Sage Journals: Discover world-class research

Abstract

Toward the goal of high security and efficiency for data collection in wireless sensor network, this article proposed an adaptable secure compressive sensing–based data collection scheme for distributed wireless sensor network. It adopted public key cryptography technology to solve the key distribution problem, and compressive sensing over finite fields to reduce the communication cost of data collection. Under hardness of decisional learning with errors problem on lattice, it can ensure indistinguishability against chosen ciphertext attack (IND-CCA1) security scheme for collected data on the extranet and indistinguishability against chosen plaintext attack security for data during the process of distributed collection on the intranet. Owing to the similar linear structure for lattices and compressive sensing, data encryption collection can be all in the form of efficient linear operations, and internode data aggregation can be in the form of addition operation.

Keywords

Distributed sensor networks secure data collection encryption algorithm compressed sensing quantum attack resistant

Introduction

Background

Wireless sensor networks (WSN) is considered as a bridge between human society and physical world. It is deployed for collectively monitoring and disseminating information about various interesting phenomena. In a large-scale network, data transmissions are usually fulfilled through multi-hop routing from individual sensor nodes to the sink node, which causes a lot of redundant transmissions. Therefore, it increases the cost of network communication. The basic data collection scheme in WSN is shown in Figure 1.¹

Figure 1.

Basic data collection scheme in WSN.

For $i = 1, 2, \dots, n$ , we use $x_{i}$ to express the data generated by node $S_{i}$ . Each node forwards its own data along with the data received from the child node to the father node. Finally, the sink completes data collection of intranet in WSN and forwards the collected data $x = (x_{1}, x_{2}, \dots, x_{n})$ to data processor through extranet.

Remarkably, nodes that are closed to the sink will transmit more data and consume more energy than those outside the network. The out-off-balance energy consumption has a substantial impact on network lifetime.

Compressive sensing (CS) is a novel sensing paradigm that goes against the common wisdom in data collection.² Compared with the traditional theory, CS theory shows that one can recover sparse data from far fewer measurements or samples and thus reduce the data collection cost and prolong the lifetime of WSN.

CS-based data collection is now wildly used in WSN for data compression and linear structure. It can be depicted in Figure 2.¹

Figure 2.

CS-based data collection schemes in WSN.

More concretely, let $x_{i} \in R$ be the data generated by node $S_{i}$ , and $Ø_{i} = (Ø_{1 i}, Ø_{2 i}, \dots, Ø_{ki})^{T} \in R^{k}$ be a measure matrix of node $S_{i}$ , for a sparse n-dimensional data $x = (x_{1}, x_{2}, \dots, x_{n})^{T} \in R^{n}$ generated by nodes $(S_{1}, S_{2}, \dots, S_{n})$ , we consider a compression form $y = Φ x \in R^{k}$ $(k << n)$ , where $Φ = (Ø_{1}, Ø_{2}, \dots, Ø_{n}) \in R^{k \times n}$ is a measure matrix shared by nodes and data processor, and $y$ is the measure data of $x$ , then the collected measure data $y$ in the sink can be expressed as

y = Φ x = x_{1} Ø_{1} + x_{2} Ø_{2} + \dots + x_{n} Ø_{n}

In intranet of WSN, for $i = 1, 2, \dots, n$ , each node $S_{i}$ first computes $x_{i} Ø_{i}$ , next adds the data of child node $S_{i - 1}$ , and then sends the result to its parent node, thereby completing the encoding during transmission. Finally, the sink sends the collected measure data $y$ to the data processor through extranet. The theory of CS guarantees that $x$ can be accurately recovered from $y$ on the data processor using the measure matrix $Φ$ .

At present, WSN is widely used in many fields. In addition to energy issue, the necessity for security of data in transit becomes very crucial factor. Although CS-based data collection scheme can reduce the data collection cost and prolong the lifetime of WSN,³ it does not consider the existence of adversaries in the network and therefore cannot protect the security of data. Thus, to construct a secure CS-based data collection scheme for WSN is a very significant work.

Previous works

To solve security challenges for CS-based data collection scheme, a feasible method is to let measurement matrix be a symmetric key, which is just known by both encrypted and decrypted parties. This ideal was formally studied in RB08,⁴ who regarded an original signal to be sampled as plaintext and its random measurements as ciphertext. We called it as compressed sensing symmetric encryption (CSSE). In their security model, only the encoding result is accessible to the adversary (both the measurement matrix and signal cannot be accessed to the adversary), which means their conclusion is based on a ciphertext-only attack model. By employing a random Gaussian sensing matrix updated at every time encryption, BBM14⁵ and BBM16⁶ showed that the cryptosystem with the one-time sensing (OTS) random Gaussian matrix could be perfectly secure. The basic idea of the above scheme is to ensure the security of the system by using “one-time pad,” but it costs too much to update the key each time. From the practical point of view, YYN17b⁷ employed a secret bipolar key-stream and a public unitary matrix, which could generate and renew the key-stream at each encryption in a fast and efficient manner. They demonstrated that the entries of the sensing matrix were asymptotically Gaussian distribution if the plaintext length is sufficiently large, and this cryptosystem could achieve the security of indistinguishability against chosen plaintext attack (IND-CPA) if each plaintext had constant energy. Previous security analyses of CS are based on the OTS hypothesis (i.e. the secret key/measurement matrix is used only once). CM18⁸ studied a CS-based asymptotically Gaussian one-time sensing (AG-OTS) cryptosystem for secure wireless communications. HXC14⁹ pointed out the CSSE was not secure enough without OTS assumption. However, due to the complex deployment environment of WSN, CS-based data collection schemes still face security threats, poor efficiency and impracticality.

In typical CS-based data collection scheme of WSN as Figure 2, the data collection, encoding, and aggregation are processed at each node in a distributed model, while the data recovery is accomplished at the sink independently according to measurement results received from other nodes. The sink shares the measurement matrix with each sensing node, respectively. To achieve OTS, the measurement matrix (secret key) should be stored in each node and synchronously updated in each measurement cycle. This may face several challenges. First, it enormously increases the cost of communication. Note that the size of the measurement matrix ( $k \times n$ elements) is much larger than the size of the measurement result (k elements). Therefore, the communication cost of key update is too high, especially updated frequently. Second, the distributed characteristic of WSN also makes it more difficult to achieve OTS. On one hand, the multi-hop transmission mechanism may increase the communication cost of OTS, especially when a single key distribution process contains several round of data transmission. On the other hand, most sensor nodes cannot resist attacks and are easy to be captured, so they are not suitable for storing secret key information.

To improve security and practicality of CSSE-based data collection schemes in WSN, PSK18³ present a secure data collection scheme based on compressive sensing (SeDC) by introducing an additive homomorphism encryption mechanism to enhance data confidentiality. In SeDC, the intermediate nodes can aggregate data directly in the ciphertext domain without decrypting the received data, which means the private key is not necessary to be stored at the intermediate nodes, thus the security is guaranteed.

More specifically, SeDC used a homomorphic encryption function HE to encrypt the ith measurement results of the node $j$ (i.e. $Ø_{ij} x_{j} \in R$ ) into HE $(Ø_{ij} x_{j})$ . The encrypted data HE $(Ø_{ij} x_{j})$ is transferred to its parents for aggregation in ciphertext domain. The aggregation result of sink is $Π_{j = 1}^{n} HE (Ø_{ij} x_{j}) = HE (\sum_{j = 1}^{n} Ø_{ij} x_{j})$ . The detailed process is shown in Figure 3.

Figure 3.

SeDC in PSK18.

Although by combining public key cryptography with compressed sensing, PSK18 solved the key distribution and storage problem of CSSE-based data collection schemes in WSN, there are still some imperfections in terms of efficiency and security.

First, homomorphism encryption function HE usually requires plaintext space to be a finite set, but $Ø_{ij} x_{j} \in R$ is not a finite set. So the encryption operation HE $(Ø_{ij} x_{j})$ cannot be performed correctly.

Second, intranet networks are usually more trustworthy than extranets, IND-CPA security would be sufficient in practice to preserve confidentiality for data on the internal network, but it needs higher security for data on the extranets, especially for some military data. PSK18 just achieves IND-CPA security both for inside attackers and for outside attackers. When data are transmitted to data processors through an external network, it is necessary to re-encrypt the data using a higher secure encryption scheme, for example, an encryption scheme with indistinguishability against chosen-ciphertext attack (IND-CCA1 or IND-CCA2) security.

Third, the expansion of ciphertext and computational efficiency are contradictory in homomorphism encryption. Additive homomorphism schemes¹⁰ with low expansion usually contain large number of time-consuming exponents or bilinear pairings operation and cannot resist quantum attack.

From the aspect of computational efficiency and quantum attack resistant, lattice-based homomorphic encryption may be a good choice. Although lattice-based encryptions usually have large ciphertext expansion, compressed sensing can greatly compress the data for very sparse data. It can compensate for data expansion of lattice cryptography.

Linear structure of lattice-based cryptography is very similar to CS and has been recognized for its many attractive properties, such as strong provable security guarantees and apparent resistance to quantum attacks, flexibility for realizing powerful tools and high asymptotic efficiency (usually requiring only linear operations on small integers).

LHY18¹¹ solves the problem of combining CS with a lattice-based homomorphic public key cryptography by using CS in finite field and constructed an instantiated data collection scheme based on lattice. But LHY18 still can only protect IND-CPA security for data on the extranets.

Our contributions

In this work, we construct a CS-based data collection scheme that can resistant quantum attack and preserve IND-CCA1 security scheme for data on external and IND-CPA security on intranet. By combining an IND-CCA1 secure public key encryption scheme in MP12¹² with CS, we first constructed a CS-based public key encryption scheme (remarkably, we just take CS as a black box, which makes the application of our scheme more general) and proved IND-CCA1 security under hardness of learning with errors (LWE) problem on lattice. Then using some tips, we show how to use this new scheme to secure data collection on distributed WSN. We adopted the method in PSK18 to solve the key distribution problem in WSN with public key and also use CS in finite field as shown in LHY18 to solve the problem of combination of public key and CS. Since lattices and CS have similar linear structures, we use some tips to achieve ciphertext additivity of our new scheme. Furthermore, we proved that the piecewise ciphertext of each node can preserve IND-CPA security of the data on intranet networks; thus, each node completes the secure data collection during the transmission process.

Preliminaries

Notation

We denote the set of real numbers by $R$ , integers by $Z$ and natural numbers by $N$ . For natural number $s$ , $n$ and prime power $q$ , we use $R^{n}$ to express n-dimensional vectors on real numbers field, $Z_{q}^{n}$ to denote n-dimensional vectors on the finite field $Z_{q}$ , and $Z_{q}^{n \times s}$ to indicate the matrix of $n \times s$ size on the finite field $Z_{q}$ . We let $[k] = {1, 2, \dots, k}$ , where k is a nonnegative integer. We use lower-case bold letters (e.g. $x$ ) to express column vectors ( $x^{T}$ express row vector). We use upper-case bold letters to indicate matrices. For a security parameter $k \in N$ , we use $1^{k}$ to express the string of $k$ bits. For a set $V$ , we use $v \leftarrow_{random} V$ to denote an operation of uniformly picking an element $v$ of $V$ at random. For a vector $x$ , we also use $| | x | |$ to denote Euclidean length of $x$ , and $O (\cdot)$ to denote complexity. For matrix $A = [A_{1} | A_{2}]$ , this express $A_{1}$ and $A_{2}$ are partitioned matrix of $A$ .

Over a finite or countable domain $D$ , the statistical distance between two distributions X and $Y$ is $Δ (X, Y) = 1 / 2 (\sum_{ω \in D} | X (ω) - Y (ω) |)$ . When statistical distance from the uniform distribution is at most $ϵ$ , we say that the distribution over $D$ is $ϵ$ -uniform, and we let a “randomized-rounding parameter” $r$ be a fixed function $r (n) = w (\sqrt{\log n})$ growing asymptotically faster than $\sqrt{\log n}$ throughout this article.

For any basis $V = {v_{1}, v_{2}, \dots, v_{n}}$ of $R^{n}$ , we defined its origin-centered parallelepiped as $P_{1 / 2} (V) = V \cdot [- 1 / 2, 1 / 2)^{n}$ and defined its dual basis as $V^{*} = V^{- T} = (V^{- 1})^{T}$ .

Sub-Gaussian distributions and lattices

Definition 1

For any s> 0, the Gaussian function on $R^{n}$ centered at $c$ with parameter $s$ is defined as follows¹³

\forall x \in R^{n}, ρ_{s, c} (x) = \exp (\frac{- π \cdot {‖ x - c ‖}^{2}}{s^{2}})

The subscripts $s$ and $c$ are taken to be 1 and 0 (respectively) when omitted.

Definition 2

For n-dimensional lattice $Λ$ , any $c \in R^{n}$ , and real $s > 0$ , the discrete Gaussian distribution over $Λ$ is defined as follows¹³

\forall x \in Λ, D_{Λ, s, c} (x) = \frac{ρ_{s, c} (x)}{ρ_{s, c} (Λ)}

As above, we may omit the parameters $s$ or $c$ .

If for $δ \geq 0$ , and for all $t \in R$ , the (scaled) moment-generating function satisfies

E [\exp (2 π tX)] \leq \exp (δ) \cdot \exp (π u^{2} t^{2})

We say the random variable $X$ (or its distribution) over $R$ is δ-sub-Gaussian with parameter $u > 0$ .

Notice that the $\exp (π u^{2} t^{2})$ term is just the (scaled) moment-generating function of the Gaussian distribution $D_{u}$ . When working with discrete Gaussians, it usually takes $δ = In ((1 + ϵ) / (1 - ϵ)) \approx 2 ϵ$ .¹²

Definition 3

For any n-dimensional lattice $Λ$ and positive real $ϵ > 0$ , the smoothing parameter $η_{ϵ} (Λ)$ is the smallest real $s > 0$ such that $ρ_{1 / s} (Λ^{*} \ {0})$ .¹³

Lemma 1

For a lattice $Λ \subset R^{n}$ , let $r \geq η_{ϵ} (Λ)$ and $0 < ϵ < 1$ , for any $c \in span (Λ)$ , we have¹²

\Pr [‖ D_{Λ + c, r} ‖ \geq r \sqrt{n}] \leq 2^{- n} \cdot \frac{1 + ϵ}{1 - ϵ}

When $c = 0$ and $ϵ = 0$ for any $r > 0$ , the above bound holds.

Lemma 2

For a lattice $Λ \subset R^{n}$ , let $u \geq η_{ϵ} (Λ)$ and $0 < ϵ < 1$ .¹² For any $c \in span (Λ)$ , $D_{Λ + c, u}$ is $In ((1 + ϵ) / (1 - ϵ))$ -sub-Gaussian with parameter $u$ . When $c = 0$ , it is just 0-sub-Gaussian for any $u > 0$ .

Theorem 1

For any positive integer k, some $u \geq η_{ϵ} (Z)$ and $ϵ = negl (n)$ , let $D_{Z^{m}, u}$ be a discrete Gaussian distribution. assuming vectors $e_{1}, e_{2}, \dots, e_{k} \leftarrow_{random} D_{Z^{m}, u / \sqrt{k}}$ , then vector $e = e_{1} + e_{2} + \dots + e_{k}$ obeys discrete Gaussian distribution over $D_{Z^{m}, u}$ .

Proof

For $e_{1}, e_{2}, \dots, e_{k} \leftarrow_{random} D_{Z^{m}, u / \sqrt{k}}$ , then $e_{1}, e_{2}, \dots, e_{k}$ are independent of each other and all obeys the same distribution over $D_{Z^{m}, u / \sqrt{k}}$ . According to the additive property of Gauss distribution, we have vector $e = e_{1} + e_{2} + \dots + e_{k}$ also obeys discrete Gaussian distribution over $D_{Z^{m}, u}$ .

Decisional LWE problem

For $α > 0$ , the LWE problem $LW E_{q, α}$ may be seen an average-case version of the bounded-distance decoding problem on the dual lattice $Λ (A^{T}) / q$ . Let $T = R / Z$ , the additive group of reals modulo 1, and let $D_{α}$ denote the Gaussian probability distribution over $R$ with parameter $α$ . For any fixed $x \in Z_{q}^{l}$ , define $A_{x, α}$ to be the distribution over $Z_{q}^{l \times s} \times T^{s}$ obtained by choosing $A \leftarrow Z_{q}^{l \times s}$ uniformly at random, choosing $e \leftarrow D_{α}^{s}$ , and outputting $(A, b = A^{T} x / q + e \mod 1)$ .

The decisional $LW E_{q, α}$ problem is to distinguish, with non-negligible advantage, between sampling from $A_{x, α}$ for uniformly random $x \in Z_{q}^{l}$ , and uniformly random sampling from $Z_{q}^{l \times s} \times T^{s}$ .

The hardness of decisional $LW E_{q, α}$ problem is based on the worst-case quantum hardness of approximate-SVP,^14,15 to which there is no known effective quantum algorithm.

Trapdoor for lattices and algorithms for inverting LWE

MP12¹² defined a new trapdoor, given a method of inverse LWE, and established some of important properties as follow.

Definition 4

Let $A \in Z_{q}^{n \times m}$ and $G \in Z_{q}^{n \times ω}$ be matrices with $m \geq ω \geq n$ .¹² A G -trapdoor for $A$ is a matrix $F \in Z_{q}^{(m - ω) \times ω}$ such that $A [\begin{matrix} F \\ I \end{matrix}] = HG$ for some invertible matrix $H \in Z_{q}^{n \times n}$ . Matrix $H$ is called tag or label of the trapdoor. The trapdoor’s quality is measured by its largest singular value $s_{1} (F)$ .

For our construction, we define an algorithm $GenTra p^{D}$ ( $n$ , $m$ , $ω$ , $q$ ) according to Algorithm 1 in MP12 as follow.

Definition 5

Efficient algorithm $GenTra p^{D}$ ( $n$ , $m$ , $ω$ , $q$ ) for generating a parity-check matrix $A$ with trapdoor $F$ .

Input. Parameters $n, m, ω$ are positive integers, and $q$ is a prime power, and distribution $D$ is over $Z^{(m - ω) \times ω}$ .

Output. A parity-check matrix $A = [\bar{A} | A_{1}] \in Z_{q}^{n \times m}$ , where $\bar{m} + ω = m$ , and trapdoor $F$ .

Pick $\bar{A} \in Z_{q}^{n \times \bar{m}}$ uniformly at random, choose a matrix $F \in Z^{\bar{m} \times ω}$ from distribution $D$ .

Output $A = [\bar{A} | - \bar{A} F] \in Z_{q}^{n \times m}$ and trapdoor $F \in Z^{\bar{m} \times ω}$ .

Statistical instantiation

For any parameter $\bar{m}$ and distribution $D$ over $Z^{\bar{m} \times ω}$ , this instantiation have the following property:

Regularity. For $\bar{A} \leftarrow_{random} Z_{q}^{n \times \bar{m}}$ , and $F \leftarrow_{random} D$ , $A = [\bar{A} | - \bar{A} F]$ is δ-uniform for some $δ = nelg (n)$ .

For example, let $D = D_{Z, u}^{\bar{m} \times ω}$ be a discrete Gaussian distribution for some $u \geq η_{ϵ} (Z)$ and $ϵ = negl (n)$ . Then $D$ is 0-sub-Gaussian with parameter $u$ . Moreover, given $A = [\bar{A} | - \bar{A} F]$ , with overwhelming probability over the choice of $\bar{A}$ , the conditional distribution of $F$ is negl(n)-sub-Gaussian with parameter $u$ .

Algorithm 2 in MP12 shows an efficient algorithm $Inver t^{O} (F, A, b)$ for inverting the function $b = A^{T} s + e$ , where $F \in Z^{\bar{m} \times ω}$ is a trapdoor of matrix $A \in Z_{q}^{n \times m}$ .

MP12 also gave a detail construction of $Inver t^{O} (F, A, b)$ and proved that over the choice of $e$ such that $[F^{T} | I^{T}] e \in P_{1 / 2} (q \cdot B)$ for some $B = O (1)$ , then the algorithm output $s$ and $e$ successfully except with probability $2^{- Ω (l)}$ (see Theorem 5.4 and Theorem 4.1 in MP12).

Compressed sensing over finite field

Let $q$ is a prime power, compressed sensing over finite field $Z_{q}$ consists of three steps:¹⁶ sparse representation of signals, measure matrix selection, and reconstruction of signals.

Sparse representation of signals

Set signal $x = {[x_{1}, x_{2}, \dots, x_{n}]}^{T}$ is n-dimensional vectors on the finite field $Z_{q}$ , and $wt (x)$ express the number of non-zero element in $x$ , if for all $x \in Z_{q}^{n}$ , it meets that $wt (x) \leq k$ , it calls signal $x$ is $k$ -spare. If γ is sparse factor, it meets $k = n γ$ .

Selection of measure matrix

If signal $x$ is $k$ -spare on $Z_{q}^{n}$ , it can express by $m$ $(m << n)$ -dimensional measured value

y = Φ x

where for $i = 1, 2, \dots, n$ , it meets $Ø_{i} \in Z_{q}^{m}$ , and $y = [y_{1}, y_{2}, \dots, y_{m}]^{T} \in Z_{q}^{m}$ is measured value.

DM09¹⁶ pointed out that a necessary condition for the successful recovery of all k-sparse signal is $m > 2 k$ , if more tractable $l_{1}$ minimization is used, then the sparse source can still be recovered if $m > C n \log (1 /)$ , where C is a constant. S18¹⁷ introduced methods of selecting the measure matrix and reconstructing signals, respectively.

In our scheme, we just consider the condition with $q = 2$ . For $= 2^{k}$ , we can fulfill data collection by running scheme k times. Considering convenience to descript, we give the definition of measure matrix selection algorithm as follow. By the way, we just take it as a black box, and detail construction can utilize the method in previous studies^16–19 according the specific circumstances.

Definition 6

Let GetMatr( $m$ , $n$ ) is a polynomial time algorithm, when inputs security parameters (m, n), it outputs a random measure matrix $Φ \in Z_{2}^{m \times n}$ , where $m, n \in Z$ and $0 < m < n$ .

Reconstruction of signals

Reconstruction of signals can be described as to reconstruct signals $x \in Z_{q}^{n}$ on a given measure matrix $Φ$ and measured values $y = Φ x$ by solving the optimization problem. For convenience of description, we also give the definition of signals reconstruction algorithm as follows. Incidentally, we just take it as a black box, and the detail construction can also utilize the corresponding method in previous studies.^16–19

Definition 7

Let RecSig(Φ, y) is a polynomial time algorithm, when inputs parameters ( Φ, y ), it outputs signals $x \in Z_{2}^{n}$ , where $Φ \in Z_{2}^{m \times n}$ is a measure matrix, and it meets $y = Φ x \in Z_{2}^{m}$ .

CS-based public key encryption and security definition

The CS-based Public Key Encryption (CSPKE) is defined as follows:

Definition 8

A CS-based public key encryption scheme is quadruples of algorithms (KeyGen, Enc, Dec, MesRec) such that

KeyGen( $n, l, q$ ) is a probabilistic polynomial-time key generation algorithm which receives as input a security parameter $n, l, q \in Z$ and outputs a measure matrix $Φ$ as public parameter, a public key $pk$ , and a secret key $sk$ .

Enc( $m$ , $pk$ , $Φ$ ) is a probabilistic polynomial-time encryption algorithm which takes as input a public key $pk$ and a signal $x$ in $X$ ( $X$ is the signal space), and outputs a ciphertext $c$ .

Dec( $c$ , $sk$ ) is a deterministic polynomial-time decryption algorithm which receives as input a secret decryption key $sk$ and a ciphertext $c$ and outputs either a measured value $y$ of signal $x$ or an error symbol ⊥.

MesRec( $y, Φ$ ) is a polynomial-time reconstruction algorithm which receives as input a measure matrix $Φ$ and a measured value $y$ and outputs a reconstructed signal $x$ .

Moreover, a further fundamental property is required: correctness. We want that, for any pair of public and secret keys generated by KeyGen, and for every message $x$ in $X$ , it holds that MesRec(Dec (Enc( $x$ , $pk$ ), $sk$ ), $Φ$ ) = $x$ with overwhelming probability over the randomness used by KeyGen and Enc.

Our CSPKE is IND-CCA1 secure for outside attackers and IND-CPA secure for inside attackers in distributed application. Next, we define IND-CCA1 security of CSPKE and IND-CPA security of CSPKE-D (we use CSPKE-D to express the scheme of CSPKE for distributed application) according to NYP²⁰ as follows.

Definition 9

IND-CCA1 security is defined by the interaction experiment between challenger C and attacker A.

Challenger C runs KeyGen( $n, l, q$ ), getting public key $pk$ and secret key $sk$ , then outputs a measure matrix $Φ$ as public parameter and sends $pk$ to attacker A.

When A makes a sequence of decryption query to C, for each decryption query, A submits a ciphertext $c$ , and C responds with a corresponding plaintext $x$ .

A chooses two signals $x_{0}$ and $x_{1}$ in $X$ , then sends them to C.

C randomly selects bits $b \in {0, 1}$ , then computers challenge ciphertext $c^{*}$ = Enc( $x_{b}$ , $pk$ , $Φ$ ). At last, C sends A.

A outputs $b' \in {0, 1}$ as the guess values to $b$ .

The advantage of attacker A to attack the above encryption algorithm is defined as

{Adv}_{A}^{CCA 1, CSPKE} = | \Pr [b = b'] - \frac{1}{2} |

The CSPKE Algorithm is IND-CCA secure if for all probabilistic polynomial time (PPT) adversaries the advantage ${Adv}_{A}^{CCA 1, CSPKE}$ is negligible.

Definition 10

IND-CPA security is defined by the interaction experiment between challenger C and attacker A.

Challenger C runs KeyGen( $n, l, q$ ), getting public key $pk$ and secret key $sk$ , then outputs a measure matrix $Φ$ as public parameter, and sends $pk$ to attacker A.

A chooses two signals $x_{0}$ and $x_{1}$ in $X$ , then sends them to C.

C randomly selects bits $b \in {0, 1}$ , then computers challenge ciphertext $c^{*}$ = Enc( $x_{b}$ , $pk$ , $Φ$ ). At last, C sends $c^{*}$ to A.

A outputs $b' \in {0, 1}$ as the guess values to $b$ .

The advantage of attacker A to attack the above encryption algorithm is defined as

{Adv}_{A}^{CPA, CSPKE - D} = | \Pr [b = b'] - \frac{1}{2} |

The CSPKE-D scheme is IND-CPA secure if for all PPT adversaries the advantage ${Adv}_{A}^{CPA, CSPKE - D}$ is negligible.

Compressed sensing public key encryption scheme based on LWE

The concrete scheme

We give some exemplary asymptotic bounds for a number of parameters involved in our scheme. In the following, we used $w \sqrt{(\log l)}$ to represent a fixed function who asymptotically grows faster than $\sqrt{(\log l)}$ .

Let $l, s, n, d$ be positive integers, $q$ be a prime power, $x = [x_{1}, x_{2}, \dots, x_{n}]^{T} \in Z_{2}^{n}$ be $d$ -spare signal, $ω$ be the measurement times to $x$ needed in CS algorithm, it satisfying $n >> ω$ (note that we just take CS as a black-box, so the specific relationship among $ω$ , $d$ , and $n$ is based on concrete CS algorithm,^16–19 $s > ω \geq l$ and $s \geq 2 l \log q$ . Typically $ω = l \log q$ and $s = 2 ω$ (see MP12).

For prime power $q$ , $G \in Z_{q}^{l \times ω}$ is a gadget matrix. Let $\bar{s} = O (ω)$ and $D = D_{Z, w \sqrt{(\log l)}}^{\bar{s} \times ω}$ , thus $[\bar{A} | - \bar{A} F]$ is negl(l)-far from uniform fo $r \bar{A} \leftarrow_{random} Z_{q}^{l \times \bar{s}}$ . Let $F \leftarrow_{random} D$ , and $s = \bar{s} + ω$ . We need an oracle $O$ to solve LWE with respect to $Λ (G^{T})$ for any error vector in some $P_{1 / 2} (q \cdot B)$ where $‖ B ‖ = O (1)$ . (The constructions of oracle $O$ can be seen in section 4 in MP12.)

The error rate in LWE is express by $α$ , such that $1 / α = O (ω) \cdot w \sqrt{(\log l)}$ is sufficiently large.

We need a special collection in the ring $R = Z_{q} (x) / f (x)$ and an injective ring homomorphism $h : R \to Z_{q}^{l \times l}$ (see section 6.1 in MP12). We also need a large set $U = {u_{1}, u_{2}, \dots, u_{l}} \subset R$ with the “unit differences” property: for any $i \neq j$ , the difference $u_{i} - u_{j} \in R^{*}$ , and hence $h (u_{i} - u_{j}) = h (u_{i}) - h (u_{j}) \in Z_{q}^{l \times l}$ is invertible.

For measure matrix $Φ = [Ø_{1}, Ø_{2}, \dots, Ø_{n}] \in Z_{2}^{ω \times n}$ , the message space of signal measure value $Φ x$ mod 2 is ${0, 1}^{ω}$ . Through an efficient function $encode$ , we map bijectively to the cosets of $Λ / 2 Λ$ for $Λ = Λ (G^{T})$ . Specifically, letting $\bar{B} \in Z^{ω \times ω}$ be any basis of $Λ$ , we can map $Φ x \in {0, 1}^{ω}$ to $encode (Φ x) = \bar{B} Φ x \in Z^{ω}$ .

KeyGen( $n, l, s, q$ )

Runs algorithm GetSMatr( $ω, n$ ) to get measure matrices $Φ = [Ø_{1}, Ø_{2}, \dots, Ø_{n}] \in Z_{2}^{ω \times n}$ , then sets $Φ$ as public parameter.

For parameters $l, s, q$ , runs the algorithm $GenTra p^{D}$ ( $1^{l}, 1^{s}, q$ ) to get matrix $A = [\bar{A} | A_{1}] \in Z_{q}^{l \times s}$ and corresponding $G$ -trapdoor $F \in Z_{q}^{(s - ω) \times ω}$ , where $\bar{A} \leftarrow_{random} Z_{q}^{l \times \bar{s}}$ and it satisfies $A_{1} = - \bar{A} F$ .

Outputs public key $pk = {A}$ and secret key $sk = {F}$ .

Enc( $x$ , $pk$ , $Φ$ )

Chooses a nonzero $u \leftarrow_{random} U$ and let $A_{u} = [\bar{A} | A_{1} + h (u) G]$ .

Chooses a vector $b \leftarrow_{random} Z_{q}^{l}$ , $\bar{e} \leftarrow_{random} D_{Z, α q}^{\bar{s}}$ , $\tilde{e} \leftarrow_{random} D_{Z, α q \sqrt{2 \bar{s}} \cdot w \sqrt{(\log l)}}^{ω}$ .

Computes $c_{2} = 2 (A_{u}^{T} b \mod q) + [(0 / \bar{B} Φ x)] + e \mod 2 q$ , where 0 has $\bar{s}$ dimension and $e = [\begin{matrix} \bar{e} \\ \tilde{e} \end{matrix}] \in Z^{s}$ . Let $c_{1} = u$ .

Outputs the ciphertext $c = (c_{1}, c_{2})$ .

Dec( $c$ , $sk$ )

Let $A_{u} = [\bar{A} | A_{1} + h (u) G] = [\bar{A} | h (u) G - \bar{A} F]$ .

If $u = 0$ or $c$ does not parse, outputs ⊥, otherwise, calls $Invert (F, A, c)$ to get value $b' \in Z_{q}^{l}$ and $e = [\begin{matrix} \bar{e} \\ \tilde{e} \end{matrix}] \in Z^{s}$ for which $c_{2} = {A_{u}}^{T} b' + e \mod q$ . (Note that $h (u) \in Z_{q}^{l \times l}$ is invertible.) If the call to $Invert$ fails for any reason, outputs ⊥.

If $‖ \bar{e} ‖ \geq α q \sqrt{\bar{s}}$ or $‖ \tilde{e} ‖ \geq α q \sqrt{2 \bar{s} ω} \cdot w \sqrt{(\log l)}$ , outputs ⊥.

Let $v = c_{2} - e \mod 2 q$ , computes value $y = {\bar{B}}^{- 1} ([F^{T} | I^{T}] v)$ , then outputs $y$ .

MesRec( $y$ , $Φ$ )

Runs the algorithm RecSig( $Φ$ , $y$ ) to get reconstruction signal $x$ , then outputs $x$ .

Analyses

Correctness

Theorem 2

The above scheme has only $2^{- Ω (l)}$ probability of decryption error.

Proof

Let $(A, F) \leftarrow KeyGen (n, l, s, q)$ . By Lemma 2.9 in MP12, we have $‖ F ‖ \leq O (\sqrt{ω}) \cdot w \sqrt{(\log l)}$ except with probability $2^{- Ω (l)}$ .

For arbitrary $Φ x \in Z^{ω}$ , we consider the random choices in Enc( $x$ , $pk$ , $Φ$ ) as follows. By Lemma 2.6 in MP12, we have both $‖ \bar{e} ‖ \leq α q \sqrt{\bar{s}}$ and $‖ \tilde{e} ‖ \leq α q \sqrt{2 \bar{s} ω} \cdot w \sqrt{(\log l)}$ , except with probability $2^{- Ω (l)}$ . Letting $e = [\begin{matrix} \bar{e} \\ \tilde{e} \end{matrix}]$ , it has

‖ [F^{T} | I^{T}] e ‖ \leq ‖ F^{T} \bar{e} ‖ + ‖ \tilde{e} ‖ < α q \cdot O (\sqrt{ω}) \cdot w \sqrt{(\log l)}

Specially, for large enough $1 / α = O (ω) \cdot w \sqrt{(\log l)}$ , it has $[F^{T} | I^{T}] e \in P_{1 / 2} (q \cdot B)$ . Therefore, the call to $Invert$ made by Dec( $c$ , $sk$ ) returns $e$ . It follows that for $v = (\bar{v}, v_{1}) = c_{2} - e \mod 2 q$ , it has $[F^{T} | I^{T}] v = [F^{T} | I^{T}]$ $[A_{u}^{T} x + [\begin{matrix} 0 \\ \bar{B} Φ x \end{matrix}]] = 2 (G^{T} h (u)^{T} x \mod q) + \bar{B} Φ x \mod 2 q$ , which is in the coset $\bar{B} Φ x \in Λ (G^{T}) / 2 Λ (G^{T})$ , and so Dec outputs $y = Φ x$ mod 2 as desired. Noticing that, algorithm RecSig is just run over $Z_{2}$ in Definition 7. So RecSig( $Φ$ , $y$ ) can output $x$ as desired.

IND-CCA1 security

We will prove the security of above-described scheme.

Theorem 3

The above CSPKE scheme is IND-CCA1 secure assuming the hardness of decision- $LW E_{q, α'}$ for $α' = α / 3 \geq 2 \sqrt{l} / q$ .

Proof

Let $Φ x \mod 2 \in {0, 1}^{ω}$ , our scheme can just be described as a instantiation of encryption scheme in MP12 section 6.3.

For signal $x$ , we can first compute $Φ x \mod 2 \in {0, 1}^{ω}$ , and then call encryption scheme in MP12 section 6.3 to encrypt and decrypt for message $Φ x$ , then run the reconstruction algorithm RecSig( $Φ$ , $Φ x$ ) of CS to get reconstruction signal $x$ . It is noteworthy that $Φ$ is a public parameter. For input message $Φ x$ , the reconstruction algorithm RecSig is just a public polynomial time algorithm without secret key. So the security of CSPKE is just provided by the encryption scheme in MP12.

The encryption scheme in MP12 is IND-CCA1 secure assuming the hardness of decision- $LW E_{q, α'}$ for $α' = α / 3 \geq 2 \sqrt{l} / q$ . So CSPKE scheme is also IND-CCA1 secure assuming the hardness of decisional $LW E_{q, α'}$ for $α' = α / 3 \geq 2 \sqrt{l} / q$ . Detailed proof can be seen in Theorem 6.3 in MP12.

A CS-based adaptable secure data collection scheme for WSN

Now, we show how to use CSPKE to implement a CS-based data collection scheme for distributed WSN that is IND-CPA secure for inside attackers and IND-CCA1 secure for outside attackers.

Although CSPKE scheme itself does not have additive homomorphic property, if we fix the first partial ciphertext $c_{1} = u$ , then matrix $A_{u}$ is determined, thereby the second partial ciphertext $c_{2} = 2 (A_{u}^{T} b \mod q) + [\begin{matrix} 0 \\ \bar{B} Φ x \end{matrix}] + e \mod 2 q$ has additive homomorphic property. In more detail, let each node share the same $u$ together in every time data collection, the second partial ciphertext $c_{2}$ with additive homomorphic property can be used to implement data collection for distributed WSN.

The main steps are summarized as follows:

Setup

The system first initializes the network, and for parameter $n, l, s, q$ , runs algorithm KeyGen( $n, l, s, q$ ) to get public key $pk = {A}$ , secret key $sk = {F}$ , and measure matrix $Φ$ and gadget matrix $G$ , and then broadcasts parameter, public key, measure matrix, and gadget matrix. Data processor saves private keys for decryption.

Encryption measurement and in-network aggregation

Let $Θ = \bar{B} = [θ_{1}, θ_{2}, \dots, θ_{n}]$ , node $S_{1}$ first chooses nonzero $u \leftarrow_{random} U$ and computes $A_{u} = [\bar{A} | A_{1} + h (u) G]$ , then computes $c_{1, 2} = c_{1, 2}^{'} = 2 (A_{u}^{T} b_{1} \mod q) + [\begin{matrix} 0 \\ x_{1} θ_{1} \end{matrix}] + e_{1} \mod 2 q$ , at last sends ( $u, c_{1, 2}$ ) to its father node $s_{2}$ . For $i = 2, \dots, n$ , Node $S_{i}$ first chooses $b_{i} \leftarrow_{random} Z_{q}^{l}$ and $e_{i} = [\begin{matrix} {\bar{e}}_{i} \\ {\tilde{e}}_{i} \end{matrix}]$ , where ${\bar{e}}_{i} \leftarrow_{random} D_{Z, α q / \sqrt{n}}^{\bar{s}}$ and ${\tilde{e}}_{i} \leftarrow_{random} D_{Z, α q \sqrt{2 \bar{s} n} \cdot w \sqrt{(\log l)}}^{ω}$ , then computes $A_{u} = [\bar{A} | A_{1} + h (u) G]$ , ${c'}_{i, 2} = 2 (A_{u}^{T} b_{i} \mod q) + [\begin{matrix} 0 \\ x_{i} θ_{i} \end{matrix}] + e_{i} \mod 2 q$ , $c_{i, 2} = {c'}_{i, 2} + c_{i - 1, 2}$ , at last sends $(u, c_{i, 2})$ to father node. Each node performs this procedure thereby completing the encryption measurement during transmission.

Finally, the sink received encrypted measurement value $c = (u, c_{2})$ , where

$\begin{array}{l} c_{2} = c_{n, 2} = {c^{'}}_{1, 2} + {c^{'}}_{2, 2} + \dots + {c^{'}}_{n, 2} = 2 (A_{u}^{T} b_{1} \mod q) + [\begin{matrix} 0 \\ x_{1} θ_{1} \end{matrix}] + e_{1} \mod 2 q + 2 (A_{u}^{T} b_{2} \mod q) + [\begin{matrix} 0 \\ x_{2} θ_{2} \end{matrix}] + \\ e_{2} \mod 2 q + \dots 2 (A_{u}^{T} b_{n} \mod q) + [\begin{matrix} 0 \\ x_{n} θ_{n} \end{matrix}] + e_{n} \mod 2 q \end{array}$ .

Let $e = [\begin{matrix} \bar{e} \\ \tilde{e} \end{matrix}] = e_{1} + e_{2} + \dots + e_{n}$ , according to Theorem 1, we have $\bar{e} \in D_{Z, α q}^{\bar{s}}$ and $\tilde{e} \in D_{Z, α q \sqrt{2 \bar{s}} \cdot w \sqrt{(\log l)}}^{ω}$ . Let $b = b_{1} + b_{2} + \dots + b_{n} \in Z_{q}^{l}$ , we have $c_{2} = 2 ({A_{u}}^{T} b \mod q) + [\begin{matrix} 0 \\ \bar{B} Φ x \end{matrix}] + e \mod 2 q$ which is a consistent partial ciphertext according to CSPKE. Although all nodes share the same $u$ together, $u$ is chosen random in $U$ by $S_{1}$ according to CSPKE. For the collected data on the sink, $u$ is also a consistent partial ciphertext according to CSPKE. Then collected data $c = (u, c_{2})$ is just a consistent ciphertext generated by Enc( $x$ , $pk$ , $Φ$ ) of CSPKE taking as input a public key $pk = {A}$ , a measure matrices $Φ$ and a signal $x$ .

The detailed process is shown as Figure 4.

Figure 4.

CS-based IND-CCA1 secure data collection scheme in WSN.

3. Data recovery

The data processor runs algorithm Dec( $c$ , $sk$ ) to decrypt the aggregation result by using the private key $sk$ , and output measurement value $y$ , then runs the algorithm RecSig( $Φ$ , $y$ ) to get reconstruction signal $x = (x_{1}, x_{2}, \dots, x_{n}) \in Z_{2}^{n}$ , then outputs $x$ .

Security analysis

As can be seen from the above description, the collected data $c = (u, c_{2})$ on sink is just a consistent ciphertext generated by Enc( $x$ , $pk$ , $Φ$ ) of CSPKE taking as input a public key $pk = {A}$ , a measure matrices $Φ$ and a signal $x$ . So for outside attackers, CSPKE-D is IND-CCA1 secure according to Theorem 3.

CSPKE scheme itself does not have additive homomorphic property. In order to implement a distributed data collection, we share the first partial ciphertext $c_{1} = u$ to all nodes in every time data collection. It means that $A_{u}$ is a determined matrix for all nodes and also inside attackers in every time data collection, so the security of CSPKE-D is declined for inside attackers. However, it is still IND-CPA secure for inside attackers. This security is usually sufficient for intranets.

Theorem 4

Our above CSPKE-D scheme is IND-CPA secure for inside attackers assuming the hardness of decision- $LW E_{q, α'}$ for $α' = α / 3 \geq 2 \sqrt{l} / q$ .

Proof

For inside adversaries, the first partial ciphertext $c_{1} = u$ is fixed, and then $A_{u}$ is a determined matrix. Next we assume if there is a polynomial time inside adversary A who can break the IND-CPA security of this CSPKE-D, we show how to use this adversary to construct a distinguisher for the decisional $LW E_{q, α'}$ problem for $α' = α / 3 \geq 2 \sqrt{l} / q$ .

For the distinguisher, we are given $(A, b)$ coming from either an LWE distribution $A_{s, α'}$ over $Z_{q}^{l \times s} \times T^{s}$ for any $s \in Z_{q}^{l}$ (where recall that $T = R / Z$ ) or uniformly random samples from $Z_{q}^{l \times s} \times T^{s}$ . Our construction works are as follows.

Prepare the public key

The simulator runs the key generation algorithm GetSMatr( $ω, n$ ) to get measure matrices $Φ = [Ø_{1}, Ø_{2}, \dots, Ø_{n}] \in Z_{2}^{ω \times n}$ , then sets $Φ$ as public parameter.

For a gadget matrix $G \in Z_{q}^{l \times ω}$ and the fixed first partial ciphertext $u$ , let $A_{u} = A = [\bar{A} | A_{1}] \in Z_{q}^{l \times s}$ , where $\bar{A} \in Z_{q}^{l \times \bar{s}}$ , and then computes $A' = [\bar{A} | A_{1} - h (u) G]$ .

Outputs public key $pk = {A'}$ , and sends it to adversary A.

Prepare the challenge ciphertext

When the adversary chooses $x_{0}$ and $x_{1}$ in $X$ , and gives it to the simulator, the simulator chooses $\bar{b} \in (0, 1)$ at random and computes $c_{2} = 2 q b + [\begin{matrix} 0 \\ \bar{B} Φ x_{\bar{b}} \end{matrix}] + e^{'} \mod 2 q$ for $e' \leftarrow D_{Z, α q}^{s}$ .

By Theorem 3.1 of Pei10²¹ we can transform its samples $(A, b = A^{T} s / q + e \mod 1)$ to have the form $(A, 2 A^{T} s \mod q + e' \mod 2 q)$ for $e' \leftarrow D_{Z, α q}^{s}$ , by mapping $b \to 2 q b + D_{Z - 2 q b, g}^{s}$ where $g^{2} = (α q)^{2} - (2 α' q)^{2} \geq 4 l \geq η_{ϵ} (Z)^{2}$ . This transformation maps the uniform distribution over $Z_{q}^{l \times s} \times T^{s}$ to the uniform distribution over $Z_{q}^{l \times s} \times Z_{2 q}^{s}$ .

As we see from the adversary’s view, when the input to the simulator comes from an LWE distribution $A_{s, α'}$ , the output of the encryption oracle is just a perfectly legitimate ciphertext. It is clear that the joint distribution of the adversary’s view and $\bar{b}$ is identical to that in the actual attack. However, when the input to the simulator uniformly random samples from $Z_{q}^{l \times s} \times T^{s}$ , the adversary’s view and $\bar{b}$ are essentially information theoretic independent. This completes the construction of a distinguisher for the decisional $LW E_{q, α'}$ problem. Consequently if there is a polynomial time inside adversary A who can break the IND-CPA security of this CSPKE-D, the simulator can solve the decisional $LW E_{q, α'}$ problem with the same non-negligible advantage. That completes the proof of security.

Efficiency analysis

Considering from the computational efficiency, our above scheme just involved simple some linear operations, which are very efficiency on computation. It is worth noting that we take CS as a black box, thus the method used measurement sparse matrix for CS in PSK18 can also be used in our scheme to further improve computation efficiency. Next, we mainly analyze the communication efficiency.

Our scheme can be described as a public key encryption scheme to CS. In detail, original data $x$ is first compressed by CS, and then encrypted by a lattice-based PKE scheme. Although lattice-based encryptions usually have large ciphertext expansion, compressed sensing can greatly compress the data for very sparse data (the original data in WSN are naturally sparse). It can compensate for data expansion of lattice cryptography, which makes our scheme practical in WSN.

For a more intuitive description, we follow give a theoretical traffic comparison of related schemes in Table 1.

Table 1.

Comparison of related schemes.

Schemes	CS	PSK18	LHY18	Our scheme
Signal (bit)	n	n	n	n
security	No	IND-CPA	IND-CPA	IND-CCA1 for extranetIND-CPA for intranet
Ciphertext (bit)	ω	ωHE-Exp	2ωlog₂q	\| $R$ \|+ 2ω log₂(2q)
Ciphertext expansion	ω / n	ωHE-Exp/n	(2ω log₂q)/n	\| $R$ \|/n + 2ω (log₂q + 1)/n

CS: compressive sensing; IND-CPA: indistinguishability against chosen plaintext attack; IND-CCA1: indistinguishability against chosen ciphertext attack.

In Table 1, we assume that the lengths of input signal to these schemes are all n bits, and we use “Ciphertext” to represent the corresponding lengths of the outputs (theoretical traffic). For the line of ciphertext expansion, it means the ratio of outputs to inputs. Assuming that the outputs of CS scheme (who is the basis of PSK18, LHY18 and our CSPKE-D) are ω bits, it is easy to compute that the outputs of our scheme are| $R$ |+ 2ω log₂(2q) bits, where we used $| R |$ to express the size of ring $R$ used in our CSPKE-D, and then we can compute that the outputs of LHY18 are 2ωlog₂q bits. For the reason that PSK18 just takes additive homomorphism scheme²² as a black box (without specifying a certain scheme), we use “HE-Exp” to express the ciphertext expansion of additive homomorphism scheme, and the outputs of PSK18 are $ω HE - Exp$ bits.

Next, we analyze theoretical communication load of our above scheme in comparison with related schemes in detail.

Compared with the original CS scheme, the increased communication load of our scheme mainly comes from ciphertext expansion. According to MP12, we have $s = 2 ω = 2 l lo g_{2} q$ , $| R | \geq l$ and $q \geq 2$ . Thus, the ciphertext expansion is $[| R | + 2 ω (lo g_{2} q + 1)] / n \geq ω / (n lo g_{2} q) + 2 ω (lo g_{2} q + 1) / n$ .

In order to facilitate the comparisons, from the aspect of quantum attack resistant and computational efficiency, we assume the homomorphic encryption scheme used in PSK18 is a lattice-based homomorphic encryption.

Furthermore, LHY18 can be seen as a concrete scheme of PSK18 by using a specific lattice-based additive homomorphism encryption scheme. Thus, PSK18 and LHY18 have a similar ciphertext expansion from the perspective of quantum attack resistant. As can be seen from Table 1, The ciphertext expansion of our scheme is only a little larger than that of LHY18 (note that |ℜ| is much smaller than $2 lo g_{2} (2 q)$ ).

In terms of security, the size of $q$ is inversely proportional to that of $n$ . Usually $n$ (the number of nodes in WSN) is very large. Typically for the 128 bit security level of $q$ ,¹⁵ the ciphertext expansion of CSPKE-D is close to $258 / n$ times (the ciphertext length of CSPKE-D is close to $258 ω$ ).

However, CS data compression rate is proportional to data sparsity. For $n$ -bit data with sparse factor $γ$ , we have $ω \geq 2 δ n lo g_{q} n$ , where $δ$ is a constant.¹⁹ When the original signal is well sparse, such as Taobao data with the $10^{- 5}$ level of the sparse factor $γ$ ,²³ our scheme still achieves good data compression (the ciphertext length of CSPKE-D is close to $5.16 \times 10^{- 3} δ n lo g_{q} n$ for $n$ -bits input signal).

Conclusion

The security issues of data collection in WSN have attracted great attention from academics and industry. In this article, we mainly focused on the security among data collection and transmission process and proposed an IND-CCA1 for extranet and IND-CPA for intranet secure CS-based data collection scheme. The security of our scheme is based on the hardness of decisional LWE problem, to which there is no known effective quantum algorithm. In terms of computational efficiency, our scheme only contains simple linear operation, so it has high computational efficiency. In terms of communication efficiency, although CSPKE-D algorithm brings a little of data expansion, CS realized a good communication cost compensation by data compression, which makes our scheme practical in WSN.

Footnotes

Handling Editor: Weizhi Meng

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by National Natural Science Foundation of China (Grant Nos 61572521, U1636114, 61772550), National Key R&D Program of China (Grant No. 2017YFB0802000), National Cryptography Development Fund of China (Grant No. MMJJ20170112), Innovative Research Team in Engineering University of PAP (KYTD201805), State Key Laboratory of Information Security (2017-MS-18).

ORCID iD

Zhen Liu

References

Luo

Sun

et al . Efficient measurement generation and pervasive sparsity for compressive data gathering. IEEE T Wirel Commun 2010; 9(12): 3728–3738.

Donoho

. Compressed sensing. IEEE T Inform Theory 2006; 52(4): 1289–1306.

Zhang

Wang

Guo

et al . A secure data collection scheme based on compressive sensing in wireless sensor networks. Ad Hoc Netw 2018; 70: 73–84.

Rachlin

Baron

. The secrecy of compressed sensing measurements. In: Proceedings of the 46th annual Allerton conference on communication, control, and computing, Urbana-Champaign, IL, 23–26 September 2008, pp.813–817. New York: IEEE.

Bianchi

Bioglio

Magli

. On the security of random linear measurements. In: Proceedings of the IEEE international conference on acoustics, speech and signal processing (ICASSP), Florence, 4–9 May 2014, pp.3992–3996. New York: IEEE.

Bianchi

Bioglio

Magli

. Analysis of one-time random projections for privacy pre-serving compressed sensing. IEEE T Inf Foren Sec 2016; 11(2): 313–327.

. Indistinguishability and energy sensitivity of asymptotically Gaussian compressed encryption. Arxiv, 2017, https://arxiv.org/abs/1709.05744

Cho

. Secure communications with asymptotically Gaussian compressed encryption. IEEE Signal Proc Let 2018; 25(1): 80–84.

Xing

Cheng

et al . Information leaks out: attacks and countermeasures on compressive data gathering in wireless sensor networks. In: Proceedings of the IEEE INFOCOM 2014—IEEE conference on computer communications, Toronto, ON, 27 April–2 May 2014, pp.1258–1266. New York: IEEE.

10.

Guellier

. Can homomorphic cryptography ensure privacy? Doctoral dissertation, IRISA; Supélec Rennes, Équipe Cidre; Inria, 2014.

11.

Liu

Han

Yang

et al . Secure data acquisition method among multi-hop transmission environments. J Cryptol Res 2018; 5(2): 206–217.

12.

Micciancio

Peikert

. Trapdoors for lattices: simpler, tighter, faster, smaller. In: Proceedings of the annual international conference on the theory and applications of cryptographic techniques, Cambridge, 15–19 April 2012, pp.700–718. Berlin: Springer.

13.

Micciancio

Regev

. Worst-case to average-case reductions based on Gaussian measures. SIAM J Comput 2007; 37(1): 267–302.

14.

Regev

. On lattices, learning with errors, random linear codes, and cryptography. J ACM 2009; 56(6): 34.

15.

Brakerski

Langlois

Peikert

et al . Classical hardness of learning with errors. In: Proceedings of the forty-fifth annual ACM symposium on theory of computing, Palo Alto, CA, 1–4 June 2013, pp.575–584. New York: ACM.

16.

Draper

Malekpour

. Compressed sensing over finite fields. In: Proceedings of the 2009 IEEE international conference on symposium on information theory, Seoul, South Korea, 28 June–3 July 2009, Vol. 1, pp.669–673. New York: IEEE.

17.

Seong

. Performance evaluation of finite sparse signals for compressed sensing frameworks. IEICE T Inf Syst 2018; 101(2): 531–534.

18.

Gankhuyag

Hong

Choe

. Sparse recovery using sparse sensing matrix based finite field optimization in network coding. IEICE T Inf Syst 2017; 100(2): 375–378.

19.

Das

Vishwanath

. On finite alphabet compressive sensing. In: Proceedings of the IEEE international conference on acoustics, speech and signal processing (ICASSP), Vancouver, BC, May 26–31 2013, pp.5890–5894. New York: IEEE.

20.

Naor

Yung

. Public-key cryptosystems provably secure against chosen ciphertext attacks. In: Proceedings of the twenty-second annual ACM symposium on theory of computing, Baltimore, MD, 13–17 May 1990, pp.427–437. New York: ACM.

21.

Peikert

. An efficient and parallel Gaussian sampler for lattices. In: Proceedings of CRYPTO 2010, Santa Barbara, CA, 15–19 August 2010, pp.80–97. Berlin: Springer.

22.

Damgard

Jurik

. A generalisation, a simplification, and some applications of Paillier’s probabilistic public-key system. Presented at the 4th international workshop on practice and theory in public key cryptosystems, Cheju Island, South Korea, 13–15 February 2001.

23.

Tao

. Ten challenges of personalized recommendation. Commun CCF 2012; 8: 48–61.

A compressive sensing–based adaptable secure data collection scheme for distributed wireless sensor networks

Abstract

Keywords

Introduction

Background

Previous works

Our contributions

Preliminaries

Notation

Sub-Gaussian distributions and lattices

Definition 1

Definition 2

Definition 3

Lemma 1

Lemma 2

Theorem 1

Proof

Decisional LWE problem

Trapdoor for lattices and algorithms for inverting LWE

Definition 4

Definition 5

Statistical instantiation

Compressed sensing over finite field

Sparse representation of signals

Selection of measure matrix

Definition 6

Reconstruction of signals

Definition 7

CS-based public key encryption and security definition

Definition 8

Definition 9

Definition 10

Compressed sensing public key encryption scheme based on LWE

The concrete scheme

Analyses

Correctness

Theorem 2

Proof

IND-CCA1 security

Theorem 3

Proof

A CS-based adaptable secure data collection scheme for WSN

Security analysis

Theorem 4

Proof

Prepare the public key

Prepare the challenge ciphertext

Efficiency analysis

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iD

References