proof.

To infer $\sum_{i = 1}^{N} ‍ x_{i} (t)$ given

\begin{matrix} C^{'} (t) = (1 + p \sum_{i = 1}^{N} x_{i} (t)) H {(t)}^{\sum_{i = 1}^{N} p_{i}} g^{f_{s_{0,1}} (t) - f_{s_{0, N}} (t)} \mod p^{2}, \end{matrix}

(11)

any PPTA has to solve the secret randomizer

H (t)^{\sum_{i = 1}^{N} ‍ p_{i}} g^{f_{s_{0,1}} (t) - f_{s_{0, N}} (t)}

firstly. Note that any PPTA is only given

H (t)

and g from the insecure communication channel; the PPTA has to compute the discrete logarithms to cancel the exponent of g. That is, inferring the aggregation results without the aggregator capability is at least as hard as a CDH problem in G for any PPTA.

The security proof of the Leaving or Joining process is omitted. However, these two processes are CDH-secure in G.

6. Performance Evaluation

6.1. Complexity

In this section, we will discuss the computation and communication complexities of the proposed aggregation scheme. For the sake of simplicity, we denote that the computation complexity of encryption or decryption in 128-bit AES is $O (1)$ and we also assume that there are no reused participants.

6.1.1. Setup Process

In Phase 1, it is easy to see that the participant needs to compute one public parameter, n symmetric session keys, and n secret shares and to encrypt and decrypt $n - 1$ shares. Therefore, the computation complexity of each participant is $O (4 n - 1)$ . Since the aggregator needs to compute one public parameter, N symmetric session keys, N decryption, and n Lagrange basis polynomials, the computation complexity of the aggregator is $O (2 N + n + 1)$ . In addition, participant i in subgroup boundary (i.e., $i = k n$ and $i = k n + 1$ , $i \neq 1, N$ ) will need extra computation of symmetric session key in Phase 2, while others do not need any computations.

In Phase 1, every participant exchanges public parameter with its groupmates in the subgroup via the aggregator, which incurs communication of $O (2 | p |)$ bits, where $| p |$ represents the bit length of p. The participant needs to exchange the secret shares with its partners and the communication overhead is $O (n | q |)$ . Since the aggregator needs to send all messages to N participants, its communication overhead is $O (2 N (n - 1) | q | + N (n - 1) | p |)$ . In Phase 2, there is no extra communication overhead for the participants, and the aggregator only needs to send about $O (4 | q | N / n)$ messages.

6.1.2. Encrypt and Sum Processes

In Encrypt process, it is easy to see that every participant has a communication overhead of $O (2 | p |)$ and a computation complexity of $O (1)$ . In Sum process, the aggregator's computation overhead is $O (N + 1)$ .

6.1.3. Leaving of Existing Participant

In this process, the assigned participant $i^{'}$ needs to compute n symmetric session keys and every participant in this subgroup has a computation overhead of $O (2)$ to compute the symmetric session key with $i^{'}$ and to update its permanent private key. Moreover, each one of these participants should compute one AES encryption and decryption. The leaving participant needs to compute one symmetric session key, one equality, and n 128-bit AES encryptions and decryptions, so its computation overhead is $O (4 n + 1)$ . In addition, each adjacent neighbor of i (e.g., participant $i + 1$ or participant $i - 1$ ) has to change its time-dependent private key with the computation overhead of $O (2)$ . As we can see, the leaving participant i has a communication overhead of $O (2 n | q |)$ and the reused participant $i^{'}$ has that of $O (2 (n + 1) | p | + 2 | q |)$ . The aggregator sends $2 n$ public parameters and $2 n$ encrypted messages to the subgroup and two public parameters to the adjacent neighbors of leaving participant; therefore the communication overhead of the aggregator is about $O (4 n | p | + 4 n | q |)$ .

6.1.4. Joining of New Participant

The joining participant has to compute its public parameter at first, and then it needs to compute n session keys and to decrypt and encrypt n messages. In addition, the joining participant needs to compute two equalities and two session keys to get its time-dependent private key. Thus, the computation complexity of i is $O (4 n - 1)$ . Other members in its subgroup need to compute one session key to decrypt and encrypt a single message and to update the permanent private key. So, the computation complexity is $O (4)$ . Note that the adjacent neighbors of joining participant need to take extra computation to update their time-dependent private key. To our understanding, the joining participant has a communication overhead of $O (2 n | p | + 2 (n - 1) | q |)$ and the reused participant has that of $O (2 | p | + 2 | q |)$ . And we conclude that the aggregator's communication overhead is also $O (4 n | p | + 4 n | q |)$ . Thus, the total complexities of aggregator and participants are summarized in Table 2.

Table 2

Complexity of our scheme.

Per meter	Computation	Communication
Setup	$O (n)$	$O (n \| p \| + n \| q \|)$
Encrypt	$O (1)$	$O (\| p \|)$

Aggregator	Computation	Communication

Setup	$O (N)$	$O (N n \| q \| + N n \| p \|)$
Sum	$O (N)$	$O (N \| p \|)$
Meter leaving	∖	$O (n \| p \| + n \| q \|)$
Meter joining	$O (1)$	$O (n \| p \| + n \| q \|)$

Leaving/joining meter	Computation	Communication

Meter leaving	$O (n)$	$O (n \| q \|)$
Meter joining	$O (n)$	$O (n \| p \| + n \| q \|)$

Subgroup mates	Computation	Communication

Meter leaving	$O (1)$	$O (\| p \| + \| q \|)$
Meter joining	$O (1)$	$O (\| p \| + \| q \|)$

Reused meter	Computation	Communication

Meter leaving	$O (n)$	$O (n \| p \|)$
Meter joining	$O (1)$	$O (\| p \| + \| q \|)$

6.2. Evaluation by Implementation

The Encrypt process may be run by the participant with constrained resources and the sum is run on the aggregation side. So the performance of encryption is more important in the aggregation protocols. As is pointed out, EPPP4SMS is much faster in encryption than many protocols that use Paillier's scheme [7]. Therefore, in this simulation, we only compare the performance of our protocol with other two existing aggregation protocols in [6] (specifically, Jung's advanced protocol) and [7] (EPPP4SMS). To simulate and measure the computation overhead, the aggregation protocols are all implemented in Java in a computer with Intel i3-2100 CPU @ 3.10 GHz and 3 GB of RAM, and each result is the average time measured in the 1,000 times of executions. Also, the input data $x_{i}$ is a random number less than 100,000. In our protocol and Jung's advanced sum protocol, q is of 512-bit length, and p is roughly of 520-bit length, while EPPP4SMS uses 512 bits for the exponents and primes with 512 bits. Thus, the ciphertexts in these protocols are roughly of 1024-bit length.

First of all, we compared the participant's computation overhead in setup of our sum protocol and Jung's protocol. We do not simulate the setup phase of EPPP4SMS for the reason that it does not cover the same security assumption with ours and Jung's protocol. It is clear that the computation overhead of each participant in Setup phase only depends on the number of colluders if the length of ciphertext is fixed. We measured the total computation time of each participant spent in calculating its final encryption keys with different number of colluders and the results are shown in Figure 2. As we can see in Figure 2(a), the setup time for each participant of our protocol in the first aggregation is almost the same as Jung's protocol. However, as aforementioned, Jung's protocol needs to set up for every round of aggregations, while our scheme only needs one setup during all of the aggregations. Obviously, our protocol is much more efficient for the time-series data aggregation and the conclusion is in accordance with the simulation results in Figure 2(b).

Figure 2

The time spent in setup phase. (a) The dependence of number of colluders and setup time for each participant in the first aggregation. (b) The dependence of number of aggregations and the total time for setup for each participant (here the number of colluders is set to 800).

The independence of computation time of encryption (decryption) for each participant (aggregator) and the number of colluders is shown in Figure 3. In Figure 3, we set the total number of participants to 2,000, while the number of colluders ranges from 50 to 400. Figure 3(a) suggests that the number of colluders has a negligible influence on the computation times of each participant spent in encryption and Figure 3(b) indicates that the number of colluders does not affect significantly the decryption time of aggregator. In addition, Figure 3 shows that the encryption efficiency can be improved by around 300 times (from about 15 ms to 0.05 ms) when exponentiations $H (t)^{p_{i}} \mod p^{2}$ and $g^{f_{s_{i, i - 1}} (t) - f_{s_{i, i + 1}} (t)}$ are precomputed. Thus, we assume the number of coconspirators is 50 for our protocol and Jung's protocol in the following simulations. The independence of total number of participants and encryption time for each participant is shown in Figure 4. As suggested in Figure 4, our protocol is faster than EPPP4SMS in encryption if both our protocol and EPPP4SMS have the same length of ciphertexts. The simulation of our protocol ran in a mean time of 15.69 ms, while the EPPP4SMS ran in 17.30 for encryption. Because Jung's protocol only computes two modular multiplications in encryption, it has the most efficient encryption ran in about 0.016 ms. Moreover, our protocol takes 0.05 ms after deploying the “on-the-fly” method and EPPP4SMS has that of 0.38 ms in average. Nevertheless, Jung's protocol needs to recall time-consuming initialization for every aggregation; it turns out to be the most inefficient one for the time-series data aggregation. The dependence of total number of participants and decryption time for aggregator is shown in Figure 5. It indicates that the decryption time for the aggregator grows linearly with the number of participants. We can also see that EPPP4SMS has the most inefficient decryption when the total number of participants is small and these three schemes have an almost similar decryption time for large number of participants.

Figure 3

The independence of computation time of encryption (decryption) for each participant (aggregator) and the number of colluders. (a) encryption; (b) decryption.

Figure 4

The dependence of total number of participants and decryption time for aggregator.

Figure 5

The independence of the total number of participants and encryption time for each participant. (a) The encryption time of our scheme and EPPP4SMS. (b) The “on-the-fly” encryption time and the encryption time of Jung's protocol.

7. Conclusion

In this paper, we proposed a privacy-preserving aggregation scheme for time-series data without trusted key dealers. Our proposed scheme is experimentally shown to be scalable and faster in the encryption and decryption compared to some Paillier's cryptosystem based protocols. The reason of the outwardly inefficient setup in our scheme is that no trusted or semitrusted key dealer is assigned in the system and the communication channels between the participants and the aggregator are not secure. However, our scheme is shown to be much more efficient than Jung and Li's protocol in [6] with the same security assumption because Jung and Li's protocol is not the time-series data and its initialization should be repeated every time when a new sum is desired. In the proposed scheme, the aggregation results can be calculated efficiently after setup and each participant takes the same processing time independent of the number of participants considered in the aggregation.

The scheme is proposed to tolerate up to k collusive adversaries that will not tamper the computation but try to manipulate their parameters to infer others' private values. And the security of our scheme is formally analyzed and it is shown that the scheme is secure if the CDH problem is assumed to be intractable. Our proposed scheme provides verification as well as scalable encryption because the processing time of the encryption does not depend on the number of participants. The implementations of our scheme suggest that the proposed aggregation protocol is efficient for time-series data.

Footnotes

Competing Interests

The authors declare that they have no competing interests.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (Grant no. 41371402), the National Basic Research Program of China (973 Program) (Grant no. 2011CB302306), and the Fundamental Research Funds for the Central Universities under Grant no. 2015211020201.

References

Lisovich

M. A.

Mulligan

D. K.

Wicker

S. B.

Inferring personal information from demand-response systems

IEEE Security and Privacy 2010 8 1 11 20

10.1109/MSP.2010.40

2-s2.0-77249154055

Quinn

E. L.

Smart metering and privacy: existing law and competing policies

A Report for the Colorado Public Utilities Commission 2009

Hart

G. W.

Residential energy monitoring and computerized surveillance via utility power flows

IEEE Technology and Society Magazine 1989 8 2 12 16

10.1109/44.31557

2-s2.0-0024686013

Fan

Xiong

An adaptive approach to real-time aggregate monitoring with differential privacy

IEEE Transactions on Knowledge and Data Engineering 2014 26 9 2094 2106

10.1109/tkde.2013.96

Xiong

Jiang

Liu

Differentially private histogram publication for dynamic datasets: an adaptive sampling approach

Proceedings of the 24th ACM International on Conference on Information and Knowledge Management (CIKM ′15)

2015

ACM

1001 1010

Jung

Wan

Collusion-tolerable privacy-preserving sum and product calculation without secure channel

IEEE Transactions on Dependable and Secure Computing 2015 12 1 45 57

10.1109/tdsc.2014.2309134

Mármol

F. G.

Sorge

Ugus

Pérez

G. M.

Do not snoop my habits: preserving privacy in the smart grid

IEEE Communications Magazine 2012 50 5 166 172

10.1109/mcom.2012.6194398

2-s2.0-84860860164

Cao

Porta

T. F. L.

Efficient and privacy-aware data aggregation in mobile sensing

IEEE Transactions on Dependable and Secure Computing 2014 11 2 115 129

10.1109/TDSC.2013.31

2-s2.0-84898685015

Borges

Muhlhauser

EPPP4SMS: efficient privacy-preserving protocol for smart metering systems and its simulation using real-world data

IEEE Transactions on Smart Grid 2014 5 6 2701 2708

10.1109/tsg.2014.2336265

2-s2.0-84908307120

10.

Luo

Liu

Secure information aggregation for smart grids using homomorphic encryption

Proceedings of the 1st IEEE International Conference on Smart Grid Communications (SmartGridComm ′10)

October 2010

Gaithersburg, Md, USA

327 332

10.1109/smartgrid.2010.5622064

11.

Luo

Preserving data integrity for smart grid data aggregation

Proceedings of the IEEE 3rd International Conference on Smart Grid Communications (SmartGridComm ′12)

November 2012

Tainan, Taiwan

366 371

10.1109/smartgridcomm.2012.6486011

2-s2.0-84876027843

12.

Garcia

F. D.

Jacobs

Cuellar

Lopez

Barthe

Pretschner

Privacy-friendly energy-metering via homomorphic encryption

Security and Trust Management 2011 6710

Berlin, Germany

Springer

226 238 Lecture Notes in Computer Science

10.1007/978-3-642-22444-7_15

13.

Danezis

Fournet

Kohlweiss

Zanella-Béguelin

Smart meter aggregation via secret-sharing

Proceedings of the 1st ACM Workshop on Smart Energy Grid Security (SEGS ′13)

2013

ACM

75 80

10.1145/2516930.2516944

14.

Shi

Chan

T.-H. H.

Rieffel

E. G.

Chow

Song

Privacy-preserving aggregation oftime-series data

Proceedings of the Network and Distributed System Security (NDSS ′11) Symposium

2011

15.

Joye

Libert

Sadeghi

A.-R.

A scalable scheme for privacy-preserving aggregation of time-series data

Financial Cryptography and Data Security 2013 7859

New York, NY, USA

Springer

111 125 Lecture Notes in Computer Science

10.1007/978-3-642-39884-1_10

16.

Leontiadis

Elkhiyaoui

Molva

Gritzalis

Kiayias

Askoxylakis

Private and dynamic time-series data aggregation with trust relaxation

Cryptology and Network Security 2014 8813 305 320 Lecture Notes in Computer Science

10.1007/978-3-319-12280-9_20

17.

Won

C. Y. T.

Yau

D. K. Y.

Rao

N. S. V.

Proactive fault-tolerant aggregation protocol for privacy-assured smart metering

Proceedings of the 33rd IEEE Conference on Computer Communications (INFOCOM ′14)

May 2014

Toronto, Canada

2804 2812

10.1109/infocom.2014.6848230

2-s2.0-84904497233

18.

Castelluccia

Chan

Mykletun

Tsudik

Efficient and provably secure aggregation of encrypted data in wireless sensor networks

ACM Transactions on Sensor Networks (TOSN) 2009 5 3, article 20

10.1145/1525856.1525858

19.

Liang

Lin

Shen

EPPA: an efficient and privacy-preserving aggregation scheme for secure smart grid communications

IEEE Transactions on Parallel and Distributed Systems 2012 23 9 1621 1632

10.1109/tpds.2012.86

2-s2.0-84864583229

20.

Jawurek

Kerschbaum

Fault-tolerant privacy-preserving statistics

Proceedings of the 12th International Symposium on Privacy Enhancing Technologies (PET ′12)

2012

Vigo, Spain

Springer

221 238

21.

Cao

Efficient privacy-preserving stream aggregation in mobile sensing with low aggregation error

Proceedings of the 13th International Symposium on Privacy Enhancing Technologies (PETS ′13), Bloomington, Ind, USA, July 2013 2013

Berlin, Germany

Springer

22.

Mármol

F. G.

Sorge

Petrlic

Ugus

Westhoff

Martínez Pérez

Privacy-enhanced architecture for smart metering

International Journal of Information Security 2013 12 2 67 82

10.1007/s10207-012-0181-6

2-s2.0-84874813956

23.

Dwork

Differential privacy

Automata, Languages and Programming 2006 4052

Berlin, Germany

Springer

1 12 Lecture Notes in Computer Science

10.1007/11787006_1

MR2307219

24.

Goryczka

Xiong

Sunderam

Secure multiparty aggregation with differential privacy: A Comparative Study

Proceedings of the Joint EDBT/ICDT 2013 Workshops

March 2013

ACM

155 163

10.1145/2457317.2457343

2-s2.0-84876804705

25.

Vanstone

S. A.

Next generation security for wireless: elliptic curve cryptography

Computers & Security 2003 22 5 412 415

10.1016/s0167-4048(03)00507-8

2-s2.0-0038443119

Collusion-Tolerable and Efficient Privacy-Preserving Time-Series Data Aggregation Protocol

Abstract

1. Introduction

2. Related Work

3. System Model

3.1. Problem Definition and Threat Model

3.2. Security Model

Definition 1 (CDH problem in G).

Definition 2 (CDH-security in G).

3.3. Some Definitions

4. Our Construction

4.1. Jung and Li's Scheme

4.2. Protocol Description

4.2.1. Setup

4.2.2. Encrypt

4.2.3. Sum

4.2.4. Leaving of Existing Participant

4.2.5. Joining of New Participant

5. Protocol Analysis

5.1. Verification Properties

5.2. Security Analysis

Theorem 3.

Proof.

Theorem 4.

Proof.

Theorem 5.

Proof.

6. Performance Evaluation

6.1. Complexity

6.1.1. Setup Process

6.1.2. Encrypt and Sum Processes

6.1.3. Leaving of Existing Participant

6.1.4. Joining of New Participant

6.2. Evaluation by Implementation

7. Conclusion

Footnotes

Competing Interests

Acknowledgments

References