In the beginning, many works were proposed for minimizing energy consumption in WSNs [3][17][18]. They present a technique called data aggregation, which can decrease energy consumption efficiently. However, they assume that all nodes in the network are honest, and none of them considers security threats together with in-network aggregation.

In recent years, a lot of research has addressed sensor network security with data aggregation. To defeat an active adversary whose goal is to tamper with or discard messages so that the base station obtains a wrong result, some research discusses data integrity and data authentication for wireless sensor networks [4][5][10][13]. The contribution of those works is that the base station accepts the aggregation result with high probability if the aggregated result is within a desired bound. In other words, the base station rejects wrong results (outside the desired bound) and detects the compromised nodes.

Because many applications collect sensitive measurements, some research focuses on data confidentiality [6][7][8][11]. In [6], Girao et al. introduce the concept of Concealed Data Aggregation, which is the first work to provide end-to-end privacy for wireless sensor networks. They provide a solution for processing encrypted data at the intermediate nodes (aggregators) by using privacy homomorphism. This work remedies the disadvantage of hop-by-hop encryption schemes, which we introduce in the next section.

In [7], Castelluccia et al. suggest another approach to aggregating encrypted data for the SUM aggregation. In contrast to [6], they propose a simple and provably secure additively homomorphic scheme that processes encrypted data efficiently. The homomorphic encryption scheme used in their architecture is simple and provably secure. This scheme is illustrated as follows.

Additively Homomorphic Encryption Scheme proposed by Castelluccia et al.

System Setup:

- M is a large integer. m denotes a plaintext and $m \in \{0, \ldots, M-1\}$.
- Each sensor node shares a unique pair-wise key k with the base station. Let $k \in_R \{0, \ldots, M-1\}$.
- Let Enc( ) denote the encryption function and Dec( ) the decryption function.

Encryption:

Compute c = Enc(m, k, M) = m + k (mod M)

Decryption:

Compute m = Dec(c, k, M) = c - k (mod M)

Addition Homomorphism:

1. Let c1 = Enc(m1, k1, M) = m1 + k1 (mod M) and c2 = Enc(m2, k2, M) = m2 + k2 (mod M)

2. m1 + m2 = Dec(c1 + c2, k1 + k2, M) = (c1 + c2) - (k1 + k2) (mod M)

Although this scheme is cheaper than [6] in resource consumption and comes with a security analysis, it has some limitations. First, the key length must be as long as the plaintext, and the key management is also problematic. Second, this method is not suitable for other aggregation functions such as MAX/MIN. Acharya et al. [8] present the first secure comparison scheme, which allows comparison operations to be performed on ciphertext. This scheme uses another encryption scheme that preserves the order of the plaintext. However, this approach is only secure against ciphertext-only attacks. In other words, if one of the sensor nodes is compromised, the adversary is able to get a plaintext-ciphertext pair. Therefore, the privacy of data is broken over the whole network. In [11], He et al. proposed two efficient privacy-preserving data aggregation protocols called CPDA and SMART; the techniques used in both schemes differ from [6][7]. CPDA uses algebraic properties of polynomials to compute the aggregate value. In the SMART scheme, each node splits its private value into pieces and sends encrypted partial values to other nodes. Then the other nodes can calculate the aggregate value. Finally, all of the partial aggregate values are collected by the base station. These approaches are efficient and energy-saving, but they work for statistical functions such as SUM and AVERAGE.

Jadia et al. and Kifayat et al. [9][14] combine several security requirements, such as data confidentiality and an authentication mechanism, to establish secure data aggregation protocols.

There are plenty of secure multiparty computation (SMC) techniques used in cryptography; SMC proposes a solution to the problem of processing encrypted data.

In [16], Chu et al. present a fundamental scheme that is useful in constructing secure interactive protocols; they propose schemes for the "equality", "inequality" and "greater than" predicates. Because these schemes are not computationally expensive for WSNs, we use the proposed technique to establish secure protocols for performing MAX/MIN functions in wireless sensor networks.

In the following two sections, we discuss data aggregation in WSNs and show how to process encrypted data with data aggregation.

2.1 Data Aggregation in Wireless Sensor Networks

Because of the resource and power restrictions of a sensor node, data aggregation is used to reduce the data communication cost and energy consumption of sensor networks. Many works have been proposed in recent years [3][17][18]. Before data aggregation, sensor nodes are formed into a hierarchical cluster-based tree structure.

In this tree structure, the base station is the root of the tree, and the sensor nodes split into several clusters. Within a cluster, one of the sensor nodes is elected as the aggregator, and the remaining nodes become sensing nodes. The aggregators are formed into a tree structure. Moreover, they can be elected dynamically to balance the power consumption of all the nodes [20]. However, this issue is out of the scope of this paper.

The tree structure is illustrated in Figure 1. Based on the operation of wireless sensor networks, each node measures sensitive data periodically. When data are taken by individual sensing nodes, they need to be collected and processed to output the result of a specific aggregation function, such as MAX/MIN, SUM, AVERAGE, VARIANCE, etc. In order to save the bandwidth and energy of the nodes, one approach is to send the collected data to certain special nodes. More precisely, we refer to these special nodes as the aggregators. The aggregators then apply some arithmetic operation for data aggregation. Next, the aggregators send the partial result to the upper-layer cluster for the next aggregation. Eventually, the partial results are aggregated at the sink (base station). The aggregators can be either more powerful nodes or regular sensor nodes. In this paper, we assume aggregators are elected randomly from the sensor nodes. Hence, the aggregators must require only simple arithmetic operations, such as additions, subtractions or multiplications.

Without considering security, for some statistical measurements like the SUM and AVERAGE aggregation functions, a general method is for a node to simply add up the values received from its child nodes and then forward the partial result to the base station. For aggregation functions like MAX/MIN, we can also process them by the order of the values.

However, the assumption that all sensor nodes are honest is unrealistic in a wireless sensor network. We will discuss how to provide security with data aggregation for WSNs in the next section.

Figure 1. The cluster-based aggregation tree structure.

2.2 Aggregation for Encrypted Data

As mentioned before, data aggregation reduces the amount of communication within wireless sensor networks and lets the procedure run more efficiently. However, if data confidentiality is required, efficient data aggregation becomes a challenge. There are some solutions for providing data privacy within the network. The standard approach to protecting private information is to encrypt the sensitive data with a secret key so that only the legitimate receiver can decrypt it. In wireless sensor networks, sensor nodes encrypt their private data using a unique secret key shared with the base station and then forward the encrypted value to the base station through other nodes. Upon receiving all response messages from the sensor nodes, the base station decrypts all the ciphertexts and then aggregates them according to the specific aggregation function. This kind of solution achieves end-to-end privacy, but has an obvious drawback. Since sensor nodes transmit packets to the base station directly, it increases traffic within the network enormously.

Another solution is called hop-by-hop (HBH) encryption. The general idea of HBH encryption consists of three phases:

1) The bootstrapping phase: In this phase, a secure link is established between a cluster leader (aggregator) and the sensing nodes by using a pair-wise key sharing approach.

2) The data aggregation phase: Within the cluster, child nodes encrypt their readings with the key shared with the aggregator A and send them to A. A decrypts all the received packets and then produces the partial result based on the aggregation function.

3) The data transmission phase: Each aggregator encrypts its calculated result and sends it to the upper-level aggregator. The upper-level aggregator decrypts all the received packets, aggregates them into a new aggregation result and then encrypts it again. Finally, the sink gets the aggregation result of the whole network.

Compared with the first solution, HBH encryption is more efficient. It reduces the communication cost. However, HBH encryption has a serious flaw. It is vulnerable to attackers because the aggregated data is exposed in plaintext at the aggregator. An adversary can easily obtain confidential information when an aggregator is compromised. Another obvious drawback is that it requires three steps for aggregation (decryption, aggregation, and re-encryption), which increases the computation cost.

In order to achieve efficient and secure data aggregation, we propose an end-to-end privacy-preserving aggregation scheme, which holds the advantages of both earlier solutions. At the aggregator, we process encrypted data by using a homomorphic encryption scheme and decrease the communication cost.
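The following added example (not code from the thesis or from Castelluccia et al.) runs the additively homomorphic scheme from the related-work discussion over a two-level cluster tree as described in this section: aggregators add ciphertexts without holding any key, and only the base station decrypts. The per-round key derivation with HMAC-SHA256, the names `round_key` and `run_round`, and the sample readings are assumptions; the second call shows the SUM wrapping when M is chosen too small.

```python
import hashlib
import hmac
import secrets

M = 2**32  # modulus; must exceed the largest possible SUM (assumed bound)

def round_key(master: bytes, epoch: int, modulus: int = M) -> int:
    # Assumption: a fresh k per reporting round, derived with HMAC-SHA256.
    # The page only states that k is drawn at random from {0, ..., M-1}.
    mac = hmac.new(master, epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % modulus

def enc(m: int, k: int, modulus: int = M) -> int:
    return (m + k) % modulus          # c = m + k (mod M)

def dec(c: int, k: int, modulus: int = M) -> int:
    return (c - k) % modulus          # m = c - k (mod M)

def aggregate(ciphertexts, modulus: int = M) -> int:
    # Aggregator: adds ciphertexts only; it holds no key and sees no plaintext.
    return sum(ciphertexts) % modulus

def run_round(readings, masters, epoch: int, modulus: int = M) -> int:
    """readings: {cluster: {node_id: value}}. Returns the SUM the base station recovers."""
    partials = []
    for nodes in readings.values():
        cts = [enc(v, round_key(masters[n], epoch, modulus), modulus)
               for n, v in nodes.items()]
        partials.append(aggregate(cts, modulus))   # cluster aggregator
    total_ct = aggregate(partials, modulus)        # upper-level aggregator
    # Base station: must know exactly which nodes reported to sum their keys.
    key_sum = sum(round_key(masters[n], epoch, modulus)
                  for nodes in readings.values() for n in nodes)
    return dec(total_ct, key_sum, modulus)

# Constructed sample: two clusters of sensor readings (true SUM = 115).
READINGS = {"A": {"n1": 21, "n2": 23, "n3": 22}, "B": {"n4": 30, "n5": 19}}
MASTERS = {n: secrets.token_bytes(16) for c in READINGS.values() for n in c}

if __name__ == "__main__":
    print(run_round(READINGS, MASTERS, epoch=1))              # correct SUM
    print(run_round(READINGS, MASTERS, epoch=1, modulus=64))  # wraps: M too small
```
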
