Secure encrypted-data aggregation for wireless sensor networks




In Wireless Networks, 16:4, May 2010, pp. 915-927. Wireless Netw (2010) 16:915-927, DOI 10.1007/s11276-009-0177-y

Secure encrypted-data aggregation for wireless sensor networks

Shih-I Huang, Shiuhpyng Shieh, J. D. Tygar

Published online: 7 May 2009. © Springer Science+Business Media, LLC 2009

Abstract. This paper proposes a secure encrypted-data aggregation scheme for wireless sensor networks. Our design for data aggregation eliminates redundant sensor readings without using encryption and maintains data secrecy and privacy during transmission. Conventional aggregation functions operate when readings are received in plaintext. If readings are encrypted, aggregation requires decryption, creating extra overhead and key management issues. In contrast to conventional schemes, our proposed scheme provides security and privacy, and duplicate instances of original readings will be aggregated into a single packet. Our scheme is resilient to known-plaintext attacks, chosen-plaintext attacks, ciphertext-only attacks and man-in-the-middle attacks. Our experiments show that our proposed aggregation method significantly reduces communication overhead and can be practically implemented on off-the-shelf sensor platforms.

This work was supported in part by National Science Foundation, ITRI, Chung Shan Institute of Science and Technology, the International Collaboration for Advancing Security Technology (iCAST) and Taiwan Information Security Center (TWISC), under National Science Council grants NSC96-3114-P-001-002-Y and NSC96-2219-E-009-013, respectively.

S.-I. Huang, S. Shieh: Department of Computer Science and Information Engineering, National Chiao Tung University, Hsinchu, Taiwan. e-mail: ssp@cse.nctu.edu.tw
S.-I. Huang (corresponding author): Industrial Technology Research Institute, Hsinchu, Taiwan. e-mail: shuang@cse.nctu.edu.tw
J. D. Tygar: University of California Berkeley, Berkeley, USA. e-mail: doug.tygar@gmail.com

Keywords: Data aggregation; Wireless sensor networks; Secrecy; Privacy

List of symbols
S_i: sensor mote i
g: a one-way function having the following property: g(x ⊕ y) = g(x) ⊕ g(y)
k_i: an encryption key randomly generated by sensor mote i (the key symbols k_i, and k_i' for the next-round key, are restored here; the scan dropped the original glyphs)
[symbol lost]: a verification key used to verify data from sensor mote i

1 Introduction

Wireless Sensor Networks (WSN) have emerged as an important new area in wireless technology. A wireless sensor network [1] is a distributed system interacting with the physical environment. It consists of motes equipped with task-specific sensors to measure the surrounding environment, e.g., temperature, movement, etc. It provides solutions to many challenging problems such as wildlife, battlefield, wildfire, or building safety monitoring. A key component in a WSN is the sensor mote, which contains (a) a simple microprocessor, (b) application-specific sensors, and (c) a wireless transceiver. Each sensor mote is typically powered by batteries, making energy consumption an issue. A major application for a wireless mote is to measure environmental values using embedded sensors, and transmit sensed data to a remote repository or a remote server. Because of limited transmission capabilities, this often requires multi-hop forwarding of messages, and is power consuming. One specific power-saving mechanism used in wireless sensor networks is data aggregation [2–8]. Our paper proposes a novel method for eliminating duplicate encrypted data during aggregation without decryption.

Data aggregation [9–16] has been put forward as an essential paradigm in sensor networks. The aggregator uses specific functions, such as addition, subtraction or exclusive-or, to aggregate incoming readings, and only aggregated results are forwarded [17–23]. Therefore, communication overhead can be reduced by decreasing the number of transmitted packets [24–30]. Without encryption, adversaries can monitor and inject false data into the network. Encryption can solve this problem, but how can we aggregate over encrypted data [31]? Adversaries can use the following attacks:

- Adversaries can deploy sensors near existing sensors to determine their likely value. Adversaries can use common key encryption systems (which always encrypt common sensor data in the same way) to see when two readings are identical. By using nearby sensors under the adversaries' control, adversaries can conduct a known-plaintext attack.
- Adversaries can tamper with sensors to force them to predetermined values (such as heating a temperature sensor) and thus conduct a chosen-plaintext attack.
- Adversaries can inject false readings or resend logged readings from legitimate sensor motes to manipulate the data aggregation process, conducting a man-in-the-middle attack.

Table 1 presents encryption policies, possible attacks, and vulnerabilities in data aggregation schemes.

This paper proposes a new method for determining and eliminating duplicate data while protecting privacy (using encryption) without excessive key-management or power-management issues. Our scheme has the following contributions. First, we provide a lightweight data aggregation mechanism which protects data when data are processed in aggregators. Aggregators can help to eliminate redundant data without decrypting data. Thus, aggregators do not need to spend extra power in data decryption, and more network lifetime can be guaranteed.
Second, our proposed scheme is resilient to known-plaintext attacks, chosen-plaintext attacks, ciphertext-only attacks, and man-in-the-middle attacks.

The rest of the paper is organized as follows: Sect. 2 provides background on related work. In Sect. 3, we describe our system architecture and proposed aggregation protocol. Security analysis and performance evaluation are given in Sect. 5, and Sect. 6 offers conclusions and future directions.

2 Related work

Previous work in data aggregation assumes that every mote is honest and only transmits its correct readings. Intanagonwiwat, Govindan, Estrin, and Heidemann [17] proposed a data-centric diffusion method to aggregate data. Their method enables diffusion to achieve energy savings by selecting empirically good paths and by caching and processing data in-network. Though their method can achieve significant energy savings, security is not put into consideration in their design. Hu and Evans [13] further examined the problem that a single compromised sensor mote can render the network useless, or worse, mislead the operator into trusting a false reading. They proposed an aggregation protocol that is resilient to both intruder devices and single device key compromises, but their scheme suffers from the problem that the aggregated data will be expanded every time it is aggregated and forwarded by any intermediate sensor mote. Przydatek et al. [30] proposed a secure information aggregation protocol to answer queries over the data acquired by the sensors. In particular, their proposed protocols are designed especially for secure computation of the median and the average of the measurements, for the estimation of the network size and for finding the minimum and maximum sensor reading. Even though their scheme provided data authentication to provide secrecy, the data is still delivered in plaintext format, which provides no privacy during transmission.

Table 1 Encryption policies, attacks and vulnerabilities in data aggregation schemes

Encryption policy | Possible attacks | Secrecy | Privacy | Data aggregation
Sensors transmit readings without encryption | Man-in-the-middle | No | No | Generating wrong aggregated results
Sensors transmit encrypted readings with permanent keys | Known-plaintext attack; chosen-plaintext attack; man-in-the-middle | Yes | No | Data aggregation cannot be achieved when data are encrypted unless the aggregator has encryption keys
Sensors transmit encrypted readings with dynamic keys | None of above | Yes | Yes | Data aggregation cannot be achieved when data are encrypted unless the aggregator has encryption keys

Wagner [14] presented a paper studying related attacks on data aggregation in sensor networks. He thoroughly examined current aggregation functions and proved that these aggregation functions are vulnerable and insecure under several attacks. He also proposed a theoretical framework for evaluating data aggregation resiliently in sensor networks and its security against these attacks. Still, privacy is not guaranteed in his scheme. Acharya and Girao [2] proposed an end-to-end encryption algorithm supporting operations over ciphertexts for wireless sensor networks. Their scheme uses a special class of encryption functions, Privacy Homomorphisms (PH) [32–35, 16], that allow end-to-end encryption and provide aggregation functions that are applied to ciphertexts. PH is an encryption transformation that allows direct computations on encrypted data. Two functions E and D are additively homomorphic encryption and decryption if the following property is satisfied: for plaintext operands x and y and key k,

$x + y = D_k(E_k(x) + E_k(y)).$

However, privacy homomorphisms have an exponential bound in computation. It is too computationally expensive to implement in wireless sensor networks. Moreover, it has been proved that privacy homomorphism is insecure even against ciphertext-only attacks, which are commonly encountered in wireless sensor networks. Cam et al. [6] proposed a secure energy-efficient data aggregation (ESPDA) to prevent redundant data transmission in data aggregation. Unlike conventional techniques, their scheme prevents the redundant transmission from sensor motes to the aggregator. Before transmitting sensed data, each sensor transmits a secure pattern to the aggregator. The secure pattern is generated by associating original data with a random number. Instead of transmitting real data, the sensor mote transmits the secure pattern to the cluster-head before transmitting it. The cluster-head then uses these secure patterns to check which sensors have the same readings. Then, the cluster-head notifies certain sensor motes to transmit their data. Only sensors with different data are allowed to transmit their data to the cluster-head. However, since each sensor at least needs to transmit a packet containing a pattern once, power cannot be significantly saved. In addition, each sensor mote uses a fixed encryption key to encrypt data; data privacy cannot be maintained in their scheme. Perrig and Tygar [36] proposed several secure broadcast schemes suitable for wireless sensor networks. The computation overhead for their schemes is affordable for tiny sensor motes. They proposed a hashed key-chain scheme to sequentially generate encryption/decryption keys for sensor motes without notifying others. Przydatek, Song and Perrig [30] further extended these schemes and proposed a secure data aggregation scheme for sensor networks. Their scheme provided efficient random sampling mechanisms and interactive proofs to enable the querier to verify that the answer given by the aggregator is a good approximation of the true value, even when the aggregator and some sensor motes were compromised.

3 Problem statement and proposed data aggregation

Data aggregation uses primitive functions, such as mean, average, addition, subtraction, and exclusive-or, to eliminate identical readings, and only unique results are forwarded, reducing the cost of data transmission. Figure 1 depicts an overview of the data aggregation flow.

Fig. 1 Conventional data aggregation process

3.1 Proposed data aggregation method

3.1.1 Architecture

There are two commonly used network topologies in sensor networks. One is the self-organized sensor network (Fig. 2). A self-organized network is a multi-hop, temporary autonomous system composed of sensor motes with wireless transmission capability. It is easy to form such networks, but every mote in such networks consumes significant amounts of power in data transmission, as each node must spend power to transmit/forward data to other sensor nodes because of the dynamic network topology. The other network topology is the clustered sensor network (Fig. 3). In this architecture, the entire network is partitioned into non-overlapping clusters. Each cluster has an aggregator (or cluster head) to receive readings from other sensor motes and to forward these readings to the remote server. To extend operation lifetime, we choose the clustered topology as our network architecture [29]. In a clustered sensor network, each mote temporarily belongs to a cluster, and sensors in this cluster will receive and forward data for sensors in the same cluster. Since a mote only transmits data for several motes instead of all motes, it can obviously reduce its power consumption for data transmission. In a clustered WSN, we assume the network is divided into clusters. Each cluster owns an aggregator having a more powerful wireless transceiver that can transmit data directly to the backend server. In our framework, we also assume each sensor transmits data only to the aggregator; hence, each sensor mote can reduce overhead in forwarding data packets. We also assume sensor motes have no mobility, i.e., they are fixed in a position and will never be moved. The question of how to best deploy sensor motes and how to cluster these sensor motes is interesting to consider but is beyond the scope of this paper.

Fig. 2 Self-organized WSN architecture and its data aggregation flow
Fig. 3 A clustered sensor network topology

Using a clustered network to reduce power consumption, we propose a data aggregation method which maintains both secrecy and privacy. In terms of secrecy, each sensor mote encrypts its reading and transmits the encrypted data to the aggregator (Fig. 4). Adversaries will not be able to recognize what reading it is during data transmission. In terms of privacy, our design aims to eliminate redundant readings for data aggregation, but these readings remain secret to the aggregator, i.e., the aggregator cannot know anything about these readings. Besides, our design can also prevent known-plaintext attacks, chosen-plaintext attacks and ciphertext-only attacks.

Fig. 4 Encrypted-data aggregation

3.1.2 System setup

Before deploying a wireless sensor network, we have to set up three roles: the sensor mote, the aggregator, and the remote database.

1. The sensor mote: each sensor mote S_i is assigned the one-way function g and a verification key.
2. The aggregator: the aggregator is given the one-way function g, and all k_i ⊕ k_{i+1} ∀i. Hereafter, these keys are referred to as aggregation verification keys.
3. The remote database: the remote database needs to decrypt aggregated data, and thus we need to store the one-way hash function f, the one-way function g, and the verification key k_i for all i.

Necessary keys, identities, and functions are pre-distributed in the sensor mote, the aggregator, and the remote database before they are physically deployed and used. Table 2 lists all pre-installed elements in individual roles. Key pre-distribution is a scheme where keys are distributed among all sensor motes prior to deployment. Our proposed key pre-distribution scheme does not rely on prior deployment knowledge. Sensor motes are installed with random keys for encryption. These encryption keys have no mandatory relations between each other, and this makes system setup more flexible. Random keys can be generated by using random sources of data, such as values based on CPU clock, radioactive decay, or atmospheric noise. The question of how to generate random numbers is interesting to consider but is beyond the scope of this paper.

Table 2 Pre-installed elements in three roles

Role | Pre-installed elements
The sensor mote | SID_i, g, and k_i
The aggregator | g, and k_i ⊕ k_{i+1} ∀i
The remote server | g, k_i ∀i, and f

3.1.3 Proposed scheme

There are two phases in our proposed scheme: the data encryption phase and the data aggregation phase. The encryption phase provides a lightweight encryption algorithm that supports the data aggregation property, and provides secrecy and privacy for data transmission. The data aggregation phase provides a method to eliminate redundant readings from sensor motes without decrypting them. Since the aggregator cannot decrypt incoming packets, the aggregator cannot know anything about the plaintext, and therefore more power can be saved.

Data encryption phase. Our encryption design aims to provide lightweight encryption overhead and secrecy while providing the data aggregation property. When a sensor mote S_i has a reading m_i and wishes to transmit this reading to the aggregator, it first randomly generates a new key k_i', which will be used as the next-round encryption key. By using g, the corresponding ciphertext E_i(m_i) is defined in Eq. 1:

$E_i(m_i) = (m_i \oplus g(k_i)) \,\|\, (k_i \oplus k_i'), \quad (1)$

where ∥ indicates data concatenation. Our proposed scheme is very close to the one-time pad method [37], as each mote changes to a different key for encrypting data, but provides more capabilities. It is obvious that the length of data is required to be at least as long as the length of the encryption key in our proposed scheme. When the length of data is shorter than the length of the key, extra padding must be appended to the data so that the padded data can be encrypted. As the message m_i is XORed with g(k_i), it does not matter if we pad random values or fixed values (e.g., all 0s or 1s). It does not reduce any security strength in our scheme. Next, we will introduce how to find redundant readings among these ciphertexts without decrypting them in our data aggregation phase.

Data aggregation phase. Our data aggregation method provides a pair-wise method to identify if two readings are identical. Although the goal of our data aggregation scheme is to find redundant readings among n incoming encrypted packets in the aggregator, our aggregation scheme can be further extended by pairing off these n incoming encrypted packets. By iteratively performing pair-wise comparisons we can eliminate all redundant readings among them. If n identical readings are encrypted and transmitted to the aggregator, the aggregator needs to check n − 1 times to verify these inputs and saves n − 1 packet transmissions. It needs computation overhead for data aggregation but saves more energy from fewer data transmissions.

In the following section, first we will introduce our approach to find redundant readings in two packets; then, we will introduce how to extend our approach to find redundant readings among n packets. Assume sensor motes S_i and S_j send two encrypted readings to the aggregator, and these encrypted readings can be expressed by the following equations:

$E_i(m_i) = (m_i \oplus g(k_i)) \,\|\, (k_i \oplus k_i'), \quad (2)$
$E_j(m_j) = (m_j \oplus g(k_j)) \,\|\, (k_j \oplus k_j'). \quad (3)$

First, the aggregator XORs the first parts of these two ciphertexts, which can be expressed by the following equation:

$m_i \oplus g(k_i) \oplus m_j \oplus g(k_j). \quad (4)$

Next, since the aggregator is pre-installed with k_i ⊕ k_{i+1} ∀i, k_i ⊕ k_j can be obtained by (k_i ⊕ k_{i+1}) ⊕ (k_{i+1} ⊕ k_{i+2}) ⊕ ... ⊕ (k_{j−1} ⊕ k_j); the aggregator can XOR the last two parts of Eqs. 2 and 3 with this value to obtain:

$(k_i \oplus k_i') \oplus (k_j \oplus k_j') \oplus (k_i \oplus k_j) = k_i' \oplus k_j'. \quad (5)$

It can be found that the aggregator can use E_i(m_i) and E_j(m_j) to retrieve k_i' ⊕ k_j' but cannot retrieve k_i' or k_j' separately; therefore, the aggregator cannot decrypt E_i(m_i) and E_j(m_j). Next, we define a check value V, and V is calculated by XORing Eq. 4 with g(k_i ⊕ k_j). The check value is used to distinguish if two encrypted readings are redundant in their plaintext format. As a result, the check value V can be expressed by the following equation:

$V(i,j) = m_i \oplus g(k_i) \oplus m_j \oplus g(k_j) \oplus g(k_i \oplus k_j). \quad (6)$

By using the properties of function g, Eq. 6 can be further reduced to:

$V(i,j) = m_i \oplus g(k_i) \oplus m_j \oplus g(k_j) \oplus g(k_i) \oplus g(k_j) = m_i \oplus m_j. \quad (7)$

It is easily observed that if m_i is equal to m_j, V(i,j) = m_i ⊕ m_j = 0, and vice versa. We can formally describe V(i,j) by the following equations:

$V(i,j) = 0 \Rightarrow m_i = m_j; \quad V(i,j) \neq 0 \text{ otherwise}. \quad (8)$

Figure 5 depicts the data aggregation phase. If these two readings are the same, the aggregator just needs to send either E_i(m_i) or E_j(m_j) to the remote server. If these two readings are different, the aggregator then sends E_i(m_i) ∥ E_j(m_j) to the remote server. Since the remote server is pre-installed with the verification key k_i, the remote server can therefore use k_i to obtain k_i' by:

$k_i' = (k_i \oplus k_i') \oplus k_i.$

Then, the original data m_i can be recovered by:

$m_i = (m_i \oplus g(k_i)) \oplus g(k_i).$

In the above case, the aggregator only needs to examine two incoming ciphertexts, but in general cases, the aggregator usually receives more than two incoming ciphertexts. When the aggregator receives n (n > 2) incoming ciphertexts (E_1, E_2, ..., E_n), our proposed scheme can be easily extended. First, we group these ciphertexts into pairs, i.e., (E_i, E_j) ∀i, j. Then, we can repeat the above steps to generate their check value V(i,j). Next, we can use V(i,j) to check if E_i has the same reading as E_j. Finally, if V(1,2) = V(2,3) = ··· = V(n−1,n) = 0, then we can conclude that E_1, E_2, ..., E_n have the same reading. Figure 6 depicts the necessary comparisons for data aggregation when n = 5.

Fig. 5 Data aggregation phase (S_i and S_j send E_i(m_i) and E_j(m_j) to the aggregator; step 1 derives k_i ⊕ k_j from the aggregation verification keys, step 2 computes V(i,j) = m_i ⊕ m_j)
Fig. 6 Data aggregation verification steps for n = 5
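The pairwise check of Sect. 3.1.3 and its n-way extension, as an added example that is not the paper's code: g is modelled as a fixed XOR-linear map (any g with g(x ⊕ y) = g(x) ⊕ g(y) is linear over GF(2), so such a g is not one-way in the cryptographic sense, a point to weigh against the paper's one-wayness assumption), and the bit width, key values and readings are constructed for the demonstration.

```python
"""Toy model of the paper's encrypted-data aggregation (added example, not the
authors' code). Readings and keys are W-bit integers; g is a fixed XOR-linear
map so that g(x ^ y) == g(x) ^ g(y) holds, the property the scheme relies on."""
import secrets

W = 64                      # bit width of readings and keys (constructed)
MASK = (1 << W) - 1


def rotl(x: int, r: int) -> int:
    """Rotate a W-bit value left by r bits (XOR-linear)."""
    return ((x << r) | (x >> (W - r))) & MASK


def g(x: int) -> int:
    """XOR-homomorphic mixing function (a GF(2)-linear map, our assumption)."""
    return x ^ rotl(x, 13) ^ rotl(x, 41)


def encrypt(m: int, k: int, k_next: int) -> tuple:
    """Eq. (1): (m_i XOR g(k_i)) || (k_i XOR k_i'), k_i' being the next-round key."""
    return (m ^ g(k), k ^ k_next)


def decrypt(ct: tuple, k: int) -> tuple:
    """Remote server: recover m_i with k_i and learn the next-round key k_i'."""
    return (ct[0] ^ g(k), ct[1] ^ k)


class Aggregator:
    """Holds only g and the chain k_t XOR k_{t+1}; never a key or a reading."""

    def __init__(self, chain):
        self.chain = list(chain)          # chain[t] = k_t XOR k_{t+1}

    def key_xor(self, i: int, j: int) -> int:
        """k_i XOR k_j from the chain links between i and j (i < j)."""
        v = 0
        for t in range(i, j):
            v ^= self.chain[t]
        return v

    def check(self, cts, i: int, j: int) -> int:
        """Eqs. (6)-(8): V(i,j) = m_i XOR m_j, computed without any key."""
        return cts[i][0] ^ cts[j][0] ^ g(self.key_xor(i, j))

    def aggregate(self, cts):
        """Return (indices of distinct readings, number of comparisons).
        Each ciphertext is checked against one representative of every
        distinct reading seen so far: n-1 comparisons when all readings are
        equal, n(n-1)/2 when all differ, matching the paper's bounds."""
        reps, comparisons = [], 0
        for j in range(len(cts)):
            for i in reps:
                comparisons += 1
                if self.check(cts, i, j) == 0:    # duplicate of reading i
                    break
            else:
                reps.append(j)                   # new distinct reading
        return reps, comparisons

    def advance_round(self, cts):
        """Eq. (5): XOR-ing two second parts with the old link gives
        k_t' XOR k_{t+1}' (never a key itself); refresh the chain with it."""
        for t in range(len(self.chain)):
            self.chain[t] ^= cts[t][1] ^ cts[t + 1][1]


def run_round(readings, keys, next_keys):
    """One round: motes encrypt, the aggregator de-duplicates blindly, the
    server decrypts the forwarded packets, the aggregator rotates its chain."""
    cts = [encrypt(m, k, kn) for m, k, kn in zip(readings, keys, next_keys)]
    agg = Aggregator(keys[t] ^ keys[t + 1] for t in range(len(keys) - 1))
    reps, comparisons = agg.aggregate(cts)
    recovered = [decrypt(cts[i], keys[i]) for i in reps]   # server side
    agg.advance_round(cts)
    chain_ok = agg.chain == [next_keys[t] ^ next_keys[t + 1]
                             for t in range(len(keys) - 1)]
    return {"reps": reps, "comparisons": comparisons,
            "readings": [m for m, _ in recovered],
            "next_keys": [kn for _, kn in recovered],
            "chain_ok": chain_ok}


if __name__ == "__main__":
    n = 5                                   # the Fig. 3 layout: x x x y y
    keys = [secrets.randbits(W) for _ in range(n)]
    nxt = [secrets.randbits(W) for _ in range(n)]
    print(run_round([0x2A, 0x2A, 0x2A, 0x3B, 0x3B], keys, nxt))
```

With readings x, x, x, y, y the aggregator forwards two packets after five comparisons and ends the round holding the refreshed chain k_t' ⊕ k_{t+1}', still without any single key.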

Wreless Netw (2010) 16:915 927 921 these comparsons can be vewed as all edges n a complete graph, and we wll dscuss ths property n next secton. Prelmnares: When the aggregator receves n encrypted readngs, the mnmum number of comparsons s n - 1 under the condton that all these readngs (when unencrypted) are the same. The maxmum number of comparsons s nðn1þ 2 when all these readngs (when unencrypted) are totally dfferent from each other. 4 Threat models The goals of the adversares are to read, nsert, and even modfy sensor readngs. We consder several possble threats, classfed accordng to the capabltes of the adversares. 4.1 nown-plantext attacks To mplement known-plantext attacks, no capabltes are need except the ablty to deploy malcous sensors close to legtmate sensors. In ths scenaro, an adversary can Collect all readngs from all sensors, calculated aggregated values, know ther routng paths, and nect wrong readngs or aggregated values to the network. Collect abundant encrypted readngs to enhance the compromse of encrypton keys. In practce, known-plantext attacks can be easly acheved by deployng same sensor very close to legtmate sensors. The goal of these attacks s merely to read readngs and to record correspondng responses of a sensor mote. 4.2 Chosen-plantext attacks Adust the sensors by changng physcal condtons, such as temperature or mosture. Log all plantext-cphertext mappngs wthout knowng what the encrypton keys are. In practce, adversares can take some physcal methods to adust the sensng envronment n order to make sensor motes generate false readngs the adversares desred. For example, adversares can use heaters to rase the temperature to a certan degree, and temperature sensors wll send the false temperature readngs makng the aggregators generate ncorrect results. 4.3 Man-n-the-mddle attacks Read, nsert, or modfy messages between sensor motes. Inect false readngs or resend logged readngs on behalf of legtmate sensor motes to malfuncton data aggregaton. 
Sgnfcantly, we assume that an adversary cannot retreve encrypton keys from a sensor mote by physcally compromsng t. Otherwse, there wll be no securty at all. 5 Securty analyss and performance evaluaton In ths secton, we evaluate our proposed scheme accordng to two aspects: theoretcal and practcal. In theoretcal aspect, we use random oracle model to ustfy our protocol s secure n terms of provable securty. We frstly bult an deal random oracle model and show that our proposed encrypton algorthm s an mplementaton of the deal random oracle. Then, we use the random oracle model to ustfy that t can resst know-cphertext attacks. In practcal aspect, we estmate necessary tme for compromsng our proposed scheme usng dfferent key lengths. The result shows that usng encrypton keys longer than 80 bts would be consderable secure enough even f the adversary uses 1,000,000 4 GHz PCs runnng smultaneously to compromse our scheme. Then, we show that our proposed scheme can resst known-plantext attacks, chose-plantext attacks, and know-cphertext attacks. Before we proceed to theoretcal proof, we frst descrbe the securty requrement specfyng the adversary s abltes and when the latter s consdered successful. The abltes and dsabltes of the adversary nclude: The adversary has an arbtrary polynomal-tme computaton power. The adversary can eavesdrop on messages n the ar. The adversary can know the orgnal readngs of any sensor. The adversary cannot access the encrypton keys. An attack s consdered to be successful f the adversary can compromse the encrypton keys. In terms of system securty, we adopt the dea n [38]. A system s consdered secure f any adversary wth the gven abltes has only a neglgble probablty of success. A random oracle s a theoretcal black box that reples to queres wth random response chosen unformly n ts output doman. A methodology for desgnng a cryptographc protocol can be dvded nto two steps. 
922 Wireless Netw (2010) 16:915–927

In the first step, one designs an ideal system in which all participants as well as adversaries have oracle access to a truly random function, and proves the security of the ideal system. In the second step, we replace the random oracle by a good cryptographic hashing function. We can therefore obtain an implementation of the ideal system in a real world where random oracles do not exist. This methodology is referred to as the random oracle methodology.

Before we build our ideal system, we first describe the notation.

$\{0,1\}^*$: the space of finite binary strings
$\{0,1\}^\infty$: the space of infinite binary strings
$G : \{0,1\}^* \to \{0,1\}^\infty$: a random generator
$f$: a trapdoor permutation with inverse $f^{-1}$
$k$: the security parameter
$H : \{0,1\}^* \to \{0,1\}^*$: a random hash function
$G(r) \oplus x$: the bitwise XOR of $x$ with the first $|x|$ bits of the output of $G(r)$

5.1 Preliminaries

Definition A function $\varepsilon(k)$ is negligible if for every $c$ there exists a $k_c$ satisfying $\varepsilon(k) \le k^{-c}$ for every $k \ge k_c$.

Definition If $A^P$ is a probabilistic algorithm, then for any inputs $m_1, m_2, \ldots$, $A^P(m_1, m_2, \ldots)$ is the probability space which to the string $r$ assigns the probability that $A^P$ outputs $r$. For probability spaces $S, T, \ldots$, $\Pr[x \leftarrow S;\ y \leftarrow T;\ \ldots : p(x, y, \ldots)]$ denotes the probability that the predicate $p(x, y, \ldots)$ is true after the execution of the algorithms $x \leftarrow S$, $y \leftarrow T$, etc.

Definition A random oracle $R$ is a map from $\{0,1\}^*$ to $\{0,1\}^\infty$ chosen by selecting each bit of $R(x)$ uniformly for every $x$.

Without loss of generality, our proposed scheme can be formulated as the following oracle:

$$E^G_r(m) = m \oplus G(r) \,\|\, f_k(r) \qquad (9)$$

5.2 Known-plaintext security

For known-plaintext attacks, the adversary knows some $m_i$, and $\Pr[\text{the attacker successfully guesses } G(r_1)]$ can be described as $\Pr[r_1 \leftarrow G(r)] = 1/2^{|r_1|} \approx 0$ when $|r_1|$ is large enough. We suggest that $|r_1| \ge 88$ is adequate, and a mathematical induction will be given later.

5.3 Chosen-plaintext security

We adapt the notion of CP-adversary (chosen-plaintext adversary) in [39] to the random oracle model. A CP-adversary $A$ is a pair of non-uniform polynomial algorithms $(F, A_1)$, each with access to an oracle. For an encryption scheme $\Pi$ to be secure, it is required that

$$\Pr[\text{Chosen Plaintext Fails}] = \Pr\big[R \leftarrow 2^\infty;\ (E, D) \leftarrow \Pi(1^k);\ (m_0, m_1) \leftarrow F^R(E);\ b \leftarrow \{0,1\};\ \alpha \leftarrow E^R(m_b) : A_1^R(E, m_0, m_1, \alpha) = b\big] \le 0.5 + k^{-\omega(1)} \qquad (10)$$

Proof The proof is by contradiction. Let $A = (F, A_1)$ be an adversary that defeats our protocol.
Often, the adversary gains advantage $\kappa(k)$ for some inverse polynomial $\kappa$. We construct an algorithm $M(f, d, y)$ that, when $(f, f^{-1}, d) \leftarrow \Pi(1^k);\ r \leftarrow d(1^k);\ y \leftarrow f(r)$, manages to compute $f^{-1}(y)$. It simulates the oracle $G$ and samples $(m_0, m_1) \leftarrow F^G(E)$. If $G$ is asked an $r$ such that $f(r) = y$, then $M$ outputs $r$ and halts; otherwise, $F(E)$ terminates and $M$ chooses $\alpha \leftarrow y \,\|\, s$ for $s \leftarrow \{0,1\}^{|m_0|}$. Then $M$ simulates $A_1^G(E, m_0, m_1, \alpha)$, watching the oracle queries that $A_1$ makes to see if there is any oracle query $r$ for which $f(r) = y$. Let $A_k$ be the event that $A_1$ does not ask for the image of $G$ at $r$. It satisfies that

$$\tfrac{1}{2} + \kappa(k) = \Pr[A \text{ succeeds} \mid A_k]\,\Pr[A_k] + \Pr[A \text{ succeeds} \mid \overline{A_k}]\,\Pr[\overline{A_k}].$$

Thus, Eq. 10 is satisfied.

5.4 Chosen-ciphertext security

The chosen-ciphertext attack is defined as follows: the adversary can adaptively choose ciphertexts and access the decryption algorithm to get the corresponding plaintexts. Though it usually occurs in asymmetric cryptographic systems, it can also happen in our scheme, as the adversary can know both ciphertexts and plaintexts (by using the same sensors) at the same time. We adapt the definition of [39, 40] to the random oracle [38] setting. An RS-adversary ("Rackoff-Simon adversary") $A$ is a pair of non-uniform algorithms $A = (F, A_1)$, each with access to an oracle $R$ and a black-box implementation of $D^R$. The algorithm $F$ is used to generate two messages $m_0$ and $m_1$ such that if $A_1$ is given the encryption $\alpha$, $A_1$ won't be able to guess well whether $\alpha$ comes from $m_0$ or $m_1$. Formally, an encryption scheme $\Pi$ is secure against RS-attack if the following equation is satisfied:

$$\Pr[\text{Chosen Ciphertext Fails}] = \Pr\big[R \leftarrow 2^\infty;\ (E, D) \leftarrow \Pi(1^k);\ (m_0, m_1) \leftarrow F^{R, D^R}(E);\ b \leftarrow \{0,1\};\ \alpha \leftarrow E^R(m_b) : A_1^{R, D^R}(E, m_0, m_1, \alpha) = b\big] \le 0.5 + k^{-\omega(1)} \qquad (11)$$

Proof To see that our scheme is secure against chosen-ciphertext attacks, we prove that the above equation is satisfied. Let $A_k$ denote the event that $\alpha \,\|\, \beta \leftarrow F(E)$ for some $\alpha$ and $\beta$. Let $A = (F, A_1)$ be an RS-adversary that succeeds with probability $\tfrac{1}{2} + \kappa(k)$ for some non-negligible function $\kappa(k)$.
The adversary $A$ can make some oracle call of $G(r_1)$ or $H(G(r_1))$. Let $L_k$ denote the event that $A_1$ asked $D^{G,H}$ some queries where $\alpha = m \oplus f^{-1}(r_1) \,\|\, H(f^{-1}(r_1))$, but $A_1$ never asked its $H$-oracle for $H(f^{-1}(r_1))$. Let $n(k)$ denote the total number of oracle queries made. It is easy to see that $\Pr[L_k] \le n(k)\,2^{-k}$ and $\Pr[A \text{ succeeds} \mid \overline{L_k} \cap \overline{A_k}] = 0.5$ according to [39]. Thus $\Pr[A \text{ succeeds}] = \Pr[\text{Chosen Ciphertext Attack succeeds}] = \tfrac{1}{2} + \kappa(k)$ is bounded above by

$$\Pr[A \text{ succeeds} \mid L_k]\,\Pr[L_k] + \Pr[A \text{ succeeds} \mid \overline{L_k} \cap A_k]\,\Pr[\overline{L_k} \cap A_k] + \Pr[A \text{ succeeds} \mid \overline{L_k} \cap \overline{A_k}]\,\Pr[\overline{L_k} \cap \overline{A_k}] \le n(k)\,2^{-k} + \Pr[A_k] + \tfrac{1}{2}.$$

Therefore, our proposed scheme satisfies Eq. 11, and is chosen-ciphertext-attack resistant.

In the practical aspect, we evaluate the difficulty of brute-forcing our proposed scheme. To brute force our proposed scheme, the adversary first needs to spend time generating all possible keys and testing the result with every possible key. We assume that the adversary can generate an encryption key and test the result in one duty cycle, that our proposed scheme uses $r$-bit keys to encrypt data, and that the adversary uses a $g$ GHz PC to brute force our proposed scheme. To completely test all possibilities by exhaustive search, the adversary would need to spend

$$\frac{2^r\ (\text{cycles})}{g \times 10{,}000{,}000 \times 86400 \times 365}\ \text{years}$$

to compromise our scheme. Assume the adversary uses a 4 GHz PC to brute force our scheme, which uses a 64-bit encryption key; the adversary needs to generate all $2^{64}$ keys and use these keys to test the result. If we assume that the adversary can test our encryption scheme within one duty cycle, the total computation time to test all $2^{64}$ keys is $2^{64}/4G/86400/365 \approx 14{,}624$ years. However, the adversary can use more PCs simultaneously to compromise our algorithm. If the adversary uses 1,000,000 PCs running simultaneously to compromise our scheme, the total computation time to test all conditions is $2^{64}/4G/86400/365/1M \approx 0.01$ years. In this case, it takes about 3–4 days to compromise our scheme, which is unacceptably insecure. Table 3 lists the estimated time to brute force our proposed scheme with different key lengths. To maintain acceptable security while using a minimal key length, we suggest using 80-bit keys to encrypt data, as the adversaries need about 958 years to compromise our scheme even if they use 1,000,000 PCs to attack our scheme in parallel.
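The exhaustive-search estimate above, as an added example that is not code from the paper: it evaluates the page's cost model for any key length, fleet size and clock rate, and inverts it to find the smallest key length that meets a survival target, which is the design question the 80-bit recommendation answers. One parameter is my own and not from the page: `cycles_per_ghz`. The page's formula counts 10,000,000 cycles per "G" (that constant is what reproduces the 14,624-year entry of Table 3), whereas 1 GHz is 10^9 cycles per second; the default here is 10^9, and the page's constant is passed explicitly where Table 3 is rebuilt. The function names are mine.

```python
"""Added example (not the paper's code): exhaustive-search cost of an r-bit key.

Cost model from the page: one key generated and tested per clock cycle, `pcs`
machines at `ghz` GHz working in parallel, all 2**r keys tried.  `cycles_per_ghz`
is my parameter: 1 GHz is 10**9 cycles/s (default); the page's formula and its
Table 3 use 10**7 per "G", so that value is passed explicitly to reproduce them.
"""

SECONDS_PER_YEAR = 86400 * 365


def years_to_exhaust(key_bits: int, ghz: float = 4, pcs: int = 1,
                     cycles_per_ghz: int = 10**9) -> float:
    """Years needed to try every one of the 2**key_bits keys (the attacker's worst case)."""
    tests_per_second = ghz * cycles_per_ghz * pcs
    return 2**key_bits / tests_per_second / SECONDS_PER_YEAR


def minimal_key_bits(target_years: float, **attacker) -> int:
    """Smallest key length whose exhaustive search lasts at least `target_years`
    under the attacker model given by the keyword arguments of years_to_exhaust."""
    bits = 1
    while years_to_exhaust(bits, **attacker) < target_years:
        bits += 1
    return bits


def table3(cycles_per_ghz: int = 10**7) -> dict[int, list[float]]:
    """Rebuild the page's Table 3 (years, 4 GHz PCs) for fleets of 1, 10**4, 10**5, 10**6.
    With the page's 10**7 constant the 64-bit and 80-bit rows match the printed values."""
    fleets = (1, 10_000, 100_000, 1_000_000)
    return {bits: [round(years_to_exhaust(bits, 4, n, cycles_per_ghz), 2) for n in fleets]
            for bits in (64, 72, 80, 88)}


if __name__ == "__main__":
    for bits, row in table3().items():
        print(f"{bits:3d} bits, page constant (1e7/s per G): {row}")
    for bits, row in table3(10**9).items():
        print(f"{bits:3d} bits, 1 GHz = 1e9 cycles/s:        {row}")
    print("min key bits for >= 100 years against 1M PCs at 4 GHz:",
          minimal_key_bits(100, ghz=4, pcs=1_000_000))
```

Re-running the table with the physical clock rate shortens every entry by a factor of 100, which is worth knowing before quoting the 958-year figure for 80-bit keys; the inverse function gives the key length a target actually requires under either constant.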
Moreover, using longer encryption keys can dramatically increase the difficulty of compromising our scheme, as it exponentially expands the key space, which makes adversaries spend more time brute-forcing the proposed scheme. Figure 7 illustrates the growth rate of the key size ($2^r$) and the growth rate ($g$) of PCs.

[Fig. 7 The growth rate of key size ($2^r$) and the growth rate ($g$) of PCs. Axes: key size versus number of PCs (1 to 10).]

Table 3 Estimated time (years) to brute force our proposed scheme with different key lengths

Key length | One 4 GHz PC | 10,000 4 GHz PCs | 100,000 4 GHz PCs | 1 M 4 GHz PCs
64 bits | 14624 | 1.5 | 0.15 | 0.01
72 bits | 374363 | 374.4 | 37.4 | 3.74
80 bits | 958369660 | 95837 | 9583.7 | 958.37
88 bits | 2.45E+11 | 24534263 | 2453426.3 | 245342.6

Assume the adversary knows a sensor reading $m_i$ and the corresponding ciphertext $E(m_i) = m_i \oplus g(k_i)$; the adversary can therefore know $g(k_i)$ and $X$. Without knowing $k_i$ in advance, the adversary cannot compromise $k_i$. Furthermore, since the encryption keys will be arbitrarily changed, our scheme can hence resist known-plaintext attacks. Even if the adversary can generate designated data $m_i$ to confuse sensor motes, the adversary still cannot learn anything about the encryption keys. Therefore, our scheme can resist known-ciphertext attacks and chosen-ciphertext attacks.

One workload we have to pay is the number of comparisons it takes to verify encrypted data from $n$ motes. Our proposed scheme can reduce the number of comparisons as it has a transitive property. The transitive property is described as: given $E_h(m_h)$, $E_i(m_i)$, and $E_j(m_j)$, if $V(h,i) = 0$ and $V(i,j) = 0$, then $V(h,j) = 0$. This is simple to prove. If $V(h,i) = 0$ and $V(i,j) = 0$, then $m_h = m_i$ and $m_i = m_j$. It can therefore easily be seen that $m_h = m_i = m_j$. With this transitive property, if all readings are the same, the minimum number of comparisons for verifying data from $n$ sensor motes is $n - 1$. And, according to Fig. 6, the maximum number of comparisons for verifying data from $n$ sensor motes is equal to the number of edges in an $n$-complete graph, which is $n(n-1)/2$. It is shown in Fig. 8 that our computation bound is limited between $O(n)$ and $O(n^2)$, and this can be affordable for off-the-shelf sensor platforms.

[Fig. 8 The number of comparisons for verifying $n$ encrypted data: $n(n-1)/2$ plotted for $n = 1, \ldots, 10$.]

In comparison with other schemes, our encryption algorithm uses XOR and a hash function. Our encryption algorithm is more lightweight. Our proposed encryption algorithm changes its encryption key whenever there is a reading that needs to be transmitted. This makes our scheme more feasible for wireless sensor networks. Table 4 lists the differences between our scheme and other schemes.

Key Compromise One major issue in our scheme is the key compromise problem. As the aggregator stores $k_i \oplus k_{i+1}\ \forall i$, once an encryption key $k_i$ has been compromised, all other encryption keys $k_j\ \forall j \ne i$ will be compromised. Therefore, the aggregator must have stronger security protection than sensor motes. One way to enhance the hardware security strength in the aggregator is to install a TPM (Trusted Platform Module) chip inside the sensor mote, and all paired encryption keys $k_i \oplus k_{i+1}$, $i = 1, \ldots, n-1$, are stored inside the TPM. It can significantly reduce the possibility that adversaries compromise the aggregators.

Data Size Variation Here we discuss the storage requirement when the length of the data is increased. When the length of the data is increased, the encryption key must be increased correspondingly. Assume the length of the data is increased by $l'$; the length of the key will also increase by $l'$ bits. As each sensor mote stores only $k_i$, it requires $l'$ more bits to store the encryption key. For the aggregator, as it stores all paired encryption keys $k_i \oplus k_{i+1}\ \forall i$, it requires $h \cdot l'$ more bits, where $h$ is the number of sensor motes in the cluster. It can be seen that when the length of the data is increased linearly, the storage requirement for storing keys also increases linearly.

Efficiency Here we discuss the efficiency gained from our proposed scheme.
Our proposed scheme saves power by eliminating redundant packets. Thus, the more packets are eliminated, the more power can be saved. As we mentioned earlier, the minimum number of comparisons is $n-1$ under the condition that all these readings (when unencrypted) are the same, and the maximum number of comparisons is $n(n-1)/2$. For the best case, it reduces $n-1$ packet transmissions. For the worst case, it does not reduce any packet transmission overhead. For the average case, assume that there are $n$ packets in total and $m$ of them are the same; the number of comparisons is $(m-1) + (n-m)(n-m-1)/2$. It reduces $n-m$ packets in the average case. Table 5 lists the efficiency comparisons for the best, average, and worst cases.

Table 4 Performance evaluations compared with other schemes

 | Our proposed scheme | Flooding-based scheme | Privacy homomorphism-based scheme
Encryption | Lightweight | Heavyweight | Heavyweight
Encryption key | Easy to change, and always changes | Only one encryption key, and it is hard to change | Only one encryption key, and it is hard to change
Decryption (in aggregator) | No | Yes | Yes
Aggregated result | Only one data | Many redundant data | Only one data

Table 5 Efficiency comparisons for the best, average, and worst cases

 | Best case | Average case | Worst case
Number of comparisons | $n-1$ | $(m-1) + (n-m)(n-m-1)/2$ | $n(n-1)/2$
Packets eliminated | $n-1$ | $n-m$ | 0

6 Conclusion and future directions

In this paper, we proposed a secure encrypted-data aggregation scheme for wireless sensor networks. Our scheme has the following enhancements: (1) the aggregator does not need to decrypt its received encrypted data to verify if these data are the same, so no extra power is wasted on data decryption; (2) the aggregator does not have decryption keys and therefore cannot know anything about the data; and (3) our proposed scheme uses random keys to encrypt data, and this property makes our scheme resilient to known-plaintext attacks, chosen-plaintext attacks, ciphertext-only attacks, and man-in-the-middle attacks. Moreover, compared with conventional PH-based data aggregation schemes, received data can be recovered and decrypted to be further analyzed. Our proposed scheme provides secrecy and privacy in the sense that each sensor mote randomly generates a new encryption key each time, providing semantic security for the data encryption phase of the proposed data aggregation, and the intermediate aggregators cannot decrypt these encrypted data. Aiming at secrecy and privacy, our proposed scheme is resilient to several attacks in sensor networks, and makes data aggregation more practical in these environments.

Our proposed scheme extends the one-time pad to provide a secure encrypted-data aggregation paradigm for wireless sensor networks. Though it supports secrecy and privacy, our scheme provides only an equality check. More general mathematical operations, such as addition, subtraction, and so on, should be further investigated under the same condition: the encryption keys are always changing and the aggregator cannot decrypt data through it. Besides these mathematical operations, operations on strings, such as finding a substring, should also be provided. Currently, our scheme is workable in a one-level clustered network environment, i.e., the aggregator is one hop from the base station. However, in real deployment, this is usually not the case. Our future work toward this problem is to extend our scheme to a multi-level cluster environment. Another problem in our scheme is that our experimental sensor motes must be fixed to a cluster and can no longer be moved to another cluster. We will also address this issue in our future work.
For key management, our proposed scheme pre-installs keys for verification and data aggregation in the aggregator before deployment. This limits the flexibility of system deployment and aggregation. In future work, we expect to modify our key management method so that these keys will not be stored in aggregators in advance but will be exchanged and retrieved when necessary. We also look forward to extending privacy homomorphism functions to support dynamic key management to bring more flexibility to data aggregation. Our protocol uses only XOR operations and an irreversible hash function to encrypt data. The security strength is not as strong as that of block cipher encryption algorithms, such as AES, DES, etc. We also expect to extend our scheme to adopt block-cipher encryption algorithms to provide higher security strength for aggregation.

References

1. Akyildiz, I., Su, W., Sankarasubramaniam, Y., & Cayirci, E. (2002). A survey on sensor networks. IEEE Communications Magazine, 40, 102–114. doi:10.1109/mcom.2002.1024422.
2. Acharya, M., & Girao, J. (2005). Secure comparison of encrypted data in wireless sensor networks. In 3rd international symposium on modeling and optimization in mobile, ad hoc, and wireless networks (pp. 47–53).
3. Al-Karaki, J., Ul-Mustafa, R., & Kamal, A. (2004). Data aggregation in wireless sensor networks: exact and approximate algorithms. In proceedings of the workshop on high performance switching and routing (pp. 241–245).
4. Atonsh, T., & Matsuda, T. (2006). Impact of aggregation efficiency on GIT routing for wireless sensor networks. In proceedings of IEEE international conference on parallel processing workshops.
5. Buttyan, L., Shaffer, P., & Vajda, I. N. (2006). Resilient aggregation with attack detection in sensor networks. In proceedings of the fourth annual IEEE international conference on pervasive computing and communications workshops (p. 332).
6. Cam, H., Ozdemir, S., Nair, P., Muthuavinashiappan, D., & Ozgur Sanli, H. (2006). ESPDA: Energy-efficient secure pattern based data aggregation for wireless sensor networks.
Computer Communication, 29, 446–455.
7. Chen, Y., Liestman, A., & Liu, J. (2006). A hierarchical energy-efficient framework for data aggregation in wireless sensor networks. IEEE Transactions on Vehicular Technology, 55, 789–796. doi:10.1109/tvt.2006.873841.
8. Cho, J., Lee, J., Lee, ., Cho, S., Kwon, W., & Park, H. (2006). Aggregation time control algorithm for time constrained data delivery in wireless sensor networks. In proceedings of vehicular technology (pp. 563–567).
9. Considine, J., Li, F., Kollios, G., & Byers, J. (2004). Approximate aggregation techniques for sensor databases. In proceedings of IEEE conference on data engineering (p. 449).
10. Gatani, L., Lo Re, G., & Ortolani, M. (2006). Robust and efficient data gathering for wireless sensor networks. In proceedings of the 39th Hawaii international conference on system sciences (p. 235).
11. Girao, J., Westhoff, D., & Schneider, M. (2005). CDA: Concealed data aggregation for reverse multicast traffic in wireless sensor networks. In proceedings of 40th international conference on communications (pp. 3044–3049).
12. Girao, J., Westhoff, D., & Schneider, M. (2004). Concealed data aggregation in wireless sensor networks. In proceedings of ACM WiSe conference.
13. Hu, L., & Evans, D. (2003). Secure aggregation for wireless networks. In proceedings of applications and internet workshops (pp. 27–31).
14. Wagner, D. (2004). Resilient aggregation in sensor networks. In proceedings of the 2nd ACM workshop on security of ad hoc and sensor networks (pp. 78–87).
15. Westhoff, D., Girao, J., & Acharya, M. (2006). Concealed data aggregation for reverse multicast traffic in sensor networks: Encryption, key distribution and routing adaptation. In IEEE transactions on mobile computing (pp. 1417–1431).
16. Wu, K., Dreef, D., Sun, B., & Xiao, Y. (2006). Secure data aggregation without persistent cryptographic operations in wireless sensor networks. In proceedings of performance, computing, and communications conference (p. 6).
17. Intanagonwiwat, C., Govindan, R., Estrin, D., & Heidemann, J. (2003). Directed diffusion for wireless sensor networking. In IEEE/ACM transactions on networking (pp. 2–16).
18. Jiang, H., & Jin, S. (2006). Scalable and robust aggregation techniques for extracting statistical information in sensor networks. In proceedings of the 26th IEEE international conference on distributed computing systems (p. 69).
19. Krishnamachari, L., Estrin, D., & Wicker, S. (2002). The impact of data aggregation in wireless sensor networks. In proceedings of distributed computing systems workshops.
20. Li, H., Yu, H., & Liu, A. (2006). A tree based data collection scheme for wireless sensor network. In proceedings of the IEEE international conference of networking (p. 119).
21. Rana, M., Ghosh, S., Patro, R., Viswanath, G., & Chadrashekhar, T. (2006). Secure data aggregation using commitment schemes and quasi commutative functions. In proceedings of 1st international symposium on wireless pervasive computing (pp. 16–18).
22. Shin, S., Lee, J., Baek, J., & Seo, D. (2006). Reliable data aggregation protocol for ad-hoc sensor network environments. In proceedings of the 8th international conference on advanced technology.
23. Shrivastava, N., Buragohain, C., Agrawal, D., & Suri, S. (2004). Medians and beyond: New aggregation techniques for sensor networks. In proceedings of the 2nd international conference on embedded networked sensor systems (pp. 239–249).
24. Li, Z., Li, K., Wen, C., & Soh, Y. (2003). A new chaotic secure communication system. In IEEE transactions on communications (pp. 1306–1312).
25. Li, T., Wu, Y., & Zhu, H. (2006). An efficient scheme for encrypted data aggregation on sensor networks. In proceedings of vehicular technology conference (pp. 831–835).
26. Madden, S., Franklin, M. J., Hellerstein, J. M., & Hong, W. (2002). TAG: A tiny aggregation service for ad-hoc sensor networks. In proceedings of 5th symposium on operating systems design and implementation.
27. Mahimkar, A., & Rappaport, T. (2004). SecureDAV: A secure data aggregation and verification protocol for sensor networks. In proceedings of global communication.
28. Misra, R., & Mandal, C. (2006). Ant-aggregation: Ant colony algorithm for optimal data aggregation in wireless sensor networks. In proceedings of international conference on wireless and optical communication networks (p. 5).
29. Moussaoui, O., Ksentini, A., Naimi, M., & Gueroui, M. (2006). Efficient energy saving in wireless sensor networks through hierarchical-based clustering. In proceedings of the seventh IEEE international symposium on computer networks.
30. Przydatek, B., Song, D., & Perrig, A. (2003). SIA: Secure information aggregation in sensor networks. In proceedings of ACM SenSys conference (pp. 255–265).
31. Chandramouli, R., Bapatla, S., & Subbalakshmi, K. P. (2006). Battery power-aware encryption. In ACM transactions on information and system security (pp. 162–180).
32. Bao, F. (2003). Cryptanalysis of a provable secure additive and multiplicative privacy homomorphism. In proceedings of the international workshop on coding and cryptography (pp. 43–50).
33. Benaloh, J. (1986). Secret sharing homomorphisms: Keeping shares of a secret sharing. In Advances in Cryptology, CRYPTO (pp. 251–260).
34. Cramer, R., Damgard, I., & Nielsen, J. B. (2001). Multiparty computation from threshold homomorphic encryption. In Advances in Cryptology, EUROCRYPT (pp. 280–299).
35. Domingo-Ferrer, J. (2002). A provably secure additive and multiplicative privacy homomorphism. In proceedings of information security conference (pp. 471–483).
36. Perrig, A., & Tygar, J. D. (2002). Secure broadcast communication in wired and wireless networks. Dordrecht: Kluwer Academic Publisher.
37. Schneider, M., & Felten, E. (2000). Efficient commerce protocols based on one-time pads. In proceedings of 16th annual computer security applications conference (p. 317).
38. Canetti, R., Goldreich, O., & Halevi, S. (1998). The random oracle methodology, revisited. In proceedings of the 30th annual ACM symposium on the theory of computing (pp. 209–218).
39. Bellare, M., & Rogaway, P. (1993).<br>Random oracles are practical: a paradigm for designing efficient protocols. In proceedings of 1st conference on computer and communications security (pp. 62–73).
40. Rackoff, C., & Simon, D. (1991). Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In proceedings of advances in cryptology.

Author Biographies

Shih-I Huang received B.S. and M.S. degrees in Applied Mathematics from National Sun-Yat Sen University, and he is working toward his Ph.D. in EECS at National Chiao Tung University. He is also currently an R&D engineer and project leader at the Industrial Technology Research Institute in Taiwan. His research interests include network security, information security, wireless sensor networks, data protection, and data privacy.

Shiuhpyng Shieh received the M.S. and Ph.D. degrees in Electrical and Computer Engineering from the University of Maryland, College Park, respectively. He is a professor of the Department of Computer Science, National Chiao Tung University (NCTU), and the Director of the Taiwan Information Security Center at NCTU. He served in the past as the Computer Science Department Chair of NCTU, Director of GSN-CERT/CC, Advisor to the National Information and Communication Security Task Force, and Advisor to the National Security Bureau. Dr. Shieh currently serves as the Chair of the IEEE Reliability Society Taipei and Tainan Chapter, and a steering committee member of ACM SIGSAC. He is also an associate editor of IEEE Transactions on Dependable and Secure Computing, IEEE Transactions on Reliability, ACM Transactions on Information and System Security, Journal of Computer Security, former editor of Journal of Information Science and Engineering, and guest editor of IEEE Internet Computing, respectively. He was the former President of the Chinese Cryptology and Information Security Association (CCISA), the largest non-profit academic organization for security research.
He was on the organizing committees of numerous conferences, such as Steering Committee Chair of the ACM Symposium on Information, Computer and Communications Security. Dr. Shieh has published over a hundred academic articles, including papers, patents, and books.

Recently he received the ACM Award for his contribution to ACM, and the Distinguished Information Technology Award for his contribution to computer security research. His research interests include network and system security, wireless security, and cryptography.

J. D. Tygar is Professor of Computer Science at UC Berkeley and also a Professor of Information Management at UC Berkeley. He works in the areas of computer security, privacy, and electronic commerce. His current research includes privacy, security issues in sensor webs, digital rights management, and usable computer security. His awards include a National Science Foundation Presidential Young Investigator Award, an Okawa Foundation Fellowship, a teaching award from Carnegie Mellon, and invited keynote addresses at PODC, PODS, VLDB, and many other conferences. Doug Tygar has written three books; his book Secure Broadcast Communication in Wired and Wireless Networks (with Adrian Perrig) is a standard reference and has been translated into Japanese. He designed cryptographic postage standards for the US Postal Service and has helped build a number of security and electronic commerce systems including: Strongbox, Dyad, Netbill, and Micro-Tesla. He served as chair of the Defense Department's ISAT Study Group on Security with Privacy, and was a founding board member of ACM's Special Interest Group on Electronic Commerce. He helped create and remains an active member of TRUST (Team for Research in Ubiquitous Security Technologies). TRUST is a new National Science Foundation Science and Technology Center with headquarters at UC Berkeley and involving faculty from Berkeley, Carnegie Mellon, Cornell, Stanford, and Vanderbilt. Before coming to UC Berkeley, Dr. Tygar was tenured faculty at Carnegie Mellon's Computer Science Department, where he continues to hold an Adjunct Professor position. He received his doctorate from Harvard and his undergraduate degree from Berkeley.